On March 11 of this year, the Financial Superintendence (SFC for its initials in Spanish), published the Circular Externa 005 of 2019 (Circular) titled Rules relative to the use of cloud based computing services. The reach of this document extends to accounting, financial and corporate fulfilment processes that entities monitored by the SFC want to support with cloud based computing services.
Highlighting said document is a transition period, established as six months after the publication of this document (meaning it ends on September 11 of 2019). This span of time is meant to give the corporations subject of this regulation a period of time to adjust to the new guidelines set forth, additionally asking them that fifteen days prior to the start of processing of information stored on the cloud, they will have to gather a set of documents required by the sixth disposition of the Circular.
As for the material content of the Circular, it establishes clear requirements about how these type of contract relationships will have to be organized in the future. Some of the most important of these are listed below.
- There are minimum requirements about provider certifications, such as having a certified ISO 27001, 27017 and 27018.
- Verification of the places where information will be processed, with it being necessary that those countries have equal or superior data protection laws than the ones in place in Colombia. This extends to all legislation on the subject, including crimes against confidentiality, integrity and availability of personal data and information systems.
In terms of referral to past legal documents, there is a disposition that establishes that in the subject of Data Privacy there needs to be an analysis of what countries are allowed to gather information from Colombian entities covered by this Circular. Given the international character of data treatment, it is imperative for these entities to consult not only Statutory Laws 1266 of 2008 and 1581 of 2012, but they should also pay close attention to the developments of the countries that continue to be added to the list of those who are qualified to treat the data subject to this Circular. There is a strict list, whose latest development can be consulted in the Circular Externa 008 of 2017, published by the Superintendence of Industry and Commerce.
In conclusion, it is a positive sign for the sector that the Financial Superintendence has decided to regulate this subject in a way where there exists a general permission to use cloud based computing solutions to their business needs, while also establishing clear guidelines for the requirements to do so. It is of the utmost importance that the companies that see themselves as subject to this new Circular embark on adjusting to the new regulation, especially in regards to the transition period and its end date.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.