Companies in the country should keep in mind the European General Data Protection Regulation (GDPR), which came into force on May 25, 2018 and which aims to protect the personal data of people who are in the member states of the European Union (EU).
Does it apply to companies located in Colombia?
The GDPR is applicable outside the EU in the following cases: (i) personal data processing in the context of an establishment located in the EU, where the processing is carried out outside the EU; and (ii) personal data processing for activities related to the offer of goods and services to people located inside the EU, or to the behavioral monitoring of those people, if such monitoring occurs therein.
Does it introduce anything new compared with our current data legislation?
The GDPR establishes special protection for children under the age of 16: the processing of their personal data requires the prior consent of the person holding parental authority over the child.
In addition, the GDPR provides the data holder with a right to portability of personal data, which allows the holder to access the data in a common format and to transfer them to another controller without authorization.
Another novelty is the need for an agreement or other legal act between the processor and the controller that regulates the relationship between these actors for the processing; the control authority may establish standard clauses for this purpose.
The GDPR also obliges the controller to notify the control authorities of any personal data security breach that represents a risk to the rights and freedoms of the holder, within 72 hours of the occurrence of the applicable event.
Finally, the controller is required to carry out an evaluation prior to processing. If the evaluation indicates that the processing can represent risks, the controller must submit a consultation to the control authority in order to perform the personal data processing.
What are the consequences of its enforcement in Colombia?
The main effects for companies that must apply the GDPR are: (i) the adjustment of their agreements and personal data policies, (ii) the appointment of a representative established in the EU to deal with queries from the control authorities and the interested parties, unless the processing of personal data is occasional, (iii) the preparation of a written and electronic register of processing activities, and (iv) the possible imposition of fines by the EU's personal data protection control authorities.
Have companies located in Colombia been sanctioned under the GDPR?
No cases are known. Nevertheless, in a recent decision against Facebook, the SIC took into account cases from Ireland, France and the Netherlands, where the GDPR is enforced, which reflects that we are facing a new reality in personal data protection.