Declarations of conformity on international transfers of personal data by the Superintendence of Industry and Commerce

The transfer of personal data is regulated by Law 1581 of 2012 (General Data Protection Regime) and takes place when the data controller, located in Colombia, sends the information or personal data of the owners to a recipient, which in turn is the data controller and is located inside or outside the country.

According to article 26 of Law 1581, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter.

The article states that this prohibition shall not apply in the following cases:

  • Information with respect to which the holder has given express and unequivocal authorization for the transfer.
  • Exchange of medical data, when so required by the treatment of the holder for reasons of health or public hygiene.
  • Banking or stock exchange transfers, in accordance with the applicable legislation.
  • Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the holder and the data controller, or for the execution of pre-contractual measures, as long as the holder's authorization is obtained.
  • Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise, or defense of a right in a judicial process.

In cases not contemplated as an exception, Law 1581 empowered the Superintendence of Industry and Commerce to pronounce on international data transfers through the Declaration of Conformity.

To request a Declaration of Conformity on international transfers of personal information, the interested company must file a petition before the Superintendence of Industry and Commerce, addressed to the Delegation for the Protection of Personal Data, detailing and providing the following:

General Information:

  1. Name and purpose of the databases containing the personal information that will be subject to international transfer.
  2. Treatment given to the personal information contained in those databases.
  3. Types of personal data that will be subject to international transfer between the Sender and the Recipient, specifying whether such data includes sensitive data or data of minors.
  4. Name or company name of the Recipient of the personal data.
  5. Security and confidentiality measures foreseen to carry out the international transfer of personal data.
  6. Treatment that will be given to the information transferred by the Recipient of the personal data.
  7. Purpose of the databases of the Recipient of the personal data, in which the data transferred from Colombia will be stored.

Documentation and policies:

  1. A copy of the Sender's information treatment policies.
  2. Copy of the document proving the existence and legal representation of the Recipient of the personal data.
  3. Copy of the contract, agreement or document explaining the conditions of the transfer of personal data and, in particular, the guarantees regarding the protection of personal data subject to such international transfer.
  4. Copy of the Personal Data Processing or Privacy Policy of the Recipient of the personal data. In the event that the Recipient of the personal data does not have a Personal Data Processing or Privacy Policy, inform the Recipient of the personal data.
  5. Copy of the Information Security Policy of the Recipient of the personal data. In case the Recipient of the personal data does not have an Information Security Policy, inform it and, instead, indicate the technical, human, and administrative measures that will be implemented for the processing of personal data that will be subject to international transfer.
  6. Mechanisms or channels implemented by the Recipient of the personal data for the attention of inquiries, requests and claims of the owners of information. In case the Recipient of the personal data does not have mechanisms or channels implemented for such purposes, inform it in the request.
  7. Period of storage of the data in the Recipient's database.
  8. Treatment that will be given to the personal data once the purpose for which the transfer will be carried out is fulfilled.
  9. Quality of the persons, natural and/or legal, who will have access to the personal data subject to international transfer in the recipient country (employees, contractors or subcontractors, business partners, authorities, etc.) and copy of the models or formats of the confidentiality clauses or agreements implemented by the Recipient of the personal data.
  10. Copy of the personal data protection law of the recipient country. If the recipient country does not have a personal data protection law, inform it in the request for declaration of conformity.
  11. Copy of the law or regulation by which the powers or functions are granted to the personal data protection authority of the recipient country (if it has a personal data protection authority), or whoever takes its place. This applies where such powers are not found in the personal data protection law of the recipient country, or where that law does not contain all of them. If in the recipient country there is no personal data protection authority or someone who takes its place, inform it in the request for declaration of conformity.
  12. Last report published by the personal data protection authority of the recipient country, or whoever acts in its stead, to account for the fulfillment of its functions. If the personal data protection authority or whoever acts in its stead in the recipient country does not publish any report, inform it in the request for declaration of conformity.
  13. Mechanisms that exist in the recipient country to guarantee the protection of the personal data of the data subjects, the administrative and/or judicial authorities before which the data subjects may claim, denounce and/or demand the protection of their rights, and the free or onerous nature of such mechanisms. Supporting documents evidencing this information must be submitted.
  14. Any other information and documents that allow understanding the operation to be carried out.

Countries with an adequate level of personal data protection

Taking into account the standards indicated by the Superintendence in Circular 005 of 2017, the following countries guarantee an adequate level of protection of personal data: Germany; Austria; Belgium; Bulgaria; Cyprus; Costa Rica; Croatia; Czech Republic; Denmark; Estonia; Finland; France; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Lithuania; Luxembourg; Malta; Mexico; Netherlands; Norway; Peru; Poland; Portugal; Republic of Korea; Romania; Serbia; Slovakia; Slovenia; Spain; Sweden; United Kingdom; United States of America; and the countries that have been declared to have an adequate level of protection by the European Commission.

In conclusion, requests for a declaration of conformity must be justified in a broad and complete manner, providing the necessary documentation in accordance with the established requirements. If the data controller carries out international transfers without having the prior declaration of conformity, it may be subject to an administrative investigation by the Superintendence of Industry and Commerce, which, according to Article 23 of Law 1581 of 2012, has the power to impose fines equivalent to two thousand (2,000) million COP.