Personal Data Protection Officer

The Personal Data Protection Regime (Law 1581 of 2012) safeguards the right of individuals to know, update and rectify the information collected about them in databases that are processed by public or private entities.

Likewise, article 2.2.2.25.4.4 of the Sole Regulatory Decree of the Commerce, Industry and Tourism Sector (Decree 1074 of 2015) establishes the obligation to "designate a person or area that assumes the function of personal data protection, which will process the requests of the Data Subjects for the exercise of the rights referred to in Law 1581 of 2012". This obligation falls on companies acting as controllers (responsables) or processors (encargados) of personal data, as those terms are defined in Law 1581 of 2012.

In this regard, the Personal Data Protection Officer (DPO) is the person in charge of verifying compliance with the personal data protection regulations in force within the company, processing the requests of data subjects for the exercise of their rights, ensuring the effective implementation of the policies and procedures adopted, and promoting good practices in personal data management. The DPO must also structure, design and manage the program that allows the company to comply with the personal data protection regulation.

Taking the above into account, it is very important that controllers and processors of personal data appoint a DPO, both to comply with the regulation and to demonstrate that they have implemented appropriate and effective measures to meet the obligations of Law 1581 of 2012, under the principle of demonstrated responsibility (accountability) set out in article 2.2.2.25.6.1 of Decree 1074 of 2015.

It is also worth highlighting that the DPO functions may be outsourced to a specialized organization that offers professional services in this field, and that a single external entity may provide DPO services to multiple controllers and processors of personal data.

The Role of the Personal Data Protection Officer

The role of the DPO is to ensure the effective execution of the policies and procedures adopted by the entity in order to comply with the Personal Data Protection Regime in force in Colombia. In addition, the DPO must oversee the implementation of sound practices in the management of personal information within the company.

However, the DPO does not assume liability for any failure to comply with the framework established in the law. That obligation falls directly on the controllers and processors of personal data, who must ensure, and be able to demonstrate, that processing is carried out in accordance with the guidelines set out in the law.

Therefore, the controller and the processor have an essential role in enabling the DPO to fulfil the tasks entrusted to it, since the DPO is responsible for implementing the control mechanisms of the personal data protection program and for their ongoing evaluation and periodic review.

Responsibilities of the Personal Data Protection Officer

The main and general obligation of the DPO is to supervise compliance with the General Regime for the Protection of Personal Data. Some specific supervisory obligations linked to that regime are worth mentioning:

  1. Conduct a thorough analysis of, and rigorously verify, the regulatory compliance of all activities related to the processing of personal data.
  2. Inform, advise and provide recommendations to the controller or processor of personal data, promoting a culture of personal data protection.
  3. Collect the information needed to define the activities required for the processing of personal data.
  4. Promote the creation and implementation of a system for managing the risks associated with the processing of personal data as a privacy protection strategy, and coordinate the definition and implementation of controls.
  5. Act as liaison and coordinator with the different areas of the organization, in order to ensure a complete and cross-cutting implementation of the Integral Personal Data Management Program.
  6. Be responsible for registering the organization's databases in the National Registry of Databases and for keeping that registration updated in accordance with the guidelines issued by the Superintendence of Industry and Commerce.
  7. Obtain certification of the Binding Corporate Rules from the Superintendence of Industry and Commerce, when required.
  8. Verify the contents of the contracts for international transfers of personal data entered into with other controllers and processors of personal data, whether located in Colombian territory or abroad.
  9. Examine the obligations inherent to each position in the organization in order to establish, for each position, a personal data protection training program in which participation is measured and performance is rated.
  10. Incorporate data protection policies into the operations of all areas of the organization.
  11. Request that successful completion of the personal data training program be included as a requirement in the performance evaluation of employees.
  12. Provide support and advice to the organization when responding to visits and requests from the Superintendence of Industry and Commerce.
  13. Follow up on the implementation and evolution of the Integral Personal Data Management Program.

Sanctions for non-compliance with the Personal Data Protection Law

Failure to comply with the obligations and responsibilities established by law under the Personal Data Protection Regime may result in the Superintendence of Industry and Commerce imposing the following sanctions:

  1. Fines, of a personal or institutional nature, of up to 2,000 legal monthly minimum wages in force.
  2. Suspension of activities related to the processing of personal data for up to six months.
  3. Temporary closure of the operations related to the processing, once the suspension period has elapsed without the corrective measures ordered by the Superintendence of Industry and Commerce having been adopted.
  4. Immediate and definitive closure of any operation involving the processing of sensitive data.

In view of the above, we recommend appointing a DPO in order to comply effectively with the Personal Data Protection Regime.

Document: Boletín-Oficial-de-Protección-de-Datos-Personales-ING.pdf