Companies obliged to implement the Binding Corporate Rules in the processing of personal data

If a Colombian company is part of a properly registered business group and transfers personal data from Colombia to companies within that group located abroad, all companies within the structure are obligated to implement Binding Corporate Rules regarding the protection of personal data.

The Ministry of Commerce, Industry, and Tourism established this through Decree 255 of 2022, which regulates the corresponding aspects of Binding Corporate Rules for the certification of good practices in the protection of personal data and its transfer to third countries. These rules must establish guarantees, mechanisms, and authorizations regarding data protection in order to carry out transfers of personal data to a controller that is located outside Colombian territory and is part of the same business group.

By incorporating Binding Corporate Rules, business groups will no longer be obliged to follow the parameters established in Article 26 of Law 1581 of 2012, which includes the responsibility to transmit personal data only to countries that provide adequate levels of protection, which have already been determined conclusively by the Superintendence of Industry and Commerce. Instead, business groups will use only their internal policies for the transfer of personal data to other countries, thus simplifying internal procedures in this matter.

General requirements that must be included in Binding Corporate Rules:

  • Measures taken to prevent transfers to other entities not belonging to the business group.
  • Procedures for data subjects to submit inquiries or claims and for these to be promptly addressed.
  • Adoption of measures of demonstrated responsibility to prove that efficient measures have been implemented to comply with the binding corporate rules.
  • Mechanisms established to communicate and record modifications introduced in the policies and to notify these modifications to the Superintendence of Industry and Commerce.

Sanctions:

The companies within the business group and each of its members will be jointly responsible for compliance with the Binding Corporate Rules. Consequently, the Superintendence of Industry and Commerce may require, investigate, and sanction the data controller established in Colombian territory for the infractions committed by any of the members of the business group.

Sanctions imposed by the Superintendence of Industry and Commerce can range from fines of up to 2,000 SMLMV to the suspension, temporary closure, or definitive closure of activities or operations related to the processing of personal data.
