With the advent of new rules regulating the protection of personal data, companies with operations in Colombia must implement policies and practices to comply with Colombia’s privacy law. In October 2012, Colombia enacted Law 1581 to regulate the protection of personal data and safeguard the constitutional right of privacy in the midst of the challenges posed by globalization and new technologies that enable the easy electronic transfer of personal data.
On June 27, 2013, Colombia’s executive branch issued a decree to implement various provisions of the law. Decree 1377 went into effect immediately.
Law 1581 is part of a growing trend in Latin America to establish broad data protection regimes. As of this publication, Colombia joins Argentina, Costa Rica, Mexico, Peru and Uruguay in enacting such laws. Other countries in Latin America, such as Brazil, are considering similar legislation. U.S. multinationals with employees in Latin America should closely follow this trend.
Important Provisions of the Privacy Law
The privacy law imposes various obligations on any “responsible party” that directly or indirectly processes personal data about the data owner. Law 1581 defines the “responsible party” as the public or private individual or entity that processes the personal data or decides how the data should be processed or the database safeguarded. The data owner is the individual whose personal data is processed. The processing of personal data encompasses the collection, processing, storage, use, transfer or suppression of any information that can be associated with an identified or identifiable individual.
Since employers, as part of their normal course of business, typically collect and process the personal data of their prospective, current or former employees, employers should be especially mindful of the following important provisions under the law:
Privacy notice. Either in writing, verbally or electronically, the responsible party must notify the data owner about: the purpose driving the data collection or processing; the intended use of the personal data; the data owner’s privacy rights; and how the data owner can access the responsible party’s policies that regulate the processing of personal data. To avoid any contention that an employee received, but did not understand, the notice, we recommend that the privacy notice be made in Spanish and in simple, clear and understandable language.
Consent requirements (generally). The responsible party must obtain the data owner’s unequivocal consent prior to processing the personal data. As such, for the consent to be valid, it must be accompanied by a privacy notice that contains all of the information described above. The consent must be expressly stated and can be provided in writing, verbally or through methods that would advise the responsible party that the data owner has expressly consented to the processing of his or her personal information. However, in no way can silence be deemed as consent. We recommend that, where possible, the employer obtain a signed consent, to be able to establish the data owner’s express consent.
The law requires the responsible party preserve proof of the data owner’s unequivocal consent. Concerning this recordkeeping requirement, the privacy law is unclear as to the length of time that a responsible party is required to preserve the proof of consent. Nonetheless, it would be prudent for employers to implement procedures whereby data owners provide unequivocal consent, as well as to retain proof of such consent for at least three years from the date the employment relationship ends, so as to align it with the statute of limitations period for any employment-related claim.
Consent can be revoked at any time, except that such revocation will be deemed invalid if it is made to avoid a legal or contractual obligation. At all times, the responsible party must provide a procedure for the data owner to revoke the consent easily and at no charge. If the processing of the personal data exceeds the purpose for which it was collected, the data owner shall have the right to petition the Superintendency of Industry and Commerce (SIC), the regulatory agency in charge of enforcing this law, to order the revocation or suppression of the personal data.
Consent for processing and protection of sensitive personal data. Except in limited circumstances, processing of sensitive personal data is prohibited. Sensitive personal data refers to information intimately tied to the data owner’s personal characteristics, such as race, ethnicity, medical condition, sexuality, political association, religious or philosophical beliefs, membership in a union or human rights organization or biological data. Because such data can be improperly used to discriminate against individuals, the privacy law provides that no action or activity can be made contingent upon the data owner providing his or her sensitive personal data for processing. This means that an employer is not allowed to require that a current or prospective employee provide his or her sensitive personal data for hiring or continued employment, unless the employer is required by law to collect this information, as it is in the case, for example, where a current or prospective employee is required to undergo a medical exam for a legitimate business reason.
Assuming the collection or processing of the sensitive personal data is allowed, the responsible party nonetheless must ensure that the data is adequately protected and kept confidential.
International and other types of transfer of personal data. Whenever the responsible party transfers personal data to a third party, such as a data processor (for example, an employer that transfers personal data to a vendor for purposes of conducting a background check), the responsible party must enter into an agreement where the third party agrees to process the personal data only for the purposes for which the personal data was collected. This means that, in no way can the personal data be processed for any other purpose without the data owner’s express consent.
The law is stringent regarding international transfers of personal data, such as when a subsidiary corporation located in Colombia transfers personal data to its parent corporation in the U.S. In such cases, the transfer is prohibited, unless the personal data will be transferred to a country with equal or higher standards for the adequate protection of personal data than those required by Law 1581. This prohibition does not apply where the SIC has determined that the third country provides an adequate level of protection or when the transfer has been made in accordance with an international treaty to which Colombia is a signatory.
As of this writing, no guidance has been provided as to whether Colombia will recognize the U.S.-E.U. Safe Harbor Framework as meeting the adequacy standard.
This prohibition notwithstanding, the privacy law provides various exceptions to the adequacy requirement. Two potentially relevant exceptions for employers are:
- When the data owner has provided his or her express and unequivocal consent to the transfer.
- Where the transfer is necessary for the fulfillment of a legal or contractual obligation.
Internal policies available to data owner. The responsible party must establish and implement policies and methods to adequately protect the privacy and confidentiality of the personal data. It is recommended that employers adopt policies that provide guidance to human resources and IT employees on the proper handling of personal data.
Enforcement and sanctions for noncompliance. Decree 1377 establishes that the SIC is authorized to enforce Law 1581 and impose sanctions for noncompliance. Specifically, the SIC may impose a fine in the amount of 2,000 times the general minimum salary in effect at the time of the fine. At the time of this publication, the maximum fine would amount to $627,411 USD. Other sanctions that may be imposed include suspension of operations for up to six months, a temporary (but indefinite) shut down of operations if the company has not corrected its practices to fully comply with the law, or permanent closure of operations if the company refuses to comply with its obligations under the law.
It is expected that the SIC will conduct inspections to monitor compliance, placing special focus on the health and financial industries, given these industries’ reliance on collecting and processing personal data to conduct their activities. Domestic and multinational employers should take the necessary measures to ensure full compliance. We recommend that companies adopt these additional measures:
- Create and implement internal policies to regulate the proper treatment and adequate protection of personal data, whether it relates to the collection, processing, storage, use, transfer or deletion of such data. Such measures should aim to ensure that no sensitive personal data is ever made public.
- Communicate such policies in a uniform manner to all current employees authorized to process personal data and obtain their acknowledgement of receipt.
- Identify the specific purpose for which the personal data may be processed.
- Provide a privacy notice to job applicants and current employees, detailing the key information discussed above, as well as explaining whether the data will be used for purposes other than complying with a legal or contractual obligation.
- Obtain the data owner’s express and unequivocal consent to the processing of the personal data. Preserve proof of the data owner’s express and unequivocal consent to the personal data processing, and the acknowledgement of receipt of the privacy notice.
- Process the personal data only for the purposes for which it was collected as stated in the privacy notice.
- Prior to transferring any personal data to a third-party service provider, ensure that the service provider has agreed, by contract, to protect it in accordance with your company’s policies and to process the personal data consistent with the objective for which it was collected.
- Since the processing or use of personal data is limited to a time or a specific purpose, employers holding personal data of former employees should abstain from processing or using it for any purpose inconsistent with those stated in the privacy notice.
- Obtain a signed agreement of confidentiality from employees handling confidential personal data. This agreement should be included as part of the employment contract, where the parties will agree that a breach of the confidentiality agreement will be just cause for termination.
Finally, as several of the above steps emphasize, it is critical that employers meticulously document each step of the process. Taking on all of these measures will be irrelevant if at the time of an SIC inspection the employer is unable to prove compliance.
Littler Mendelson is the largest U.S.-based law firm exclusively devoted to representing management in employment, employee benefits and labor law.
© 2013 Littler Mendelson. All rights reserved. Republished with permission.
SHRM Online Global HR pageKeep up with the latest Global HR news