With the advent of new rules regulating the protection of personal data, companies with operations in Colombia must implement policies and practices to comply with Colombia’s privacy law. In October 2012, Colombia enacted Law 1581 to regulate the protection of personal data and safeguard the constitutional right of privacy in the midst of the challenges posed by globalization and new technologies that enable the easy electronic transfer of personal data.
On June 27, 2013, Colombia’s executive branch issued a decree to implement various provisions of the law. Decree 1377 went into effect immediately.
Law 1581 is part of a growing trend in Latin America to establish broad data protection regimes. As of this publication, Colombia joins Argentina, Costa Rica, Mexico, Peru and Uruguay in enacting such laws. Other countries in Latin America, such as Brazil, are considering similar legislation. U.S. multinationals with employees in Latin America should closely follow this trend.
Important Provisions of the Privacy Law
The privacy law imposes various obligations on any “responsible party” that directly or indirectly processes personal data about the data owner. Law 1581 defines the “responsible party” as the public or private individual or entity that processes the personal data or decides how the data should be processed or the database safeguarded. The data owner is the individual whose personal data is processed. The processing of personal data encompasses the collection, processing, storage, use, transfer or suppression of any information that can be associated with an identified or identifiable individual.
Since employers, as part of their normal course of business, typically collect and process the personal data of their prospective, current or former employees, employers should be especially mindful of the following important provisions under the law:
Privacy notice. Either in writing, verbally or electronically, the responsible party must notify the data owner about: the purpose driving the data collection or processing; the intended use of the personal data; the data owner’s privacy rights; and how the data owner can access the responsible party’s policies that regulate the processing of personal data. To avoid any contention that an employee received, but did not understand, the notice, we recommend that the privacy notice be made in Spanish and in simple, clear and understandable language.
Consent requirements (generally). The responsible party must obtain the data owner’s unequivocal consent prior to processing the personal data. Accordingly, for the consent to be valid, it must be accompanied by a privacy notice that contains all of the information described above. The consent must be expressly stated and can be provided in writing, verbally or through conduct that unequivocally indicates to the responsible party that the data owner has expressly consented to the processing of his or her personal information. Silence, however, can never be deemed consent. We recommend that, where possible, the employer obtain a signed consent, so that it can later establish the data owner’s express consent.
The law requires the responsible party preserve proof of the data owner’s unequivocal consent. Concerning this recordkeeping requirement, the privacy law is unclear as to the length of time that a responsible party is required to preserve the proof of consent. Nonetheless, it would be prudent for employers to implement procedures whereby data owners provide unequivocal consent, as well as to retain proof of such consent for at least three years from the date the employment relationship ends, so as to align it with the statute of limitations period for any employment-related claim.
Consent can be revoked at any time, except that such revocation will be deemed invalid if it is made to avoid a legal or contractual obligation. At all times, the responsible party must provide a procedure for the data owner to revoke the consent easily and at no charge. If the processing of the personal data exceeds the purpose for which it was collected, the data owner shall have the right to petition the Superintendency of Industry and Commerce (SIC), the regulatory agency in charge of enforcing this law, to order the revocation or suppression of the personal data.
Consent for processing and protection of sensitive personal data. Except in limited circumstances, processing of sensitive personal data is prohibited. Sensitive personal data refers to information intimately tied to the data owner’s personal characteristics, such as race, ethnicity, medical condition, sexuality, political association, religious or philosophical beliefs, membership in a union or human rights organization, or biometric data. Because such data can be improperly used to discriminate against individuals, the privacy law provides that no action or activity can be made contingent upon the data owner providing his or her sensitive personal data for processing. This means that an employer is not allowed to require that a current or prospective employee provide his or her sensitive personal data for hiring or continued employment, unless the employer is required by law to collect this information, as is the case, for example, where a current or prospective employee is required to undergo a medical exam for a legitimate business reason.
Assuming the collection or processing of the sensitive personal data is allowed, the responsible party nonetheless must ensure that the data is adequately protected and kept confidential.
International and other types of transfer of personal data. Whenever the responsible party transfers personal data to a third party, such as a data processor (for example, an employer that transfers personal data to a vendor for purposes of conducting a background check), the responsible party must enter into an agreement where the third party agrees to process the personal data only for the purposes for which the personal data was collected. This means that, in no way can the personal data be processed for any other purpose without the data owner’s express consent.
The law is stringent regarding international transfers of personal data, such as when a subsidiary corporation located in Colombia transfers personal data to its parent corporation in the U.S. In such cases, the transfer is prohibited, unless the personal data will be transferred to a country with equal or higher standards for the adequate protection of personal data than those required by Law 1581. This prohibition does not apply where the SIC has determined that the third country provides an adequate level of protection or when the transfer has been made in accordance with an international treaty to which Colombia is a signatory.
As of this writing, no guidance has been provided as to whether Colombia will recognize the U.S.-E.U. Safe Harbor Framework as meeting the adequacy standard.
This prohibition notwithstanding, the privacy law provides various exceptions to the adequacy requirement. Two potentially relevant exceptions for employers are:
Internal policies available to data owner. The responsible party must establish and implement policies and methods to adequately protect the privacy and confidentiality of the personal data. It is recommended that employers adopt policies that provide guidance to human resources and IT employees on the proper handling of personal data.
Enforcement and sanctions for noncompliance. Decree 1377 establishes that the SIC is authorized to enforce Law 1581 and impose sanctions for noncompliance. Specifically, the SIC may impose fines of up to 2,000 times the monthly minimum wage in effect at the time of the fine. At the time of this publication, the maximum fine would amount to $627,411 USD. Other sanctions that may be imposed include suspension of operations for up to six months, a temporary (but indefinite) shutdown of operations if the company has not corrected its practices to fully comply with the law, or permanent closure of operations if the company refuses to comply with its obligations under the law.
It is expected that the SIC will conduct inspections to monitor compliance, placing special focus on the health and financial industries, given these industries’ reliance on collecting and processing personal data to conduct their activities. Domestic and multinational employers should take the necessary measures to ensure full compliance. We recommend that companies adopt these additional measures:
Finally, as several of the above steps emphasize, it is critical that employers meticulously document each step of the process. Taking on all of these measures will be irrelevant if at the time of an SIC inspection the employer is unable to prove compliance.
Littler Mendelson is the largest U.S.-based law firm exclusively devoted to representing management in employment, employee benefits and labor law.
© 2013 Littler Mendelson. All rights reserved. Republished with permission.