- Have effective internal policies on data privacy.
- Implement compliance mechanisms.
- Designate an individual or individuals who are in charge of data protection matters, for example a Data Privacy Office (DPO).
- Implement procedures to educate people and make them aware of the need to guarantee the security and confidentiality of data.
- Evaluate risks and be able to mitigate them.
- Constantly review the implementation of matters related to data privacy.
- Implement the security measures mentioned above as well as the mechanisms to exercise Data Subjects’ rights.
8. Register all the data bases that handle Personal Data within the National Data Base Registry

This is one of the most important obligations that Data Controllers will need to comply with. Recently the National Data Base Registry was made available for registration, and therefore any company that handles Personal Data and is the controller of the said data base will have to register its data bases. Since the registry was recently enabled (November 9th, 2015), Data Controllers that already have data bases must register them within a year after that date. Data bases created after that date must be registered within the following two (2) months after their creation.

The following is the minimum information that must be registered; however, during the process there will be some additional questions related to each of the following points:
- Contact information of the Data Controller.
- Contact information of the Data Processor.
- Mechanisms to exercise the rights of Data Subjects.
- Name and purpose of the data base.
- Way of data handling (manual or automated).
- Categories of information that is being handled (i.e. name, address, phone, sensitive data, among others).
- Number of Data Subjects whose data is included in the data base.
- Security measures.
- Source of the Personal Data (identify how the data was obtained).
- Information about international data transfers and/or transmissions.
- Assignment or national data transfer.
- Report of news (Data Subjects’ claims and/or security incidents).
The registry can be performed through the Superintendence of Industry and Commerce (“SIC”) web page and it is relatively easy. However, companies must have all the mentioned information clear and must have previously performed an inventory of their data bases.

9. There are criminal offenses related to the violation of Personal Data

The Colombian Criminal Code contains some criminal offenses related to “Information and Data Protection”. In particular, Article 269F states: “Violation of Personal Data: Anyone who, without being authorized to do so, to its own benefit or for a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, Personal Data contained in files, archives, databases or similar means, will be held liable for imprisonment for a term of 48 to 96 months and a fine”. Therefore, in case there is any breach or leakage of information, companies may file a criminal lawsuit under this article. The criminal offenses will be independent from any investigation that the SIC decides to start due to the breach or leakage.
10. If there is a breach of the data protection regime, sanctions will be applied

The SIC is allowed to initiate administrative investigations against those who breach the provisions of the Data Protection Law and to impose penalties of up to 2,000 Minimum Monthly Legal Wages (approx. USD $475,485.51 in 2016), as well as sanctions that include the temporary or permanent closure of the professional or commercial activities of the subject who breached the data protection regime. The penalties may apply individually to the company as well as to its directors and managers.

Region: Colombia
Interest Area: Publications Chair, Technology, Privacy, and eCommerce
Source: Association of Corporate Counsel