Law 2157 of 2021

Clean Slate Law

On October 29^th, 2021, Law 2157 of 2021 was enacted (the “Law”), it amended and added the Statutory Law 1266 of 2008, better known as the Habeas Data Law.

The Law, modified the following relevant aspects of the Habeas Data Law:

1. The term of permanence of the information will be twice the time of default and, in any case, of maximum four (4) years, counted from the date on which the overdue installments are paid, or the obligation is extinguished.
2. The Law modified the amount of the fines that the authorities can impose. Thus, the fines were equated to those from the Statutory Law of Privacy (Law 1581 of 2012), which are of up to two thousand (2,000) minimum legal monthly wages (MLMV) (for 2021 approx. USD$487.175).
3. Additionally, users must inform, in writing, to data subjects, if they require it, the reasons why a credit was denied.
4. The Law establishes that the consultation of the information will be always free for the data subject. It also clarified that the fact that a data subject constantly reviews its information, cannot affect the subject’s credit score; it also established that the financial, credit or any information protected by the Law cannot be reviewed for employment decision purposes, since the purpose of such information is only related with the analysis and assessment of credit risk.

On the other hand, with the enactment of the Law, the following aspects on financial habeas data were added:

1. Negative data, and information related to the time of the period outstanding, type of collection, or any issue related with breaches on the financial obligation, will expire after the eight (8) years from the default’s date. Thus, after such term, the negative data must be eliminated from the database. Operators, users and sources of information must comply with this obligation.
2. Likewise, the following obligations were added at the time of reporting the information:
   • If the obligation is of less than fifteen percent (15%) of a MLMW, the negative report may only be performed if two different communications, at least twenty (20) days apart, have been sent to the data subject. 
   • From now on, sources of information must report the default in a maximum 18-month period. After such period, the report cannot be made.
   • If sources fail to comply with its obligation to send the communication to the data subject (art. 12 Habeas Data Law), the negative report must be eliminated, until the communication is sent, if after such the debt persist, the source will be able to perform the report.
3. Additionally, the Law recognizes the accountability principle, for the compliance of such law; thus operators, sources, and users must be able to demonstrate that they have implemented the appropriate, effective, and verifiable measures to comply with the Law. The accountability principle will be applicable in the same way as it applies on privacy regulation (Law 1581 of 2012), and thus its compliance will be verified in accordance with:
   • The legal nature and business size.
   • The nature of the data that is being handled.
   • The type of handling.
   • The potential risk on the rights of the data subject.
4. It will be necessary that operators, sources, and users guarantee:
   • The existence of an administrative organization for the adoption and implementation of policies in accordance with the Law.
   • Implementation tools, training, and education programs in relation with the policies.
   • Adoption of processes for the attention and response of petitions, queries, and claims of the data subjects.

Thus, if your company has implemented the accountability principle for the compliance of Law 1581 of 2012, its application to the new law will be much easier.

5. On the other hand, within the procedures for petitions, queries and claims, special aspects related to the impersonation cases and silence were added. Claims related with impersonation cases must be reviewed by the source within the following ten (10) days upon receipt of the information, and if such information is true the source must modify the report and add legend that says, “Victim of Personal Falsehood.” Additionally, if the source considers so, it must denounce the potential fraud of which it was a victim.

In relation with the silence on the answer to a request by a data subject, it is clear that if no answer is given within the applicable term (art. 16 Habeas Data Law), it shall be understood that the request has been accepted and if it is not, the data subject can request the Superintendency of Industry and Trade or the Financial Superintendency to impose the fines established in the Law.

The Law established a transition regime and allowed data subjects that have extinguished their obligations before the entry into force of the law and up to twelve months after it to benefit from such regime. The negative report elimination benefit will apply depending on the following:

1. If the data subjects extinguish their obligations within the twelve (12) months following the entry into force of the Law, the negative information will remain in the data bases for six (6) months, and after such time the information must be automatically eliminated.
2. If the data subjects have extinguished their obligation prior to the entry into force of the Law and the negative data has already been in the data base for at least six (6) months, it will be immediately withdrawn.
3. In the same way, if the data subject extinguished their obligation, but have not been in the database for at least six (6) months, the said negative information will remain for the remaining period to complete the six (6) months, at which time the information will be deleted.
4. In any case, if the default is of less than six (6) months, the negative information will remain for the period of the default, counted from the extinction of the obligation.
5. The following data subjects, may have their negative information withdrawn from the data bases, if they extinguish their obligation within the twelve (12) months following the entry into force of the Law:
   • Small and medium size companies.
   • Tourism sector.
   • Small agricultural producers.
   • Individuals who carry out commercial or independent activities.
   • Small producers in the agricultural sector, victims of the armed conflict and rural youth and women who have agricultural credit with Finagro.
   • Debtors and co-debtors who have credit debts with Icetex.

In case you have any queries regarding the application of the Law, we will be looking forward to helping you.

Author: María Alejandra De Los Ríos I [email protected] I Commercial Contracts – Privacy and Data Protection  / María Camila Hernández I [email protected] I Commercial Contracts – Privacy and Data Protection