Last December, the Superintendence of Industry and Commerce (“SIC”) issued two new guides for controllers and processors handling personal data. These guides include recommendations and useful tools to prevent breaches of the Colombian personal data protection rules. They address the following matters:
- Handling of photos as personal data.
- Management of security incidents when handling personal data.
The guides’ purpose is to provide general recommendations to strengthen the self-regulation of those who handle personal data in the course of their activities.
The guides do not cover all relevant aspects of the handling of photos as personal data or the management of security incidents. It is therefore important to review the applicable regulation in order to identify the requirements for each specific case.
1. Guide on the handling of photos as personal data.
According to the guide, those who use photos often overlook that they may contain personal data. Photos commonly do contain personal data: when they depict a specific individual, they may contain biometric information that makes it possible to identify one or more of the individuals in the photograph.
To that extent, the SIC compiled some of the most relevant duties regarding the handling of photos as personal data, as follows:
- To obtain prior, express and informed authorization to take and use photos.
- To verify the legitimate origin of the photos provided by third parties.
- To bear in mind the rules for handling photos of individuals under 18 years of age, especially since those may contain sensitive data or data of a special nature.
- To inform the data subjects about the specific purposes for which the photos will be used.
- To refrain from obtaining photos in a misleading manner and from assuming that publicly accessible photos can be freely used.
- To request that third parties hired to take photos comply with the data protection regulations.
Finally, it is important to clarify that, in addition to being protected by the data protection regulation because they may contain personal data, photos may also be protected from other legal perspectives, such as copyright, antitrust and image rights. The guide also establishes that the handling of photographs in the personal or domestic sphere, and for journalistic and editorial purposes, is not forbidden, as established in the regulation.
2. Guide for the management of security issues in the handling of personal data.
The SIC also issued a set of practical recommendations for correctly dealing with the occurrence and reporting of security incidents affecting databases that contain personal data handled by data controllers and data processors.
As per Law 1581 of 2012, the handling of personal data by controllers or processors must be carried out with the necessary technical, human and administrative measures to guarantee the security and confidentiality of the information.
Organizations therefore need to be prepared to mitigate the effects or risks that may arise when such security measures fail. With this in mind, the guide issued by the SIC provides guidance on the implementation of the following measures:
- To require data processors to report the occurrence of security incidents.
- To keep all security incidents adequately documented.
- To develop a personal data handling program that includes a response protocol for the management of security incidents.
- To implement the necessary steps to deal with possible security incidents.
The guide also highlights the need to increase and maintain the confidence of personal data subjects in organizations, as a fundamental aspect of consolidating any activity that involves the handling of personal data.
Finally, both guides reiterate the need to apply the accountability principle in the handling of personal data. It will therefore be important to consider the specific guide issued by the SIC on the accountability principle at all times when handling personal data.
We look forward to addressing any query regarding the above-mentioned matters.
María Alejandra De Los Ríos | Data Protection and Privacy