Law 1581 of 2012 - Colombian Personal Data Protection Law
Overview
Law 1581 of 2012 is Colombia's comprehensive personal data protection framework that regulates the collection, processing, and handling of personal data. The law implements the constitutional right of individuals to know, update, and rectify information collected about them in databases. It establishes fundamental principles for data processing, defines rights of data subjects, and sets obligations for data controllers and processors.
The law is enforced by the Superintendence of Industry and Commerce through its Data Protection Authority. It applies to both public and private entities processing personal data in Colombia or those subject to Colombian law through international treaties.
Key Components
Objectives and Scope
- Implements Article 15 of the Colombian Constitution regarding habeas data
- Applies to personal data processing in:
- Public and private databases
- Colombian territory
- International contexts where Colombian law applies
Excluded Databases
Article 2 excludes:
- Personal/domestic databases
- National security databases
- Intelligence/counterintelligence data
- Journalistic databases
- Financial data (covered by Law 1266 of 2008)
- Census data
Core Principles
- Legality: Processing must comply with legal requirements
- Purpose: Must have legitimate, informed purpose
- Freedom: Requires prior, express consent
- Quality: Data must be accurate and complete
- Transparency: Subject access rights
- Restricted Access: Limited circulation
- Security: Technical and organizational measures
- Confidentiality: Data protection obligations
Technical Requirements
Data controllers must implement:
Security measures to prevent unauthorized access
Authentication systems for data access
Encryption for sensitive data transmission
Audit trails of data processing activities
Incident response procedures
Rights of Data Subjects
Article 8 grants rights to:
- Access personal data
- Update/correct information
- Request proof of authorization
- File complaints
- Revoke consent
- Free access to personal data
Implementation Timeline
- Six months adaptation period for existing processors
- Creation of Data Protection Authority within six months
- Establishment of National Registry of Databases
- Regular compliance audits and updates
Territorial Scope
Applies to:
- Data processing within Colombia
- International transfers meeting adequacy requirements
- Colombian entities processing data abroad
- Foreign entities subject to Colombian jurisdiction
Enforcement
Superintendence of Industry and Commerce can impose:
- Fines up to 2000 minimum monthly wages
- Temporary suspension of activities
- Permanent closure for serious violations
- Mandatory corrective measures