NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

Law 1581 of 2012 (Ley 1581 de 2012)

type
Regulation
Jurisdiction
Full Name
Law 1581 of 2012 (Ley 1581 de 2012) (Ley Estatutaria 1581 de 2012 (octubre 2017) Por la cual se dictan disposiciones generales para la protección de datos personales)
Official Name
Ley Estatutaria 1581 de 2012 (octubre 2017) Por la cual se dictan disposiciones generales para la protección de datos personales

Description

Description
Source

Law 1581 of 2012 - Colombian Personal Data Protection Law

Overview

Law 1581 of 2012 is Colombia's comprehensive personal data protection framework that regulates the collection, processing, and handling of personal data. The law implements the constitutional right of individuals to know, update, and rectify information collected about them in databases. It establishes fundamental principles for data processing, defines rights of data subjects, and sets obligations for data controllers and processors.

The law is enforced by the Superintendence of Industry and Commerce through its Data Protection Authority. It applies to both public and private entities processing personal data in Colombia or those subject to Colombian law through international treaties.

Key Components

Objectives and Scope

  • Implements Article 15 of the Colombian Constitution regarding habeas data
  • Applies to personal data processing in:
    • Public and private databases
    • Colombian territory
    • International contexts where Colombian law applies

Excluded Databases

Article 2 excludes:

  • Personal/domestic databases
  • National security databases
  • Intelligence/counterintelligence data
  • Journalistic databases
  • Financial data (covered by Law 1266 of 2008)
  • Census data

Core Principles

  1. Legality: Processing must comply with legal requirements
  2. Purpose: Must have legitimate, informed purpose
  3. Freedom: Requires prior, express consent
  4. Quality: Data must be accurate and complete
  5. Transparency: Subject access rights
  6. Restricted Access: Limited circulation
  7. Security: Technical and organizational measures
  8. Confidentiality: Data protection obligations

Technical Requirements

Data controllers must implement:

  • Security measures to prevent unauthorized access
  • Authentication systems for data access
  • Encryption for sensitive data transmission
  • Audit trails of data processing activities
  • Incident response procedures

Rights of Data Subjects

Article 8 grants rights to:

  • Access personal data
  • Update/correct information
  • Request proof of authorization
  • File complaints
  • Revoke consent
  • Free access to personal data

Implementation Timeline

  1. Six months adaptation period for existing processors
  2. Creation of Data Protection Authority within six months
  3. Establishment of National Registry of Databases
  4. Regular compliance audits and updates

Territorial Scope

Applies to:

  • Data processing within Colombia
  • International transfers meeting adequacy requirements
  • Colombian entities processing data abroad
  • Foreign entities subject to Colombian jurisdiction

Enforcement

Superintendence of Industry and Commerce can impose:

  • Fines up to 2000 minimum monthly wages
  • Temporary suspension of activities
  • Permanent closure for serious violations
  • Mandatory corrective measures

Projects Following this Regulation

Project
Website
Source

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page