Skip to content
World Watch/Colombia/Data & Privacy

Data & Privacy · Colombia

Data protection & privacy law in Colombia (2026)

Comprehensive lawStatutory Law 1581 of 2012 (Ley Estatutaria 1581 de 2012), supplemented by Law 1266 of 2008 for financial/credit data, with the Superintendencia de Industria y Comercio (SIC) as the supervisory authorityCountry index 75 · B+

Colombia shaded by its data & privacy status

Data protection in Colombia: comprehensive law, under Statutory Law 1581 of 2012 (Ley Estatutaria 1581 de 2012), supplemented by Law 1266 of 2008 for financial/credit data, with the Superintendencia de Industria y Comercio (SIC) as the supervisory authority.

Colombia operates a comprehensive personal data protection regime anchored in Article 15 of the Constitution (habeas data right) and Statutory Law 1581 of 2012, which governs collection, storage, use, and circulation of personal data across public and private sectors. The SIC enforces the law through its Deputy Superintendence for the Protection of Personal Data, handling thousands of complaints annually and issuing significant sanctions. As of August 2025, two reform bills (214/2025 and 274/2025) are before Congress to modernise the law, introducing GDPR-aligned rights and extraterritorial scope.

Key points

Primary Law

Ley Estatutaria 1581 of 2012 is the cornerstone data protection statute, implementing the constitutional habeas data right (Art. 15). It establishes principles of legality, purpose limitation, freedom, truthfulness, transparency, restricted access, security, and confidentiality for all personal data processing.

Supervisory Authority

The Superintendencia de Industria y Comercio (SIC), through its Deputy Superintendence for the Protection of Personal Data, is the national DPA. It processed over 10,000 claims and consultations in 2024 and can impose fines up to 2,000 times the monthly legal minimum wage (approx. COP 3.5 billion / USD 830,000 as of 2026).

Data Subject Rights

Individuals hold rights to know, access, update, rectify, and request deletion of their personal data, as well as to revoke consent at any time. Processing of sensitive data (health, biometrics, race, religion, sexual orientation) is prohibited absent explicit consent.

Key Controller Obligations

Controllers must obtain prior, express consent before processing; register databases in the National Database Registry (RNBD) with the SIC (annual update window January-March); notify the SIC of security breaches within 15 business days; and maintain a documented data protection policy.

International Transfers

Cross-border transfers of personal data are permitted only to countries with adequate protection or under contractual guarantees. In December 2025, the SIC issued Circular Externa No. 003 of 2025 introducing model contractual clauses for international transfers and transmissions, aligning Colombia's framework with EU adequacy standards.

2025 Reform Bills

Bills 214/2025 and 274/2025, filed in August 2025, propose major modernisation of Law 1581: extraterritorial scope requiring foreign controllers to appoint a local representative, new legal bases (contract performance, legal obligation), rights to data portability and to contest automated decisions, regulation of minors aged 14+ consent, and increased fines up to 5% of annual operational revenue.

Timeline - major decisions & events

Sep 18, 2025guidanceofficial
SIC Circular 001/2025: Demonstrated Accountability Standards for Financial Sector and Fintechs

The SIC issued binding guidelines requiring banks, fintechs, and collection agencies to adopt verifiable accountability frameworks, formalise data-transmission contracts, and reference Ibero-American model clauses for international transfers; elevates 'demonstrated responsibility' from a statutory principle to an auditable obligation with 13 enumerated compliance instructions.

Superintendencia de Industria y Comercio (SIC)
Aug 1, 2025lawofficial
Bills 274/2025 and 214/2025 Filed: GDPR-Aligned Overhaul of Law 1581

The Colombian government (MinComercio + MinCiencias) and a congressional bloc filed competing bills to modernise Law 1581 of 2012, introducing multiple legal bases for processing, rights to portability and to object to automated decisions, extraterritorial scope with a mandatory local representative, child-data protections, and fines up to 5% of annual operational revenue, the most significant reform attempt since the 2012 framework.

Superintendencia de Industria y Comercio (SIC)
Aug 21, 2024guidanceofficial
SIC Circular 002/2024: Guidelines on Personal Data Processing in AI Systems

Colombia's data protection authority issued its first AI-specific guidance, requiring that personal data used to develop, train, or deploy AI systems satisfy suitability, necessity, reasonableness, and proportionality; mandates privacy-by-design integration, documented risk assessments, and auditable human oversight mechanisms for AI pipelines.

Superintendencia de Industria y Comercio (SIC)
Jan 1, 2024guidanceofficial
SIC Circular 001/2024: Refreshed Annual RNBD Registration Obligations

The SIC updated the annual compliance cycle for the Registro Nacional de Bases de Datos, clarifying that entities with assets above 100,000 UVT and all public bodies must register and report on cross-border data flows, security incidents, and updated security measures each first quarter, raising the bar for demonstrable compliance tracking.

Ministerio de Tecnologías de la Información y las Comunicaciones (MINTIC) – Normograma
Jul 6, 2023enforcementofficial
SIC Imposes Record COP $1.3 Billion Fine on Claro for Unlawful Data Collection

The SIC fined América Móvil subsidiary Claro (Comcel S.A.) COP $1,306,289,600, then the highest privacy fine in Colombian history, for harvesting third-party mobile numbers through its 'Amigos que te premian' referral campaign without prior, express, and informed consent, aggravated by the company's recidivism from a prior sanction for the same violation.

Superintendencia de Industria y Comercio (SIC)
Nov 3, 2015decision
SIC Circular 002/2015: Registro Nacional de Bases de Datos (RNBD) Established

The SIC created the mandatory National Registry of Personal Databases, requiring private and public data controllers to register all personal databases, declare data categories and security measures, and report on cross-border transfers; annual updates became obligatory from 2018, making the RNBD a core accountability and supervisory tool.

Hogan Lovells (reporting SIC Circular 002/2015)
May 26, 2015lawofficial
Decreto Único Reglamentario 1074/2015 Consolidates Data Protection Secondary Law

Decree 1074/2015 compiled Decree 1377/2013 and other scattered secondary regulations into a single Regulatory Decree for the commerce sector, eliminating fragmentation and giving the data-protection implementing rules a stable, codified reference that remains the operative secondary framework today.

Ministerio de Comercio, Industria y Turismo (MINCIT)
Jun 27, 2013lawofficial
Decree 1377/2013: Core Implementing Regulation for Law 1581

The government issued the primary secondary regulation for Law 1581, specifying valid-consent requirements, mandatory content of privacy policies and security manuals, procedures for exercising data-subject rights, and conditions for international data transfers, providing the operational rulebook that made compliance with the 2012 law practicable.

Función Pública – Gestor Normativo
Oct 18, 2012lawofficial
Ley Estatutaria 1581/2012: Colombia's General Personal Data Protection Law Enacted

Congress enacted the comprehensive personal data protection framework covering all databases held by public and private entities in Colombian territory; mandated prior express informed consent, established sensitive-data categories (health, political opinion, etc.), defined data-subject rights (know, update, rectify, delete), and formally designated the SIC as the national supervisory authority.

Secretaría del Senado de Colombia
Oct 6, 2011decisionofficial
Constitutional Court C-748/2011: Pre-Enactment Constitutional Review of Law 1581 Draft

As constitutionally required for all statutory laws, the Court examined the draft of Law 1581 before promulgation, conditionally upholding it and clarifying the constitutional limits on processing sensitive data and children's personal information, its conditions directly shaped the final text and created binding interpretive precedent for the entire framework.

Corte Constitucional de Colombia
Jan 1, 1992decisionofficial
Constitutional Court T-414/1992: First Judicial Recognition of Habeas Data as Fundamental Right

The newly constituted Constitutional Court ruled in Sentence T-414 that protection of personal financial data constitutes a fundamental individual right, coining the doctrine of 'informatic self-determination' under Article 15 of the 1991 Constitution, opening the door for citizens to seek immediate tutela relief against improper data processing for the next two decades before any statutory law existed.

Corte Constitucional de Colombia
Jul 4, 1991lawofficial
Political Constitution of Colombia, Article 15: Habeas Data Enshrined as Constitutional Right

Colombia's new Constitution guaranteed every person the right to know, update, and rectify information held about them in public or private databases, alongside rights to privacy and correspondence, establishing the constitutional bedrock that made data protection a fundamental right justiciable before the Constitutional Court and mandating later statutory legislation.

Secretaría del Senado de Colombia

Colombia - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →