Data & Privacy · Colombia
Data protection & privacy law in Colombia (2026)
Colombia shaded by its data & privacy status
Data protection in Colombia: comprehensive law, under Statutory Law 1581 of 2012 (Ley Estatutaria 1581 de 2012), supplemented by Law 1266 of 2008 for financial/credit data, with the Superintendencia de Industria y Comercio (SIC) as the supervisory authority.
Colombia operates a comprehensive personal data protection regime anchored in Article 15 of the Constitution (habeas data right) and Statutory Law 1581 of 2012, which governs collection, storage, use, and circulation of personal data across public and private sectors. The SIC enforces the law through its Deputy Superintendence for the Protection of Personal Data, handling thousands of complaints annually and issuing significant sanctions. As of August 2025, two reform bills (214/2025 and 274/2025) are before Congress to modernise the law, introducing GDPR-aligned rights and extraterritorial scope.
Key points
Ley Estatutaria 1581 of 2012 is the cornerstone data protection statute, implementing the constitutional habeas data right (Art. 15). It establishes principles of legality, purpose limitation, freedom, truthfulness, transparency, restricted access, security, and confidentiality for all personal data processing.
The Superintendencia de Industria y Comercio (SIC), through its Deputy Superintendence for the Protection of Personal Data, is the national DPA. It processed over 10,000 claims and consultations in 2024 and can impose fines up to 2,000 times the monthly legal minimum wage (approx. COP 3.5 billion / USD 830,000 as of 2026).
Individuals hold rights to know, access, update, rectify, and request deletion of their personal data, as well as to revoke consent at any time. Processing of sensitive data (health, biometrics, race, religion, sexual orientation) is prohibited absent explicit consent.
Controllers must obtain prior, express consent before processing; register databases in the National Database Registry (RNBD) with the SIC (annual update window January-March); notify the SIC of security breaches within 15 business days; and maintain a documented data protection policy.
Cross-border transfers of personal data are permitted only to countries with adequate protection or under contractual guarantees. In December 2025, the SIC issued Circular Externa No. 003 of 2025 introducing model contractual clauses for international transfers and transmissions, aligning Colombia's framework with EU adequacy standards.
Bills 214/2025 and 274/2025, filed in August 2025, propose major modernisation of Law 1581: extraterritorial scope requiring foreign controllers to appoint a local representative, new legal bases (contract performance, legal obligation), rights to data portability and to contest automated decisions, regulation of minors aged 14+ consent, and increased fines up to 5% of annual operational revenue.
Timeline - major decisions & events
The SIC issued binding guidelines requiring banks, fintechs, and collection agencies to adopt verifiable accountability frameworks, formalise data-transmission contracts, and reference Ibero-American model clauses for international transfers; elevates 'demonstrated responsibility' from a statutory principle to an auditable obligation with 13 enumerated compliance instructions.
Superintendencia de Industria y Comercio (SIC) ↗The Colombian government (MinComercio + MinCiencias) and a congressional bloc filed competing bills to modernise Law 1581 of 2012, introducing multiple legal bases for processing, rights to portability and to object to automated decisions, extraterritorial scope with a mandatory local representative, child-data protections, and fines up to 5% of annual operational revenue, the most significant reform attempt since the 2012 framework.
Superintendencia de Industria y Comercio (SIC) ↗Colombia's data protection authority issued its first AI-specific guidance, requiring that personal data used to develop, train, or deploy AI systems satisfy suitability, necessity, reasonableness, and proportionality; mandates privacy-by-design integration, documented risk assessments, and auditable human oversight mechanisms for AI pipelines.
Superintendencia de Industria y Comercio (SIC) ↗The SIC updated the annual compliance cycle for the Registro Nacional de Bases de Datos, clarifying that entities with assets above 100,000 UVT and all public bodies must register and report on cross-border data flows, security incidents, and updated security measures each first quarter, raising the bar for demonstrable compliance tracking.
Ministerio de Tecnologías de la Información y las Comunicaciones (MINTIC) – Normograma ↗The SIC fined América Móvil subsidiary Claro (Comcel S.A.) COP $1,306,289,600, then the highest privacy fine in Colombian history, for harvesting third-party mobile numbers through its 'Amigos que te premian' referral campaign without prior, express, and informed consent, aggravated by the company's recidivism from a prior sanction for the same violation.
Superintendencia de Industria y Comercio (SIC) ↗The SIC created the mandatory National Registry of Personal Databases, requiring private and public data controllers to register all personal databases, declare data categories and security measures, and report on cross-border transfers; annual updates became obligatory from 2018, making the RNBD a core accountability and supervisory tool.
Hogan Lovells (reporting SIC Circular 002/2015) ↗Decree 1074/2015 compiled Decree 1377/2013 and other scattered secondary regulations into a single Regulatory Decree for the commerce sector, eliminating fragmentation and giving the data-protection implementing rules a stable, codified reference that remains the operative secondary framework today.
Ministerio de Comercio, Industria y Turismo (MINCIT) ↗The government issued the primary secondary regulation for Law 1581, specifying valid-consent requirements, mandatory content of privacy policies and security manuals, procedures for exercising data-subject rights, and conditions for international data transfers, providing the operational rulebook that made compliance with the 2012 law practicable.
Función Pública – Gestor Normativo ↗Congress enacted the comprehensive personal data protection framework covering all databases held by public and private entities in Colombian territory; mandated prior express informed consent, established sensitive-data categories (health, political opinion, etc.), defined data-subject rights (know, update, rectify, delete), and formally designated the SIC as the national supervisory authority.
Secretaría del Senado de Colombia ↗As constitutionally required for all statutory laws, the Court examined the draft of Law 1581 before promulgation, conditionally upholding it and clarifying the constitutional limits on processing sensitive data and children's personal information, its conditions directly shaped the final text and created binding interpretive precedent for the entire framework.
Corte Constitucional de Colombia ↗The newly constituted Constitutional Court ruled in Sentence T-414 that protection of personal financial data constitutes a fundamental individual right, coining the doctrine of 'informatic self-determination' under Article 15 of the 1991 Constitution, opening the door for citizens to seek immediate tutela relief against improper data processing for the next two decades before any statutory law existed.
Corte Constitucional de Colombia ↗Colombia's new Constitution guaranteed every person the right to know, update, and rectify information held about them in public or private databases, alongside rights to privacy and correspondence, establishing the constitutional bedrock that made data protection a fundamental right justiciable before the Constitutional Court and mandating later statutory legislation.
Secretaría del Senado de Colombia ↗Colombia - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →