Data protection & privacy laws in Colombia (2026)

Ley Estatutaria 1581 of 2012 is the cornerstone data protection statute, implementing the constitutional habeas data right (Art. 15). It establishes principles of legality, purpose limitation, freedom, truthfulness, transparency, restricted access, security, and confidentiality for all personal data processing.

The Superintendencia de Industria y Comercio (SIC), through its Deputy Superintendence for the Protection of Personal Data, is the national DPA. It processed over 10,000 claims and consultations in 2024 and can impose fines up to 2,000 times the monthly legal minimum wage (approx. COP 3.5 billion / USD 830,000 as of 2026).

Individuals hold rights to know, access, update, rectify, and request deletion of their personal data, as well as to revoke consent at any time. Processing of sensitive data (health, biometrics, race, religion, sexual orientation) is prohibited absent explicit consent.

Controllers must obtain prior, express consent before processing; register databases in the National Database Registry (RNBD) with the SIC (annual update window January–March); notify the SIC of security breaches within 15 business days; and maintain a documented data protection policy.

Cross-border transfers of personal data are permitted only to countries with adequate protection or under contractual guarantees. In December 2025, the SIC issued Circular Externa No. 003 of 2025 introducing model contractual clauses for international transfers and transmissions, aligning Colombia's framework with EU adequacy standards.

Bills 214/2025 and 274/2025, filed in August 2025, propose major modernisation of Law 1581: extraterritorial scope requiring foreign controllers to appoint a local representative, new legal bases (contract performance, legal obligation), rights to data portability and to contest automated decisions, regulation of minors aged 14+ consent, and increased fines up to 5% of annual operational revenue.