Business Revolution in Colombia

What are Binding Corporate Regulations?

The Binding Corporate Regulations were regulated by the Ministry of Commerce, Industry, and Tourism through Decree 255 of 2022, for the certification of good practices in personal data protection and its transfer to third countries.

The purpose of the Decree is to establish the minimum conditions for the Binding Corporate Regulations, which must provide guarantees and mechanisms regarding data protection. These regulations translate into policies, good governance principles, or codes of good business practices that are mandatory for compliance by the data controller established in Colombian territory, in order to carry out transfers of personal data to a data controller located outside of Colombia and part of the same corporate group.

As a result, by incorporating the Binding Corporate Regulations, business groups will not be required to follow the parameters established in Article 26 of Law 1581 of 2012, which includes the responsibility to transfer personal data only to countries that provide adequate levels of protection, which have already been explicitly determined by the Superintendency of Industry and Commerce.

Instead, business groups will use only their internal policies for the transfer of personal data to other countries, thus simplifying internal procedures in this area.

Below, we mention some of the indicators established to grant certification of good business practices in data protection:

Mechanisms to be established by the Binding Corporate Regulations.

• Lawful, fair, and transparent data processing in relation to the data subject.
• Data collected for specified, explicit, and legitimate purposes.
• Data that is adequate, relevant, and limited to what is necessary in relation to the purposes.
• Accuracy of personal data and continuous updates.
• Retention of data that allows identification of the data subject.
• Processed under the control of the data controller, who will ensure and demonstrate compliance with the        provisions of Decree 255 of 2022.
• Mandatory compliance for the entire business group.

Main requirements that must be included in the Binding Corporate Regulations.

• The structure and contact information of the corporate group and each of its members to whom the Binding Corporate Regulations apply.
• The transfers or series of data transfers, including the categories of personal data, the type of processing and its purposes, the types of affected data subjects, and the name of the third-party country or countries.
• The measures taken to prevent transfers to entities that do not belong to the corporate group.
• The procedures for data subjects to submit inquiries or complaints, and ensure they are addressed in a timely manner.
• The adoption of demonstrated accountability measures to verify that efficient measures have been implemented to comply with the Binding Corporate Regulations.
• The mechanisms established to communicate and record changes made to the policies and to notify these changes to the Superintendency of Industry and Commerce.

Compliance and sanctions.

The companies within the corporate group and each of their members will be jointly responsible for complying with the Binding Corporate Rules. As a result, the Superintendence of Industry and Commerce may request, investigate, and impose sanctions on the data controller established in Colombian territory for any violations committed by any member of the corporate group.

Submission of Applications for Certification.

Business groups wishing to adopt the Binding Corporate Rules must submit them to the Superintendence of Industry and Commerce for approval. This entity will publish on its website all the specifications that the Binding Corporate Rules must contain, and in this publication, it will set the date from which interested parties can submit their applications for the respective review.

How can we help you?

At Forvis Mazars, we have a team of experts specializing in compliance with the provisions established in Decree 255 of 2022, as well as in understanding the necessary indicators and requirements to obtain approval of the Binding Corporate Rules. Should you require assistance with the implementation or compliance of the obligations outlined in this bulletin, please contact us at the provided email addresses, and we will be happy to discuss the best way to support you.