Protect Your Privacy: Learn About the Types of Personal Data and Their Processing

When we talk about personal data, we refer to any information linked to or that can be associated with one or more identified or identifiable natural persons. This includes, but is not limited to, data such as names, addresses, identification numbers, and any other information that can identify a natural person.

Therefore, it is essential to understand the different types of data established by law, as each type has specific characteristics and requirements for its processing (collection, storage, use, circulation, deletion, etc.). 

Below, each of the types of data outlined in the law is explained, along with a summary of key points to consider in order to ensure proper management and protection of personal data:

 

1. Types of Personal Data

• Public data: This is data that is determined as such by law or the Political Constitution, as well as any data that is not semi-private, private, or sensitive. Public data includes, among others, information related to a person's civil status, profession or trade, and their status as a merchant or public servant.

Due to its nature, public data can be found in, among other sources, public registers, public documents, gazettes, official bulletins, and judicial rulings that have become final and are not subject to confidentiality, meaning they can circulate freely.

• Semi-private data: This refers to data that is not of an intimate, confidential, or public nature, and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of people, or to society in general.

Among these are data related to place and date of birth, address or phone number, financial and credit data, commercial or service activity, and/or economic rights of individuals, among others.

• Private data: This is data that, due to its intimate or confidential nature, is only relevant to the data subject. Private data includes personal information used to access information systems (username, IP, passwords, profiles, etc.), as well as certain images and photographs.

• Sensitive data: This is data that affects the privacy of the data subject or whose misuse could lead to discrimination, such as racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, or human rights groups, as well as data related to health, sexual life, and biometric data.

 

2. Rules and exceptions for the collection and circulation of personal data

Next, we will illustrate the rules for the collection and circulation of each type of personal data:

 

Type of personal data | Does it require authorization for its processing?
Public | No
Semi-private | Yes
Private | Yes
Sensitive | Yes

 

However, these rules have some exceptions. On the one hand, regarding sensitive data, Article 6 of Law 1581 of 2012 expressly prohibits the processing of this type of data, except in the following cases:

a. When the data subject has given explicit consent to such processing, unless the law does not require the granting of such consent;

b. If the processing is necessary to safeguard the vital interest of the data subject and they are physically or legally incapacitated. In these cases, legal representatives must grant their consent.

c. When the processing is carried out as part of the legitimate activities and with appropriate guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or trade union, provided that it relates exclusively to their members or to individuals who maintain regular contact for the purpose of such activities. In these cases, the data cannot be provided to third parties without the data subject's consent.

d. If the processing concerns data necessary for the recognition, exercise, or defense of a right in judicial proceedings. 

e. If the processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to ensure the anonymization of the data subjects' identities.

On the other hand, Article 10 of the aforementioned law states that authorization from the data subject will not be required for processing the data when it concerns:

a. Information required by a public or administrative entity in the exercise of its legal functions or by court order;

b. Data of a public nature;

c. Cases of medical or health emergency;

d. Processing of information authorized by law for historical, statistical or scientific purposes;

e. Data related to the Civil Registry of Persons.

 

3. Data of children and teenagers

The law expressly prohibits the processing of personal data of children and adolescents, except for data of a public nature and when such processing meets the following parameters and requirements:

1. It must respond to and respect the best interests of children and adolescents.

2. It must ensure the respect of their fundamental rights.

Once the above requirements are met, the legal representative of the child or adolescent will grant authorization, following the minor's exercise of their right to be heard, an opinion that will be considered based on their maturity, autonomy, and capacity to understand the matter.

Any party responsible for or involved in the processing of personal data of children and adolescents must ensure the appropriate use of such data, applying the principles and obligations established in Law 1581 of 2012 and its regulatory decrees.

Additionally, it is the responsibility of the State and educational entities to provide information and training to legal representatives and guardians about the potential risks faced by children and teenagers in relation to the improper processing of their personal data and to promote knowledge about the responsible and secure use of such data.

 

4. Conclusion

The protection of personal data in Colombia is a fundamental right that seeks to guarantee the privacy of citizens. It is important that both individuals and organizations know and respect the regulations related to the handling of this data, thus promoting a culture of responsibility and security.

 

How can we help you?

At Forvis Mazars, we have a team of professionals specialized in complying with Law 1581 of 2012, Decree 1377 of 2013, and other current regulations regarding personal data protection. If you need support with the implementation or compliance of the obligations outlined in this newsletter, do not hesitate to contact us. We are here to help you ensure the protection of your clients' personal data and comply with all applicable regulations.

 
