Instructions to corporate administrators for the processing of personal data

Acting in its role as Personal Data Protection Authority, the Superintendence of Industry and Commerce issued Circular 003 of August 22, 2024, addressed to the administrators of the companies under its supervision. The circular sets out the scope of the administrators' obligations in the Processing of Personal Data, with the aim of ensuring effective compliance with the regulations in force on the matter.

The following is a summary of the key points of the circular:

1. Origin of the obligations:

Article 2 of the Political Constitution of Colombia establishes that one of the essential purposes of the State is to guarantee the effectiveness of constitutional principles and rights, including the right of Habeas Data and the protection of personal data in their processing.

Corporate administrators therefore play a crucial role: they must ensure compliance with the rules on personal data processing established in laws such as Law 1266 of 2008, Law 1581 of 2012 and Law 2157 of 2021, and in their regulatory decrees. This entails the duty of demonstrated responsibility, or "accountability", which requires corporate administrators to adopt useful, timely, efficient and demonstrable measures that show full and proper compliance with the regulation.

2. The administrator as data controller:

Under Statutory Law 1581 of 2012, the Data Controller is the natural or legal person who, alone or jointly with others, decides on the database and/or the processing of the data.

Accordingly, corporate administrators are jointly responsible for the processing when, together with the legal entity, they determine the purposes of the processing or the essential elements of the means used to process personal data.

3. Obligations of the administrators in the processing of personal data:

The obligations of the administrators with respect to the Processing of Personal Data are:

  • Comply with the provisions of the regulations on the protection of personal data.
  • Establish Effective Internal Policies that guarantee the proper processing of personal data in the course of the economic activity; these policies must be monitored and controlled to ensure compliance.
  • Adopt internal mechanisms to enforce the Effective Internal Policies, including implementation tools and training and awareness programs, which the administrators themselves must know and promote, through:
    1. The designation of a person or area to assume the personal data protection function within the organization;
    2. The approval and verification of real and effective compliance with an internal manual of policies and procedures that ensures adequate compliance with the rules;
    3. The establishment of communication channels that allow the person or area responsible to periodically inform the administrators about the implementation of the organization's Effective Internal Policies.
  • Establish appropriate corporate guidelines for adopting preventive measures that protect the rights of the data subjects, such as privacy impact assessments, which should include the following:
    1. A detailed description of the personal data processing operations.
    2. An assessment of the specific risks to the rights and freedoms of the data subjects, including the identification and classification of those risks.
    3. The measures planned to prevent those risks from materializing, including security measures, software design, technologies and mechanisms that guarantee the protection of personal data, taking into account the rights and legitimate interests of the data subjects and of any other persons who may be affected.
  • Establish guidelines for continually strengthening information security measures.

4. Conclusion

Corporate administrators are jointly responsible for the Processing of Personal Data when, together with the legal entity, they determine the purposes of the processing or the essential elements of the means used to process personal data.
