Decree 255 of 2021 - Personal data
On February 23, 2022, the Ministry of Commerce, Industry and Tourism published Decree 255 of 2022, which regulates the Binding Corporate Rules for certification of good practices in personal data protection and its transfer to other countries.
The Decree establishes the minimum conditions for the Binding Corporate Rules, which must determine the safeguards, mechanisms, and authorizations in terms of data protection, to transfer personal data to a data controller located outside the Colombian territory that belongs to the same business group.
Accordingly, by incorporating the Binding Corporate Rules, business groups will not have the obligation to follow the parameters established in Article 26 of Law 1581 of 2012, among which is the responsibility to transfer personal data only to countries that provide adequate levels of protection, which have already been determined by the Superintendence of Industry and Commerce. The business groups will only use their internal policies to transfer personal data.
Here are some of the indicators that were provided for granting the certification of good corporate practices in personal data protection.
Principles of the Binding Corporate Rules:
- Lawful, fair and transparent data treatment
- Explicit and legitimate data collection purposes
- Constant updating of data
- Preservation of data that allows identification of the data owner
- The party responsible for the data treatment must prove compliance with the obligation contained in Decree 255 of 2022
- Mandatory compliance for the entire corporate group
General requirements to be contained in the Binding Corporate Rules:
- Measures adopted to prevent transfers to other entities that do not belong to the Corporate Group
- The procedures for the data owners to submit queries or complaints and for these to be dealt with in a timely manner
- The adoption of proven accountability measures to verify that efficient measures have been implemented to comply with the Binding Corporate Rules
- The mechanisms established to communicate and record the modifications introduced in the policies and to notify these modifications to the Superintendence of Industry and Commerce
Group sanctions:
The companies of the corporate group and each of its members shall be jointly and severally liable for compliance with the Binding Corporate Rules. Consequently, the Superintendence of Industry and Commerce may require, investigate, and sanction the party responsible for the data treatment established in Colombian territory, for violations committed by any of the members of the corporate group.
Submission of applications for certification:
The business groups that wish to comply with the Binding Corporate Rules must submit them to the Superintendence of Industry and Commerce for approval. This entity will publish on its web page all the specifications that the Binding Corporate Rules must contain, and in that publication it will establish the date from which interested parties may submit their applications for review.