protección de datos personales

In recent days, two statutory bills have been introduced in Congress that pretend to modify Colombia's personal data protection regime:

  • Statutory Bill C274 of 2025 promoted by the Superintendency of Industry and Commerce (“SIC”). This bill was filed on August 27, 2025.
  • Statutory Bill C214 of 2025 promoted by a group of congressmen allied with the government. This bill was filed on August 22, 2025.

Below, we summarize the most relevant changes that coincide in both bills:

  • Extraterritorial scope of application: Colombian data protection law is extended to any controller or processor, regardless of their domicile, when they offer goods/services to persons in Colombia or monitor their behavior.
  • New definitions: Concepts such as biometric data, genetic data, and profiling, among others, are incorporated.
  • New principles: The principles of accountability (which is widely recognized by the SIC), minimization, and transparency are included, among others.
  • New rights of data subjects: The rights to object and not be subject to automated decisions when they produce legal effects that affect them in an automated manner are included, among others. 
  • Legal bases for processing: Both bills expand and detail the legal bases for processing personal data, beyond the consent of the data subject. Legitimate bases are recognized as including, among others: the performance of a contract, compliance with a legal obligation, the protection of vital interests (life or health), and the exercise of public functions.
  • Strengthened obligations for controllers/processors: The obligation to process personal data in accordance with privacy by design and by default criteria, mandatory data protection impact assessments (DPIAs) for high-risk processing, and the appointment of a Data Protection Officer in certain circumstances are introduced.
  • Sanctions: The maximum fine is increased and the alternative of a financial penalty of up to 5% of the offender's operating income is introduced.

For more information on how these developments could impact the processing of personal data in your company, please contact us. 
 

For more information contact our team

info@bu.com.co

Learn more about
Telecommunications, Media and Technology
Share these news