The SIC released for public comments a draft resolution aimed at amending Title V of the External Directive, which governs personal data protection and financial habeas data matters. 

The proposed amendments can be grouped into three main categories: 

1. Implementation of Laws 2157 of 2021 and 2573 of 2026 on financial habeas data 

First, the draft expressly incorporates Statutory Laws 2157 of 2021 and 2573 of 2026, as well as Constitutional Court Decisions C-282 of 2021 and C-413 of 2025, into the regulatory framework applicable to operators, sources, and users of financial, credit, commercial, service-related, and foreign-source information. 

In this regard, the SIC proposes to revise and expand several obligations related to: 

  • the obligation to certify the existence of authorizations for data reporting; 
  • the blocking of information when sources fail to provide evidence of such authorizations within 20 business days after the expiration of the term set out in Section 1.3.4 of the External Directive; 
  • the management of claims and annotations related to disputed information; 
  • the handling of identity theft and impersonation cases; 
  • prior notice obligations before negative reporting; 
  • maximum retention periods for negative information; 
  • free access by data subjects to their credit information; and 
  • new annual complaint-reporting obligations for operators and information sources. 

The draft also introduces enhanced safeguards for victims of identity theft, including the creation of the annotation “victim of identity fraud” and specific rules governing the correction, deletion, and blocking of information. 

2. Amendments to the RNBD 

Second, the draft includes several changes related to the RNBD. 

In particular, the SIC proposes to: 

  • modify the timelines for updating registered information; 
  • introduce new obligations to report data subject complaints; and 
  • clarify rules regarding the registration and updating of databases by data controllers. 

3. International data transfers 

Additionally, the draft updates the list of countries deemed to provide an adequate level of protection for international personal data transfers, adding countries such as Brazil, Ecuador, Kenya, Panama, and South Africa.

For more information contact our team

info@bu.com.co

Learn more about
Telecommunications, Media and Technology
Share these news