The Ministry of Trade, Industry, and Tourism issued Decree 255 of 2022 that establishes minimum conditions for the Binding Corporate Rules for obtaining the certificate of good practices in data protection and for international transfers (“BCR”) for corporate groups.  

The BCR encompass the policies, principles of good governance or mandatory corporate good practices codes, adopted by the data controller located in Colombia, in order to transfer personal data to other data controllers from the same corporate group that are located abroad.

The Decree therefore applies to corporate groups, in accordance with article 28 of Law 222 of 1995, that transfer personal data to another controller from the same corporate group, unless other mechanisms have been already implemented for international transfers under Colombian law. 

BCRs shall ensure, among others, compliance of the principles for the processing of personal data, the rules and special categories of data, the rights of data subjects, and the obligations of data controllers, in accordance with Law 1581 of 2012.

Some of the elements to be included in the BCRs are the corporate structure and the contact data of the corporate group and its members, the transfers of personal data, the type of personal data, the purposes for processing data, the name of the foreign data controller and the measures adopted to prevent the transfer of the data to entities outside the corporate group.

The BCRs will only be valid and applicable upon approval from the Superintendence of Industry and Commerce (Colombian Data Protection Authority), which also requires approval from the appropriate body according to the corresponding bylaws or the corporate group agreements.