The Superintendence of Industry and Trade indicated the procedure to be followed for the international transfer of personal data

The “transfer of personal data” occurs when personal data is shared with a third party that will act as controller of the information received. This controller will process the data on its own and for its own purposes. In this sense, the “transfer” consists of delivering personal data to a third party so that it processes the information with complete autonomy and without being subject to any subordination or dependence towards the sender. In accordance with article 26 of Law 1581/2012 (“Law 1581”), the transfer of personal data to countries that do not provide appropriate levels of data protection is forbidden.

However, an international transfer may be made when one of the following assumptions is met:

  • The receiving country offers an appropriate level of protection, in accordance with the standards set forth by the Superintendence of Industry and Trade (the “SIC”).
  • The transfer is made under any of the exceptions provided in article 26 of Law 1581, namely: i) authorization by the holder of the data; ii) bank or stock trading transfer; and iii) legally required transfers for the protection of the public interest or for the exercise or defense of a right in a legal process.
  • The SIC has issued a Declaration of Conformity regarding the viability of the data transfer.

Law 1581 empowered the SIC to establish the standards to determine the requirements a country must meet to assure an adequate level of personal data protection, and to issue the Declaration of Conformity when required.

In this context, on August 10th, the SIC issued External Circular 05/2017 (“Circular 005”), which set forth the standards to determine that a personal data receiver has a proper level of protection, indicated the countries which are deemed to have proper protection levels, and specified the requirements for conducting international transfers of personal data.

I. Standards of a proper level for personal data protection of a receiving country. 

Under the provisions of Circular 005, the SIC will consider that a receiving country provides proper data protection when it:

  • Has rules regulating the treatment of personal data that comprise the principles of legality, purpose, freedom, veracity or quality, transparency, access and restricted circulation, security and confidentiality.
  • Has regulations establishing the rights of personal data holders and the duties of those processing personal data.
  • Has means and channels for the protection and effective exercise of the holders’ rights, as well as for compliance with the existing laws.
  • Has an authority in charge of supervising the treatment of personal data and compliance with the law and applicable regulation, and of guaranteeing the effective protection of the holder’s rights.

II. Countries deemed by SIC to have appropriate protection levels.

Based on the standards contained in Circular 005, the SIC included in it a list of the countries that, in its opinion, offer an appropriate protection level, including Germany, the United States, France, Serbia, Sweden, Romania, Peru, the Netherlands, Portugal, Poland, the United Kingdom and Iceland, among others. The SIC, however, reserves the power to review this list and include or exclude the countries it considers pertinent.

Circular 005 indicated that making a data transfer to a country with appropriate protection levels does not exempt those who make the transfer from their duty to demonstrate that they have implemented the necessary measures to guarantee the correct treatment of the personal data.

If a party intends to transfer personal data to a country not included in the SIC list, it must check whether the operation falls within the exceptions provided in article 26 of Law 1581, mentioned above, or whether the receiving country meets the standards for a proper level of protection, also mentioned above. If either of these assumptions is met, the interested party may make the transfer. In the event that neither of them is met, the interested party must request a conformity declaration from the SIC.

Circular 005 also stated that the simple cross-border transit of data does not imply data transfer to third countries, as the cross-border transit is considered a “simple passing of data through one or several territories using the infrastructure comprised by all the networks, equipment and services required to reach its final destination.”

III. Declaration of Conformity.

According to Law 1581, when a country receiving personal data is not included in the list of countries with an appropriate level of protection or the transfer is not covered by any exception, the interested party shall request that the SIC issue a declaration of conformity on the viability of the operation.

In its request, the interested party shall provide the SIC with information in accordance with the conditions set out in the “Guideline for Requesting a Conformity Declaration on Personal Data International Transfers”. Nonetheless, the SIC shall be entitled to request supplementary information in order to determine whether the required assumptions for the viability of the operation are met.

 
