Changes and novelties in the field of Data Protection 2022 | Dentons

Changes and novelties in the field of Data Protection 2022 | Dentons

Below, find the latest and most recent changes in Data Protection in 2022:

1. Decree 255 of 2022 (Ministry of Commerce, Industry and Tourism) – Binding Corporate Rules:

On February 23, 2022, in order to promote legal certainty and the protection of constitutional rights and guarantees in the processing of personal data, the Government of the Nation regulated the so-called “Binding Corporate Rules” by means of Decree 255 of 2022. The Binding Corporate Rules constitute an alternative to facilitate the transfer of data between data controllers/processors belonging to the same corporate group and located in different countries. These rules are materialized through self-regulatory systems that confer rights and guarantees to data subjects, as well as duties and obligations to the business group, in compliance with the principles established in the data protection regulations and in the approval that corresponds to the Superintendence of Industry and Commerce.

Decree available in Spanish here.

2. Circular 006 of 2022 (Superintendence of Industry and Commerce) – Processing of personal data for marketing, advertising, and commercial prospecting purposes:

On July 15, the Superintendence of Industry and Commerce published an instruction for companies that use information and communications technologies in the processing of data for advertising, marketing, and commercial prospecting purposes. Specifically, it establishes the following instructions:

  • Comply with data processing regulations and safeguard the fundamental right of habeas data.
  • Verify that the personal data has been obtained in a lawful manner and that it is possible to demonstrate proof of authorization.
  • Not to contact people who do not wish to receive further advertising and to remove their contact information when requested by data subjects, implementing mechanisms so that data subjects may request the deletion of their data and/or revoke authorization.
  • Implement effective mechanisms so that the Data Subjects can exercise their rights to rectify and update data, as well as file complaints and claims, establishing easily identifiable channels (link, email, telephone) for this purpose.
  • Respond in a timely and appropriate manner to queries or complaints from Data Holders about their personal data, in accordance with Articles 14 and 15 of Law 1581 of 2012.
  • Not to contact people on days or times that violate their “right to tranquility”.

Circular available in Spanish here.

3. Decree 1389 of 2022 (Ministry of Information and Communication Technologies) – General Guidelines for the governance of the public sector data infrastructure and the Data Infrastructure Governance Model:

On July 28, 2022, this Decree was published seeking to establish the general guidelines for the governance of the data infrastructure and to create the Data Infrastructure Governance Model. The Decree defines the Data Infrastructure as the set of shared, dynamic and standardized resources, made available by different actors, which allows the permanent availability of data for its use and generation of social, economic and/or public value, and states that the regulated entities must develop and incorporate technical, human and administrative capacities that guarantee the development and implementation of the provisions of the Data Infrastructure.

The Decree also proposes a Data Infrastructure Governance Model as a set of political, technical, legal and organizational elements that allow articulating actors, instances, rules, policies, plans, programs, strategies, actors, methodologies, commitments, processes and procedures to implement, strengthen, administer and manage the data infrastructure, with the purpose of generating public, social and economic value generate public, social and economic value through data. 

Decree available in Spanish here.

4. Decree 1297 of 2012 (Ministry of Finance and Public Credit) – Regulation of open finance in Colombia:

On July 25, 2022, this Decree was published which regulates open finance or “Open Banking” in Colombia. The Decree was intended to clarify the rules applicable to the transfer of consumer data between financial entities, to promote access to such information in favor of the development of new financial services and functionalities, and to clarify the rules under which entities may market their financial services through electronic platforms, including greater transparency in the terms and conditions of such interfaces and the roles of those involved in the service chain. To this end, the Decree develops the implementation of Open Banking through the following main pillars:

  • The processing and commercialization of financial consumers’ personal data.
  • Digital ecosystems and integrated finance.
  • Initiation of payments as an activity within the payments ecosystem.
  • Commercialization of Technology and Infrastructure to third parties.

Decree available in Spanish here.

5. Guide for the Implementation of Model Contractual Clauses for the International Transfer of Personal Data (Ibero-American Data Protection Network):

The Ibero-American Data Protection Network (RIPD) published a guide of model contractual clauses for international transfers of personal data. This guide, which has a non-binding character, aims to collect the main aspects to take into account when carrying out international transfers of personal data through the use of model contractual clauses.

Guide available in Spanish here.

6. Importante: Update of the National Database Registry (RNBD) 2023

In accordance with the provisions of Title V of the Sole Circular of the Superintendence of Industry and Commerce, Data Controllers must update the National Database Registry as follows:

  • Non-substantial changes: Annually, between January 2 and March 31.
  • Information related to claims filed by the Subjects: within the first fifteen (15) working days of the months of February and August of each year.
  • Substantial changes: within the first ten (10) working days of each month, as of the registration of the database.

Source link

Share This

Leave a Reply

Your email address will not be published.