March 1, 2016
After three years of negotiations, the European Commission, the European Parliament and the Council of the European Union reached an agreement on the regulation for the protection of individuals with regard to the processing of personal data (General Data Protection Regulation – GDPR). The regulation will replace Directive 95/46/EC and will be directly enforceable in all member states of the European Union, without the need to implement domestic legislation in each country. Even though the GDPR will take effect in 2018, it contains onerous obligations that have an immediate impact on all countries of the community.
When comparing the GDPR with the current Colombian legislation on Data Protection, significant differences are evident in topics such as
- the scope of application,
- the protection of children’s personal data,
- the conditions for imposing penalties,
- the notification of personal data breaches, among others.
A brief summary of those differences is presented below.
Scope of application
First of all, the scope of the GDPR differs from the current Colombian legislation. The new European regulation applies not only to the processing of data by a controller or a processor established in the European Union, but also to the processing of data by a controller or a processor not established in the Union, when the processing activities relate to the offering of goods or services to data subjects in the EU or to the monitoring of their behaviour within the EU.[1]
Furthermore, the GDPR states that, under certain circumstances, a controller or processor not established in the EU must appoint a representative in the Union, who must be established in one of the member states where the data subjects reside and where their data are processed.[2] Colombian law, for its part, has a different scope, since it limits the regulation to the processing of personal data in Colombian territory, or to processing carried out by controllers or processors not established in the country only where they are legally bound by international laws or treaties.[3] It is important to point out, however, that in October 2015 the Colombian Senate filed a bill[4] that aims to expand this scope. The bill seeks to apply the data protection regulation to any processing carried out by controllers or processors who are not resident in Colombia, if they collect, store, use, circulate or perform any other operation on data of subjects who reside or are located in Colombia.
Protection of children’s personal data
With regard to the protection of children’s personal data, the GDPR requires parental consent for the processing of children’s data, specifically for minors under 16. However, member states may lower the required age to 13.[5]
Meanwhile, Colombian law requires parental consent for the processing of personal data of minors under the age of 18. In Colombia, children are subjects of special constitutional protection, and therefore the processing of their personal data must always respect their prevailing rights.[6]
Notification of personal data breaches
In the case of a personal data breach, the European regulation requires the controller to notify the supervisory authority within 72 hours of becoming aware of it. If the notification is not made within that period, a reasoned justification for the delay must be presented to the supervisory authority.[7] Colombian law, on the other hand, does not set out a specific procedure or time limit for notifying a personal data breach, although it does establish the obligation to inform the data protection authority of it.[8]
Matters not regulated by Colombian Law
It is important to highlight that the GDPR explicitly regulates matters that are not covered by Colombian law, such as the right to erasure (“right to be forgotten”), data profiling, and the designation of a data protection officer. The GDPR regulates the right to be forgotten by establishing the circumstances in which any individual may request the removal of their personal data.[9] Additionally, the regulation defines the situations in which data profiling is allowed,[10] and imposes the obligation to designate a data protection officer in three specific cases, namely: a) when processing is carried out by a public agency, institution or authority; b) when the main activities of the controller or the processor consist of processing operations which, by virtue of their scope, nature or purposes, require regular and systematic monitoring of the data subjects; and c) when the main activities of the controller or the processor consist of large-scale processing of special categories of data and of data relating to criminal convictions and offences.[11]
Accountability and administrative sanctions
Finally, it should be noted that the GDPR imposes direct obligations on data processors, a matter that is already regulated in Colombia, and explicitly defines the general conditions for imposing administrative fines. Under those conditions, fines may reach up to 20 million euros or up to 4% of a company's total worldwide annual turnover.
[1] Article 3 of the GDPR.
[2] Article 25 of the GDPR.
[3] Article 2 of Law 1581 of 2015.
[4] Bill 106 of 2015.
[5] Article 8 of the GDPR.
[6] Article 18.104.22.168.2.9 of Decree 1074 of 2015 and Article 12 of Decree 1377 of 2013.
[7] Article 31 of the GDPR.
[8] Subsection n) of Article 17 of Law 1581 of 2015 and Subsection k) of Article 18 of Law 1581 of 2015.
[9] Article 17 of the GDPR.
[10] Article 20 of the GDPR.
[11] Article 35 of the GDPR.
Dentons is the world's largest law firm, delivering quality and value to clients around the globe. Dentons is a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons' polycentric approach and world-class talent challenge the status quo to advance client interests in the communities in which we live and work. www.dentons.com.