Law Name

Ley Estatutaria 1266 (2008)

Ley Estatutaria 1581 (2012)

Data Transfer

International transmission of personal data carried out between the agency responsible (the data controller) and the person in charge of processing the data (the data processor) does not require consent from, or notification to, the data subject. The processing must comply with what the data subject has consented to and with the instructions the agency responsible gives to the person in charge of processing. The database into which the personal data is collected must be secure, and the personal data must be kept confidential.

Data Sharing

Data can be shared as long as consent has been given in writing, verbally or by other means; silence is not considered consent. Sensitive data (health data) may be processed only if the data subject has been informed that he or she is not obligated to authorize the processing, and only if consent has been given both for the processing of the data and for the purpose for which the information is processed.

Data Retention

The data subject may request suppression of their data, or revoke previously granted authorization for the processing of their personal data, by filing a claim. The claim will not be processed if there is a legal or contractual obligation for the information to remain in the database. If, once the legal term for processing the data has expired, the agency responsible has not eliminated the personal data, the data subject can ask the Superintendence of Industry and Trade to order the revocation of the authorization and/or the suppression of the personal data.

If requested by the Superintendence of Industry and Trade, the agency responsible for the database must provide a description of the procedures used for the collection, storage, use, circulation and suppression of information, and of the purpose for which the information is collected. There must be proof that consent was given to process the information.

The agency responsible must be able to demonstrate, at the request of the Superintendence of Industry and Trade, that appropriate and effective measures have been implemented. Information regarding the legal nature and business of the agency responsible, the nature of the personal data processing, the type of processing and the potential risks that the processing could pose to the data subject must be made available. Additionally, the procedure used to collect the data and a description of the purpose of the information must be provided. There are no set regulations, but each company must demonstrate that its business accounts for the implementation of security policies, that there are internal mechanisms that enforce these policies, and that there is a channel through which the data subject (titleholder) can make a claim or petition regarding their personal data.

Breach Notification

No specific regulations or sanctions are noted for an infringement of these duties; the law stipulates that an evaluation will take place.

Health Privacy Law

Ley 10 (1990)

The Dirección Nacional del Sistema de Salud can authorize health services to be borrowed, making the information subsidiary or complementary to what the borrower already holds, and can do so without express consent from the individuals concerned. Health services can be borrowed as long as the borrower meets the standards of the existing health privacy law. The Dirección Nacional del Sistema de Salud is to dictate the scientific norms that regulate the quality of the services and that control risk factors, and all health service entities must comply with them.

Electronic Health Records Law

Law 2015 (February 2020)