SUPERINTENDENCY OF INDUSTRY AND COMMERCE

EXTERNAL CIRCULAR No. 005
Bogotá D.C., 10 AUG 2017
To: DATA CONTROLLERS (THOSE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA)
Subject: Addition of a Chapter Three to Title V of the Sole Circular
1. Purpose
To set the standards for an adequate level of protection in the country receiving the personal
information and the conditions for obtaining a declaration of conformity to carry out
international transfers of personal data.
2. Legal Basis
Article 26 of Statutory Law 1581 of 2012 (General Personal Data Protection Regime) establishes
the conditions for carrying out international transfers of personal data:
"Article 26. Prohibition. The transfer of personal data of any kind to countries that do not
provide adequate levels of data protection is prohibited. It is understood that a country
offers an adequate level of data protection when it complies with the standards set by the
Superintendency of Industry and Commerce on the matter, which in no case may be lower than
those that this law requires of its addressees. This prohibition will not apply in the
case of:
a) Information for which the Data Subject has given express and unequivocal authorization
for the transfer.
b) Exchange of medical data, when required for the treatment of the Data Subject for reasons
of health and public hygiene.
c) Bank or stock-exchange transfers, in accordance with the applicable legislation.
d) Transfers agreed within the framework of international treaties to which the Republic of
Colombia is a party, based on the principle of reciprocity.
e) Transfers necessary for the execution of a contract between the Data Subject and the Data
Controller, or for the execution of pre-contractual measures, provided that the Data Subject's
authorization has been obtained.
f) Transfers legally required to safeguard the public interest, or for the recognition,
exercise or defense of a right in a judicial proceeding.
Paragraph 1. In cases not covered as an exception in this article, it will be for the
Superintendency of Industry and Commerce to issue the declaration of conformity regarding the
international transfer of personal data. For this purpose, the Superintendent is empowered to
request information and carry out the proceedings aimed at establishing compliance with the
requirements for the viability of the operation.
Paragraph 2. The provisions contained in this article will be applicable to all personal
data, including those covered by Law 1266 of 2008."
In accordance with the aforementioned Article 26 of Statutory Law 1581 of 2012 (General Personal
Data Protection Regime), there are three scenarios that permit the international transfer of
personal data, namely:
(i) The receiving country offers an adequate level of protection, in accordance with the
standards set by the Superintendency of Industry and Commerce, which may not be lower than those
provided by law.
(ii) The transfer operation falls within the exceptions set out in the aforementioned
Article 26.
(iii) The Superintendency of Industry and Commerce issues a declaration of conformity regarding
the viability of the international transfer of personal data that is specifically submitted for
its consideration.
Through Judgment C-748 of 2011, the Constitutional Court specified the conditions that the
Superintendency of Industry and Commerce should consider when setting the standards for the
adequate level of protection of a country receiving personal data transferred from Colombia:
"(...) [I]t will be understood that a country has the elements or standards of guarantee
necessary to ensure an adequate level of protection of personal data if its legislation has:
principles covering the obligations and rights of the parties (data subject, public
authorities, companies, agencies or other bodies that carry out personal data processing) and
of the data (data quality, technical security); and a data protection procedure that involves
mechanisms and authorities that make the protection of information effective. From the above
it follows that the
country to which the data is transferred may not provide a level of protection lower than that
contemplated in this normative body, which is the object of study". (Underlining not in the
original text)
In 2013, the Superintendency of Industry and Commerce commissioned a study from a law firm on
the application in Colombia of the rules on international transfers of personal data. Based on
the provisions of Article 26 of Law 1581 of 2012 and the aforementioned ruling of the
Constitutional Court, the study drew up a non-exhaustive list of countries that, according to
the analysis carried out by said firm, have an adequate level of protection. For this purpose,
the study compared the rules of those countries and the matters they regulate against the
principles that govern the processing of personal data, the rights of Data Subjects, the duties
of Data Controllers and Data Processors, the mechanisms available to make those rights
effective, and the existence of authorities that effectively guarantee them and enforce the law.
The list of countries found to offer an adequate level of protection includes the member
countries of the European Union, governed by Directive 95/46/EC [1] of the European Parliament
and of the Council, of October 24, 1995, on the protection of natural persons with regard to the
processing of personal data and the free movement of such data, which served as a basis for the
drafting of Statutory Bill 184 of 2010 Senate, 046 of 2010 Chamber [2], now Law 1581 of 2012,
and which establishes the most rigorous standards of protection of this fundamental right.
Likewise, the list includes the countries that have been declared to have an adequate level of
protection by the European Commission, taking into account the analysis carried out by the
latter under the rules set out in the aforementioned Directive, which is subject to a more
stringent examination to determine whether a country in fact has protection standards and the
means to ensure their effective implementation.
In addition, the list also contains Mexico, Republic of Korea, Costa Rica, Serbia, Peru,
Norway, Iceland and the United States.
Decree 1377 of 2013, incorporated into Sole Decree 1074 of 2015, established the principle of
demonstrated responsibility, by virtue of which Data Controllers must be able to demonstrate
that they have implemented appropriate and effective measures to comply with the obligations

[1] In May 2018, the European Directive will be replaced by Regulation (EU) 2016/679 of the
European Parliament and of the Council, of April 27, 2016, "on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation)".
[2] Explanatory Memorandum: "(...) This bill incorporates in its articles the best international
practices in the field of data protection contemplated in Convention 108 of 1981 of the Council
of Europe, European Directive 95/46 of 1995, UN Resolution 45/95 of 1990 and the Madrid
Resolution of 2009, with the aim of achieving, with this law, the accreditation of Colombia by
the European Union as a safe country in data protection and thus being able to access the
European market without restrictions, attracting foreign investment and creating new jobs".
established in Statutory Law 1581 of 2012 (General Personal Data Protection Regime), in such a
way as to guarantee the protection of the rights of Data Subjects. This principle is applicable
to all data processing carried out by Data Controllers, including international transfer, as a
form of circulation of such data.
Article 19 of Statutory Law 1581 of 2012 (General Personal Data Protection Regime) assigns to
the Superintendency of Industry and Commerce the function of exercising oversight to ensure that
the processing of personal data respects the principles, rights, guarantees and procedures
provided for in the law.
Article 21 of Statutory Law 1581 of 2012 (General Personal Data Protection Regime) lists among
the functions of this Superintendency to "issue declarations of conformity on international
data transfers" and to "issue instructions on the measures and procedures necessary to bring
the operations of Data Controllers and Data Processors into line with the provisions of this
law".
Therefore, it is necessary to establish the standards that will make it possible to determine
which countries have an adequate level of protection of personal data, to which personal data
may be transferred in compliance with the mandates of the law, and the conditions for obtaining
the declaration of conformity regarding the international transfer of personal data, in order to
ensure that the protection of people's information is guaranteed when the Data Controller sends
it to another country.
3. Instructions
Add a Chapter Three to Title V of the Sole Circular, on international transfer of personal
data, which will read as follows:
"CHAPTER THREE: TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
3.1 Standards of an adequate level of protection of the country receiving the personal
information
The analysis to establish whether a country offers an adequate level of protection of personal
data, for the purposes of carrying out an international data transfer, will be aimed at
determining whether that country guarantees their protection, based on the following standards:
a) Existence of rules applicable to the processing of personal data.
b) Enshrinement in law of principles applicable to the processing of data, among others:
legality, purpose, freedom, veracity or quality, transparency, access and restricted
circulation, security and confidentiality.
c) Enshrinement in law of the rights of Data Subjects.
d) Enshrinement in law of the duties of Data Controllers and Data Processors.
e) Existence of judicial and administrative means and channels to guarantee effective
protection of the rights of Data Subjects and to demand compliance with the law.
f) Existence of public authority(ies) in charge of supervising the processing of personal
data, compliance with applicable legislation and the protection of the rights of Data Subjects,
which effectively exercise(s) its (their) functions.
3.2 Countries that have an adequate level of protection of personal data
Taking into account the standards indicated in section 3.1 above and the analysis carried out
by this Superintendency, the following countries guarantee an adequate level of protection:
Germany; Austria; Belgium; Bulgaria; Cyprus; Costa Rica; Croatia; Denmark; Slovakia; Slovenia;
Estonia; Spain; United States of America; Finland; France; Greece; Hungary; Ireland; Iceland;
Italy; Latvia; Lithuania; Luxembourg; Malta; Mexico; Norway; Netherlands; Peru; Poland;
Portugal; United Kingdom; Czech Republic; Republic of Korea; Romania; Serbia; Sweden; and the
countries that have been declared to have an adequate level of protection by the European
Commission.
The Superintendency of Industry and Commerce will exercise, at any time, its regulatory power
to review the above list and to include countries that are not part of it or exclude those it
considers appropriate, in accordance with the guidelines established in the law.
Paragraph One: Even when transfers of personal data are made to countries that have an adequate
level of protection, Data Controllers, by virtue of the principle of demonstrated
responsibility, must be able to demonstrate that they have implemented appropriate and
effective measures to guarantee the adequate processing of the personal data that they transfer
to another country and to provide security for the records at the time of making the transfer.
Paragraph Two: When the transfer of personal data is to be made to a country that is not among
those listed in this section, it will be for the Data Controller making the transfer to verify
whether the operation falls within one of the grounds of exception established in Article 26 of
Law 1581 of 2012, or whether that country complies with the standards set in section 3.1 above,
in which cases it may make the transfer; or, if neither of the previous conditions is met, to
request the respective declaration of conformity from this Superintendency.
Paragraph Three: The mere cross-border transit of data does not constitute a transfer of data
to third countries. Cross-border transit of data refers to the simple passage of data through
one or several territories using the infrastructure composed of all the networks, equipment and
services required for the data to reach their final destination.
Paragraph Four: Personal data may be transmitted to countries that have an adequate level of
protection of personal data, under the terms that govern the transfer of personal data.
3.3 Declaration of conformity
To request the Declaration of Conformity for the international transfer of personal data, the
Data Controller must file a request with the Superintendency of Industry and Commerce at the
Entity's Document Management and Physical Resources Group, or by email to
contactenos@sic.gov.co, providing the information set out in the "Guide for Requesting the
Declaration of Conformity on International Transfers of Personal Data", published on the
website of this Superintendency. Supporting materials and documents submitted must be translated
into Spanish.
This procedure is governed by the General Administrative Procedure established in the Code of
Administrative Procedure and Administrative Litigation.
In all cases, the Superintendency is empowered to request additional information and carry out
the proceedings it deems necessary, aimed at establishing compliance with the requirements for
the viability of the operation.
Paragraph: When Data Controllers, in order to comply with the principle of demonstrated
responsibility, sign a contract with the Data Controller receiving the data or implement another
legal instrument by which they set out the conditions that will govern the international
transfer of personal data and through which they will guarantee compliance with the principles
that govern the processing as well as the obligations incumbent on them, it will be presumed
that the operation is viable and that it has a Declaration of Conformity.
Consequently, Data Controllers may carry out the transfer after sending a communication to the
Delegation for the Protection of Personal Data of the Superintendency of Industry and Commerce,
in which they report on the operation to be carried out and declare that they have signed the
transfer contract or other legal instrument that guarantees the protection of the personal data
being transferred. This may be verified at any time by this Superintendency which, in the event
that it finds non-compliance, may carry out the respective investigation, impose the
corresponding sanctions and order the measures to be taken.
4. Validity
This External Circular is in force as of its publication in the Official Gazette.
Sincerely,

Superintendent of Industry and Commerce
Prepared by: Maria Claudia Caviedes

