Page 1

LEGAL REGIME OF BOGOTÁ DC

Secretary
District Legal

© Property of the District Legal Secretariat of the Mayor's Office of Bogotá DC

Decree 1377 of 2013 National Level
Expedition date:

Effective Date:

Publication Medium:

06/27/2013

06/27/2013

Official Gazette No. 48834 of 27

Topics

June 2013.
The District Legal Secretary clarifies that the information contained herein is exclusively of a
informative, its validity is subject to the analysis and powers determined by the Law or regulations.
The contents are constantly updated.

DECREE 1377 OF 2013
(June 27)
Whereby Law 1581 of 2012 is partially regulated
THE PRESIDENT OF THE REPUBLIC OF COLOMBIA
In use of its constitutional powers, and in particular those provided for in numeral 11 of article 189 of the Political Constitution and in the
Law 1581 of 2012, and
See External Circular 008 of 2020. Superintendency of Industry and Commerce.
CONSIDERING:
That by means of Law 1581 of 2012 the General Regime for the Protection of Personal Data was issued, which, in accordance with its article 1 , has
by object “(...) develop the constitutional right that all people have to know, update and rectify the information that has been
collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in article 15 of the
Political constitution; as well as the right to information enshrined in article 20 thereof ”.
That Law 1581 of 2012 constitutes the general framework for the protection of personal data in Colombia.
That by means of judgment C-748 of October 6, 2011, the Constitutional Court declared the Draft Statutory Law number 184 of 2010 enforceable.
Senate, 046 of 2010 Chamber.
That in order to facilitate the implementation and compliance with Law 1581 of 2012, aspects related to the authorization of the
Holder of information for the Treatment of your personal data, the Treatment policies of the Responsible and Managers, the exercise of the
Rights of Information Holders, transfers of personal data and demonstrated responsibility for Data Processing
personal, this last issue referred to accountability.
That by virtue of the above,
DECREE:
CHAPTER I
General disposition
Article 1. Object . The purpose of this Decree is to partially regulate Law 1581 of 2012, by which general provisions are issued
for the protection of personal data.
Article 2. Data processing in the personal or domestic sphere. In accordance with the provisions of literal a) of article 2 of Law 1581 of
2012, databases maintained in an exclusively personal or exclusively personal field are exempted from the application of said law and this decree.
domestic. The personal or domestic sphere includes those activities that are part of the private or family life of the people
natural.
A Article 3 °. Definitions. In addition to the definitions established in article 3 of Law 1581 of 2012, for the purposes of this decree,
you will understand by:
1. Privacy notice: Verbal or written communication generated by the Responsible, directed to the Owner for the Treatment of their personal data,
by which you are informed about the existence of the information treatment policies that will be applicable to you, the way to access the
themselves and the purposes of the Treatment that is intended to give personal data.
2. Public data : It is the data that is not semi-private, private or sensitive. Public data is considered, among others, data related to marital status
of people, their profession or trade and their quality of merchant or public servant. By its nature, public data may be
contained, among others, in public records, public documents, gazettes and official gazettes and duly executed judicial decisions that
are not subject to reservation.
3. Sensitive data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination,
such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership,
social, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of
opposition political parties, as well as data related to health, sexual life, and biometric data.
4. Transfer: The transfer of data takes place when the Person in Charge and / or Person in Charge of the Processing of personal data, located at
Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is inside or outside the country.
5. Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia
When it is intended to carry out a Treatment by the Manager on behalf of the Responsible.
CHAPTER II
Authorization
Article 4. Collection of personal data. In development of the principles of purpose and freedom, data collection should be limited to
those personal data that are pertinent and adequate for the purpose for which they are collected or required in accordance with the regulations
current. Except in the cases expressly provided by law, personal data may not be collected without the authorization of the Holder.
At the request of the Superintendency of Industry and Commerce, the Responsible Parties must provide a description of the procedures used for the
collection, storage, use, circulation and deletion of information, as well as the description of the purposes for which the information
is collected and an explanation of the need to collect the data in each case.
Deceptive or fraudulent means may not be used to collect and process personal data.
A Article 5 °. Authorization . The Data Controller must adopt procedures to request, at the latest at the time of collection
of your data, the authorization of the Holder for the Treatment of the same and inform you of the personal data that will be collected as well as all the
Specific purposes of the Treatment for which consent is obtained.
The personal data found in publicly accessible sources, regardless of the means by which it is accessed, being understood as
such those data or databases that are available to the public, can be processed by anyone as long as, by their
nature, are public data.
In the event of substantial changes in the content of the Treatment policies referred to in Chapter III of this decree, referring to the
Identification of the Responsible and the purpose of the Processing of personal data, which may affect the content of the authorization, the
The Data Controller must communicate these changes to the Owner before or at the latest when the new policies are implemented. What's more,
You must obtain a new authorization from the Owner when the change refers to the purpose of the Treatment.
Article 6. Authorization for the Processing of sensitive personal data . The treatment of sensitive data referred to in the article
5 of Law 1581 of 2012 is prohibited, except for the cases expressly indicated in article 6 of the aforementioned law.
In the Processing of sensitive personal data, when such Processing is possible in accordance with the provisions of article 6 of Law 1581 of
2012, the following obligations must be met:
1. Inform the owner that because it is sensitive data, he is not obliged to authorize its Treatment.
2. Inform the owner explicitly and in advance, in addition to the general authorization requirements for the collection of any type of data.
personal data, which of the data that will be subject to treatment are sensitive and the purpose of the treatment, as well as obtaining your express consent.
No activity may be conditioned on the Holder providing sensitive personal data.
Article 7. How to obtain authorization. For the purposes of complying with the provisions of article 9 of Law 1581 of 2012, the
Those responsible for the processing of personal data will establish mechanisms to obtain the authorization of the owners or whoever is
legitimized in accordance with the provisions of article 20 of this decree, which guarantee their consultation. These mechanisms may be
predetermined through technical means that facilitate the Holder its automated manifestation. It will be understood that the authorization complies with these
requirements when it is manifested (i) in writing, (ii) orally or (iii) through unequivocal conduct of the owner that allows a reasonable conclusion
who granted the authorization. In no case may silence be assimilated to unequivocal conduct.
Article 8. Proof of authorization. The Controllers must keep proof of the authorization granted by the Holders of personal data
for the Treatment of them.
Article 9. Revocation of the authorization and / or deletion of the data . The Holders may at any time request the person in charge or in charge of the
deletion of your personal data and / or revoke the authorization granted for the Treatment thereof, by submitting a claim, of
in accordance with the provisions of article 15 of Law 1581 of 2012.
The request to delete the information and the revocation of the authorization will not proceed when the Holder has a legal or contractual duty to
stay in the database.
The person in charge and the person in charge must make available to the Holder free and easily accessible mechanisms to present the request for deletion of
data or revocation of the authorization granted.
If the respective legal term has expired, the person in charge and / or the person in charge, as the case may be, have not deleted the personal data, the Holder will have
Right to request the Superintendency of Industry and Commerce to order the revocation of the authorization and / or the deletion of personal data.
For these purposes, the procedure described in article 22 of Law 1581 of 2012 will be applied .
Article 10. Data collected before the issuance of this decree. For data collected prior to issuance of this
decree, the following will be taken into account:
1. Those responsible must request the authorization of the owners to continue with the Processing of their personal data as provided in the
Article 7 above, through efficient communication mechanisms, as well as making them aware of their policies on Treatment of the
information and how to exercise your rights.
2. For the purposes of the provisions of paragraph 1, efficient communication mechanisms will be considered those that the person in charge or manager
used in the ordinary course of their interaction with the Registered Holders in their databases.
3. If the mechanisms mentioned in numeral 1 impose a disproportionate burden on the person responsible or it is impossible to request each Holder the
consent to the Processing of your personal data and to inform you of the information processing policies and the way of
exercise their rights, the Responsible Party may implement alternative mechanisms for the purposes set forth in paragraph 1, such as broad newspapers
national circulation, local newspapers or magazines, Internet pages of the person in charge, informative posters, among others, and inform about the
Superintendency of Industry and Commerce, within five (5) days following its implementation.
In order to establish when there is a disproportionate burden for the person in charge, their economic capacity, the number of
holders, the age of the data, the territorial and sectoral scope of operation of the person in charge and the alternative communication mechanism to be used,
In such a way that the fact of requesting the consent of each of the Holders implies an excessive cost and that this compromises financial stability
of the person in charge, carrying out activities of your business or the viability of your programmed budget.
In turn, it will be considered that there is an impossibility of requesting each owner's consent for the Processing of their personal data and putting in
your knowledge of the information treatment policies and the way to exercise your rights when the person in charge does not have contact information
of the holders, either because they do not work in their files, records or databases, or because they are out of date,
incorrect, incomplete or inaccurate.
4. If within thirty (30) business days, counted from the implementation of any of the communication mechanisms described in
numbers 1, 2 and 3, the Owner has not contacted the Responsible or Person in Charge to request the deletion of their personal data under the terms of the
this decree, the person in charge and in charge may continue to process the data contained in their databases for the purpose
or purposes indicated in the information treatment policy, made known to the owners through such mechanisms, without prejudice
of the power that the Holder has to exercise his right at any time and request the deletion of the data.
5. In any case, the Responsible and the Person in Charge must comply with all the applicable provisions of Law 1581 of 2012 and this decree. A) Yes
The same, it will be necessary that the purpose or purposes of the current Treatment are the same, analogous or compatible with the one or those for which
personal data was collected initially.
Paragraph. The implementation of the alternative communication mechanisms provided for in this standard must be carried out no later than within the month
following the publication of this decree.
Article 11. Temporal limitations on the Processing of personal data . The Managers and Managers of Treatment may only
collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that
justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, tax,
legal and historical information. Once the purpose or purposes of the treatment have been fulfilled and without prejudice to legal regulations that provide otherwise,
The Responsible and the Person in Charge must proceed to delete the personal data in their possession. Notwithstanding the foregoing, personal data
They must be kept when required for the fulfillment of a legal or contractual obligation.
Those responsible and in charge of the treatment must document the procedures for the Treatment, conservation and deletion of the data
in accordance with the provisions applicable to the matter in question, as well as the instructions issued in this regard by the
Superintendency of Industry and Commerce.
Article 12. Special requirements for the processing of personal data of children and adolescents . The treatment of personal data of
Children and adolescents are prohibited, except in the case of data of a public nature, in accordance with the provisions of Article 7 of
Law 1581 of 2012 and when said Treatment meets the following parameters and requirements:
1. Respond to and respect the best interests of children and adolescents.
2. That respect for their fundamental rights is ensured.
Once the above requirements have been met, the legal representative of the child or adolescent will grant the authorization prior to the exercise of the minor's right to
be heard, an opinion that will be valued taking into account maturity, autonomy and ability to understand the matter.
Any person responsible and in charge involved in the processing of the personal data of children and adolescents, must ensure the proper use
thereof. For this purpose, the principles and obligations established in Law 1581 of 2012 and this decree must be applied .
The family and society must ensure that those responsible and in charge of processing the personal data of minors comply with the
Obligations established in Law 1581 of 2012 and this decree.
CHAPTER III
Treatment Policies
Article 13. Information Processing Policies. Those responsible for the treatment must develop their policies for the treatment of
personal data and ensure that the Treatment Managers fully comply with them.
The information treatment policies must be in physical or electronic medium, in clear and simple language and be put into
knowledge of the Holders. Said policies must include, at least, the following information:
1. Name or company name, address, address, email and telephone number of the Responsible.
2. Treatment to which the data will be submitted and its purpose when it has not been informed through the privacy notice.
3. Rights that assist you as the Holder.
4. Person or area responsible for the attention of requests, queries and claims before which the owner of the information can exercise their rights to
know, update, rectify and delete the data and revoke the authorization.
5. Procedure so that the holders of the information can exercise the rights to know, update, rectify and delete information and revoke the
authorization.
6. Date of entry into force of the information treatment policy and period of validity of the database.
Any substantial change in the treatment policies, in the terms described in article 5 of this decree, must be communicated
timely to the owners of personal data in an efficient manner, before implementing the new policies.
Article 14. Privacy notice . In cases in which it is not possible to make the information treatment policies available to the Holder,
those responsible must inform the owner through a privacy notice about the existence of such policies and how to access them,
in a timely manner and in any case at the latest at the time of the collection of personal data.
Article 15. Minimum content of the Privacy Notice. The privacy notice, at a minimum, must contain the following information:
1. Name or company name and contact details of the person responsible for the treatment.
2. The Treatment to which the data will be submitted and its purpose.
3. The rights of the owner.
4. The mechanisms provided by the person in charge so that the owner knows the information treatment policy and the substantial changes that
occur in it or in the corresponding Privacy Notice. In all cases, you must inform the Holder how to access or consult the policy of
Information processing.
Notwithstanding the foregoing, when sensitive personal data is collected, the privacy notice must expressly indicate the optional nature of the
answer to the questions that relate to this type of data.
In any case, the disclosure of the Privacy Notice will not exempt the Responsible from the obligation to inform the owners of the treatment policy
of the information, in accordance with the provisions of this decree.
Article 16. Duty to prove the availability of the privacy notice and the information treatment policies . The responsible
They must keep the model of the Privacy Notice that they use to comply with the duty they have to inform the Holders of the existence of
information treatment policies and the way to access them, as long as personal data is processed in accordance with it and the
obligations derived from this. For the storage of the model, the Responsible may use computer, electronic or any other means
other technology that guarantees compliance with the provisions of Law 527 of 1999.
Article 17. Means of disseminating the privacy notice and the information treatment policies. For the dissemination of the privacy notice
and the information treatment policy, the person in charge may use documents, electronic formats, verbal means or any other
technology, as long as it guarantees and complies with the duty to inform the owner.
Article 18. Procedures for the adequate treatment of personal data . The procedures for access, updating, deletion and
rectification of personal data and revocation of authorization must be made known or easily accessible to the holders of the information and
be included in the information treatment policy.
Article 19. Security measures. The Superintendency of Industry and Commerce will give instructions related to security measures
in the processing of personal data.
CHAPTER IV
Exercise of the rights of the holders
Article 20. Legitimation for the exercise of the rights of the holder . The rights of the Holders established in the Law, may be exercised by the
following persons:
1. By the Holder, who must sufficiently prove his identity by the different means made available to him by the person in charge.
2. By their successors in title, who must prove such quality.
3. By the representative and / or attorney-in-fact of the Holder, prior accreditation of the representation or power of attorney.
4. By stipulation in favor of another or for another.
The rights of children or adolescents will be exercised by the people who are empowered to represent them.
Article 21. On the right of access. Those responsible and in charge of the treatment must establish simple and agile mechanisms that are
permanently available to the Holders so that they can access the personal data that is under the control of those and
exercise your rights over them.
The Holder may consult his personal data for free: (i) at least once every calendar month, and (ii) whenever there are modifications
of the Information Processing Policies that motivate new consultations.
For inquiries whose periodicity is greater than one for each calendar month, the person in charge may only charge the owner the costs of shipping, reproduction
and, where appropriate, document certification. The costs of reproduction may not be greater than the costs of recovery of the corresponding material.
For this purpose, the person in charge must demonstrate to the Superintendency of Industry and Commerce, when it so requires, the support of said expenses.
Article 22. On the right to update, rectification and deletion. In development of the principle of truthfulness or quality, in the treatment of data
Reasonable measures must be adopted to ensure that the personal data that rest in the databases are accurate and
sufficient and, when so requested by the Holder or when the Responsible has been able to warn it, they are updated, rectified or deleted, in such a way
that satisfy the purposes of the treatment.
Article 23. Means for the exercise of rights. All Responsible and Person in Charge must designate a person or area that assumes the function of
protection of personal data, which will process the requests of the Holders, for the exercise of the rights referred to in Law 1581 of 2012 and
this decree.
CHAPTER V
International transfers and transfers of personal data
Article 24. On the international transfer and transmission of personal data . For the transmission and transfer of personal data,
the following rules apply:
1. International transfers of personal data must comply with the provisions of article 26 of Law 1581 of 2012.
2. The international transmissions of personal data that are carried out between a person in charge and a manager to allow the manager to carry out the
treatment on behalf of the person in charge, they will not require to be informed to the Holder or have their consent when there is a contract in the terms
of article 25 below.
Article 25. Contract for the transmission of personal data . The contract that the Responsible party signs with those in charge for data processing
personal under its control and responsibility will indicate the scope of the treatment, the activities that the person in charge will carry out on behalf of the person in charge
for the processing of personal data and the obligations of the Manager towards the owner and the person in charge.
Through said contract, the person in charge will undertake to apply the obligations of the person in charge under the policy of Treatment of the
information set by it and to carry out the Data Processing in accordance with the purpose that the Holders have authorized and with the applicable laws.
In addition to the obligations imposed by the applicable regulations within the aforementioned contract, the following obligations must be included at the head of the
respective manager:
1. Give Treatment, on behalf of the Responsible, to personal data in accordance with the principles that protect them.
2. Safeguard the security of the databases in which personal data is contained.
3. Keep confidentiality regarding the processing of personal data.
CHAPTER VI
Demonstrated responsibility for the processing of personal data
Article 26. Demonstration. Those responsible for the processing of personal data must be able to demonstrate, at the request of the Superintendency
of Industry and Commerce, which have implemented appropriate and effective measures to comply with the obligations established in Law 1581 of 2012 and
this decree, in a manner that is proportional to the following:
1. The legal nature of the person in charge and, when applicable, its business size, taking into account whether it is a micro, small, medium
or large company, in accordance with current regulations.
2. The nature of the personal data that is the object of the treatment.
3. The type of Treatment.
4. The potential risks that the aforementioned treatment could cause on the rights of the holders.
In response to a request from the Superintendency of Industry and Commerce, the Responsible Parties must provide it with a description of the
procedures used for the collection of personal data, as well as the description of the purposes for which this information is
collected and an explanation of the relevance of the personal data in each case.
In response to a request from the Superintendency of Industry and Commerce, those who process personal data must
provide this evidence on the effective implementation of appropriate security measures:
Article 27. Effective internal policies . In each case, in accordance with the circumstances mentioned in paragraphs 1, 2, 3 and 4 of Article 26
above, the effective and appropriate measures implemented by the Controller must be consistent with the instructions given by the
Superintendency of Industry and Commerce. These policies must guarantee:
1. The existence of an administrative structure proportional to the structure and business size of the person responsible for the adoption and implementation of
policies consistent with Law 1581 of 2012 and this decree.
2. The adoption of internal mechanisms to put these policies into practice, including implementation tools, training and programs.
of Education.
3. The adoption of processes for the attention and response to inquiries, requests and claims of the Holders, with respect to any aspect of the
treatment.
Verification by the Superintendency of Industry and Commerce of the existence of specific measures and policies for the proper management of
The personal data that a Responsible administers will be taken into account when evaluating the imposition of sanctions for violation of duties
and obligations established in the law and in this decree.
Article 28. Validity and repeal . This decree governs as of its publication in the Official Gazette and repeals the provisions that are applicable to it.
contrary.
LET IT BE PUBLISHED AND ENFORCED.
Given in Bogotá DC, on June 27, 2013
JUAN MANUEL SANTOS CALDERÓN
The Minister of Commerce, Industry and Tourism
SERGIO DÍAZ-GRANADOS GUIDA
The Minister of Information and Communication Technologies

