Page 1

Last update: May 04, 2021 - Official Gazette April 26, 2021
(51,657)
Copyrights reserved - Reproduction prohibited

Start

Article

STATUTORY LAW 1266 OF 2008 [1]

(December 31)
Official Gazette No. 47.219 of December 31, 2008
CONGRESS OF THE REPUBLIC
By which the general provisions of habeas data are issued and the handling of information is regulated
contained in personal databases, especially financial, credit, commercial, services and
from third countries and other provisions are issued.
Summary of Validity Notes
THE CONGRESS OF THE REPUBLIC
DECREE:
ARTICLE 1. OBJECT. The purpose of this law is to develop the constitutional right that all
people to know, update and rectify the information that has been collected about them in banks of
data, and other rights, freedoms and constitutional guarantees related to the collection,
treatment and circulation of personal data referred to in article 15 of the Political Constitution, as well as
the right to information established in article 20 of the Political Constitution, particularly in relation to
with financial and credit information, commercial, services and information from third countries.
Jurisprudence Validity
ARTICLE 2. AREA OF APPLICATION. This law applies to all information data
personnel registered in a database, whether they are managed by public entities or
private.
This law will be applied without prejudice to special regulations that provide for the confidentiality or reservation of certain
data or information registered in databases of a public nature, for statistical purposes, of
investigation or punishment of crimes or to guarantee public order.
The databases that are intended to produce State Intelligence are exempted from this law.
of the Administrative Department of Security, DAS, and the Public Force to guarantee security
national internal and external.
The public registries in charge of the chambers of commerce will be governed exclusively by the norms and
principles enshrined in the special rules that regulate them.
Likewise, those data kept in a field are excluded from the application of this law.
exclusively personal or domestic and those that circulate internally, that is, that are not supplied to
other legal or natural persons.
Jurisprudence Validity
ARTICLE 3. DEFINITIONS. For the purposes of this law, it is understood by:
a) Owner of the information. It is the natural or legal person to whom the information that rests in a
data bank and subject of the right of habeas data and other rights and guarantees referred to in this
law;
b) Source of information. It is the person, entity or organization that receives or knows personal data from
holders of the information, by virtue of a commercial or service relationship or of any other nature and that, in
reason for legal authorization or from the owner, provides these data to an information operator, which in turn
delivered to the end user. If the source delivers the information directly to the users and not, through a
operator, it will have the dual status of source and operator and will assume the duties and responsibilities of
both of them. The source of the information is responsible for the quality of the data supplied to the operator which, in
how much you have access to and provide personal information of third parties, is subject to compliance with the duties and
responsibilities envisaged to guarantee the protection of the rights of the owner of the data;
c) Information operator. <CONDITIONALLY enforceable literal> It is called the information operator
to the person, entity or organization that receives from the source personal data about various holders of the
information, manages them and makes them known to users under the parameters of this law.
Therefore, the operator, as soon as it has access to personal information of third parties, is subject to compliance with
the duties and responsibilities envisaged to guarantee the protection of the rights of the owner of the data.
Unless the operator is the same source of the information, it has no commercial or service relationship with
the owner and therefore is not responsible for the quality of the data provided by the source;
Jurisprudence Validity
d) User. The user is the natural or legal person who, under the terms and circumstances provided in the
this law, you can access personal information of one or more holders of the information provided by
the operator or by the source, or directly by the owner of the information. The user, as soon as he has access to
personal information of third parties, is subject to compliance with the duties and responsibilities provided for
guarantee the protection of the rights of the data owner. In the event that the user in turn delivers
the information directly to an operator, the latter will have the double status of user and source, and will assume the
duties and responsibilities of both;
e) Personal data. It is any piece of information linked to one or more specific people or
determinable or that can be associated with a natural or legal person. Impersonal data is not subject
to the data protection regime of this law. When in this law a reference is made to a piece of information,
it is presumed to be for personal use. Personal data can be public, semi-private or private;
f) Public data. It is the data classified as such according to the mandates of the law or the Political Constitution and all
those that are not semi-private or private, in accordance with this law. They are public, among others,
the data contained in public documents, duly executed judicial decisions that are not
subject to reservation and those related to the civil status of persons;
g) Semi-private data. Data that is not intimate, reserved, or public in nature and whose
Knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to the
society in general, such as the financial and credit data of commercial activity or services referred to in the
Title IV of this law.
h) Private data. It is the data that due to its intimate or reserved nature is only relevant for the owner.
i) Commercial Information Agency. It is any legally constituted company whose activity is
main the collection, validation and processing of commercial information about companies and
merchants specifically requested by their customers, meaning commercial information that
historical and current information regarding the financial, equity, market, administrative,
operational, on the fulfillment of obligations and other relevant information to analyze the situation
integral part of a company. For the purposes of this law, commercial information agencies are
information operators and information sources.
PARAGRAPH: To commercial information agencies, as well as to their sources or users, as the case may be,
The following provisions of this law will not apply: numerals 2 and 6 of article 8 or article 12 , and
Article 14 .
j) Financial, credit, commercial, service information and information from third countries.
For all purposes of this law, financial, credit, commercial information, of
services and that from third countries, that referred to the birth, execution and termination of
monetary obligations, regardless of the nature of the contract that gives rise to them.
Jurisprudence Validity
Text of the Previous Bill
ARTICLE 4. PRINCIPLES OF DATA MANAGEMENT. In the development, interpretation and
application of this law, will be taken into account, harmoniously and comprehensively, the principles that
The following are established:
a) Principle of veracity or quality of records or data. The information contained in the databases
It must be true, complete, accurate, up-to-date, verifiable and understandable. Registration and disclosure prohibited
of partial, incomplete, fractioned or misleading data;
b) Principle of purpose. The administration of personal data must obey a legitimate purpose of
according to the Constitution and the law. The purpose must be informed to the owner of the prior information or
concomitantly with the granting of the authorization, when it is necessary or in general whenever
the owner requests information in this regard;
c) Principle of restricted circulation. The administration of personal data is subject to the limits that are
derive from the nature of the data, the provisions of this law and the principles of the
administration of personal data, especially the principles of temporality of information and the
purpose of the database.
Personal data, except public information, may not be accessible on the Internet or by other means of
disclosure or mass communication, unless access is technically controllable to provide a
knowledge restricted only to the holders or authorized users in accordance with this law;
d) Principle of temporality of the information. The information of the owner may not be provided to users or
third parties when it ceases to serve the purpose of the data bank;
e) Principle of comprehensive interpretation of constitutional rights. This law will be interpreted in the sense
that constitutional rights are adequately protected, such as habeas data, the right to good
name, the right to honor, the right to privacy and the right to information. The rights of
Headlines will be interpreted in harmony and in a balance with the right to information provided for in the
Article 20 of the Constitution and with the other applicable constitutional rights;
f) Principle of security. The information that makes up the individual records constituting the banks of
data referred to in the law, as well as the data resulting from the queries made by its users, must be
handle with the technical measures that are necessary to guarantee the security of the records avoiding their
adulteration, loss, consultation or unauthorized use;
g) Principle of confidentiality. All natural or legal persons involved in the administration
of personal data that do not have the nature of public are obliged at all times to guarantee the
reservation of information, even after the end of your relationship with any of the tasks that comprise
data administration, being able to only supply or communicate data when it corresponds
to the development of the activities authorized in this law and in the terms of the same.
Jurisprudence Validity
ARTICLE 5. CIRCULATION OF INFORMATION. Personal information collected or supplied from
in accordance with the provisions of the law to the operators that are part of the database that it manages,
may be delivered verbally, in writing, or made available to the following people and in the
following terms:
a) To the owners, to the persons duly authorized by them and to their successors in title through the
consultation procedure provided for in this law.
b) To the users of the information, within the parameters of this law.
c) To any judicial authority, prior judicial order.
d) <Literal CONDITIONALLY enforceable> To the public entities of the executive branch, when the
Knowledge of said information corresponds directly to the fulfillment of any of its functions.
Jurisprudence Validity
e) To the control bodies and other disciplinary, fiscal, or administrative investigation units, when
the information is necessary for the development of an ongoing investigation.
f) To other data operators, when there is authorization from the owner, or when without being necessary the
authorization of the owner the destination database has the same purpose or a purpose that includes the
that has the operator that delivers the data. If the recipient of the information is a foreign database,
delivery without authorization from the owner may only be made by leaving written evidence of the delivery of the
information and prior verification by the operator that the laws of the respective country or the recipient
provide sufficient guarantees for the protection of the rights of the holder.
g) To other persons authorized by law.
Jurisprudence Validity
TITLE II.
RIGHTS OF THE HOLDERS OF THE INFORMATION.
ARTICLE 6. RIGHTS OF THE HOLDERS OF THE INFORMATION. The holders will have the
following rights:
1. In front of the data bank operators:
1.1 Exercise the fundamental right to habeas data in the terms of this law, through the use of
consultation or complaint procedures, without prejudice to other constitutional and legal mechanisms.
1.2 Request the respect and protection of other constitutional or legal rights, as well as other
provisions of this law, through the use of the complaints and petitions procedure.
1.3 Request proof of the certification of the existence of the authorization issued by the source or by the user.
1.4 Request information about users authorized to obtain information.
PARAGRAPH. The administration of public information does not require authorization from the owner of the data, but
subject to compliance with the principles of the administration of personal data and the other provisions of
this law.
The administration of semi-private and private data requires the prior and express consent of the owner of the
data, except in the case of financial, credit, commercial, service data and data from third countries
which does not require authorization from the owner. In any case, the administration of semi-private and private data is
subject to compliance with the principles of the administration of personal data and the other provisions of
this law.
2. In front of the sources of the information:
2.1 <Numeral CONDITIONALLY enforceable> Exercise the fundamental rights to habeas data and
request, the fulfillment of which may be carried out through the operators, in accordance with the provisions of the
consultation procedures and claims of this law, without prejudice to other constitutional mechanisms or
legal.
Jurisprudence Validity
2.2 Request information or request the updating or rectification of the data contained in the database,
which the operator will perform, based on the information provided by the source, as established in the
procedure for inquiries, claims and petitions.
2.3 Request proof of authorization, when said authorization is required in accordance with the provisions of the
present law.
3. In front of users:
3.1 Request information about the use that the user is giving the information, when said
information has not been provided by the operator.
3.2 Request proof of authorization, when it is required in accordance with the provisions of this law.
PARAGRAPH. Holders of financial and credit information will additionally have the following
Rights:
They may go to the surveillance authority to file complaints against sources, operators or users
for violation of the regulations on administration of financial and credit information.
Likewise, they can go before the surveillance authority to pretend that an operator or source is ordered
the correction or updating of your personal data, when it is appropriate in accordance with the provisions of the
present law.
Jurisprudence Validity
TITLE III.
DUTIES OF OPERATORS, SOURCES AND USERS OF INFORMATION.
ARTICLE 7. DUTIES OF THE OPERATORS OF THE DATA BANKS. Without prejudice to
compliance with the other provisions contained in this law and others that govern its activity, the
Database operators are obliged to:
1. Guarantee, at all times to the owner of the information, the full and effective exercise of the right to habeas data
and of request, that is, the possibility of knowing the information that exists or resides in the bank of
data, and request the update or correction of data, all of which will be done through the
mechanisms for inquiries or claims, in accordance with the provisions of this law.
2. Guarantee that in the collection, treatment and circulation of data, the other rights will be respected.
enshrined in law.
3. Allow access to information only to people who, in accordance with the provisions of this
law, they can have access to it.
4. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the
present law and, especially, for the attention of queries and claims by the owners.
5. Request certification from the source of the existence of the authorization granted by the holder, when said
authorization is necessary, in accordance with the provisions of this law.
6. Maintain the stored records with due security to prevent their deterioration, loss,
alteration, unauthorized or fraudulent use.
7. Perform periodic and timely updating and rectification of the data, each time they report to you
news sources, under the terms of this law.
8. Process the requests, queries and claims made by the holders of the information, in the
terms indicated in this law.
9. Indicate in the respective individual record that certain information is under discussion by
of its owner, when the request for rectification or updating of the same has been submitted and there is no
once said procedure has been completed, in the manner in which it is regulated in this law.
10. Circulate the information to users within the parameters of this law.
11. Comply with the instructions and requirements that the surveillance authority issues in relation to the
compliance with this law.
12. Others that derive from the Constitution or from this law.
Jurisprudence Validity
ARTICLE 8. DUTIES OF THE SOURCES OF THE INFORMATION. The sources of the information
must comply with the following obligations, without prejudice to compliance with the other provisions provided
in this law and in others that govern its activity:
1. Ensure that the information provided to the operators of the databases or users is
truthful, complete, exact, updated and verifiable.
2. Report, periodically and in a timely manner to the operator, all the news regarding the data that
previously provided and adopt the other necessary measures so that the information
provided to it is kept up-to-date.
3. Rectify the information when it is incorrect and inform the operators about it.
4. Design and implement effective mechanisms to promptly report information to the operator.
5. Request, when applicable, and keep a copy or evidence of the respective authorization granted by the
holders of the information, and make sure not to provide the operators with any data whose supply is not
previously authorized, when such authorization is necessary, in accordance with the provisions of this
law.
6. Certify, every six months to the operator, that the information provided has the authorization of
in accordance with the provisions of this law.
7. Resolve the claims and requests of the owner in the way that is regulated in this law.
8. Inform the operator that certain information is under discussion by its owner, when
the request for rectification or updating of the same has been submitted, in order for the operator to include
a mention in this regard in the database until said procedure has been completed.
9. Comply with the instructions issued by the supervisory authority in relation to compliance with the
present law.
10. Others that derive from the Constitution or from this law.
Jurisprudence Validity
ARTICLE 9. DUTIES OF THE USERS. Without prejudice to compliance with the provisions
contained in this law and others that govern their activity, users of the information must:
1. Save
on the information that is provided by the operators of the databases, by the sources or the
holders of the information and use the information only for the purposes for which it was delivered, in
the terms of this law.
2. Inform the owners, at their request, about the use that is being given to the information.
3. Keep the information received with due security to prevent its deterioration, loss, alteration,
unauthorized or fraudulent use.
4. Comply with the instructions issued by the supervisory authority, in relation to compliance with the
present law.
5. Others that derive from the Constitution or from this law.
Jurisprudence Validity
TITLE IV.
OF THE DATA BANKS OF FINANCIAL INFORMATION, CREDIT, COMMERCIAL, SERVICES
AND THE COMING FROM THIRD COUNTRIES.
ARTICLE 10. PRINCIPLE OF FAVORING AN ACTIVITY OF PUBLIC INTEREST. The
financial, credit, commercial, service information management activity and that from
third countries is directly related to and favors an activity of public interest, such as the
financial activity itself, as it helps the democratization of credit, promotes the development of
credit activity, protection of public confidence in the financial system and its stability, and
generates other benefits for the national economy and especially for financial, credit,
commercial and services of the country.
PARAGRAPH 1. The administration of financial, credit, commercial, service information and the
from third countries, by sources, users and operators must be done in such a way that
allow to favor the expansion and democratization of credit. Users of this type of information
should assess this type of information concurrently with other factors or elements of judgment that
technically affect the risk study and credit analysis, and may not be based exclusively on the
information regarding the breach of obligations provided by operators to make decisions
versus credit applications.
The Financial Superintendency of Colombia may impose the sanctions provided for in this law on the
Information users who deny a credit application based exclusively on the credit report
negative information from the applicant.
PARAGRAPH 2o. The consultation of financial, credit, commercial, service information and that from
third countries by the holder, it will be free at least one (1) time each calendar month.
Jurisprudence Validity
ARTICLE 11. SPECIAL REQUIREMENTS FOR OPERATORS. Bank operators
data on financial, credit, commercial, service information and that from third countries that
function as entities independent of the sources of the information, they must comply with the following
special operating requirements:
1. They must be constituted as commercial companies, non-profit entities, or cooperative entities.
2. They must have a service area for the owner of the information, for the attention of requests, inquiries and
claims.
3. They must have a security system and other technical conditions sufficient to
guarantee the security and updating of the records, avoiding their adulteration, loss, consultation or use not
authorized in accordance with the provisions of this law.
4. They must update the information reported by the sources with a periodicity not exceeding ten (10) days.
calendar counted from the receipt of the same.
Jurisprudence Validity
ARTICLE 12. SPECIAL REQUIREMENTS FOR SOURCES. Sources will need to update
monthly information provided to the operator, without prejudice to the provisions of Title III of the
present law.
The report of negative information on breach of obligations of any nature, made by the
sources of information to the operators of data banks of financial, credit, commercial information,
services and those from third countries, will only proceed after communication to the owner of the information,
in order that it can demonstrate or make the payment of the obligation, as well as dispute such aspects
such as the amount of the obligation or fee and the due date. Said communication may be included in the
periodic extracts that information sources send to their clients.
In any case, the sources of information may report the information after twenty (20)
calendar days following the date of dispatch of the communication to the last address of the address of the
affected that is registered in the files of the source of the information and without prejudice, if it is of the
case, of complying with the obligation to inform the operator that the information is under discussion
by its owner, when a request for rectification or update has been submitted and it has not yet
been resolved.
Jurisprudence Validity
ARTICLE 13. PERMANENCE OF THE INFORMATION. <Article CONDITIONALLY enforceable> The
Information of a positive nature will remain indefinitely in the operators' databases
of information.
The data whose content refers to the time of default, type of collection, status of the portfolio, and in general,
those data referring to a situation of breach of obligations, will be governed by a maximum term
of permanence, expired which must be withdrawn from the data banks by the operator, so that the
users cannot access or consult such information. The term of permanence of this information will be
of four (4) years counted from the date on which the overdue installments are paid or the
overdue obligation.
Jurisprudence Validity
ARTICLE 14. CONTENT OF THE INFORMATION. The National Government will establish the way in which
the data banks of financial, credit, commercial, service information and that from third parties
countries, must present the information of the holders of the information. For this purpose, you must indicate a
format that allows identifying, among other aspects, the full name of the debtor, the condition in which he acts,
that is, as principal debtor, joint debtor, guarantor or guarantor, the amount of the obligation or due installment, the
time of arrears and the date of payment, if applicable.
The National Government, when exercising the power provided in the previous paragraph, must take into account that in the
report format should establish that:
a) <Literal CONDITIONALLY enforceable> A negative report is presented when the natural person (s) or
legal entities are effectively in arrears in their installments or obligations.
Jurisprudence Validity
b) <Literal CONDITIONALLY enforceable> A positive report is presented when the natural person (s) and
legal entities are up to date in their obligations.
Jurisprudence Validity
Failure to comply with the obligation set forth herein will lead to the imposition of the maximum penalties provided
in this law.
PARAGRAPH 1. For the purposes of this law, it is understood that an obligation has been voluntarily
paid, when your payment has been made without a court ruling ordering it.
PARAGRAPH 2o. The consequences provided in this article for the voluntary payment of the
Overdue obligations, it will be possible for any other way of extinction of the obligations, other than
result of a court ruling.
PARAGRAPH 3. When a user consults the status of a holder in the information databases
financial, credit, commercial, services and from third countries, these will have to give
exact information about its current status, that is, give a positive report of the users that at the moment
of the consultation are up to date in their obligations and a negative one of those that at the time of the consultation
are in arrears in a fee or obligations.
The rest of the information contained in the financial, credit, commercial, service databases and the
from third countries will be part of the credit history of each user, which can be consulted
by the user, as long as they have been informed about the current status.
PARAGRAPH 4. The administration of personal data with information exclusively
unfavorable.
Jurisprudence Validity
ARTICLE 15. ACCESS TO INFORMATION BY USERS. Information
contained in databases of financial, credit, commercial, service information and that from
Third countries may be accessed by users only for the following purposes: As an element
analysis to establish and maintain a contractual relationship, whatever its nature, as well as
for the evaluation of the risks derived from a current contractual relationship.
As an element of analysis to carry out market studies or commercial or statistical research.
For the advancement of any procedure before a public authority or a private person, with respect to which
such information is relevant.
For any other purpose, different from the previous ones, regarding which and in general or for each
In particular, authorization has been obtained from the owner of the information.
Jurisprudence Validity
TITLE V.
REQUESTS FOR CONSULTATIONS AND CLAIMS.
ARTICLE 16. PETITIONS, CONSULTATIONS AND CLAIMS.
I. Processing of consultations. The holders of the information or their successors in title may consult the information
owner's personnel, who resides in any data bank, be it from the public or private sector. The operator
must provide them, duly identified, all the information contained in the individual record or
that is linked to the identification of the owner.
The request, consultation of information will be formulated verbally, in writing, or through any channel of
communication, as long as evidence of the consultation is maintained by technical means.
The request or query will be answered within a maximum term of ten (10) business days from the
date of receipt of the same. When it is not possible to attend the request or query within said term,
will inform the interested party, stating the reasons for the delay and indicating the date on which their
request, which in no case may exceed five (5) business days following the expiration of the first
finished.
PARAGRAPH. The request or query must be addressed in depth, fully supplying all the
requested information.
II. Claims processing . The holders of the information or their successors in title who consider that the
information contained in your individual record in a database must be subject to correction or
update may file a claim with the operator, which will be processed under the following rules:
1. The request or claim will be formulated in writing addressed to the operator of the database, with the
identification of the owner, the description of the facts that give rise to the claim, the address, and if applicable,
Accompanying the supporting documents that you want to enforce. In case the writing is
incomplete, the interested party must be notified to correct the faults. One month after the date of
requirement, without the applicant submitting the required information, it will be understood that he / she has withdrawn from the
claim or petition.
2. Once the complete request or claim has been received, the operator will include in the individual record in a period not
greater than two (2) business days a legend that says "claim in process" and the nature of the same. Bliss
Information should be kept until the claim is decided and should be included in the information that is
supplies to users.
3. The maximum term to attend the request or claim will be fifteen (15) business days from the
day after the date of receipt. When it is not possible to attend the request within said term,
will inform the interested party, stating the reasons for the delay and indicating the date on which their
request, which in no case may exceed eight (8) business days following the expiration of the first
finished.
4. In cases where there is a source of information independent of the operator, the latter must provide
transfer of the claim to the source within a maximum term of two (2) business days, which must resolve and report
the response to the operator within a maximum period of ten (10) business days. In any case, the answer must be given
to the owner by the operator within a maximum term of fifteen (15) business days from the day following the
date of presentation of the claim, extendable for eight (8) more business days, as indicated in the
previous numeral. If the claim is presented to the source, it will proceed to resolve the claim directly,
but you must inform the operator about the receipt of the claim within two (2) business days after
your receipt, so that the obligation to include the legend that says “claim in
procedure ”and its nature within the individual registry, which the operator must do within the
two (2) business days after receiving the information from the source.
5. To respond to the request or claim, the operator or the source, as the case may be, must make a
complete verification of the observations or proposals of the owner, making sure to review all the
pertinent information to be able to give a complete answer to the owner.
6. Without prejudice to the exercise of the protection action to protect the fundamental right of habeas data, in
If the owner is not satisfied with the response to the request, he may resort to the judicial process
corresponding within the relevant legal terms to discuss what is related to the obligation
reported as non-compliant. The claim must be filed against the source of the information which, a
Once notified of the same, it will proceed to inform the operator within the following two (2) business days, of
a way that the obligation to include the legend that says “information under discussion
judicial ”and the nature of the same within the individual registry, which the operator must do within the
two (2) business days after receiving the information from the source and for as long as it takes
obtain a final judgment. The same procedure must be followed in the event that the source initiates a judicial process.
against the owner of the information, referring to the obligation reported as breached, and he proposes

against the owner of the information, referring to the obligation reported as breached, and he proposes
exceptions of merit.
Jurisprudence Validity
TITLE VI.
SURVEILLANCE OF THE RECIPIENTS OF THE LAW.
ARTICLE 17. SURVEILLANCE FUNCTION. <Article CONDITIONALLY enforceable> The
The Superintendency of Industry and Commerce will exercise the function of monitoring the operators, sources and
users of financial, credit, commercial, service information and information from third countries, in
Regarding the personal data administration activity that is regulated in this law.
In cases where the source, user or operator of the information is an entity supervised by the
Financial Superintendency of Colombia, this will exercise surveillance and impose sanctions
corresponding, in accordance with its own powers, as established in the Statute
Organic of the Financial System and the other pertinent norms and those established in the present law.
For the exercise of the surveillance function referred to in this article, the Superintendency of Industry
and Commerce and the Financial Superintendency of Colombia, as the case may be, will have in addition to their own the
following faculties:
1. Issue instructions and orders on how to comply with the provisions of this law
related to the administration of financial, credit, commercial, service information and the
from third countries, set the criteria that facilitate compliance and indicate procedures for their
thorough application.
2. Ensure compliance with the provisions of this law, the rules that regulate it and the
instructions given by the respective Superintendency.
3. Ensure that operators and sources have a security system and other conditions
sufficient techniques to guarantee the security and updating of the records, avoiding their adulteration,
loss, consultation or unauthorized use in accordance with the provisions of this law.
4. Order the operator, source or user to carry out external audits of systems in order to
verify compliance with the provisions of this law.
5. Order ex officio or at the request of the party the correction, update or withdrawal of personal data when this
is appropriate, in accordance with the provisions of this law. When it is at the request of a party, it must
prove to the Superintendency that a claim was processed for the same facts before the
operator or the source, and that the same was not attended or was unfavorably attended.
6. Initiate ex officio or at the request of administrative investigations against operators, sources and users
of financial, credit, commercial, service information and that from third countries, in order to
establish whether there is administrative liability arising from non-compliance with the provisions of the
present law or the orders or instructions issued by the respective surveillance body, and if it is from the
In case of imposing sanctions or ordering the pertinent measures.
Jurisprudence Validity
ARTICLE 18. SANCTIONS. The Superintendency of Industry and Commerce and the Financial Superintendency
may impose on operators, sources or users of financial, credit, commercial information,
services and those from third countries, prior explanations in accordance with the applicable procedure,
the following sanctions:
Fines of a personal and institutional nature up to the equivalent of one thousand five hundred (1,500) minimum wages
monthly legal in force at the time of the imposition of the sanction, for violation of this law, norms
that regulate it, as well as for the non-observance of the orders and instructions given by said
Superintendence. The fines provided herein may be successive as long as the non-compliance that the
originated.
Suspension of the activities of the database, up to a term of six (6) months, when there is
carrying out the administration of the information in serious violation of the conditions and requirements provided
in this law, as well as for the non-observance of the orders and instructions issued by the
Superintendencies mentioned to correct such violations.
Closure or closure of database operations when, once the suspension term has elapsed, there is no
its technical and logistical operation, and its rules and procedures, have been adapted to the requirements of the law,
in accordance with the provisions of the resolution that ordered the suspension. Immediate and definitive closure of the
operation of databases that manage prohibited data.
Jurisprudence Validity
ARTICLE 19. CRITERIA TO GRADUATE SANCTIONS. The sanctions for infractions that are
referred to in the previous article, they will graduate according to the following criteria, insofar as they are applicable:
a) The dimension of the damage or danger to the legal interests protected by this law.
b) The economic benefit that has been obtained for the offender or for third parties, by the commission of the
infringement, or the damage that such infringement may have caused.
c) Recurrence in the commission of the offense.
d) The resistance, refusal or obstruction to the investigative or surveillance action of the Superintendency of
Industry and Commerce.
e) The reluctance or contempt to comply, with the orders issued by the Superintendency of Industry and
Commerce.
f) The express acknowledgment or acceptance made by the person under investigation of the commission of the offense before
the imposition of the sanction that may arise.
Jurisprudence Validity
ARTICLE 20. TRANSITION REGIME FOR CONTROL ENTITIES. The Superintendency
of Industry and Commerce and the Financial Superintendency will assume, six (6) months after entering
validity of this law, the functions established here. For such purposes, within said term the
The National Government will adopt the necessary measures to adapt the structure of the Superintendency of
Industry, Commerce and Finance, providing it with the budgetary and technical capacity necessary to comply with
said functions.
Jurisprudence Validity
TITLE VII.
OF THE FINAL PROVISIONS.
ARTICLE 21. TRANSITIONAL REGIME. To comply with the provisions contained in the
this law, the people who, on the date of its entry into force, carry out any of the activities here
regulated, will have a period of up to six (6) months to adapt their operation to the provisions of the
present law.
The holders of the information that at the entry into force of this law were up to date in their obligations
object of report, and whose negative information has remained in the databases for at least one
year counted from the cancellation of the obligations, they will be beneficiaries of the immediate expiration of the
negative information.
In turn, the holders of the information that are up-to-date in their reporting obligations, but
whose negative information has not remained in the databases for at least one year after
Once the obligations have been canceled, they will remain with said negative information for as long as they need
to fulfill the year, counted from the cancellation of the obligations.
The holders of the information who cancel their reporting obligations within six (6) months
following the entry into force of this law, they will remain with said negative information in the
data banks for a term of one (1) year, counted from the date of cancellation of such obligations.
Once this period of one (1) year has elapsed, the negative data must be automatically withdrawn from the banks of
data.
The benefit provided in this article will be lost in the event that the owner of the information again incurs
default, event in which your report will again reflect all of the past defaults, in the
terms provided in article 13 of this law.
Jurisprudence Validity
ARTICLE 22. VALIDITY AND REPEALS. This law governs from the date of publication and repeals the
provisions that are contrary to it.
Jurisprudence Validity
The President of the honorable Senate of the Republic,
HERNÁN FRANCISCO ANDRADE SERRANO.
The Secretary General of the honorable Senate of the Republic,
EMILIO RAMÓN OTERO DAJUD.
The Speaker of the honorable House of Representatives,
GERMÁN MALE COTRINO.
The Secretary General of the honorable House of Representatives,
JESÚS ALFONSO RODRÍGUEZ CAMARGO.
REPUBLIC OF COLOMBIA - NATIONAL GOVERNMENT
Be published and enforced.
Given in Bogotá, DC, on December 31, 2008.
ÁLVARO URIBE VÉLEZ
The Director of the Administrative Department of the Presidency of the Republic, in charge of the functions of the
Office of the Minister of the Interior and Justice,
BERNARDO MORENO VILLEGAS.
***
1 Prior Review of Constitutionality. Declared Exequible by Sentence C- 1011 of October 16,
2008.

Provisions analyzed by Avance Jurídico Casa Editorial Ltda. ©
"Laws since 1992 - Express Effectiveness and Constitutional Judgments"
ISSN [1657-6241 (Online)]
Last update: May 04, 2021 - Official Gazette April 26, 2021 (51,657)

The notes of validity, concordances, notes of the editor, form of
The presentation and layout of the compilation are protected by the
copyright rules. In relation to these legal values
aggregates, it is prohibited by current regulations to
use in similar publications and for commercial purposes,
including -but not only- copying, adaptation, transformation,
reproduction, use and mass disclosure, as well as any other use
expressly prohibited by copyright regulations, which
is contrary to the regulations on the promotion of competition or
requires express and written authorization of the authors and / or owners
copyright. In case of doubt or request for authorization
You can call 617-0729 in Bogotá, extension 101. The
Entering the page implies acceptance of the rules of use of the
information contained herein.

