HomeAnalyticsAlertsData Protection Enforcement in Colombia: Recent Regulatory Actions

Data Protection Enforcement in Colombia: Recent Regulatory Actions

Colombia's data protection authority has shifted from issuing guidance to pursuing active enforcement. Companies that have deferred their compliance reviews are now facing a narrowing window. Sanctions under Colombia's data protection legislation are rising in both frequency and severity – and international businesses are squarely in the regulator's sights.

Colombia's Superintendencia de Industria y Comercio (Superintendency of Industry and Commerce, or SIC) is the designated data protection authority (DPA) responsible for enforcing the country's statutory data protection regime. The SIC has the power to investigate, sanction, and order corrective measures against any data controller or data processor handling personal data of Colombian residents. Penalties include substantial fines, suspension of data processing operations, and public reprimands – each capable of causing significant reputational and commercial harm.

This alert summarises the key regulatory developments, identifies which business categories face the greatest exposure, and sets out immediate actions for international companies operating in or targeting the Colombian market.

What has changed: the regulatory shift in Colombia

Colombia's data protection legislation – the statutory regime governing the collection, use, circulation, and storage of personal data – has been in force for over a decade. For most of that period, enforcement was relatively infrequent. That environment has changed materially.

The SIC has significantly expanded its enforcement activity. Its recent regulatory actions include formal investigations into inadequate consent mechanisms, failures to honour data subject rights, and unlawful cross-border data transfers. The authority has issued binding orders requiring companies to overhaul their data processing registries and internal compliance programmes.

A central focus of recent SIC actions is the Registro Nacional de Bases de Datos (National Database Registry. Alternatively. RNBD). the mandatory public register in which all data controllers processing personal data of Colombian residents must enrol their databases. The SIC has intensified audits of RNBD registrations and has begun imposing sanctions on companies with incomplete, inaccurate, or missing registrations.

In parallel, the SIC has scrutinised the adequacy of consent mechanisms deployed by businesses. Blanket or bundled consents, pre-ticked boxes, and consent language embedded in general terms and conditions are no longer considered acceptable. The authority expects granular, freely given, specific, and informed consent – a standard that has drawn comparisons to GDPR compliance standards applied in European jurisdictions.

Cross-border data transfers have also attracted heightened attention. Under Colombia's data protection legislation. Transferring personal data to a recipient outside Colombia requires either the destination country to offer an adequate level of protection or the parties to execute a data transfer agreement approved by the SIC. Many international companies operating through Colombian subsidiaries or processing Colombian customer data from abroad have not yet put these instruments in place.

Who is affected: thresholds and business categories

The SIC's enforcement remit applies to any natural or legal person – whether domiciled in Colombia or abroad – that processes personal data of Colombian residents. There is no minimum size threshold. A foreign company that collects even limited personal data through a Colombian-facing website, app, or commercial relationship falls within the scope of the legislation.

In practice, the SIC's recent investigations have concentrated on the following business categories:

  • E-commerce platforms and digital marketplaces operating in the Colombian market
  • Financial services providers, including fintechs and credit intermediaries
  • Healthcare operators and telemedicine providers processing sensitive personal data
  • Human resources and payroll service providers acting as data processors
  • Technology companies transferring Colombian user data to servers outside the country

Sensitive personal data – including health information, biometric data, political opinions, and religious beliefs – attracts the highest scrutiny. Data processors handling this category on behalf of a data controller bear direct obligations and cannot rely solely on the controller's compliance posture.

International companies that have structured their Colombian operations through a local subsidiary should note that the subsidiary itself qualifies as a data controller under Colombian law. The parent entity may also be considered a controller or processor depending on the flow of data within the group. Both entities may face independent sanctions if their respective obligations are not met.

To receive an expert assessment of your company's data protection exposure in Colombia, contact us at info@ferrazwhitmore.com.

What to do now: immediate action items

The compliance deadline for RNBD registration is continuous – the obligation is live and ongoing. Companies that have not yet registered, or whose registrations are outdated, are already non-compliant. The SIC does not provide a grace period once an investigation has opened. The following actions should be prioritised without delay.

Audit your RNBD registration. Verify that all databases containing personal data of Colombian residents are enrolled in the National Database Registry. Confirm that the information on record accurately reflects your current data processing activities, including any new data categories or processing purposes introduced since initial registration.

Review your consent mechanisms. Assess whether your current consent language and collection processes meet the SIC's expectations. Bundled or generalised consents should be replaced with specific, layered mechanisms that allow data subjects to grant or withhold consent for each distinct processing purpose.

Map your cross-border data transfers. Identify every transfer of Colombian personal data to a recipient outside Colombia – including intra-group transfers to parent companies, affiliates, or cloud service providers. For each transfer, confirm whether a data transfer agreement is in place and whether it has been submitted to or recognised by the SIC.

Clarify data controller and data processor roles. Document the allocation of responsibilities between your Colombian entity and any group companies or third-party vendors involved in processing Colombian personal data. Ensure that data processing agreements with external data processors contain the clauses required under Colombian data protection legislation, including provisions on security measures and sub-processing authorisation.

Verify your data subject rights procedures. Confirm that your organisation can respond to requests from Colombian residents to access, correct, suppress, or revoke consent for their personal data within the timelines prescribed by Colombian law. Failure to honour these rights has been a recurring basis for SIC enforcement actions. Companies advising on technology-driven data processing should also review our analysis of AI and technology law obligations in Colombia, given the increasing overlap between automated decision-making and data protection requirements.

For a comprehensive review of your organisation's data protection posture in Colombia, including RNBD registration status and cross-border transfer arrangements, visit our dedicated data protection services page for Colombia.

For broader context on how enforcement trends in the Americas are converging, see our related alert on data protection enforcement in the United States.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies in managing compliance obligations, DPA investigations, and cross-border data transfer arrangements across Latin American and European markets. Engaging a lawyer in Colombia or across the region with experience in both civil law data protection regimes and GDPR compliance frameworks is particularly valuable when enforcement activity intensifies. As a law firm in Colombia and across the Americas, we advise multinationals, technology companies, and financial services groups on the full spectrum of data controller and data processor obligations. Our attorneys have advised on data transfer and consent mechanism matters before the SIC and in cross-border contexts involving both civil law and common law systems. To discuss your organisation's exposure under Colombia's data protection legislation, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.