The Superintendence of Industry and Commerce, as the Data Protection Authority, updated its guidelines for implementing the Principle of Accountability in international transfers of personal data.
Said document contains specialized recommendations so that the cross-border circulation of data is carried out respecting the rights of the data subjects whose information is sent to other countries. This guideline is additional and complementary to the one published by the authority in 2015 (Guide for the implementation of Accountability).
The Colombian Data Protection Authority published the guidelines for implementing the Principle of Accountability on May 28, 2015. However, said document does not refer to the cross-border flow of personal data.
Through Circular Externa of August 10, 2017, the Colombian authority ordered the following in the first paragraph of numeral 3.2:
"Without prejudice to the transfers of personal data being made to countries that have an adequate level of protection, those Controllers, by virtue of the principle of Accountability, must be able to demonstrate that they have implemented appropriate and effective measures to guarantee the adequate processing of the personal data that they transfer to another country and to grant security to the records at the time of making the transfer".
Thus, at the end of 2019, the DPA considered it necessary to publish a complementary document that developed what is related to the Principle of Accountability in the international transfers of Personal Data. This guideline was revised and updated in 2021 to improve its content and consider recent international documents such as, among others, the Implementing Decision (EU) 2021/914 regarding the standard contractual clauses for the transfer of personal data to third countries.
The specific recommendations embedded in the document are the following:
- Carry out Privacy Impact Assessments (PIAs) before transferring the data to another country.
- Incorporate privacy, ethics, and security by design and by default.
- Verify that you are empowered to transfer or transmit personal data to another country.
- Establish how the accountability measures to transfer personal data will be demonstrable.
- Ensure compliance with the purposes to be achieved with the accountability measures.
- Consider the subsequent transfers of personal data.
- Replicate proactive measures for the Processing of Personal Data to international transfers of said information.
- Articulate the accountability tools in a contract adjusted to the particularities of each transfer.
- Increase trust and transparency with your clients and third-party data subjects.
Additionally, in other guidelines, the Colombian DPA has referred to and recommended Accountability strategies to be implemented in relation to the Processing of Personal Data. For example, this was expressly included in the following guidelines:
- Guide on data processing in the horizontal property (pages 19-20)
- Guide on data processing for e-commerce purposes (pages 4-6)
- Data processing guidelines for marketing and advertising purposes (pages 8-10)
The 2021 guideline is one of the different actions that the Colombian authority has carried out so that the adequate processing of personal data is guaranteed in practice and human rights are respected.