Complying with Colombian data protection law: a guide to consent

DATA PROTECTION LEADER | A Cecile Park Media Publication | November 2017

Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.

The main pillar of Statutory Law 1581 of 2012 (October 17) Which Issues General Provisions for the Protection of Personal Data (‘the Data Protection Law’) is the requirement for data controllers to obtain consent from data subjects to lawfully process their personal data. However, the Colombian data protection authority (‘SIC’) has been faced with many cases of controllers not complying with this obligation. Luis Alberto Montezuma Chavez, Privacy and Data Protection Specialist, outlines SIC’s investigations into data subjects’ complaints, and the reasoning behind its imposition of fines, in order to help organisations comply with the Data Protection Law’s requirements.

Luis Alberto Montezuma Chavez, Privacy and Data Protection Specialist, luismontezumachavez@gmail.com, Bogotá, Colombia

image: busypix / E+ / Getty Images

Obtaining consent

Recent cases investigated by SIC have involved Colombian companies accused of using personal data to send direct marketing without first obtaining the consent of data subjects to process their data for such purposes. Some companies used an opt-out method rather than an opt-in method to legalise their use of the personal data they collected. However, Colombian law prohibits the use of opt-out methods. In the abovementioned cases, the data subjects did not know about the collection and use of their information until they received marketing communications from the companies.

Other investigated companies were not able to provide any evidence to support their claims that data subjects had accepted the use of their information for multiple purposes. Under Colombian law, when personal data is collected for multiple purposes, consent is required for each use and must involve a clear affirmative action.

The cases

In the matter of SuperGiros S.A.S., SIC found that the company, which provides money transfer services, committed unfair and deceptive acts when collecting and using personal data for multiple purposes. SuperGiros did not obtain the informed consent of data subjects; that is to say, data subjects did not know that their personal information would be used for purposes other than the simple money transfer operation they had ordered. SIC considered such practices unfair and deceptive under Article 4 of Decree 1377 of 2013 (June 27) Which Partially Regulates Law 1581 of 2012 (‘the Decree’). SIC stressed, ‘Consequently, SIC has found that SuperGiros had been undertaking deceptive practices through its consent model, which had the goal of inducing its clients to provide their data to be used for purposes other than those necessary in the ordinary course of its business without the informed knowledge of those clients. The model even included the possibility of sharing personal data with third parties.’

According to Article 12 of the Data Protection Law, data subjects must be informed, at a minimum, about:
• the identity of the controller;
• the intended purposes of the processing of the provided personal data;
• the optional nature of the answer given to the questions asked, when they pertain to sensitive personal data or to the personal data of children;
• the rights of information, access and rectification or erasure of their data, as well as the rights to withdraw consent at any time and/or to object to any processing; and
• the contact details of the controller so that data subjects may exercise their rights.

In addition, in the matter of Bilingual School Clermont Ltda., SIC found that the school collected and maintained, among other categories of data, children’s personal information without explicit parental consent.
In this case, SIC highlighted, ‘[N]ot only did the school use personal data without obtaining the express and informed consent of data subjects prior to the processing, but also within that group there were subjects with special constitutional protection such as children.’ Under Article 12 of the Decree, collecting information from children is lawful only if, and to the extent that, consent is given by their parents or guardians. Moreover, as per Article 7 of the Data Protection Law, an exception applies only to the processing of data that are public in nature.
Finally, in the matter of L&F Consultorias Legales y Financieras S.A.S., SIC found that the company had obtained personal data from different public sources, among them the location of polling stations published on the National Civil Registry’s website, with the purpose of sending marketing to data subjects’ postal addresses, without providing evidence to SIC that it had gained the prior and informed consent of the individuals concerned.

SIC noted, ‘[T]he company processed personal data to send commercial offers to the postal addresses of data subjects without complying with the Law. During the investigation, the company did not show any evidence of having obtained the prior and express consent of the individuals concerned to process their data, or that it had informed them of the existence of the processing and its purposes and of their rights pursuant to giving their consent. This information must be provided before and in any event at the moment of requesting consent.’

SIC therefore prohibited L&F Consultorias from collecting personal data unless it obtained the prior consent of data subjects. It also required L&F Consultorias to obtain valid forms of consent in order to comply with the Law.
Recommendations
In order to obtain valid consent under the Law, companies must take into account, at a minimum, the following rules:

1. The consent given must be express (or explicit), informed and obtained before collecting personal data, unless specific exemptions apply (e.g. to protect the individual’s vital interests). Express consent is the lawful basis for the use of personal data. Moreover, explicit consent is the way of legitimising the use of special categories of data. Under Article 5 of the Data Protection Law, sensitive personal data is defined as that relating to ethnicity, political opinions, religion, trade union membership, health and the sexuality of data subjects, and includes biometric data. Greater protections apply to the collection of sensitive data compared to other kinds of data.

2. It is important to identify the purposes for collecting personal data in each business and/or area of the company, and to evaluate the effectiveness of implementing a single consent model for each specific category of individuals, e.g. clients, providers or employees (subject to certain exceptions, such as children’s data). Conversely, using multiple consent models can make it harder to keep policies closely aligned, which is necessary so that cooperation between divisions is not hindered. The model for obtaining consent must contain at least the following information:
• the forms of processing that personal data will be subject to and the purpose of the processing;
• the optional nature of answering certain questions when they pertain to sensitive personal data or children’s data;
• the rights of data subjects; and
• the identification of the controller, as well as their physical or electronic address and telephone number.

3. The option should be given to data subjects to consent separately to different types of processing wherever appropriate. Moreover, requests for consent must be separate from an organisation’s general terms and conditions.

4. Data subjects should be provided with a clear, concise and easily accessible privacy policy, which should be made available online, via email or at the business’ location when the consent is obtained. This is particularly important because data subjects should be aware of and understand exactly how companies are going to use their data.

5. Companies should ensure that personnel are knowledgeable about how to get a data subject’s express (or explicit) consent. In addition, they should ensure that the parties responsible for requesting the consent are held accountable for its acquisition.

6. Organisations should keep records to demonstrate what the data subjects have consented to, including what they were told, and when and how they consented to the processing of their data.

7. Consent models should be evaluated and adjusted in light of relevant circumstances that may change an aspect of the authorisation given by the data subject (e.g. changes in the purposes of the processing, technological developments, organisational or societal developments, regulations or privacy policies).
Conclusion
Based on the examination of the sanctions imposed by SIC, we can deduce that companies (the controllers) employ unsatisfactory practices to collect personal data from individuals (the data subjects) in violation of the Law. It is important to state, in conclusion, that all companies must be accountable for providing clear and real information to data subjects about the processing of their data, as well as obtaining their consent before collecting any information from them. This will help companies not only to ensure a fair and transparent collection of data subjects’ data, but also to avoid sanctions.