August 15, 2018

New Requirements for Colombia's National Registry of Databases

Holland & Knight Alert
Danilo Romero Raad | Camila Lopez


Interested parties are reminded that, under Decree 090 of Jan. 18, 2018, legal corporations and nonprofit companies with assets that exceed 610.000 Tax Value Units (TVU), equivalent to approximately $20.225 million Colombian pesos, are required to register their corresponding databases in the Superintendence of Industry and Commerce's (SIC) National Registry of Databases (NRD) before Sept. 30, 2018.

In addition, through External Circular No. 003 of Aug. 1, 2018, the SIC modified the obligations for the responsible management parties, as follows:

  1. The general annual update of the information registered in the NRD must be done between Jan. 2 and March 31, 2020.
  2. The first report of claims presented by holders must be done starting in 2019, with the information corresponding to the first semester reported in the second semester.

Taking the aforementioned into account, the following are the obligations that those responsible for the management of databases must comply with:

  1. From Jan. 2 to March 31, 2020: General update of the information registered in the NRD
  2. From 2019, during the first 15 labor days of February and August: Update the information related to holders' complaints
  3. During the first 10 labor days of each month: If the databases registered in the NRD had significant changes

A change is considered significant when it is related to: 1) the database purpose, 2) the person in charge of the treatment, 3) service channels for holders of the information, 4) the classification or type of personal data that is stored, 5) the security measures implemented by the company, 6) the privacy policy and 7) the international transmission and/or transference of personal data.

  4. Finally, interested parties are reminded that it is an obligation to inform the NRD of any security incident during the 15 labor days following the detection of this incident.

Those responsible for the management of databases that are not required to register them in the NRD must also report any security incidents within 15 labor days.

Clients seeking more information on NRD requirements may contact the authors.



Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.
