Does your business in Colombia handle personal data? Here’s what you need to know after the SIC’s new circular

Do you have a business in Colombia? Then there’s something you can’t overlook: the processing of personal data from your clients, providers, employees, or users.


And it’s not just a best practice — it’s a legal obligation.

The Superintendence of Industry and Commerce (SIC) has just issued a new circular with clear instructions for companies — and especially for their administrators — on how to manage these data responsibly and securely.


We’ll explain what this new regulation says and how it can directly impact the operation of your business in Colombia.

What is this new circular about?

The SIC updates the manual: the rules of the game on data protection are now clearer (and more demanding).


External Circular No. 003 of August 23, 2024, issued by the Superintendence of Industry and Commerce (SIC), reinforces the obligations of corporate administrators regarding the protection of personal data.

This applies to any natural or legal person who manages, represents, or runs a company.

Although the circular does not change the law, it does clarify how companies must act when handling personal data, in accordance with the principle of accountability, which requires not only complying with the regulations, but also being able to demonstrate that compliance through proper policies, procedures, and records.

What is considered “processing of personal data”?

You don’t need to have a massive database to be required to comply with data protection regulations.
Just by storing or using a person’s information, you are already processing personal data.

This includes any action such as collecting, storing, using, sharing, or deleting that information.

Data processing includes any action you take with information such as:
– Full names
– Email addresses
– Contact numbers
– Medical history
– Location
– Employment or financial data

In other words: if you have an Excel sheet with customer information, you’re already processing personal data and are subject to this regulation — regardless of the size of your business in Colombia.

What is the SIC reminding companies about?

Protecting personal data is not optional, nor is it just about placing a notice on your website.
It is a real responsibility for any company. The SIC is reminding companies that the right to habeas data must be taken seriously, which means:

✅ You must inform individuals that you are going to process their personal data and obtain their consent
✅ You must have clear internal policies to protect personal data
✅ You must apply preventive corporate measures — not wait until there’s a complaint or a sanction
✅ You must demonstrate that you comply with the law — not just say that you do

The circular brings back the principle of accountability: it’s not enough to comply — you must be able to prove that you are doing so. This applies to any business in Colombia that collects or manages personal data in any form.

What does the Constitution say about it?

This circular didn’t come out of nowhere — it has a constitutional foundation.

The SIC relies on several key articles of the Political Constitution of Colombia:
– Article 15: The right to privacy and good name
– Article 333: Free enterprise has a social function
– Article 2: The State must protect fundamental rights

This means that data protection is not just an administrative or commercial issue, but also a matter of human rights and corporate social responsibility, especially for those running a business in Colombia.

What should companies do?

It is essential to create or update your privacy policies, contracts, and all documents related to the handling of personal data.

With the new circular, all companies must ensure they have:
– A privacy policy
– A cookie policy
– A personal data processing policy
– And, if applicable, image use authorization

These policies must be clear, visible, and accessible to all individuals whose data you collect.
They must also be disclosed through the same channels where the data is collected, ensuring compliance with the principle of accountability.

It’s not just about having documents: they must be implemented effectively — especially if you want to avoid legal issues in your business in Colombia.

In addition:
– You must implement real information security protocols.
– You must obtain clear and verifiable consent from your users or clients.
– You must regularly clean your database, removing any information that is no longer necessary for your operations — and keep a documented record of this process.
– You must have communication channels in place so that users, employees, providers, and others can report any concerns or updates regarding the use of their personal data.
– You must be able to respond to any request from the SIC by demonstrating that you comply with the law.

This applies whether you’re a large company with thousands of users — or a small business that stores client data in a spreadsheet.

What if you don’t comply?

The SIC is no longer just making recommendations — it can now impose economic sanctions on companies that fail to meet these obligations.

Failing to comply with these requirements can lead to fines, investigations, and serious legal issues.

In recent years, the SIC has already sanctioned multiple companies for selling databases, not protecting user information, or failing to respond appropriately to data update or deletion requests.

What can you do right now?

Don’t wait until there’s a problem to act.

👉 Conduct an internal audit of how your company uses data
👉 Make sure you have clear data processing and privacy policies
👉 Train your team on data protection
👉 Align your operations with what the circular requires

Do you have questions about how your company handles personal data? Write to us.
We’ll help you evaluate your compliance level and implement real protection measures for your business in Colombia.

Get started with a free case assessment

What will happen after you fill out this form?

After submitting the form, your case undergoes a comprehensive review by our team of specialists to assess its viability. Providing clear and concise information about your objectives accelerates this process.

Subsequently, a specialist will be assigned to your case, reaching out to you within a day to clear up details about your case and outline the next steps to help you achieve your goals.
