Colombia Is Getting Ready to Become the Next Country to Facilitate BCRs
You may be familiar with Binding Corporate Rules (BCRs) in the context of the GDPR and EU data transfers. But long before the GDPR, EU data protection authorities (DPAs) determined that it was possible to transfer personal information to countries outside the EU based on an internal policy that applied to a company group. Through that internal policy, personal information could have the same level of protection throughout the group, regardless of the country to which the personal information was transferred.
In recent years, we have seen quite a few non-EU countries, such as Argentina, the Dubai International Financial Centre, Turkey, Switzerland, and the United Kingdom, also facilitate their own BCRs. The most recent country to add BCRs to its roster of transfer mechanisms is Colombia.
On February 23, 2022, almost 10 years after the enactment of Colombia’s data protection law, Law No. 1581 of 2012, the Colombian Ministry of Commerce, Industry, and Tourism issued a decree establishing the conditions that BCRs will need to meet. Issuance of this decree paves the way for the DPA, the Superintendence of Industry and Commerce, to specify the provisions that must be included in BCRs and establish an approval/certification process. Once these rules and processes are in place, companies will be able to submit their Colombian BCRs for approval. Currently, Colombian law provides for limited bases to transfer personal information to countries outside Colombia, such as contractual necessity, individuals’ express consent, or special approval of the DPA; Colombia does not have (the equivalent of) standard contractual clauses.
According to the requirements in the decree, in order to receive approval, Colombian BCRs must guarantee compliance with the data protection principles enshrined in the law and regulatory decrees; the rules on processing sensitive personal data; the rights of individuals; the legal bases for the processing of personal data; and the duties of those responsible for the processing.
In particular, the BCRs must establish mechanisms to ensure that the processing of personal data complies with certain data processing principles, such as the principles of (i) lawfulness, loyalty, and transparency; (ii) purpose limitation; (iii) data minimization; (iv) data integrity; and (v) accountability of the controller. These principles are very similar to the principles under Article 5 of the GDPR and the requirements applicable to EU BCRs.[1]
In addition to these data processing principles, Colombian BCRs must also contain, among other measures, a description of data flows and processing activities; third-party beneficiary rights for individuals; restrictions on external transfers; training requirements; complaint and request handling procedures; a privacy governance structure; and audit requirements. These requirements again are very similar to those of the EU BCRs. However, since it is now up to the DPA to establish specifications and/or additional requirements, the possibility remains for the provisions in the Colombian BCRs to still end up deviating from those in the EU BCRs.
Companies will not be able to submit their Colombian BCRs for approval until the DPA has published its requirements on its website. However, it has already been indicated that, as part of the approval process, the DPA will verify that Colombian BCRs are legally binding on and applicable to all members of the same business group. Notably, Colombian BCRs will need to apply to all companies within the group; it will not be possible to exclude any group company from the scope of the Colombian BCRs. This is a clear contrast to the EU BCRs, which allow companies to choose which of their legal entities will be covered.
Group companies subject to the Colombian BCRs will be jointly and severally liable for compliance with their obligations under the BCRs. The DPA may investigate and sanction the Colombian controller for infractions committed by any foreign group company under the BCRs.
Those familiar with the EU BCRs will notice that the requirements for the Colombian BCRs largely overlap with the requirements for the EU BCRs. Companies that already have EU BCRs may therefore seek to leverage their existing BCRs and compliance programs to comply with the requirements applicable to Colombian BCRs as currently set out in the decree. However, as indicated, the full contours of the requirements will not be apparent until the DPA has published them, which has yet to happen. One thing is already certain: as is the case for most other countries’ BCRs, companies will have to create a separate standalone document for their Colombian BCRs. While it will be possible to leverage the drafting and setup of the existing EU BCRs, it will not be possible to have one set of BCRs covering both Colombia and the EU. As a result, companies doing business in Colombia will have yet another set of BCRs to implement and maintain.
[1] The Working Party 29 Working Document on Binding Corporate Rules for Controllers, including a table of the elements and principles to be included in EU BCRs, is available here: https://ec.europa.eu/newsroom/article29/items/614109.