The processing of personal data is a process regulated by Law 1581 of 2012 in Colombia, which is why it is recommended that from the beginning, your company has a process or documentation to support that it has acquired the necessary measures to comply with the requirements for data processing.
It is essential to keep in mind who is responsible for the Processing of Personal Data, to have the ability to demonstrate if the Superintendency of Industry and Commerce requests it.
Implement adequate and effective measures to comply with the obligations established in Law 1581 of 2012 and Decree 1377 of 2013. (Incorporated in Decree 1074 of 2015) in Colombia.
According to the article “Guide on the processing of personal data for marketing and advertising purposes”, it suggests that appropriate measures are those adjusted to the needs of data processing and effective in achieving the desired result or effect. That is, inoperative, useless, inane or fruitless measures should not be adopted. Only those that are appropriate, correct, useful, timely and efficient should be established with the purpose of complying with the legal requirements for processing Personal Data.
It is very correct to emphasize that the regulations on personal data entail evidentiary burdens borne by the Data Controllers such as the following:
- Evidence must be kept of having informed the owner or owner of the data, at the time of requesting authorization, in a clear and express manner as ordered by article 12 of Law 1581 of 2012 in Colombia and, in the event that the Owner requires, give you a copy of it.
- You must always request and keep, in accordance with the conditions established in this law, a copy of the respective authorization granted by the Owner.
- Have the possibility of providing a description of the procedures used for the collection, storage, use, circulation and deletion of information, as well as a description of the purposes for which the information is collected and an explanation of the need to collect the data. in each case.
- Have documentation on the procedures that are used for the Treatment, conservation and deletion of personal data in accordance with the provisions applicable to the matter in question.
- Develop policies for the processing of personal data in your company and ensure that Data Processors fully comply with them.
- Have a Privacy Notice model and maintain its use to comply with the obligation that tends to be made known to the owners of the information to be processed. The existence of the information processing policy and the way to access it, while personal data is processed in accordance with it and the obligations derived from it persist.
- Have the necessary and reasonable measures to ensure that the personal data stored in databases are accurate and sufficient, in the event that the Owner or Controller requests data that is updated, corrected or deleted, meets the purposes of the treatment.
All of the above supported under Article 22 of Decree 1377 of 2013 in Colombia
Companies that carry out marketing, marketing and advertising activities must have useful, appropriate and effective measures that help them comply with their legal obligations. Not only this, they must also evidence and demonstrate compliance with their duties. These tools must be subject to continuous review and evaluation in order to validate their level of effectiveness in terms of compliance and degree of protection of personal data.
The challenge for companies regarding the Principle of Demonstrated Responsibility goes beyond just issuing documents or writing policies. It is a constant activity that requires demonstrating real and effective compliance in the practice of its tasks.
It is not enough to make symbolic statements of good intentions, but it is essential to demonstrate concrete results in terms of the appropriate processing of personal data in marketing, marketing and advertising projects.
To conclude, it is vital to carry out periodic and specialized training and training for the company's collaborators to provide the knowledge, guides and tools required for the correct development of the tasks that involve the “Processing of Personal Data”.