Show more results...

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Join our team
EN / ES

As we consider it to be of your interest, please find below a brief summary of Decree 255 issued in February 2022. This regulation develops the provisions of the Colombian general data protection law regarding the Binding Corporate Rules (BCRs).
What are Binding Corporate Rules (BCRs)?
According to Colombian Decree 255 of 2022, the BCRs are policies, principles of good governance, or codes of best practices applicable to data controllers in Colombia that transfer personal data to other data controllers located abroad that are part of the same group of undertakings or enterprises.
The BCRs will be part of the Data Protection Management Program of the data controllers that belong to the group of undertakings or enterprises that adopt them.
Who is obliged to adopt them?
Those groups of undertakings or enterprises that transfer personal data to a controller of such group outside the Colombian territory, unless the group applies other data transfer mechanisms established in the Colombian law. They will be binding and mandatory for those companies that belong to the groups of undertakings or enterprises that adopt them.
Who will control and monitor their implementation?
The Superintendence of Industry and Commerce (SIC) will (i) establish the specifications applicable to the BCRs, (ii) publish the date from which data subjects may submit the requests of the groups of undertakings or enterprises, (iii) review and approve the BCRs, and (iv) investigate and sanction the data controller in Colombia for violations committed by any of the members of the group of undertakings or enterprises.
What should I do to identify if I am obliged and how should I implement them?
First, review the current privacy program of your clients to identify if they transfer data to members of the same group of undertakings or enterprises abroad, and verify if they are already entitled to do so under the grounds provided, or if they would be obliged to adopt BCRs. If they intend to implement BCRs originating from a parent company in Europe, be aware that the concepts of transfer are different in the Colombian regulation and the European regulation, so the corresponding adaptations will have to be made. Also, the rights of the data subjects, general requirements and mechanisms for the implementation of BCRs may also differ from the European regulation.
Therefore, we recommend checking with your clients in case they operate in Colombia and transfer data to third countries that are part of the same group of undertakings or enterprises.