The Colombian Superintendence of Industry and Commerce (the “SIC”) forbade the use of digital or manual fingerprints for personal data processing under Covid

27/03/2020

The SIC issued Circular 002 of 2020, whereby it ordered personal data Controllers and Processors to restrain themselves from using manual, digital or any other kind of fingerprint reader that could allow the spread of COVID19 

For the SIC, the fingerprint readers are tools used for the processing of personal data in which people include their fingerprint and therefore there could be indirect contact that could lead to infection of COVID-19. Thus, the SIC considered necessary forbidding the use of this mechanism or procedures while the emergency state remains. 

The SIC issued this order, under its legal attributions (section e) from article 21 of Law 1581 of 2012, under which “[…] issue instructions over the measures and procedures needed for the adaptation of the operations for the Controllers and Processors to the dispositions included in the Law […]”) 

This order does not apply for biometric identification systems in which the use of the device is individual and personal.

Information regarding the use of electronic, digital, digitalized signatures

23/03/2020

The Technology, Communications, and Data Protection Practice Group at Gómez-Pinzón Abogados present considerations regarding the use of electronic, digital, digitalized signatures given the recent measures taken by the Colombian government due to public health reason that difficult face-to-face negotiations. 

Therefore, there has been an increasing necessity to conduct legal acts without being present, and particularly, to have minimal security conditions for proving the willingness of the parties of such legal acts by electronic means. In that regard, below we present the general terms, the three aforementioned concepts: 

1. Electronic Signature: refers to a data message that represents the acceptance of an individual regarding a digital document, such as a contract. Whenever using an electronic signature, it is important to consider that regarding this data message some aspects are not certified by themselves such as the authenticity, integrity, and non-repudiation (no repudio) that, conversely, are indeed certified by the use of a Digital Signatures. The willingness to conduct a legal act through systems that allow proving the authenticity with access credentials to a system with user and password could have the same effects of an electronic signature, given the absence of the aforementioned certifications of specific conditions. This is a valid mechanism to conduct legal acts and prove willing to make these acts as per Law 527 of 1999. 

2. Digital Signature: This is an alphanumeric value added to a data message that using a mathematical method, certifies that such value has been obtained with the password of the sender of the message and certifies the integrity of the message itself. This is an authentication method for electronic documents in which a third party intervenes, known as a certification entity, who ensures the essential conditions of the signature for its validity. This is a valid mechanism to conduct legal acts and prove willing to make these acts as per Law 527 of 1999 and offers a higher level of certainty compared to an electronic signature. 

3. Digitalized signature: This is a scanned image of a physical signature and by itself cannot be considered as an electronic signature as per the Colombian Law, provided that it does not meet the minimum requirements as per Law 527 of 1997 and, therefore, its sole inclusion would not be considered valid to prove the willingness of a party that supposedly “signs” the document. If it is included in a Data Message, this would not increase its validity by the inclusion of a scanned image of a signature in the document. 

For the development of distance businesses, these are ideal methods given that messages that are signed by an electronic signature or digital signature would have the same value as evidence as a physical signature. In the same manner, in all judicial or administrative acts, the validity, effectiveness or value as evidence of any information as a data message only by being in this format. 

If any doubt arises in this regard or if any help is required in the implementation of these legal figures, do not hesitate on contacting us.

Data processing and management

13/03/2020

Regarding the gathering of personal data of employees or contractors, companies must restrain themselves from collecting information concerning possible symptoms that these individuals (or their relatives) might have shown without having obtained prior and appropriate authorization for such processing of sensitive data, provide that their consent for this operation is required by the Colombian Data Protection Legal Framework. 

• Except for the regular periodic medical labor evaluations, there shall not be any imposition to employees to fill any query regarding symptoms nor shall they be obliged to inform in advance their travel plans or any other measures that could be invasive to their privacy.
• If an employee reports symptoms of sickness or there is reason to suspect that there has been contagion of COVID-19, it is advisable to implement strict security measures over such personal data, without limiting the implementation of registries and supports regarding the measures adopted by the employer. These registries must consider among other measures: i) be subject to restrictions of access, except for the areas in charge; ii) register the minimal quantity of personal data possible; and iii) if possible, be subject to the use of anonymization mechanisms.