The People’s Republic of China (PRC) and Colombia have their own laws and regulations to protect the privacy and personal data. Both equally seek to guarantee the rights of the data owners and regulate the correct use of personal data when collected, stored, and processed the course of doing business in each country or abroad Compliance with these legal provisions is mandatory for natural persons and legal entities.
These are the most relevant aspects to be considered by anyone that collects, stores, and processes personal data in the PRC and Colombia:
Which are the main laws and regulations of personal data in the PCR and Colombia?
CGDPR*
The protection of personal data in Colombia is mainly regulated by: i) Law 1581 of 2012 and ii) the Regulatory Decree 1074 of 2015 in its chapter 25, among other rules that develop it. This set of rules will be called “CGDPR”.
PIPL**
The protection of personal information is mainly regulated by: i) the Cybersecurity Law; ii) the Data Security Law; and iii) the Personal Information Protection Law. For the purposes of this exercise, only the Personal Information Protection Law will be considered, which will be called “PIPL”.
Which are the roles in personal data protection?
CGDPR
CGDPR establishes three main roles for personal data processing:
-
- Controller: decides which processing operations will be applied to the personal databases.
Article 4 (e) of Law 1581 of 2012.
-
- Processor: conducts the data processing in accordance with the instructions given by the Controller.
Article 4 (d) of Law 1581 of 2012.
-
- Data subject: natural person whose personal data is the object of processing.
Article 4 (f) of Law 1581 of 2012.
PIPL
PIPL establishes several roles for personal information handling:
-
- Personal information handler: It is responsible for their personal information handling activities and shall adopt the necessary measures to safeguard the security of the personal information they handle.
Article 4 (f) of Law 1581 of 2012.
-
- Entrusted person: handles personal information as agreed with the personal information handler. it is necessary to establish the conditions for the processing of personal information by means of an agreement between the parties.
Article 73 of Personal Information Protection Law of the People’s Republic of China
-
- Natural persons: natural individual whose personal data is the object of handling.
Article 21 and 59 of Personal Information Protection Law of the People’s Republic of China
-
- Personal information protection officer: person responsible for supervising personal information handling activities, adopted protections measures, among others. When personal information handlers reach the quantities provided by the government authority they shall appoint a personal information officer.
Article 2 of Personal Information Protection Law of the People’s Republic of China.
What is the scope of application of these laws?
CGDPR
-
In general, the CGDPR applies to any personal data contained in any database. The CGDPR regulates the processing of personal data within the Colombian territory and the situations where processors and controllers of said data despite of being outside of the Colombian territory fall under the scope of the Colombian law. However, there are some data processing activities that are outside of the CGDPR scope.
Article 2, Law 1581 of 2012.
PIPL
-
The PIPL applies to data processing activities that take place within the borders of the PRC. However, this law also applies where someone handles outside the PRC territory personal information of individuals who are located within the PCR.
Article 3 of Personal Information Protection Law of the People’s Republic of China.
Personal Data v. Personal Information
CGDPR
-
Personal Data is any information linked or that can be associated to one or several determined or determinable natural persons.
Article 3(c) of Law 1581 of 2012.
PIPL
-
Personal Information is any type of information related to identified or identifiable natural persons.
Article 4 of Personal Information Protection Law of the People’s Republic of China.
Sensitive Data v. Sensitive Personal Information
CGDPR
-
Sensitive Data are defined as those which affect the privacy of the Data Subject or whose improper use may lead to discrimination against the Data Subject. In the authorization for processing personal data, the data controller must inform the data subject about which sensitive data will be processed and that it is not mandatory to provide this information.
Article 5, Law 1581 of 2012.
PIPL
-
Sensitive Personal Information is defined as the personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons and grave harm to personal or property security. Authorization for the processing of sensitive personal information must be obtained separately.
Articles 28, 29 and 30 of Personal Information Protection Law of the People’s Republic of China.
-
Authorization for the processing of sensitive personal information must be obtained separately.
Articles 28, 29 and 30 of Personal Information Protection Law of the People’s Republic of China.
Authorization for processing Personal Data v. Individual consent
CGDPR
-
Authorization for processing personal data must be prior, express, and informed. It may be obtained by any means that allow subsequent consultation of what has been authorized. It must contain the purposes of the processing, among other legal requirements.
Article 4(c) and article 9 of Law 1581 of 2012.
PIPL
-
Individuals must give their consent under the condition of full knowledge, and in a voluntary and explicit statement. In some cases, legal provisions may require separate and mandatory written consent, which must be complied with.
Article 14 of Personal Information Protection Law of the People’s Republic of China.
-
If the purposes of the processing change the handling method, or the categories of handled personal information, a new consent must be obtained.
Article 14 of Personal Information Protection Law of the People’s Republic of China.
Data flows between personal information handlers
CGDPR
-
Transfer is the flow of information that takes place between personal data controllers. When the transfer takes place within the national territory, the CGDPR does not expressly establish requirements for the transfer. If the transfer is outside Colombian territory, the CGDPR has special requirements to regulate the matter.
Article 26 of Law 1581 of 2012 and article 2.2.2.25.5.1 of Regulatory Decree 1074 of 2015.
PIPL
-
PIPL does not assign a specific name to the information flow operation that takes place between personal information handlers. However, it establishes the obligation to notify individuals on the information to be sent, the identification of the personal information handler that receives it, the purposes of the processing and the method of processing, among other details of this operation.
Article 23 of Personal Information Protection Law of the People’s Republic of China.
-
For the receiving personal information handler, the law establishes the obligation to obtain a new consent from the individual in case that the purposes or methods of the processing change.
Article 23 of Personal Information Protection Law of the People’s Republic of China.
Data flows between personal information handler and entrusted party within borders
CGDPR
Transmission is the flow of information that takes place between the personal data controller and personal data processor. The CGDPR expressly regulates the transmission of personal data; for its operation, it requires the execution of a contract for the transmission of personal data that must comply with the requirements indicated in the decree regulating this matter.
PIPL
-
The PIPL does not assign a specific name to the information flow operation performed between the personal information handler and the entrusted person. However, it establishes the obligation to enter into an agreement that determines the details of the processing. The entrusted person may not retain the information, which implies that the entrusted person must return or delete it.
Article 21 of Personal Information Protection Law of the People’s Republic of China.
-
The entrusted person may not give the personal information for processing to another entrusted person without the consent of the personal information handler.
Article 21 of Personal Information Protection Law of the People’s Republic of China.
If you wish to learn more about this matter, please contact our head of the Data Privacy Unit of OLARTEMOURE Martha Gaitán at martha.gaitan@olartemoure.com. Thank you
