Colombia Data Protection Law (Law 1581 of 2012)

Colombia

v2012

6 domains

28 controls

Colombia's Law 1581 of 2012 establishes the general framework for the protection of personal data, regulated by Decree 1377 of 2013. It defines principles for lawful processing, requirements for consent, data subject rights, security obligations, and the role of data controllers and processors. Oversight is currently exercised by the Superintendence of Industry and Commerce (SIC), though legislative efforts are underway to establish an independent data protection authority.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

Ley 1581: Data Protection Authority and Sanctions (Title VII)

3 controls

Controls in the Ley 1581: Data Protection Authority and Sanctions (Title VII) domain of Colombia Data Protection Law (Law 1581 of 2012) — 3 controls
Code	Title	Description
CO-L1581-A19	Data Protection Authority (SIC)	The Superintendence of Industry and Commerce (SIC), through a Delegatura for Personal Data Protection, exercises oversig...
CO-L1581-A21	Functions of the SIC	The SIC ensures compliance, processes consultations/complaints, orders measures, conducts investigations, imposes sancti...
CO-L1581-A23	Sanctions	The SIC may impose fines up to 2,000 monthly minimum wages, suspension of activities, temporary/definitive closure of pr...

Ley 1581: Duties of Controllers and Processors (Title VI)

2 controls

Controls in the Ley 1581: Duties of Controllers and Processors (Title VI) domain of Colombia Data Protection Law (Law 1581 of 2012) — 2 controls
Code	Title	Description
CO-L1581-A17	Duties of Controllers (Responsables)	Controllers must guarantee rights, obtain authorization, keep data accurate, ensure security, handle consultations/compl...
CO-L1581-A18	Duties of Processors (Encargados)	Processors must guarantee data security, handle consultations/complaints, apply the controller's policies, update/rectif...

Ley 1581: General Provisions and Principles (Titles I-II)

10 controls

Controls in the Ley 1581: General Provisions and Principles (Titles I-II) domain of Colombia Data Protection Law (Law 1581 of 2012) — 10 controls
Code	Title	Description
CO-L1581-A2	Scope of Application	Applies to personal data recorded in any database by public or private entities in Colombian territory or where Colombia...
CO-L1581-A3	Definitions	Defines key terms: Titular (data subject), Tratamiento (processing), Responsable (controller), Encargado (processor), Au...
CO-L1581-A4-ACCESO	Principle of Restricted Access and Circulation	Processing is limited by the nature of the data; personal data (except public data) may not be available on the Internet...
CO-L1581-A4-CONFID	Principle of Confidentiality	All persons involved in processing non-public data must guarantee confidentiality, even after the relationship ends.
CO-L1581-A4-FINALIDAD	Principle of Purpose	Processing must serve a legitimate purpose under the Constitution and law, which must be informed to the data subject.
CO-L1581-A4-LEGALIDAD	Principle of Legality	Processing is a regulated activity that must comply with Ley 1581 and its implementing rules.
CO-L1581-A4-LIBERTAD	Principle of Freedom (Consent)	Processing requires the prior, express and informed consent of the data subject; data may not be obtained or disclosed w...
CO-L1581-A4-SEGURIDAD	Principle of Security	Data must be managed with the technical, human and administrative measures necessary to secure records against adulterat...
CO-L1581-A4-TRANSPARENCIA	Principle of Transparency	The data subject has the right to obtain, at any time and without restriction, information about the existence of data c...
CO-L1581-A4-VERACIDAD	Principle of Veracity and Quality	Data must be truthful, complete, accurate, up to date, verifiable and comprehensible; partial, incomplete or misleading...

Ley 1581: Registry, International Transfers and BCRs

3 controls

Controls in the Ley 1581: Registry, International Transfers and BCRs domain of Colombia Data Protection Law (Law 1581 of 2012) — 3 controls
Code	Title	Description
CO-L1581-A25	National Database Registry (RNBD)	Controllers must register their databases in the National Database Registry (Registro Nacional de Bases de Datos) admini...
CO-L1581-A26	Prohibition on International Transfers	Transfer of personal data to countries not providing adequate protection levels is prohibited, except: subject authoriza...
CO-L1581-A27	Binding Corporate Rules	Transfers and transmissions within corporate groups may rely on binding corporate rules (normas corporativas vinculantes...

Ley 1581: Rights and Conditions of Lawful Processing (Titles IV-V)

7 controls

Controls in the Ley 1581: Rights and Conditions of Lawful Processing (Titles IV-V) domain of Colombia Data Protection Law (Law 1581 of 2012) — 7 controls
Code	Title	Description
CO-L1581-A10	Cases Not Requiring Authorization	Authorization is not required for: information required by a public/administrative entity in legal exercise or by court...
CO-L1581-A12	Duty to Inform the Data Subject (Privacy Notice)	At or before collection the controller must inform the subject of the processing and its purpose, their rights, and the...
CO-L1581-A13	Persons to Whom Information May Be Disclosed	Personal data may be supplied only to the data subject/assignees, entities with legal/judicial authority, and third part...
CO-L1581-A14	Consultations (Access Requests)	Data subjects (or assignees) may consult their personal data held by a controller/processor; the consultation must be an...
CO-L1581-A15	Complaints (Reclamos)	Data subjects may file complaints to correct, update, delete data or for breach of the law; complaints must be handled w...
CO-L1581-A8	Data Subject Rights (Habeas Data)	Data subjects may: know, update and rectify their data; request proof of authorization; be informed of the use of their...
CO-L1581-A9	Authorization of the Data Subject	Processing requires prior, express and informed authorization of the data subject (except Art.10 cases), obtained by any...

Ley 1581: Special Categories of Data (Title III)

3 controls

Controls in the Ley 1581: Special Categories of Data (Title III) domain of Colombia Data Protection Law (Law 1581 of 2012) — 3 controls
Code	Title	Description
CO-L1581-A5	Sensitive Data Definition	Sensitive data affects the data subject's intimacy or whose misuse may cause discrimination: racial/ethnic origin, polit...
CO-L1581-A6	Processing of Sensitive Data	Processing sensitive data is prohibited except: explicit authorization; vital interest of an incapacitated subject; legi...
CO-L1581-A7	Children's and Adolescents' Data	Processing must respect the prevailing rights of children and adolescents; processing their data is proscribed except pu...

Maps to 2 other frameworks

28 total controls

GDPR

19 source controls mapped|11 target controls covered

68%

Costa Rica Personal Data Protection Law (Law No. 8968) as amended by Executive Decree No. 42089-MGP

7 source controls mapped|8 target controls covered

25%

Compare Colombia Data Protection Law (Law 1581 of 2012) with GDPR

Frequently Asked Questions

What is Colombia Data Protection Law (Law 1581 of 2012)?

Colombia Data Protection Law (Law 1581 of 2012) is a compliance framework from Colombia with 6 domains and 28 controls. Colombia's Law 1581 of 2012 establishes the general framework for the protection of personal data, regulated by Decree 1377 of 2013. It defines principles for lawful processing, requirements for consent, data subject rights, security obligations, and the role of data controllers and processors. Oversight is currently exercised by the Superintendence of Industry and Commerce (SIC), though legislative efforts are underway to establish an independent data protection authority. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Colombia Data Protection Law (Law 1581 of 2012) have?

Colombia Data Protection Law (Law 1581 of 2012) has 28 controls organised across 6 domains. The largest domains are Ley 1581: General Provisions and Principles (Titles I-II) (10 controls), Ley 1581: Rights and Conditions of Lawful Processing (Titles IV-V) (7 controls), Ley 1581: Data Protection Authority and Sanctions (Title VII) (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Colombia Data Protection Law (Law 1581 of 2012) map to?

Colombia Data Protection Law (Law 1581 of 2012) maps to 2 other compliance frameworks. The top mapping partners are GDPR (68% coverage), Costa Rica Personal Data Protection Law (Law No. 8968) as amended by Executive Decree No. 42089-MGP (25% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Colombia Data Protection Law (Law 1581 of 2012) compliance?

Start your Colombia Data Protection Law (Law 1581 of 2012) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Colombia Data Protection Law (Law 1581 of 2012) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 28 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required