On August 21st, 2024, the Superintendency of Industry and Commerce (SIC) issued Circular No. 002, which outlines guidelines for the processing of personal data in artificial intelligence systems. Specifically, Data Controllers and Processors are required to:
- Carry out assessments based on the criteria of suitability, necessity, reasonableness, and strict proportionality.
- Implement risk identification methodologies.
- Conduct privacy impact assessments.
- Adopt technological, human, administrative, physical, or contractual measures that ensure information security.
Subsequently, on August 22nd, 2024, the SIC issued Circular No. 003, which establishes behaviors and duties for Company Managers regarding compliance with Personal Data Protection Regulations. This is relevant insofar as Company Managers will be co-responsible for the processing when, together with the legal entity (i.e., the Company), they determine the purposes or means regarding the databases and/or the processing of personal data.