Due to the recent enactment of the Chinese data privacy law and the evolution of business relations between China and Colombia, any privacy professional at a company doing business in or between these countries must be aware of the key issues of the Personal Information Protection Law of China (“PIPL”) and the Colombian General Data Protection Regulation (“CGDPR”).
Here are the most relevant aspects of the PIPL vs. the CGDPR:
Regulation
CGDPR
The protection of personal data in Colombia is mainly regulated by:
- Statutory act 1581 of 2012.
- Regulatory decree 886 of 2014.
- Regulatory decree 1074 of 2015 (Chapter 25).
- Title V of the Sole Circular of the Superintendency of Industry and Commerce.
- Regulatory decree 255 of 2022.
This set of rules will be called “CGDPR”.
PIPL
The protection of personal information is mainly regulated by:
- Cybersecurity Law.
- Data Security Law and Personal Information Protection Law.
- Specifications on Security Certification for Cross-border Personal Information Processing Activities.
- Other laws or administrative regulations may regulate the matter and must be complied with.
Only the Personal Information Protection Law will be considered, which will be called “PIPL”.
Scope
CGDPR
- Personal data contained in any database not included in the exempted activities established in the law.
- Controllers and processors of personal data within the Colombian territory, and Controllers and processors that are not established in Colombia but are subject to Colombian law.
PIPL
- Processing of personal information carried out within China. (Article 3 of the Personal Information Protection Law of the People’s Republic of China.)
- Processing of personal information carried out outside the territory that involves personal information of data subjects located in China. (Article 3 of the Personal Information Protection Law of the People’s Republic of China.)
Personal Data v. Personal Information
CGDPR
- Personal data is defined by law as any information linked or associated to one or several determined or determinable natural persons. This definition is specific and does not refer to other matters. (Article 3(c) of Law 1581 of 2012.)
PIPL
- Personal information is any type of information related to identified or identifiable natural persons. The PIPL expressly excludes anonymized information from this definition. (Article 4 of the Personal Information Protection Law of the People’s Republic of China.)
Sensitive Data v. Sensitive Personal Information
CGDPR
- Sensitive data is part of the category of special data. It is defined as the personal data that affects the privacy of the Data Subject or whose inadequate use may lead to discrimination against the Data Subject. (Article 5 of Law 1581 of 2012.)
- In the authorization for processing personal data, the data controller must inform the data subject which sensitive data will be processed and that it is not mandatory to provide this information. (Article 5 of Law 1581 of 2012.)
PIPL
- There are specific rules for processing Sensitive Personal Information, which is defined as information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security. The concept of Sensitive Personal Information also includes the information of children under 14 years of age. (Articles 28, 29 and 30 of the Personal Information Protection Law of the People’s Republic of China.)
- This type of personal information may only be processed for a specific purpose and where there is sufficient necessity, and specific protection measures must be adopted. (Articles 28, 29 and 30 of the Personal Information Protection Law of the People’s Republic of China.)
- Data subjects must give their separate informed consent to allow the processing of Sensitive Personal Information. Some legal provisions may require the informed consent for processing Sensitive Personal Information to be given in written form. (Articles 28, 29 and 30 of the Personal Information Protection Law of the People’s Republic of China.)
Roles during the processing
CGDPR
- Controller: decides on the personal data and the processing operations that may be applied to the personal databases. (Article 4(e) of Law 1581 of 2012.)
- Processor: processes personal data according to the instructions given by the Data Controller. (Article 4(d) of Law 1581 of 2012.)
- Data Subject: natural person whose personal data is the object of processing. (Article 4(f) of Law 1581 of 2012.)
PIPL
- Personal information handler: responsible for its personal information processing activities and must adopt the necessary measures to safeguard the security of the personal information it handles. (Article 73 of the Personal Information Protection Law of the People’s Republic of China.)
- Entrusted person: handles personal information as agreed with the personal information handler. The conditions for the processing of personal information must be established by means of an agreement between the parties. (Articles 21 and 59 of the Personal Information Protection Law of the People’s Republic of China.)
- Individual: natural person whose personal information is the object of processing. (Article 2 of the Personal Information Protection Law of the People’s Republic of China.)
- Personal information protection officer: person responsible for supervising personal information processing activities and the measures adopted for the protection of personal information, among other duties. (Article 52 of the Personal Information Protection Law of the People’s Republic of China.)
- Representative: person responsible for matters related to the personal information that the personal information handler handles. This role must be appointed when the personal information handler is outside the borders of the PRC, and the representative must be located within the borders of the PRC. Alternatively, a dedicated entity that performs the same functions may be established. (Article 53 of the Personal Information Protection Law of the People’s Republic of China.)
Legal basis for the processing
CGDPR
- Informed consent granted by the Data Subject.
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Public data.
- Cases of medical or health emergency.
- Information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of persons.
In all cases, processing of personal data must be performed in accordance with the legal provisions of the CGDPR. (Article 10 of Law 1581 of 2012.)
PIPL
- Informed consent granted by the Data Subject.
- To comply with a contract in which the data subject is an interested party, or to manage human resources matters related to the individual.
- To comply with statutory duties and obligations.
- To handle sudden public safety situations, or to protect the life, health and property security of individuals under emergency conditions.
- To carry out news reporting, public opinion supervision and other activities in the public interest.
- To handle personal information disclosed by the individuals themselves or which has already been lawfully disclosed.
- Other circumstances provided for in other laws and administrative regulations.
All of the above legal bases are provided in Article 13 of the Personal Information Protection Law of the People’s Republic of China.
Individual consent
CGDPR
- Informed consent must be prior, express, and informed. It may be obtained by any means that allow subsequent consultation of what has been authorized. It must contain (Article 4(c) and article 9 of Law 1581 of 2012):
  - Complete identification of the data controller;
  - The purposes of the processing;
  - The type of processing to be performed on the personal data;
  - The rights of the Data Subjects; and
  - The means provided by the Data Controller to exercise these rights, among other legal requirements.
- If sensitive data is processed, the Data Subject must be informed of this processing in the authorization.
- It is forbidden to use misleading or fraudulent means to collect and process personal data. (Article 2.2.2.25.2.1 of Regulatory Decree 1074 of 2015.)
PIPL
- Individuals must give their consent with full knowledge and in a voluntary and explicit statement. It must contain:
  - Identification and contact method of the personal information handler
  - The purpose of personal information processing
  - The processing methods
  - The categories of handled personal information
  - The retention period
  - Methods and procedures for individuals to exercise the rights provided in the PIPL, among other requirements provided by law or administrative regulations.
- In some cases, legal or administrative provisions may require separate and mandatory written consent, which must be complied with.
- If the purposes of the processing, the processing method, or the categories of handled personal information change, a new consent must be obtained. (Article 14 of the Personal Information Protection Law of the People’s Republic of China.)
Legal provisions for personal data flows
CGDPR
- Transfer is the flow of information that takes place between controllers. If the transfer is outside the Colombian territory, the CGDPR has special requirements that regulate the operation. When the transfer takes place within the national territory, the CGDPR does not expressly establish requirements for the transfer. (Article 26 of Law 1581 of 2012 and article 2.2.2.25.5.1 of Regulatory Decree 1074 of 2015.)
- In the context of the international transfer of personal data, the procedure for implementing binding corporate rules in Colombia was recently regulated. This applies to corporate groups that circulate personal data among the companies of the group located outside Colombia. (Regulatory Decree 255 of 2022.)
- Another legal mechanism for circulating personal data is Transmission, which is defined as the flow of information that takes place between a controller and a processor. This operation requires the execution of a transmission agreement that must comply with the legal requirements.
PIPL
- For the information flow operation that takes place between personal information handlers, the PIPL establishes the following:
  - Obligation to notify the individuals about the information to be sent
  - The identification and contact method of the personal information handler that receives it
  - The purposes of the processing
  - The method of processing
  - Other details of this operation.
- The PIPL establishes the obligation, for the receiving personal information handler, to obtain a separate consent from the individual. (Article 23 of the Personal Information Protection Law of the People’s Republic of China.)
- For the information flow operation performed between the personal information handler and the entrusted person, in general terms the PIPL establishes the obligation to enter into an agreement that determines the details of the processing. The entrusted person may not retain the information, which implies that the entrusted person must return or delete it.
- The entrusted person may not pass the personal information on to another entrusted person for processing without the consent of the personal information handler. (Article 21 of the Personal Information Protection Law of the People’s Republic of China.)
- In addition, the PIPL provides a special chapter containing the rules for sending personal information outside the PRC territory, for which the PIPL establishes four conditions, one of which must be met to carry out this processing of personal information. (Article 38 of the Personal Information Protection Law of the People’s Republic of China.)