Habeas Data Rights in Colombia: Equivalent to DSAR Explained
In Colombia, the equivalent to a DSAR (Data Subject Access Request) falls under habeas data rights. These stem from Article 15 of the Colombian Constitution, which guarantees the right to know, update, and rectify personal information in databases. Ley 1266 regulates financial, credit, commercial, and services data, while Ley 1581 de 2012 provides the general framework for protecting all personal data, requiring prior express informed authorization for its collection and use.
Data holders can request access to their information, revoke authorization, or seek suppression when data protection principles are not respected or by free request. Companies acting as data controllers must prove prior authorization before contacting data subjects, per guidance from the Superintendencia de Industria y Comercio (SIC).
This process applies to Colombian residents managing data with companies or databases. It differs from EU DSAR processes.
What Controls Your Habeas Data Rights
Habeas data rights originate in primary Colombian sources. Article 15 of the Constitution establishes the right to intimacy, good name, and control over personal data in files or databases, including the ability to know, update, and rectify it.
Ley 1266 specifically covers personal data in financial, credit, commercial, and services sectors. Ley 1581 de 2012 extends protection to all personal data categories, mandating that controllers obtain express informed authorization before treating data. SIC guidance reinforces that controllers must hold proof of this authorization to contact data subjects.
These rules govern requests to access or control data. Company privacy policies implement these laws but do not override them.
Key Rights and Company Obligations
Data holders have specific rights under these laws. They can request to know or access their personal data, update or rectify inaccuracies, revoke treatment authorization, and seek suppression of data. Suppression applies when protection principles, rights, or guarantees are violated, or upon free request.
Controllers and those in charge of data treatment face obligations. They may contact data subjects only with evidence of prior express authorization. Without it, further contact violates habeas data protections, as outlined in SIC guidance.
Access rights focus on obtaining information held, while suppression addresses removal. These remain distinct.
What Does Not Control Habeas Data Requests
Habeas data requests follow Colombian constitutional and statutory rules, not EU GDPR processes like DSAR, which operate under different frameworks such as Article 15 of the GDPR. Payment disputes, such as chargebacks or bank transaction claims, use separate rails like consumer protection for financial services. Merchant refunds or public records requests under freedom of information laws also stand apart.
Company contact policies or marketing opt-outs implement habeas data but do not define the core rights.
Steps to Exercise Your Rights
Contact the data controller or company holding your information first with your request. Provide details on the data concerned.
If unresolved, escalate to the Superintendencia de Industria y Comercio (SIC) using their Formulario de PQRSF for petitions, complaints, claims, or requests. Other options include the SIC Línea anticorrupción at 157 or Sede Electrónica contact during business hours, Monday to Friday 8:00 a.m. to 4:30 p.m.
Keep records of all communications.
FAQ
What is habeas data in Colombia?
Habeas data is the constitutional right under Article 15 to know, access, update, rectify, revoke authorization for, or suppress personal data in databases, regulated by Ley 1266 for financial data and Ley 1581 de 2012 for general data.
How does habeas data differ from EU DSAR?
Habeas data follows Colombian law and SIC guidance, focusing on constitutional protections and authorization proof. EU DSAR arises from GDPR Article 15 and varies by member state authority.
Can I request access to my financial data?
Yes, under Ley 1266, holders can request to know or access financial, credit, commercial, or services data held by controllers.
What proof does a company need to contact me?
Controllers must prove prior express informed authorization, per SIC guidance and Ley 1581 de 2012.
How do I file a habeas data request with SIC?
Use the SIC Formulario de PQRSF via their Sede Electrónica, or call Línea anticorrupción at 157.
Does habeas data cover data deletion?
It covers suppression of data when principles are violated or by free request, distinct from access or rectification rights.
Next, identify the data controller and submit your request directly, retaining copies. Escalate to SIC if needed using official channels.