Habeas Data Colombia: A Compliance Guide for Data Teams
Colombia's Ley 1581 of 2012 (Habeas Data law) governs the collection, storage, use, and transfer of personal data. The Superintendencia de Industria y Comercio (SIC) enforces it. Fines can reach 2,000 monthly minimum wages per infraction, and repeat violations trigger operational suspension orders.
This post focuses on what the law requires from the people who build and operate data pipelines — not legal counsel, but the engineers and analysts handling tables containing personal information.
What Counts as Personal Data Under Ley 1581
The law distinguishes three tiers:
- Public data: Name, profession, publicly held titles. Subject to the law but with lighter treatment.
- Semi-private / private data: Financial history, employment records, health information. Full consent and purpose limitation apply.
- Sensitive data (datos sensibles): Racial or ethnic origin, political opinions, religious beliefs, union membership, health data, sexual life and orientation, biometric data. Processing is prohibited except under specific exceptions (explicit consent, vital interests, legitimate public interest). Article 6 of Ley 1581 lists these explicitly.
Any table containing columns that fall into the sensitive category requires heightened controls: encryption at rest, strict access logging, and documented justification for processing.
Consent Requirements
Valid consent under Ley 1581 must be:
- Prior: Collected before data is processed.
- Explicit: Not inferred from silence or general terms of service.
- Informed: The specific purpose, the identity of the data controller, and the rights of the data subject must be stated.
- Revocable: Data subjects must be able to withdraw consent and have data deleted (right of suppression).
For data teams, this means: if a column exists in your warehouse without a documented consent basis, it is a liability. The SIC has issued sanctions for retaining data beyond the consented purpose even when original collection was lawful.
The Role of Data Quality in Proving Compliance
Article 4 of Ley 1581 lists data quality as an explicit principle: data must be exact, complete, updated, verifiable, and understandable. This is not aspirational language — it is a legal obligation.
Auditors from the SIC ask specific questions:
- Can you demonstrate that personal data records are complete and not corrupted?
- Can you show when data was last validated and by whom?
- Can you prove that deleted records are actually deleted (not merely flagged)?
- Do your systems detect and flag inaccurate personal data before it is used in decisions?
A data quality scorecard with timestamped runs, dimension-level scores, and rule histories is direct evidence that Article 4 obligations are being met.
Compliance Checklist for Data Teams (8 Points)
- [ ] Inventory all tables containing personal data. Include schema, data owner, and classification tier (public / private / sensitive).
- [ ] Document the consent basis for each personal data table. Legal basis must map to a specific Article of Ley 1581 or Decreto 1377/2013.
- [ ] Enforce column-level access controls. Sensitive columns (health, biometric, sexual life) require role-based restrictions with audit logging.
- [ ] Run automated completeness and accuracy checks on personal data tables. Produce timestamped evidence for audits.
- [ ] Implement and test data deletion workflows. Verify that suppression requests result in actual deletion, not just soft-delete flags.
- [ ] Set retention limits. Each personal data table must have a documented maximum retention period aligned with the consented purpose.
- [ ] Log every access to sensitive data columns. Logs must be retained for at least five years (SIC audit window).
- [ ] Conduct annual data quality reviews. Document findings and remediation actions to demonstrate ongoing compliance with Article 4.
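The following script is an added example, not DQ's own code, showing what the timestamped evidence described in the scorecard section and in checklist items 3 through 7 can look like in practice: a column inventory with tier classification, an access log for sensitive columns, a dimension-level scorecard over a personal-data table, and a suppression request verified as a real delete. The `customers` table, its rows, the tier mapping, the 365-day retention window and the audit timestamp are all constructed assumptions; only the Python standard library is used, so it runs offline against an in-memory SQLite database.

```python
"""Scorecard, access logging and hard-delete verification over a sample table.

Added example for this guide, not DQ's own code. The table, column names,
tier mapping and retention period are constructed assumptions.
"""
import json
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed column inventory: Ley 1581 tier per column (assumption).
INVENTORY = {"id": "public", "full_name": "public", "email": "private",
             "health_condition": "sensitive", "consent_purpose": "public",
             "consent_at": "public"}
REQUIRED = ("full_name", "email", "consent_purpose", "consent_at")
RETENTION_DAYS = 365  # assumed maximum retention for the consented purpose
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
AUDIT_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed audit time (assumption)


def build_sample_db():
    """In-memory table with constructed personal-data rows plus an access log."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT,
                  email TEXT, health_condition TEXT, consent_purpose TEXT,
                  consent_at TEXT)""")
    db.execute("CREATE TABLE access_log (actor TEXT, columns TEXT, at TEXT)")
    db.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", [
        (1, "Ana Gomez", "ana@example.com", None, "billing", "2024-01-10"),
        (2, "Luis Perez", "not-an-email", "asthma", "billing", "2024-02-01"),
        (3, "Sara Ruiz", "sara@example.com", "diabetes", None, "2021-05-20"),
        (4, None, "x@example.com", None, "billing", "2024-03-15"),
    ])
    db.commit()
    return db


def score_table(db, now):
    """Timestamped, dimension-level scorecard with row-level findings."""
    cols = list(INVENTORY)
    rows = [dict(zip(cols, r)) for r in
            db.execute(f"SELECT {', '.join(cols)} FROM customers")]
    cutoff = now - timedelta(days=RETENTION_DAYS)
    findings = {
        # Completeness: every required column populated.
        "completeness": [r["id"] for r in rows
                         if any(r[c] is None for c in REQUIRED)],
        # Accuracy: email is syntactically valid.
        "accuracy": [r["id"] for r in rows
                     if not (r["email"] and EMAIL_RE.match(r["email"]))],
        # Retention: consent date not older than the allowed window.
        "retention": [r["id"] for r in rows if r["consent_at"] is None or
                      datetime.fromisoformat(r["consent_at"]).replace(
                          tzinfo=timezone.utc) < cutoff],
    }
    return {
        "table": "customers",
        "run_at": now.isoformat(),
        "row_count": len(rows),
        "sensitive_columns": [c for c, t in INVENTORY.items() if t == "sensitive"],
        "scores": {d: round(1 - len(bad) / len(rows), 2)
                   for d, bad in findings.items()},
        "findings": findings,
    }


def read_columns(db, actor, columns):
    """Read columns from customers; any access to a sensitive column is logged."""
    unknown = set(columns) - set(INVENTORY)
    if unknown:  # only inventoried names reach the SQL string
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    sensitive = [c for c in columns if INVENTORY[c] == "sensitive"]
    if sensitive:
        db.execute("INSERT INTO access_log VALUES (?,?,?)",
                   (actor, ",".join(sensitive),
                    datetime.now(timezone.utc).isoformat()))
        db.commit()
    return db.execute(f"SELECT {', '.join(columns)} FROM customers").fetchall()


def access_log_entries(db):
    """Actor and sensitive columns for every logged access."""
    return db.execute("SELECT actor, columns FROM access_log").fetchall()


def suppress_and_verify(db, subject_id):
    """Hard-delete one data subject and prove the row is gone, not just flagged."""
    db.execute("DELETE FROM customers WHERE id = ?", (subject_id,))
    db.commit()
    left = db.execute("SELECT COUNT(*) FROM customers WHERE id = ?",
                      (subject_id,)).fetchone()[0]
    return left == 0


if __name__ == "__main__":
    db = build_sample_db()
    print(json.dumps(score_table(db, AUDIT_NOW), indent=2))
    read_columns(db, "analyst@example.com", ["id", "health_condition"])
    print("access log:", access_log_entries(db))
    print("subject 3 suppressed:", suppress_and_verify(db, 3))
```

Each scorecard run is a JSON document with its own timestamp, so storing the output of every run yields the rule history an auditor asks for; the `findings` lists name the rows behind each score so remediation can be traced. The deletion check queries the table after the commit rather than trusting the delete statement, which is the difference between a suppression workflow and a soft-delete flag.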
For the Spanish version of this guide, see /blog/habeas-data-colombia-cumplimiento-es.
FAQ
Q: Does Ley 1581 apply to foreign companies processing Colombian residents' data?
A: Yes. The SIC has taken the position that the law applies whenever the data subjects are Colombian residents, regardless of where the data controller is incorporated.
Q: What is the difference between Ley 1581 and Decreto 1377?
A: Ley 1581/2012 is the primary statute. Decreto 1377/2013 is the implementing regulation that adds operational detail: authorization forms, privacy notice requirements, and registration with the National Data Registry (Registro Nacional de Bases de Datos).
Q: Can a data quality tool substitute for legal counsel on Habeas Data compliance?
A: No. DQ provides evidence of Article 4 compliance (data quality obligations) and helps inventory and classify personal data. Legal advice from a Colombian attorney is required for consent mechanisms, contract clauses, and regulatory filings.
About DQ. DQ is the data quality engine that profiles, validates, and remediates your tables in 90 seconds. Built by K/20X Labs, Bogotá / NYC.