COLOMBIA Law and Practice Contributed by: Maria Carolina Pardo, Ciro Meza, Angélica Navarro and Carlos Ignacio Arboleda, Baker McKenzie
granted at the time of collection being invalid. This can complicate global IoT deployments. Regarding the regulatory framework for tel - ecommunications, the Communications Regu - lation Commission (CRC) and the ITC Ministry oversee telecommunications services, includ - ing those used by IoT devices. Resolution CRC 5968 of 2020 particularly applies to IoT and M2M communications. This resolution establishes the administration of identification resources for mobility services provided by telecommunica - tions operators. It assigns a specific range of numbers for M2M and IoT services, ensuring that these devices are properly identified and managed within the telecommunications net - work. This regulation helps streamline the inte - gration of IoT devices into existing networks and ensures that they operate within a standardised framework. From an AML and CFT perspective, companies also face compliance challenges. Colombian regulation requires companies to implement comprehensive AML/CFT measures, such as conducting business-wide risk assessments, performing customer due diligence and reporting suspicious transactions to the Financial Informa - tion and Analysis Unit ( Unidad de Información y Análisis Financiero ; UIAF). For IoT deployments, this means ensuring that IoT devices and plat - forms are not used to facilitate money launder - ing or terrorism financing activities. Companies must integrate AML/CFT compliance into their IoT governance frameworks. 4.3 Data Sharing In Colombia, the primary legal framework gov - erning data protection and sharing is established by Law 1581 of 2012 and Decree 1377 of 2013. Key requirements for data sharing include the following.
• Obtaining consent: IoT companies must obtain explicit consent from data subjects before sharing their personal data with exter - nal processors or controllers. • Data processing agreements: When shar - ing data with third parties, companies must have data transfer agreements (with external controllers) or transmission agreements (with external processors) in place to ensure com - pliance with data protection laws. Data trans - mission refers to the sharing of personal data between a data controller and a data proces - sor, either within Colombia or internationally, who is responsible for processing the data on behalf of the data controller. Data transfer, on the other hand, refers to the sharing of personal data between a data controller and another data controller, who is responsible for processing the data and applying his or her own privacy policy. The aforementioned data sharing requirements apply to all companies that process personal data, regardless of their size or sector. Note that processing personal data is defined as any oper - ation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion. Colombia has heightened requirements for spe - cific categories of data, particularly sensitive data and data concerning minors. Sensitive data in Colombia is defined under Law 1581 of 2012 as any data that affects the pri - vacy of the data subject or whose improper use might cause discrimination. This includes infor - mation revealing racial or ethnic origin; political orientation; religious or philosophical beliefs; membership of trade unions, social organisa - tions or human rights organisations; and data related to health, sexual life and biometrics. The
40
CHAMBERS.COM
Powered by FlippingBook