Whereby General Provisions for the Protection of Personal Data Are Issued

Original Language Title: Por la cual se dictan disposiciones generales para la protección de datos personales

STATUTORY LAW 1581 OF 2012 (October 17)
Official Gazette No. 48587 of October 18, 2012

CONGRESS OF THE REPUBLIC
Whereby general provisions for the protection of personal data are issued.



THE CONGRESS OF COLOMBIA DECREES:

TITLE I.
PURPOSE, SCOPE AND DEFINITIONS.

ARTICLE 1. OBJECT. This law aims to develop the constitutional right of all people to know, update and rectify information gathered about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in Article 15 of the Constitution, as well as the right to information enshrined in Article 20 thereof.



ARTICLE 2. AREA OF APPLICATION. The principles and provisions of this Act shall apply to personal data recorded in any database that makes them amenable to treatment by entities of a public or private nature.
This law shall apply to the processing of personal data carried out in Colombian territory, or when Colombian law is applicable to a data controller or processor not established in national territory under international standards and treaties.
The system of protection of personal data established in this law shall not apply to:
a) Databases or files maintained in an exclusively personal or domestic sphere.
When these databases or files are to be provided to third parties, the Holder must be informed beforehand and his permission requested. In this case the controllers and the databases and files will be subject to the provisions of this Act;
b) Databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and terrorist financing;
c) Databases that are intended to contain intelligence and counterintelligence information;
d) Databases and archives of news reports and other editorial content;
e) Databases and files regulated by Law 1266 of 2008;
f) Databases and files regulated by Law 79 of 1993.
PARAGRAPH. The data protection principles shall apply to all databases, including those excepted in this Article, within the limits provided in this law and without conflicting with data that is covered by legal reserve. Where the special regulations governing the excepted databases provide principles that take into account the special nature of the data, those principles shall apply concurrently with those provided in this Act.


ARTICLE 3. DEFINITIONS. For the purposes of this law, the following terms are understood as:
a) Authorization: prior, express and informed consent of the Holder to carry out the processing of personal data;
b) Database: organized set of personal data that is subject to processing;
c) Personal Data: any information related to, or that may be associated with, one or more specific or determinable natural persons;
d) Data Processor: natural or legal person, public or private, which by itself or in association with others performs the processing of personal data on behalf of the controller;
e) Data Controller: natural or legal person, public or private, which by itself or in association with others decides on the database and/or the treatment of the data;
f) Holder: natural person whose personal data are processed;
g) Treatment: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.



TITLE II.
GUIDING PRINCIPLES.

ARTICLE 4. PRINCIPLES FOR THE TREATMENT OF PERSONAL DATA. In the development, interpretation and application of this law, the following principles shall be applied harmoniously and holistically:
a) Principle of legality regarding data processing: The treatment referred to in this law is a regulated activity that must be subject to the provisions established therein and in the other provisions implementing it;
b) Principle of purpose: Treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be reported to the Holder;
c) Principle of freedom: Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent;
d) Principle of accuracy or quality: The information subject to treatment must be truthful, complete, accurate, current, verifiable and understandable. Treatment of partial, incomplete, split or misleading data is prohibited;
e) Principle of transparency: In the Treatment, the right of the Holder to obtain from the controller or processor, at any time and without limitation, information about the existence of data concerning him must be guaranteed;
f) Principle of restricted access and circulation: Treatment is subject to the limits deriving from the nature of personal data, the provisions of this law and the Constitution. In this sense, treatment can only be done by persons authorized by the Holder and/or by the persons provided for in this law;
Personal data, except public information, may not be available on the Internet or other mass media, unless access is technically controllable so as to provide knowledge restricted only to Holders or third parties authorized under this law;
g) Principle of security: The information subject to treatment by the data controller or processor referred to in this law must be handled with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access;
h) Principle of confidentiality: All persons involved in the processing of personal data that do not have the nature of public data are obliged to ensure the confidentiality of the information, even after the end of their relationship with any of the tasks comprising the Treatment, and may only supply or communicate personal data where this corresponds to the development of activities authorized by this law and under its terms.



TITLE III.
SPECIAL CATEGORIES OF DATA.

ARTICLE 5. SENSITIVE DATA. For the purposes of this Act, sensitive data are understood to be those affecting the privacy of the Holder or whose misuse can lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life and biometric data.

ARTICLE 6. SENSITIVE DATA PROCESSING. Treatment of sensitive data is prohibited, except when:
a) The Holder has given explicit consent to such treatment, except in cases where by law the granting of such authorization is not required;
b) The processing is necessary to protect the vital interest of the Holder and the Holder is physically or legally incapacitated. In these events, the legal representatives must give their authorization;
c) The treatment is carried out in the course of legitimate activities and with appropriate guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or trade union, provided that it relates exclusively to its members or to persons who have regular contact with it because of its purpose. In these events, the data cannot be provided to third parties without the authorization of the Holder;
d) The processing relates to data necessary for the establishment, exercise or defense of a right in judicial proceedings;
e) Treatment has a historical, statistical or scientific purpose. In this event, measures leading to the suppression of the identity of the Holders shall be taken.


ARTICLE 7. RIGHTS OF CHILDREN AND ADOLESCENTS. In the Treatment, respect for the prevailing rights of children and adolescents shall be ensured.
Treatment of personal data of children and adolescents is prohibited, except for data that is public in nature.

It is the task of the State and of educational institutions of all kinds to provide information and train legal representatives and guardians about the potential risks that children and adolescents face regarding improper Treatment of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and the protection of their personal information and that of others. The National Government will regulate the matter within six (6) months following the enactment of this law.


TITLE IV.
RIGHTS AND CONDITIONS OF LEGALITY FOR DATA PROCESSING.

ARTICLE 8. RIGHTS OF THE HOLDERS. The Holder of personal data shall have the following rights:
a) To know, update and rectify his personal data before data controllers or processors. This right may be exercised, among others, against partial, inaccurate, incomplete, split or misleading data, or data whose treatment is prohibited or not authorized;
b) To request proof of the authorization granted to the controller, unless it is expressly excepted as a requirement for the treatment, in accordance with the provisions of Article 10 of this Law;
c) To be informed by the controller or the processor, upon request, regarding the use that has been given to his personal data;
d) To submit to the Superintendency of Industry and Commerce complaints for violations of the provisions of this Act and of the other regulations that modify, add to or supplement it;
e) To revoke the authorization and/or request the deletion of data when the principles, rights and constitutional and legal guarantees are not respected in the treatment. The revocation and/or deletion shall proceed when the Superintendency of Industry and Commerce has determined that, in the treatment, the person responsible has engaged in conduct contrary to the law and the Constitution;
f) To access free of charge his personal data that have undergone treatment.


ARTICLE 9. AUTHORIZATION OF THE HOLDER. Subject to the exceptions provided by law, the Treatment requires the prior and informed consent of the Holder, which must be obtained by any means that can be subject to later consultation.


ARTICLE 10. CASES WHERE AUTHORIZATION IS NOT NECESSARY. The Holder's authorization is not required in the case of:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order;
b) Data of a public nature;
c) Cases of medical or health emergency;
d) Treatment of information authorized by law for historical, statistical or scientific purposes;
e) Data related to the Civil Registry of Persons.
Whoever accesses personal data without prior authorization must in any case comply with the provisions of this law.



ARTICLE 11. SUPPLY OF INFORMATION. The requested information may be supplied by any means, including electronic, as required by the Holder. The information should be easy to read, without technical barriers to access, and must correspond in its entirety to that held in the database.
The Government shall determine the manner in which data controllers and processors must provide the information to the Holder, based on the nature of the personal data. These regulations shall be issued no later than one year after the enactment of this law.


ARTICLE 12. DUTY TO INFORM THE HOLDER. The controller, when requesting authorization from the Holder, shall inform him clearly and expressly of the following:
a) The treatment to which his personal data will be submitted and the purpose thereof;
b) The optional nature of the response to the questions asked, when these relate to sensitive data or data on children and adolescents;
c) His rights as Holder;
d) The identification, physical or electronic address and telephone number of the controller.

PARAGRAPH. The controller must keep proof of compliance with the provisions of this Article and, when the Holder requests it, provide him with a copy.


ARTICLE 13. PERSONS TO WHOM INFORMATION MAY BE PROVIDED. The information that meets the conditions set out in this Act may be provided to the following persons:
a) The Holders, their heirs or their legal representatives;
b) Public or administrative entities in the exercise of their legal functions or by court order;
c) Third parties authorized by the Holder or by law.



TITLE V.
PROCEDURES.

ARTICLE 14. CONSULTATIONS. Holders or their successors may consult the personal information of the Holder held in any database, whether of the public or private sector. The controller or processor shall provide them with all the information contained in the individual record or that is linked to the identification of the Holder.
The consultation shall be made through the means enabled by the data controller or processor, provided that proof of it can be kept.
The consultation will be answered within a maximum term of ten (10) working days from the date of its receipt. When it is not possible to answer the consultation within that period, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case may exceed five (5) working days following the expiration of the first term.
PARAGRAPH. The provisions of special laws or the regulations issued by the National Government may establish shorter terms, given the nature of the personal data.


ARTICLE 15. COMPLAINTS. The Holder or his successors who consider that the information contained in a database should be subject to correction, updating or deletion, or who notice the alleged breach of any of the duties under this Act, may file a complaint with the controller or the processor, which will be processed under the following rules:
1. The claim shall be made by writing to the controller or the processor, identifying the Holder, describing the facts giving rise to the claim, giving the address, and accompanied by the documents he wishes to rely on. If the claim is incomplete, the interested party will be required, within five (5) days following receipt of the claim, to remedy the failures. After two (2) months from the date of the request, if the applicant has not submitted the required information, he shall be deemed to have waived the claim.
If the recipient of the claim is not competent to resolve it, he will transfer it to the appropriate party within a maximum term of two (2) working days and report the situation to the interested party.
2. Upon receipt of the complete claim, a legend that says "claim pending" and the reason for it shall be included in the database, within a period not exceeding two (2) business days. The legend should be maintained until the claim is decided.
3. The maximum term to address the claim will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to address the claim within that period, the interested party shall be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) working days following the expiry of the first term.

ARTICLE 16. PROCEDURAL REQUIREMENT. The Holder or successor may only raise a complaint before the Superintendency of Industry and Commerce once he has exhausted the consultation or claim process with the controller or processor.


TITLE VI.
DUTIES OF CONTROLLERS AND PROCESSORS.

ARTICLE 17. DUTIES OF CONTROLLERS. Data controllers must fulfill the following duties, without prejudice to the other provisions of this Act and others governing their activity:
a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
b) Request and preserve, as provided in this Act, a copy of the respective authorization granted by the Holder;
c) Duly inform the Holder of the purpose of the collection and the rights he has by virtue of the authorization granted;
d) Retain the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access;
e) Ensure that the information supplied to the Data Processor is truthful, complete, accurate, current, verifiable and understandable;
f) Update the information, communicating in a timely manner to the processor all new developments regarding the data previously supplied, and take the other measures necessary to ensure that the information supplied to it is kept current;
g) Rectify the information when it is incorrect and communicate this to the processor;
h) Provide the processor, as appropriate, only with data whose processing has been previously authorized in accordance with the provisions of this Act;
i) Require the processor, at all times, to respect the security and privacy of the Holder's information;
j) Process inquiries and complaints made under the terms stated in this law;
k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for handling inquiries and complaints;
l) Inform the processor when certain information is under dispute by the Holder, once the complaint has been filed and the respective procedure has not yet been completed;
m) Inform the Holder, at his request, about the use given to his data;
n) Inform the data protection authority when violations of security codes occur and there are risks in the management of the Holders' information;
o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.



ARTICLE 18. DUTIES OF PROCESSORS. Data processors must fulfill the following duties, without prejudice to the other provisions of this Act and others governing their activity:
a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access;
c) Perform in a timely manner the update, rectification or deletion of data under the terms of this Act;
d) Update the information reported by the data controllers within five (5) working days from its receipt;
e) Process inquiries and complaints made by the Holders under the terms stated in this law;
f) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, especially, for answering inquiries and complaints from the Holders;
g) Register in the database the legend "claim pending" in the manner regulated by this law;
h) Insert in the database the legend "information on legal discussion" once notified by the competent authority of judicial proceedings related to the quality of the personal data;
i) Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce;
j) Provide access to the information only to persons who may have access to it;
k) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the Holders' information;
l) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
PARAGRAPH. In the event that the qualities of data controller and data processor concur in the same person, that person will be required to fulfill the duties provided for each.



TITLE VII.
SURVEILLANCE MECHANISMS AND PUNISHMENT.

CHAPTER I.
DATA PROTECTION AUTHORITY.

ARTICLE 19. DATA PROTECTION AUTHORITY. The Superintendency of Industry and Commerce, through a Delegatura for the Protection of Personal Data, shall exercise surveillance to ensure that the principles, rights, guarantees and procedures provided in this law are respected in the processing of personal data.
PARAGRAPH 1. The National Government, within six (6) months from the date of entry into force of this law, shall incorporate within the structure of the Superintendency of Industry and Commerce an office of Deputy Superintendent to exercise the functions of Data Protection Authority.
PARAGRAPH 2. The surveillance of the processing of personal data regulated by Law 1266 of 2008 shall be subject to the provisions of that standard.


ARTICLE 20. RESOURCES FOR THE EXERCISE OF ITS FUNCTIONS. The Superintendency of Industry and Commerce will have the following resources to perform the functions entrusted to it by this law:
a) The resources that are allocated in the General Budget of the Nation.




ARTICLE 21. FUNCTIONS. The Superintendency of Industry and Commerce shall perform the following functions:
a) Ensure compliance with the legislation on protection of personal data;
b) Carry out the relevant investigations, on its own initiative or upon request, and, as a result of them, order the measures necessary to make the right of habeas data effective. For this purpose, whenever the right is disregarded, it may order that access to and supply of the data be granted, or their rectification, updating or deletion;
c) Order the temporary blocking of data when, from the request and the evidence provided by the Holder, a certain risk of violation of his fundamental rights is identified, and such blocking is necessary to protect them while a final decision is adopted;
d) Promote and disseminate the rights of individuals regarding the processing of personal data, and implement educational campaigns to train and inform citizens about the exercise and guarantee of the fundamental right to data protection;
e) Issue instructions on the measures and procedures necessary for adapting the operations of data controllers and processors to the provisions of this Act;
f) Request from data controllers and processors the information necessary for the effective exercise of its functions;
g) Issue declarations of conformity on international transfers of data;
h) Manage the National Public Register of Databases and issue the orders and acts necessary for its administration and operation;
i) Suggest or recommend adjustments, corrections or adaptations to the regulations so that they are consistent with technological, computing or communications developments;
j) Require the collaboration of international or foreign entities when the rights of the Holders are affected outside Colombia on the occasion of, among others, the international collection of personal data;
k) Other functions as assigned by law.


CHAPTER II.
PROCEDURE AND SANCTIONS.

ARTICLE 22. PROCESSING. The Superintendency of Industry and Commerce, once a breach of the provisions of this law by the controller or the processor has been established, shall adopt the relevant measures or impose the appropriate sanctions.
In matters not regulated by this law and the relevant procedures, the relevant rules of the Administrative Code shall be followed.



ARTICLE 23. SANCTIONS. The Superintendency of Industry and Commerce may impose on data controllers and processors the following sanctions:
a) Fines of a personal and institutional character up to the equivalent of two thousand (2,000) minimum monthly wages in force at the time of the imposition of the sanction. Fines may be successive for as long as the failure that originated them persists;
b) Suspension of activities related to treatment for a term of six (6) months. In the event of suspension, the corrective measures to be taken shall be indicated;
c) Temporary closure of operations related to treatment once the term of suspension has elapsed without the corrective measures ordered by the Superintendency of Industry and Commerce having been taken;
d) Immediate and definitive closure of the operation involving the processing of sensitive data;

PARAGRAPH. The sanctions referred to in this article apply only to persons of a private nature. In the event that the Superintendency of Industry and Commerce notices an alleged breach of the provisions of this Act by a public authority, it shall refer the matter to the Attorney General's Office so that it may carry out the respective investigation.


ARTICLE 24. CRITERIA FOR GRADUATING SANCTIONS. The sanctions for violations referred to in the previous article shall be graduated according to the following criteria, as applicable:
a) The extent of the damage or danger to the legal interests protected by this law;
b) The economic benefit obtained by the infringer or third parties by virtue of the commission of the offense;
c) Repeated commission of the offense;
d) Resistance, refusal or obstruction to the investigative or surveillance action of the Superintendency of Industry and Commerce;
e) The reluctance or contempt in complying with orders issued by the Superintendency of Industry and Commerce;
f) The express recognition or acceptance by the party under investigation of the commission of the offense prior to the imposition of the sanction, as may be appropriate.


CHAPTER III.
THE NATIONAL REGISTRY OF DATABASES.

ARTICLE 25. DEFINITION. The National Registry of Databases is the public directory of the databases subject to treatment that operate in the country.
The registry will be administered by the Superintendency of Industry and Commerce and will be freely consultable by citizens.
To register a database, interested parties must provide the Superintendency of Industry and Commerce with the information processing policies, which will bind the controllers and processors of the database, and whose breach will lead to the appropriate sanctions. Treatment policies may in no case be lower than the duties under this Act.
PARAGRAPH. The National Government shall regulate, within the year following the enactment of this Act, the minimum information that the registry must contain, and the terms and conditions under which data controllers must register in it.


TITLE VIII.
DATA TRANSFER TO THIRD COUNTRIES.

ARTICLE 26. PROHIBITION. The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country provides an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the subject, which in no case may be lower than those that this law requires of its recipients.
This prohibition shall not apply in the case of:
a) Information regarding which the Holder has given his express and unequivocal authorization for the transfer;
b) Exchange of medical data, when required by the Treatment of the Holder for reasons of health or public health;
c) Stock exchange or banking transfers, under the law applicable to them;
d) Transfers agreed under international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity;
e) Transfers necessary for the performance of a contract between the Holder and the controller, or for the implementation of precontractual measures, provided that the consent of the Holder has been obtained;
f) Transfers legally required to safeguard the public interest or for the establishment, exercise or defense of a right in judicial proceedings.
PARAGRAPH 1. In cases not listed as an exception in this Article, it is for the Superintendency of Industry and Commerce to issue the declaration of conformity on the international transfer of personal data. For this purpose, the Superintendent is empowered to require information and to carry out the proceedings aimed at establishing compliance with the requirements for the viability of the operation.
PARAGRAPH 2. The provisions of this Article shall apply to all personal data, including those covered by Law 1266 of 2008.


TITLE IX.
OTHER PROVISIONS.


ARTICLE 27. BINDING CORPORATE RULES. The National Government will issue the corresponding regulations on Binding Corporate Rules for the certification of good practices in personal data protection and its transfer to third countries.

ARTICLE 28. TRANSITIONAL REGIME. Persons who, at the date of entry into force of this law, are exercising any of the activities regulated here shall have a period of up to six (6) months to conform to the provisions of this law.


ARTICLE 29. REPEAL. This law repeals all provisions that are contrary to it, except those referred to in Article 2.


ARTICLE 30. EFFECTIVE DATE. This law governs from its promulgation.


The President of the honorable Senate,
ROY LEONARDO BARRERAS MONTEALEGRE.
The Secretary General of the honorable Senate,
GREGORIO ELJACH PACHECO.
The President of the honorable House of Representatives,
AUGUSTO POSADA SÁNCHEZ.
The General Secretary (E) of the honorable House of Representatives,
FLOR MARINA RAMIREZ DAZA.
REPUBLIC OF COLOMBIA - NATIONAL GOVERNMENT
Let it be published and enforced.
In compliance with the provisions of Judgment C-748 of 2011 issued by the Constitutional Court, the bill is hereby enacted; the Judgment orders the transfer of the case file to Congress to continue the required process and its subsequent delivery to the President of the Republic.
Given in Bogotá, DC, on October 17, 2012.

JUAN MANUEL SANTOS CALDERON
The Minister of Justice and Law,
Ruth Stella Correa Palacio.
The Minister of Finance and Public Credit,
Mauricio Cardenas Santa Maria.
The Minister of Commerce, Industry and Tourism,
Sergio Diaz-Granados Guida.
The Minister of Technology, Information and Communications,
Diego Molano Vega.
JUDGMENT C-748-11.

STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Object
CONSTITUTIONAL LAW OF STATUTORY DRAFT BILL-Features
STATUTORY BILL-General requirements / STATUTORY BILL-Special requirements
STATUTORY LAW-Law of special hierarchy / STATUTORY LAW-Subject matter subject to statutory law

Statutory laws are a special type of law of special hierarchy, whose essential aim is to safeguard the matters they regulate, which are: fundamental rights and duties as well as the procedures and remedies for their protection; the administration of justice; the organization and governance of political parties and movements, the status of the opposition and electoral functions; institutions and mechanisms for citizen participation; states of emergency; and electoral equality between candidates for the Presidency of the Republic. These matters are of cardinal importance for the development of Articles 1 and 2 of the Charter, as their special regulation guarantees the validity of constitutional principles and aims at achieving the essential purposes of the State. Thus, imparting rigor to the approval of the regulation of such matters, and giving higher rank to the laws that enshrine them, are suitable means to achieve the effectiveness of constitutional rights, the safeguarding of a just order, and the existence of a democratic and participatory system.
Every bill, in order to become law, must meet the following requirements: be officially published by Congress before being sent to the respective committee; undergo the corresponding debates in the committees and plenary sessions of the Chambers, after the respective reports have been presented and respecting the quorum provided by Articles 145 and 146 of the Constitution; have the bill announced prior to its discussion and vote in each of the committees and plenary sessions, a requirement that also applies to the debates on the reports of conciliation commissions, which shall be published at least one day before their discussion and approval; respect the terms for debate provided for in Article 160, that is, eight days between the first and second debate in each chamber, and fifteen days between the approval of the bill in one of the chambers and the initiation of the debate in the other; respect the principles of unity of matter, identity and consecutiveness; and have obtained government sanction, which, in the case of statutory laws, is given after the Constitutional Court has carried out the prior ex officio review of constitutionality and declared, therefore, that the provisions of the bill conform to the Charter. In addition to the above, because it is a statutory bill, it is necessary that the bill: (i) has been approved by an absolute majority and (ii) has been processed in a single legislature.
STATUTORY BILL-Processing in a single legislature refers only to proceedings in Congress
According to the settled case-law of this Court, the Constitution mandates that the bill's passage through Congress take place within one legislature, that is, that it be modified and approved by the Chambers during that period; but the constitutional review by the Court and the presidential approval can occur outside the legislature. If the process that must be completed in a single legislature included review by the Court or presidential objections and sanction, it would be virtually impossible to approve, amend or repeal statutory laws, or they would have to be dealt with in Congress too quickly, without proper democratic discussion, and even with improvisation.
PRIOR CONSULTATION OF INDIGENOUS AND ETHNIC GROUPS IN STATUTORY LAW LEGISLATIVE PROCESS-Not necessary when the regulation is general and does not directly affect ethnic communities
While the Court has stated that consultation with ethnic communities likely to be directly affected by a legislative measure constitutes a procedural requirement that must be fulfilled before the respective legislative process, being necessary in the case of decisions directly affecting one or more ethnic communities, in the present case an examination of the content of the bill leads to the conclusion that the measures it is intended to adopt do not directly relate to any ethnic community settled in the country, so that prior consultation was not a prerequisite. Indeed, the bill only establishes a general regime for data protection in Colombia, comprising legislation for society in general, and does not define a specific treatment directly aimed at ethnic communities; it therefore does not directly affect Colombian ethnic communities, and consultation processes were not necessary before starting the legislative process.

CONSTITUTIONAL CONTROL OF STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Legislative process
In general terms, the legislative process for the draft statute on habeas data and protection of personal data met the constitutional requirements provided for any legislative decision, and particularly for such laws of special hierarchy: the text was presented to Congress and published in a timely manner along with the explanatory memorandum; its approval, which began in the First Committee of the House of Representatives, was carried out within a single legislature; the debates were held in the permanent committees and plenary sessions of both legislative chambers; the papers, along with the sheets of amendments, were published, and the prior announcements for discussion and approval were complied with; following the differences between the texts approved by the House of Representatives and the Senate, an accidental conciliation commission was formed to overcome the discrepancies, and the conciliation report was published and approved by both the House of Representatives and the Senate by roll-call vote with an absolute majority; and the prior announcement of the vote, the corresponding approval, and the terms that must elapse between the debates in committees and between the legislative chambers were verified. However, the same cannot be said of Articles 29, 30 and 31, which, given the way in which they were included, did not observe the mandates of the principles of consecutiveness and flexible identity, and were therefore declared unconstitutional.
PRINCIPLE OF UNITY OF MATTER IN STATUTORY BILL-Characterisation / PRINCIPLE OF UNITY OF MATTER IN STATUTORY BILL-Violation constitutes a material defect
Under the principle of unity of matter, each of the provisions that make up a legal body must belong to its thematic core, which may be identified, among other things, by what is set out in its title. This principle seeks to prevent the subject regulated by a provision from being absolutely outside the thematic core of the law that contains it. Thus, unity of matter is violated when what is regulated in an article bears no relation to the subject of the legal body that contains it; constitutional jurisprudence has understood that the violation of the principle of unity of matter constitutes a material defect. Referring to the constitutional scope of the principle of unity of matter, the Court has indicated that it is intended to "ensure that laws have systematic and integrated content, based on a single theme, or possibly several interrelated themes. The importance of this principle is that its application seeks to prevent legislators and citizens from being caught by the surreptitious adoption of rules that have nothing to do with the subject(s) that is (are) the theme of the law passed, and that, for that reason, may not have undergone the necessary democratic debate within the legislative chambers. Due observance of this principle contributes to the internal consistency of norms and facilitates their compliance and enforcement by avoiding, or at least reducing, the interpretive difficulties and discussions that may arise in the future as a result of the existence of provisions unrelated to the main subject of the law".
PRINCIPLE OF UNITY OF MATTER-Thematic, teleological, causal or systematic connectedness
PRINCIPLE OF IDENTITY IN LEGISLATIVE PROCESS-Scope
The principle of identity arises from the constitutional mandate whereby, during the second debate, each chamber may introduce the amendments it deems appropriate, as long as they do not change the essence of the bill approved until then, since in that case all the debates required under Article 157 would have to be completed. The Court determined as the conceptual core of the principle of relative identity "the idea that over the four debates substantially the same project is maintained, i.e., that the changes which, in exercise of the principles of pluralism and majority decision, can be made to the project are not of such magnitude that they end up turning it into a completely different one".
PRINCIPLE OF CONSECUTIVENESS IN LEGISLATIVE PROCESS-Scope / PRINCIPLES OF IDENTITY AND CONSECUTIVENESS IN LEGISLATIVE PROCESS-Relationship

The principle of consecutiveness establishes the requirement that all matters approved in a law must have been debated by the standing committees and the plenary sessions of both chambers. This does not mean that each of the variations arising during the legislative process must be returned to first debate to go through the whole process again, but rather that those issues not covered at all during the previous stages must be returned to be discussed or approved by the committee and/or plenary that previously considered the bill. If this is not done, the provisions concerned are understood to be unconstitutional, vitiated by violation of Article 157 of the Charter. Thus the principle of consecutiveness is predicated not of the exact contents of the articles, but of the matters or issues regulated in the law that contains them. The principle of relative identity is usually related automatically to, and even identified with, the principle of consecutiveness; the relationship is not always inevitable, however, since it may happen that a provision has not been approved in the four debates without its content turning the bill into an entirely different one. Nevertheless, whenever a defect for violation of the principle of identity is identified through the introduction of an amendment, it also results in a violation of consecutiveness, precisely because such changes, although essential, were not approved or even discussed in all the required debates. So not every transgression of consecutiveness involves a violation of identity, but any violation of identity involves a breach of consecutiveness.
PRINCIPLES OF CONSECUTIVENESS AND IDENTITY IN LEGISLATIVE PROCESS-Disregard constitutes an irremediable defect
PRINCIPLES OF CONSECUTIVENESS AND IDENTITY IN STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Disregard by introducing subjects that did not go through the required debates
PRINCIPLES OF CONSECUTIVENESS AND IDENTITY IN STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Disregard because articles related to criminal records data and the handling of intelligence and counterintelligence data were introduced in the third and fourth debates
In relation to Articles 29, 30 and 31 of the draft statute, concerning data relating to the certificate of no criminal record and the handling of intelligence and counterintelligence data, although their content is not foreign to the subject matter of the bill and therefore does not violate the unity of matter, they do clearly breach the principle of consecutiveness, because the matters dealt with in those provisions were not the subject of the previous debates, since they were introduced in the third and fourth debates.
ACCIDENTAL CONCILIATION COMMISSIONS IN LEGISLATIVE PROCESS-Composition / ACCIDENTAL CONCILIATION COMMISSIONS IN LEGISLATIVE PROCESS-Competence
Jurisprudence has been clear in establishing that the object of the accidental conciliation commissions, and of the approval of their reports, is limited to overcoming the discrepancies between the texts of each chamber, considering that, given their purely accidental nature, conciliation commissions cannot perform the legislative function assigned by the Constitution and the law to the permanent constitutional committees and the plenary of each House, since it is in these that the process of deliberation and approval of the different legal norms must be completed.
RIGHT TO HABEAS DATA-Origin, evolution and regulation in the field of international law
RIGHT TO HABEAS DATA-Concept / RIGHT TO HABEAS DATA-Lines of interpretation in constitutional jurisprudence / RIGHT TO HABEAS DATA-Autonomous fundamental right

In constitutional jurisprudence, the right to habeas data was first interpreted as a guarantee of the right to privacy: it was said to protect data pertaining to private and family life, understood as the impenetrable individual sphere in which everyone can pursue their life project and in which neither the State nor other individuals can interfere. Also, from the early years of the new Charter, a second interpretative line arose in the Court that considered habeas data a manifestation of the free development of personality. According to this line, habeas data has its ultimate foundation "(...) in the field of self-determination and freedom that the law recognizes the subject as an indispensable condition for the free development of personality and dignity in avenging his honor". From 1995 onward, a third line of interpretation emerged, which has prevailed since then and which regards habeas data as an autonomous right whose core is composed of informational self-determination and freedom, including economic freedom. This right, as an autonomous fundamental right, requires for its effective protection mechanisms that guarantee it, which should depend not only on the judges but also on an administrative institution that, in addition to exercising control and surveillance over subjects of both public and private law, ensures effective enforcement of data protection and, because of its technical nature, has the ability to set public policy on the matter, without political interference in carrying out those decisions.
RIGHT TO HABEAS DATA-Minimum contents
Among the prerogatives or minimum contents that emerge from the right to habeas data are at least the following: (i) the right of people to know (access) the information collected about them in databases, which entails access to the databases where that information is held; (ii) the right to include new data so that a complete picture of the holder is provided; (iii) the right to update information, i.e., to bring the content of these databases up to date; (iv) the right to have the information in databases rectified or corrected so that it is consistent with reality; (v) the right to exclude information from a database, either because it is being misused or simply by the will of the holder, save for the exceptions provided for in the regulations.
STATUTORY LAW RESERVE AS TO MATTERS SUBJECT TO REGULATION-Jurisprudential criteria to determine it
STATUTORY LAW RESERVE ON FUNDAMENTAL RIGHTS-Is predicated only of essential structural elements / ESSENTIAL CORE OF A FUNDAMENTAL RIGHT-Concept
The Court has stated that, with respect to fundamental rights, the statutory law reserve is not predicated of the regulation of every matter linked to fundamental rights but only of the essential structural elements of fundamental rights, so that statutory laws should not regulate in detail each variant or each manifestation of such rights or all those aspects that have to do with their exercise. To define the essential structural elements, constitutional jurisprudence has used the theory of the essential core, according to which fundamental rights have: (i) a core or essential content that cannot be limited by political majorities or disregarded in any case, even when a fundamental right collides with another of the same type or with another constitutional principle; and (ii) an adjacent content open to regulation. In accordance with constitutional jurisprudence, it is the responsibility of the statutory legislator to develop important aspects of the essential core, the following being matters proper to statutory laws: (i) the establishment of limits, restrictions, exceptions and prohibitions of general scope; and (ii) the basic principles that guide their exercise. Another element that can be deduced from an examination of the structure of fundamental rights is the definition of the basic prerogatives that arise from the right for its holders and that become obligations for the obligated parties.
RIGHT TO HABEAS DATA-Justification for regulation by statutory law
HABEAS DATA-Protection models in comparative law
CENTRALIZED MODEL OF DATA PROTECTION-Features / SECTORAL MODEL OF DATA PROTECTION-Features

In comparative law there are two widely recognized models of data protection: a centralized model and a sectoral model. The centralized model, implemented in European countries and, with some modifications, within the European Union, starts from a general category of personal data and from the idea that any treatment of them is per se potentially problematic, which is why it should be subject to common principles and minimum guarantees, to be complemented by special regulations according to the type of data and the interests involved, but which in no way imply a repeal of the general protection standards, applicable to both the public and private sectors. Typical of this model is the existence of an independent and autonomous central entity, which oversees the implementation, compliance and enforcement of the general protection standards, and which is empowered to authorize or prohibit international transfers of data depending on the equivalence of the protection afforded by the country of destination. In contrast, the sectoral model does not start from a common category of personal data and therefore does not consider that all such data should be subject to the same minimum regulation; under this model, special and different regulations are adopted for each type of personal data, depending on their relationship with intimacy (or privacy, as it is called in the Anglo-Saxon system) and on the protection of higher interests such as national security and defense. That is, sectoral regulation is based on a kind of balancing of interests that results in different rules depending on the type of data and gives the authorities greater or lesser powers of intervention. In this model, the verification of compliance with the rules is also assigned to sectoral authorities, which are endowed with different powers of surveillance and control according to the level of intervention imposed by the legislature.
HYBRID MODEL OF DATA PROTECTION-Corresponds to the regulatory model adopted in the Colombian case
In Colombia, the bill that led to Law 1266 of 2008, which was the subject of Judgment C-1011 of 2008, sought to become a law of general principles applicable to all categories of personal data; but despite its claim of generality, the bill really only established basic standards of protection for the financial and commercial information used to calculate people's level of credit risk. So in that judgment the Court made clear that the subject matter of what would later become Law 1266 is only financial and commercial data. Therefore, Law 1266 can only be considered a sectoral regulation of habeas data. Now, the new bill seeks to fill the void of minimum standards for the protection of all personal data, hence its title is precisely "Whereby general provisions for the protection of personal data are issued". It follows that, with the introduction of this general and minimum regulation, applicable to a greater or lesser extent to all personal data, the legislature has given way to a hybrid protection system in which a law of general principles converges with other sectoral regulations, which should be read in accordance with the general law but which introduce specific rules that address the complexity of the treatment of each type of data.
STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Scope and exceptions
FILE AND DATABASES-Concepts
STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Expression "entities" in the scope includes both natural and legal persons

PERSONAL DATA-Characteristics
Constitutional jurisprudence has stated that the characteristics of personal data are as follows: (i) they refer to aspects that are exclusive and specific to a natural person; (ii) they allow the person to be identified, to a greater or lesser extent, thanks to the overall picture achieved with them and other data; (iii) their ownership resides exclusively in the holder, which is not altered by their acquisition by a third party, lawfully or unlawfully; and (iv) their treatment is subject to special rules (principles) as regards their collection, management and disclosure.
RIGHT TO HABEAS DATA AND DATA PROTECTION-Principles for the processing of personal data

The draft statutory law establishes, in the field of the processing of personal data, the principles of legality, purpose, freedom, accuracy or quality, transparency, restricted access and circulation, security, and confidentiality. These principles are without prejudice to the application, in the process of database management, of the guiding principles derived directly from the Constitution, as well as those derived from the thematic core of the draft statute, which, although not enumerated, are understood to be incorporated by virtue of a systematic reading of the draft Statutory Law.
RIGHT TO INFORMATIONAL SELF-DETERMINATION-International standards and governing principles
SENSITIVE DATA IN STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Definition / SENSITIVE DATA IN STATUTORY BILL ON HABEAS DATA AND PROTECTION OF PERSONAL DATA-Prohibition of their treatment and exceptions to the prohibition
The draft statutory law defines as sensitive data "(...) those that affect the privacy of the Holder and whose misuse can generate discrimination against them ...", a definition that is in line with constitutional jurisprudence and whose delimitation, besides protecting habeas data, is a guarantee of the right to privacy, which is why it is compatible with the Constitution. Similarly, the prohibition of their processing, as a general rule, is not only compatible with the Charter but is a requirement of the right to privacy and a development of the habeas data principle of restricted access and circulation. However, the provision recognizes that in certain cases the processing of such data is essential for the proper provision of services (such as health care and education) or for the realization of rights linked precisely to the intimate sphere of people (such as freedom of association and the exercise of religious freedom and freedom of opinion); the exceptions respond precisely to the need to process sensitive data in these scenarios. Because these excepted cases can generate high risks of violation of habeas data, privacy and even the dignity of data subjects, the agents who carry out the treatment in these cases bear an enhanced responsibility, which translates into a more demanding standard that should also be reflected in the administrative and criminal sanctioning sphere.
INTERESTS OF THE CHILD-Prohibition of the processing of personal data of children and adolescents
RIGHTS OF HOLDERS OF PERSONAL DATA-International regulatory framework
RIGHT TO HABEAS DATA IN PROCESSING OF PERSONAL DATA-Principles and guarantees
CONSTITUTIONAL RIGHT TO HABEAS DATA IN PROCESSING OF PERSONAL DATA-Events in which revocation of the authorization and deletion of data are appropriate
Habeas data gives the individual a group of powers so that, in exercise of the general clause of freedom, they can control the information about themselves that has been compiled in an information center. This control does not consist only of prior authorization for the treatment of data: the individual is also free to decide which information they want to remain in, and which should be excluded from, a source of information, as long as there is no legal mandate that imposes such a duty and no contractual obligation between the person and the data controller that necessitates the permanence of the data. Thus, the right to habeas data empowers the holder of personal data to demand from data administrators access, inclusion, exclusion, correction, addition, updating and certification of the data, as well as the limitation of the possibilities of disclosure, publication or assignment thereof, in accordance with the principles governing the process of managing personal data. Consequently, the Holder may revoke the authorization and request the deletion of data when: (i) the constitutional and legal principles, rights and guarantees are not respected, in which case, in order to ensure due process, the Superintendence of Industry and Commerce must determine that the controller has engaged in conduct contrary to the legal order; and (ii) by virtue of the free and voluntary request of the Holder of the data, where there is no legal or contractual obligation imposing on the Holder the duty to remain in said database.
HABEAS DATA IN PROCESSING OF PERSONAL DATA-Rights and conditions of legality

HABEAS DATA IN PROCESSING OF PERSONAL DATA-Requirement of free, prior, express and informed consent of the owner of the data / HABEAS DATA IN TREATMENT OF PERSONAL DATA-Cases of exception to the authorization or consent for use of the data do not violate the Constitution
The consent of the holder of the information is a prerequisite for the constitutional legitimacy of personal data management processes, and it is a qualified consent: it must be prior, that is, the authorization must be provided at a stage before the incorporation of the data; express, in that it must be unequivocal; and informed, since the holder must not only accept the treatment of the data but must also be fully aware of the effects of their authorization. The bill sets out the cases in which authorization is not necessary: when the information is required by a public or administrative entity in the exercise of its legal functions or by court order; data of a public nature; cases of medical or health emergency; treatment authorized by law for historical, statistical or scientific purposes; and data related to the civil registration of persons. In these cases there are important constitutional interests that justify such a restriction.
PUBLIC INFORMATION-Concept / PUBLIC INFORMATION-Access without reservation and without authorization being required
REGULATORY POWER-Nature and scope
The Court has said that the regulatory authority has its basis in the provisions of Article 189-11 of the Political Constitution, and implies that the Executive is vested with the power to issue the decrees, resolutions and orders necessary for the execution of the laws. The regulatory authority therefore has an "ordinary, derivative, limited and permanent" nature. It is ordinary because it is a function of the Executive Branch whose exercise requires no enabling other than the constitutional provision that confers it. It has a derivative character, since it requires the prior existence of legislative material for its exercise. It is limited because it "finds its limit and range in the Constitution and the law, so it cannot alter or modify the content and spirit of the law, nor may it regulate laws whose execution does not fall to the administration, nor may it regulate matters whose content is reserved to the legislature." Finally, "the regulatory authority is permanent, given that the Government can make use of it as often as it sees fit for the proper execution of the law in question and for as long as the law retains its validity."
PROVISION AUTHORIZING THE GOVERNMENT TO REGULATE THE WAY TO PROVIDE INFORMATION TO THE HOLDER OF DATA-Raises no objection and fulfils the constitutional purpose of the regulatory power
There is no objection to the power granted to the national government, because it concerns a highly technical, delimited matter that does not touch the essential aspects of the fundamental right, much less amounts to a comprehensive regulation thereof. Therefore, in this context, the statutory legislator directs the National Government, through its regulatory power, to specify how the information will be delivered to the Holder. On this point, it should be recalled that the Court has admitted the constitutionality of such provisions, as long as the legislature has established a legislative material content as a basis for the exercise of that power.
CONSULTATIONS AND CLAIMS TO DATA CONTROLLERS AND PROCESSORS-Standing / CONSULTATIONS AND CLAIMS TO DATA CONTROLLERS AND PROCESSORS-Procedure
RIGHT TO HABEAS DATA IN PROCESSING OF PERSONAL DATA-Consultations and claims as mechanisms to make it effective

Articles 14 and 15 of the bill regulate the mechanisms of consultation and claim available to the owner of the data or their assignees before the controller or data processor, in order to make effective the right to habeas data. It is noted that: (i) the owners or their successors may consult the personal information of the holder held in any public or private database; (ii) controllers and processors must provide the holder with all the information contained in the database, whether it is in an individual record or is associated with the holder's identification; (iii) the controller and the processor must have some means enabled for the consultation to be made, which should allow a record of it to be kept; (iv) the consultation must be resolved within a maximum period of 10 working days from the date of receipt of the application; and (v) in the event of not being able to answer within that term, they must inform the owner of the reasons. In any case, the answer must be received within 5 days after the expiration of the first term. This provision is a typical regulation of the right of petition enshrined in Article 23 of the Constitution, which in the case under study translates into the right of holders of habeas data or their successors to present to the public or private entities that manage databases requests for the information or data held about them, and into the terms for the consultation. Article 15, in turn, regulates the claims that the owner of the data or their assignees may make to the controller or processor to correct, update or delete the information contained in the database, or when it is considered that any of the duties incumbent on them has not been complied with.
RIGHT OF PETITION-Instrumental right / RIGHT OF PETITION-Characteristics of a response that satisfies it / RIGHT OF PETITION IN CONSULTATIONS ON PERSONAL DATA-Regulation
Constitutional jurisprudence has outlined some features that the answer must have for the right of petition to be understood as satisfied, which data controllers and processors are obliged to observe, and which can be summarized as follows: (i) the answer must be substantive, i.e., it cannot evade the purpose of the request; (ii) it must be a complete and clear answer to the questions raised by the applicant; (iii) it must be timely, which entails respecting the terms set out in the provision. Thus, the right of petition regulated in the provision under analysis becomes an instrument available to the holder of the data to make enforceable the autonomous right of habeas data. The right of petition is defined as an instrumental right through which the citizen approaches the administration or those private parties who, because of the activities they perform, hold a privileged position over other individuals, which requires the State to regulate mechanisms that give the latter a tool to force them to respond to the concerns and disagreements that may arise by reason of the activity they carry out, seeking to achieve the satisfaction of other fundamental rights.
COMPLAINT BEFORE THE SUPERINTENDENCE OF INDUSTRY AND COMMERCE-Procedural requirement / TUTELA ACTION FOR THE PROTECTION OF THE RIGHT TO HABEAS DATA-Admissibility
The provision laid down in the statutory bill states that a complaint may be raised with the Superintendence of Industry and Commerce, as data protection authority, only once the process of consultation or complaint with the controller or data processor has been exhausted. This is proportionate and reasonable, since the rule: (i) does not set unreasonable deadlines for treatment agents to respond to consultations and complaints; and (ii) regulates the procedure in detail, which guarantees the holder that, in order to obtain the answer to a consultation or complaint, the party required will not place obstacles in the way of the exercise of their right, and in the event that this happens, it will suffice to go before the data protection authority.
CONTROLLER OF PERSONAL DATA-Definition

The controller is the one who defines the purposes and essential means for the treatment of data, including those who act as source and user, and the duties ascribed to the controller respond to the principles of data management and to the rights (privacy and habeas data) of the holder of the personal data. The controller is the one who must request and retain the authorization recording the express consent of the owner for the processing of the data, and report clearly the purpose of it.
PROCESSOR OF PERSONAL DATA-Definition
The processor is the one who performs the processing of personal data on behalf of the data controller and who, in compliance with the principles of freedom and purpose, upon receiving the delegation to treat the data in the terms determined by the controller, must ensure that the latter is authorized for the treatment and that the treatment will be performed for the purposes informed to and accepted by the owner of the data. Although, because of the position each of these subjects occupies in the stages of the data treatment process, it is the controller who is responsible for obtaining and retaining the authorization of the holder, this does not prevent the processor from asking its client to show the authorization and from verifying that the purpose informed to and accepted by the owner of the data is fulfilled.
RIGHT TO HABEAS DATA IN PROCESSING OF PERSONAL DATA-Duties and responsibilities of controllers and processors / RIGHT TO HABEAS DATA IN PROCESSING OF PERSONAL DATA-Responsibility in cases where the qualities of controller and processor concur
In the draft statute the legislature listed, in separate provisions, the duties of controllers and of processors, duties which, generally speaking, seek to ensure the full exercise of the right to habeas data by the holders and the observance of the principles of personal data management. These duties placed on the controller and the processor make it possible to secure, prima facie, the scope of protection of the right of habeas data, because, as this Corporation said in Judgment C-1011 of 2008, all the principles of personal data management identified by constitutional jurisprudence are effective against all those involved in the processes of collection, processing and circulation of data, regardless of their position in the treatment of the data. Since it is possible for a processor to end up becoming a controller by defining the purpose and the essential elements of the treatment, its duties will then be not only those the bill assigns to its initial condition but also those of the condition it comes to hold; and in the event that the qualities of controller and processor concur in the same person, that person will be required to fulfil the duties provided for each. The same applies when that quality shifts as a result of the treatment that one of them comes to give to the personal data. Also, despite the use of a terminology different from that used by Law 1266 of 2008, the fact is that both the controller and the processor have clear, specific and precise responsibilities towards the holder of the data, because both subjects are required to ensure the full and effective exercise of the right to habeas data, which permeates all the principles governing data processing, and under which the holder has all the means to achieve the updating, rectification, and exclusion or deletion of information, as discussed in the previous section.
In these terms, both the controller and the processor have a concurrent responsibility for the accuracy, completeness, purpose and incorporation of data, considering that the collection and processing of data is not a neutral activity that prevents the processor from answering even for the accuracy of the information being processed, because it falls to it to ensure that the requirements for personal data to be processed are met; and if it is not possible to identify clearly the position of one and the other, they will have to respond jointly and severally and cannot excuse themselves from their duties of updating, rectification and exclusion or deletion of data.
SUPERINTENDENCY OF INDUSTRY AND COMMERCE-Powers as personal data protection authority / SUPERINTENDENCY OF INDUSTRY AND COMMERCE-Powers regarding habeas data and protection of personal data
ADMINISTRATIVE POLICE POWER-Exercise by the Superintendency of Industry and Commerce

Article 19 of the draft statute regulates the data protection authority and designates as such the Superintendency of Industry and Commerce, through a Delegatura for the Protection of Personal Data, which involves creating, within the structure of the Superintendency, an office for a Chief Superintendent to exercise the functions of data protection authority. This makes clear that the protection of personal data requires not only regulation that enshrines the principles governing the treatment of data, the rights of the owner, and the duties and responsibilities of the persons involved in its treatment, whatever name they are given, but also an express penalty system and an institutional framework that allows effective control and guarantee of the right to habeas data. Superintendencies, although they sit within the executive branch of government and under the President of the Republic, are independent and autonomous because they are technical agencies with administrative autonomy, obliged in exercising their powers to observe the principles that, under Article 209 of the Constitution, govern the administrative function. Both characteristics ensure compliance with the international standards set for the authorities responsible for data protection.
CURRENT INCOME OF THE NATION-Classification
SUPERINTENDENCY OF INDUSTRY AND COMMERCE-Fines imposed are non-tax revenues that cannot be used for the operation of the Superintendency / SUPERINTENDENCY OF INDUSTRY AND COMMERCE-Allocating the fines imposed to its operation contradicts the prohibition on earmarked revenues and the principle of cash unity
PRINCIPLES OF SPECIFICITY OF SPENDING AND CASH UNITY-Violation
In accordance with Article 359 of the Constitution, which stipulates that "There will be no earmarked revenues", a principle closely related to the principle of cash unity set out in Decree 111 of 1996 (Organic Budget Statute), which states that "with the collection of all income and capital resources, the timely payment of all appropriations authorized in the General Budget of the Nation shall be met"; that is, all government revenue must enter, without prior earmarking, a common fund from which it is allocated to finance public spending. The Chamber therefore concludes that allocating to the operation of the Superintendency of Industry and Commerce the fines generated in the performance of the functions assigned in the bill under review contradicts the prohibition on earmarked revenues and the principle of cash unity established by the Organic Statute of the National Budget.
DATA PROTECTION AUTHORITY-International standards
PERSONAL DATA PROTECTION AUTHORITY IN COMPARATIVE LAW-Spain
PERSONAL DATA PROTECTION AUTHORITY IN COMPARATIVE LAW-Portugal
PERSONAL DATA PROTECTION AUTHORITY IN COMPARATIVE LAW-Argentina
PROTECTION OF PERSONAL DATA IN COMPARATIVE LAW-Uruguay
STATE SANCTIONING POWER-Definition / STATE SANCTIONING POWER-Principles to which it is subject

The state's sanctioning power has been defined as an instrument of self-protection, since it helps preserve the institutional legal order by assigning the administration powers that enable it to impose on its own officials and on individuals, including by punitive means, compliance with a discipline whose observance contributes to the performance of its tasks. This power is a manifestation of jus puniendi and is subject to the following principles: (i) The principle of legality, which means that a law must regulate it; that is, it can only be defined by the ordinary or extraordinary legislator. (ii) The principle of typicity, which, although not as rigorous as in criminal law, does oblige the legislature to describe the conduct or behavior that gives rise to the sanction and to determine the penalty explicitly. (iii) Due process, which requires, among other things, the definition of a procedure, even a summary one, that ensures due process and, in particular, the right to defense, including the express designation of the authority competent to impose the sanction. (iv) The principle of proportionality, which means that the penalty must be proportionate to the misdemeanor or administrative offense it seeks to punish. (v) Independence from the criminal penalty; this means that the sanction can be imposed regardless of whether the event giving rise to it may also constitute a violation of the criminal regime.
PRINCIPLE OF TYPICITY IN DISCIPLINARY ADMINISTRATIVE LAW-Not violated when the failure or violation is described specifically and accurately, or is determinable
REFERRAL RULES AND PRINCIPLES OF DUE PROCESS AND DEFENSE IN-Application Penalty system is not unconstitutional
The Chamber finds that, for the procedure to be followed in imposing sanctions, the provision refers to the Administrative Code; that is, although the statutory legislature did not expressly establish "the procedure" for applying the sanctions referred to in Article 23, the referral made in that provision is consistent with Article 29 of the Constitution, since there is indeed a specific procedure for the data protection authority to apply, a procedure that satisfies the right to due process and defense.
PENALTY SYSTEM IN HABEAS DATA AND PROTECTION OF PERSONAL DATA-Respects the principles of legal reserve, legality and typicality
SANCTIONS IN HABEAS DATA AND PROTECTION OF PERSONAL DATA-Competence to impose them and their grading
SANCTIONING REGIME IN HABEAS DATA AND PERSONAL DATA PROTECTION LAW-Satisfies the principles of proportionality and reasonableness
NATIONAL REGISTER OF DATABASES-Creation / NATIONAL REGISTER OF DATABASES-Object / NATIONAL REGISTER OF DATABASES-Administration by the Superintendency of Industry and Commerce / NATIONAL REGISTER OF DATABASES-Regulation by the Government of content and enrollment conditions
INTERNATIONAL TRANSFER OF PERSONAL DATA-Origin
INTERNATIONAL TRANSFER OF PERSONAL DATA-Prohibition subject to verification of adequate levels of data protection / SUPERINTENDENCY OF INDUSTRY AND COMMERCE-Determines parameters guaranteeing protection of personal data / TRANSFER OF PERSONAL DATA TO OTHER COUNTRIES-Exceptions to the prohibition subject to prior express authorization of the owner of the data

The international transfer of personal data has emerged as a result of globalization and of the phenomena of economic and social integration, in which both companies and government agencies need to transfer personal data for different purposes. The ban on transferring personal data to countries that do not provide adequate levels of data protection is therefore sound, since it avoids infringing people's rights, such as the right to data privacy. A country is understood to offer adequate levels of protection if its legislation has principles covering the obligations and rights of the parties and of the data, and a procedure with protection mechanisms and authorities that makes the protection of information effective. Article 26 of the Bill creates a set of exceptions to the rule prohibiting the transfer of personal data to a country that does not ensure an adequate level of protection. For the Court these raise no objection of unconstitutionality, to the extent that there is prior express authorization from the owner of the data. The exception is paragraph f) of the same article, where the Court finds that the terms used may be subject to inaccuracies and, given their broad and ambiguous nature, cause difficulties at the time of application. Considering that what is being regulated is the fundamental right to habeas data, it must be remembered that limitations on its exercise imposed through exceptions must be precise, without using concepts whose degree of indeterminacy may compromise the exercise or enjoyment of other constitutional rights.
PROCESSING OF PERSONAL DATA-Concept / PROCESSING OF PERSONAL DATA-Touches key aspects of the right to habeas data
REGULATION OF THE TREATMENT OF PERSONAL DATA IN HABEAS DATA-Matter subject to statutory law / SPECIAL PROVISIONS IN HABEAS DATA LAW-Not subject to regulation by the Government
Processing of personal data is any operation or set of operations, whether automated or not, applied to personal data, especially its collection, storage, use, disclosure or suppression. The processing can be public or private and requires, under the jurisprudence of this Court, clear definitions of the object or activity of the entities that manage databases, their internal regulations, the technical mechanisms for the collection, processing, storage, security and disclosure of personal data, and the regulation of the users of the database administrators' services. With the treatment of personal data so understood, it is clear that its regulation is a competence reserved to the legislator, because it touches on aspects of the right to habeas data, and it can in no way be left to the executive to regulate. Under these conditions, Article 27 of the draft statute authorizes the Government to regulate the treatment of personal data that requires special provisions; that authorization is unacceptable, given that these regulations must be issued exclusively by the legislature and not by the executive.
CORPORATE STANDARDS-Concept / CORPORATE STANDARDS-A complement to State regulation for the protection of personal data / CORPORATE STANDARDS IN THE BILL ON HABEAS DATA AND PERSONAL DATA PROTECTION-Subject to government regulation
Corporate standards refer to corporate governance principles or good-practice rules created directly by organizations and binding on their members, which become international codes of conduct for the protection of personal data, in particular for its flow. The provision's delegation to the national government to regulate the minimum content of these corporate standards conforms to the Constitution: by developing the principles governing the management of personal data, these good-practice codes of conduct become an additional tool for the effective guarantee of the right to habeas data.
TRANSITIONAL REGIME IN THE BILL ON HABEAS DATA AND PERSONAL DATA PROTECTION-Provision does not violate the Constitution
Reference: record PE-032
Constitutional review of Draft Statutory Law No. 184 of 2010 Senate; 046 of 2010 House, "by which general provisions for the protection of personal data are issued"
Reporting Judge: JORGE IGNACIO PRETELT CHALJUB

Bogotá D.C., October six (6), two thousand and eleven (2011)
The Plenum of the Constitutional Court, composed of judges Juan Carlos Henao Pérez, who presides, María Victoria Calle Correa, Mauricio González Cuervo, Gabriel Eduardo Mendoza Martelo, Jorge Ivan Palacio Palacio, Nilson Pinilla Pinilla, Jorge Ignacio Pretelt Chaljub, Humberto Antonio Sierra Porto and Luis Ernesto Vargas Silva, in exercise of its constitutional powers and in compliance with the requirements and procedures established in Decree 2067 of 1991, has issued this judgment on the basis of the following,
1. BACKGROUND
1.1 By official letter of January 17, 2011, the President of the Senate of the Republic, Dr. Armando Benedetti Villaneda, referred to the Constitutional Court the text of Draft Statutory Law No. 184 of 2010 Senate; 046 of 2010 House, "by which general provisions for the protection of personal data are issued", in order for the Court to carry out the ex officio study referred to in Article 241-8 of the Constitution.
1.2 TEXT OF BILL:
"RECONCILED TEXT OF DRAFT STATUTORY LAW NUMBER 184 OF 2010 SENATE, 046 OF 2010 HOUSE
"by which general provisions for the protection of personal data are issued"
The Congress of Colombia DECREES:

TITLE I
PURPOSE, SCOPE AND DEFINITIONS
Article 1. Object. This law aims to develop the constitutional right of all people to know, update and rectify information gathered about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in Article 15 of the Constitution, as well as the right to information enshrined in Article 20 thereof.
Article 2. Area of application. The principles and provisions of this Act shall apply to personal data recorded in any database that makes them amenable to treatment by entities of a public or private nature.
This Act applies to the processing of personal data carried out in Colombian territory, or when Colombian law is applicable to a data controller or processor not established in national territory under international standards and treaties.
The system of protection of personal data established in this law shall not apply to:
a) Databases or files maintained in an exclusively personal or domestic sphere.
When these databases or files are to be provided to third parties, the owner must be informed beforehand and his or her permission requested. In this case the controllers and processors of the databases and files will be subject to the provisions of this law.
b) Databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and terrorist financing.
c) Databases whose purpose and content is intelligence and counterintelligence information.
d) Databases and archives of news reports and other editorial content.
e) Databases and files regulated by Law 1266 of 2008.
f) Databases and files regulated by Law 79 of 1993.
Paragraph. The data protection principles apply to all databases, including those excepted in this Article, within the limits provided in this law and without conflicting with data covered by legal reserve. Where the special regulations governing the excepted databases provide principles that take into account the special nature of the data, they shall apply concurrently with those provided in this Act.
Article 3. Definitions. For the purposes of this law, the following definitions apply:
a) Authorization: prior, express and informed consent of the Holder to carry out the processing of personal data.
b) Database: organized set of personal data which undergoes treatment.
c) Personal data: any information linked to, or that may be associated with, one or more specific or identifiable individuals.
d) Processor: natural or legal person, public or private, which by itself or in association with others performs the processing of personal data on behalf of the controller.
e) Controller: natural or legal person, public or private, which by itself or in association with others decides on the database and/or the treatment of the data.
f) Holder: natural person whose personal data are processed.
g) Treatment: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

TITLE II
GUIDING PRINCIPLES
Article 4. Principles for the processing of personal data. In the development, interpretation and application of this law, the following principles shall be applied harmoniously and comprehensively:
a) Principle of legality in the field of data processing: the treatment referred to in this law is a regulated activity that must be subject to the provisions of this law and of the other provisions implementing it.
b) Principle of purpose: the treatment must follow a legitimate purpose in accordance with the Constitution and the law, which must be reported to the Holder.
c) Principle of freedom: the treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the need for consent.
d) Principle of accuracy or quality: the information subject to treatment must be truthful, complete, accurate, current, verifiable and understandable. The treatment of partial, incomplete, split or misleading data is prohibited.
e) Principle of transparency: the treatment must guarantee the right of the Holder to obtain from the data controller or data processor, at any time and without limitation, information about the existence of data concerning him or her.
f) Principle of restricted access and circulation: the treatment is subject to the limits deriving from the nature of personal data, the provisions of this law and the Constitution. In this sense, the treatment can only be done by persons authorized by the Holder and/or by the persons provided for in this law.
Personal data, except public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable so as to provide knowledge restricted only to Holders or third parties authorized under this law.
g) Principle of security: the information subject to treatment by the data controller or data processor referred to in this law must be handled with the technical, human and administrative measures necessary to provide security to the records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
h) Principle of confidentiality: all persons involved in the processing of personal data that do not have the nature of public data are obliged to ensure the confidentiality of the information, even after their relationship with any of the tasks comprising the treatment has ended, and may only supply or communicate personal data where this corresponds to the development of the activities authorized by this law and under its terms.

TITLE III
SPECIAL CATEGORIES OF DATA
Article 5. Sensitive data. For the purposes of this Act, sensitive data means data affecting the privacy of the Holder or whose misuse can lead to his or her discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life and biometric data.
Article 6. Processing of sensitive data. Treatment of sensitive data is prohibited, except when:
a) The Holder has given explicit consent to such treatment, except in cases where by law the granting of such authorization is not required.
b) The treatment is necessary to protect the vital interest of the Holder and the Holder is physically or legally incapacitated. In these events, the legal representatives must give their authorization.
c) The treatment is carried out in the course of legitimate activities and with appropriate guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or trade union, provided that it relates exclusively to its members or to persons who have regular contact with it because of its purpose. In these events, the data cannot be provided to third parties without the authorization of the Holder.
d) The treatment relates to data which the Holder has manifestly made public or which are necessary for the establishment, exercise or defense of a right in judicial proceedings.
e) The treatment has a historical, statistical or scientific purpose. In this event, measures leading to the suppression of the identity of the Holders shall be taken.
Article 7. Rights of children and adolescents. The treatment shall ensure respect for the prevailing rights of children and adolescents.
Treatment of personal data of children and adolescents is prohibited, except for data that is public in nature.
It is the task of the State and of educational institutions of all kinds to provide information and train legal representatives and guardians about the potential risks that children and adolescents face regarding the improper treatment of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and the protection of their personal information and that of others. The National Government will regulate the matter within six (6) months following the enactment of this law.

TITLE IV
RIGHTS AND CONDITIONS OF LEGALITY FOR DATA PROCESSING
Article 8. Rights of Holders. The Holder of personal data shall have the following rights:
a) To know, update and rectify his or her personal data before data controllers or processors. This right may be exercised, among others, against partial, inaccurate, incomplete, split or misleading data, or data whose treatment is prohibited or has not been authorized.
b) To request proof of the authorization granted to the controller, unless authorization is expressly excepted as a requirement for the treatment, in accordance with the provisions of Article 10 of this Law.
c) To be informed by the controller or the processor, upon request, of the use that has been made of his or her personal data.
d) To submit to the Superintendency of Industry and Commerce complaints for violations of the provisions of this Act and of the other regulations that modify, add to or supplement it.
e) To revoke the authorization and/or request the deletion of data when the treatment does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will only proceed when the Superintendency of Industry and Commerce has determined that, in the treatment, the controller has engaged in conduct contrary to the law and the Constitution.
f) To access free of charge his or her personal data that have undergone treatment.
Article 9. Authorization of the Holder. Subject to the exceptions provided by law, the treatment requires the prior and informed consent of the Holder, which must be obtained by any means that can be consulted later.
Article 10. Cases where the authorization is not required. The Holder's authorization is not required in the case of:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Information of a public nature.
c) Cases of medical or health emergency.
d) Treatment of information authorized by law for historical, statistical or scientific purposes.
e) Data related to the Civil Registry of Persons.
Whoever accesses personal data without prior authorization must in any case comply with the provisions of this law.
Article 11. Provision of information. The requested information may be supplied by any means, including electronic, as required by the Holder. The information must be easy to read, free of technical barriers to access, and must correspond in full to that which rests in the database.
The Government shall determine the manner in which data controllers and processors must provide the Holder's information, based on the nature of the personal data. These regulations shall be issued no later than within the year following the promulgation of this law.
Article 12. Duty to inform the Holder. The controller, when requesting the Holder's authorization, shall inform him or her clearly and expressly of the following:
a) The treatment to which the personal data will be subjected and its purpose.
b) The optional nature of the response to the questions asked, when these relate to sensitive data or data on children and adolescents.
c) His or her rights as Holder.
d) The identification, physical or electronic address and telephone number of the controller.
Paragraph. The controller must keep proof of compliance with the provisions of this Article and, at the Holder's request, provide a copy of it.
Article 13. Persons to whom the information may be provided. The information that meets the conditions set out in this Act may be provided to the following persons:
a) Holders, their heirs or their legal representatives.
b) Public or administrative entities in the exercise of their legal functions or by court order.
c) Third parties authorized by the Holder or by law.

TITLE V
PROCEDURES
Article 14. Consultations. Holders or their successors may consult the personal information of the Holder that rests in any database, whether in the public or private sector. The controller or processor shall provide them with all information contained in the individual record or that is linked to the identification of the Holder.
The consultation shall be made through the means enabled by the data controller or processor, as long as proof of it can be kept.
The consultation will be answered within a maximum term of ten (10) working days from the date of its receipt. When it is not possible to answer the consultation within that period, the person concerned shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which may in no case exceed five (5) working days after the expiration of the first term.
Paragraph. The provisions of special laws or regulations issued by the National Government may establish shorter terms, given the nature of the personal data.
Article 15. Claims. A Holder or his or her successors who consider that the information contained in a database should be corrected, updated or deleted, or who notice the alleged breach of any of the duties under this Act, may file a claim with the controller or the processor, which will be processed under the following rules:
1. The claim shall be made by a request addressed to the controller or the processor, with the identification of the Holder, the description of the facts giving rise to the claim, the address, and the accompanying documents the claimant wants to rely on. If the claim is incomplete, the interested party will be required, within five (5) days following receipt of the claim, to remedy the failures. If two (2) months pass from the date of the request without the applicant submitting the required information, the claim shall be deemed to have been waived.
If the recipient of the claim is not competent to resolve it, the recipient will transfer it to the appropriate party within a maximum term of two (2) working days and report the situation to the person concerned.
2. Once the completed claim is received, a legend that says "claim pending" and the reason for it shall be included in the database within a period not exceeding two (2) business days. The legend must be maintained until the claim is decided.
3. The maximum term to address the claim will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to address the claim within that period, the person concerned shall be informed of the reasons for the delay and the date on which the claim will be addressed, which may in no case exceed eight (8) working days following the expiry of the first term.
Article 16. Procedural requirement. The Holder or successor may only raise a complaint before the Superintendency of Industry and Commerce once the consultation or claim process with the controller or processor has been exhausted.

TITLE VI
DUTIES OF DATA CONTROLLERS AND PROCESSORS
Article 17. Duties of controllers. Data controllers must meet the following duties, without prejudice to the other provisions of this Act and of other rules governing their activity:
a) Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.
b) Request and preserve, as provided in this Act, a copy of the respective authorization granted by the Holder.
c) Duly inform the Holder about the purpose of the collection and the rights he or she has by virtue of the authorization granted.
d) Retain the information under the security conditions necessary to prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access.
e) Ensure that the information supplied to the processor is truthful, complete, accurate, current, verifiable and understandable.
f) Update the information, communicating to the processor in a timely way all changes in the data previously supplied to it, and take the other measures necessary for the information provided to the processor to be kept current.
g) Rectify the information when it is incorrect and communicate what is relevant to the processor.
h) Provide the processor, as appropriate, only with data whose treatment has been previously authorized in accordance with the provisions of this law.
i) Require the processor, at all times, to respect the security and privacy conditions of the Holder's information.
j) Process the consultations and claims made under the terms stated in this law.
k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, especially, for answering consultations and claims.
l) Inform the processor when certain information is being disputed by the Holder, once the claim has been filed and the respective procedure has not yet been completed.
m) Inform the Holder, at his or her request, about the use given to the data.
n) Inform the data protection authority when violations of security codes occur and there are risks in the management of the Holders' information.
o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Article 18. Duties of processors. Processors must meet the following duties, without prejudice to the other provisions of this Act and of other rules governing their activity:
a) Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.
b) Keep the information under the security conditions necessary to prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access.
c) Carry out in a timely manner the updating, correction or deletion of data under the terms of this law.
d) Update the information reported by the data controllers within five (5) working days from its receipt.
e) Process the consultations and claims made by the Holders under the terms stated in this law.
f) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, especially, for answering consultations and claims from the Holders.
g) Record in the database the legend "claim pending" in the way regulated by this law.
h) Insert in the database the legend "information on legal discussion" once notified by the competent authority of judicial proceedings related to the quality of the personal data.
i) Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
j) Allow access to the information only to the persons who may have access to it.
k) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the Holders' information.
l) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Paragraph. In the event that the qualities of data controller and data processor concur in the same person, that person will be required to fulfill the duties provided for each.

TITLE VII
MONITORING MECHANISMS AND PUNISHMENT
CHAPTER I
DATA PROTECTION AUTHORITY
Article 19. Data Protection Authority. The Superintendency of Industry and Commerce, through a Delegatura for the Protection of Personal Data, shall exercise vigilance to ensure that in the processing of personal data the principles, rights, guarantees and procedures under this law are respected.
Paragraph 1. The national government, within six (6) months from the date of entry into force of this law, shall incorporate within the structure of the Superintendency of Industry and Commerce an office of Deputy Superintendent to exercise the functions of Data Protection Authority.
Paragraph 2. Monitoring of the processing of personal data regulated by Law 1266 of 2008 shall be subject to the provisions of that law.
Article 20. Resources for the performance of its duties. The Superintendency of Industry and Commerce will have the following resources to perform the functions entrusted to it by this law:
a) The fines imposed on those under its surveillance.
b) The resources allocated to it in the General Budget of the Nation.
Article 21. Functions. The Superintendency of Industry and Commerce shall perform the following functions:
a) ensure compliance with the legislation on protection of personal data.
B) Carry out the relevant investigations, on its own initiative or upon request, and as a result of them order the measures necessary to give effect to the right of habeas data. For this purpose, whenever the right is disregarded, it may order that access to and supply of the data be granted, or that the data be corrected, updated or deleted.
C) Order the temporary blocking of data when, from the application and the evidence provided by the Holder, a certain risk of violation of their fundamental rights is identified, and such blocking is necessary to protect them while a final decision is adopted.
D) Promote and disseminate the rights of individuals regarding the processing of personal data and implement teaching campaigns to train and inform citizens about the exercise and guarantee of the fundamental right to data protection.
E) Provide instructions on measures and procedures necessary for adapting the operations of data controllers and processors to the provisions of this law.
F) To request the data controllers and processors the information necessary for the effective exercise of their functions.
G) Issue declarations of conformity on international data transfers.
H) Manage the Public National Register of Databases and issue orders and acts necessary for administration and operation.
I) Suggest or recommend adjustments, corrections or adaptations to the regulations that are consistent with technological, computer or communications evolution.
J) To require the collaboration of international or foreign entities when the rights of the Holders outside Colombia on the occasion, among others, international collection of personal data are affected.
K) Other functions as assigned by law.

CHAPTER II PROCEDURE AND SANCTIONS
Article 22. Procedure. The Superintendency of Industry and Commerce, once a breach of the provisions of this law by the controller or the processor has been established, shall adopt the measures or impose the appropriate sanctions.
In matters not regulated by this law and the relevant procedures, the relevant rules of the Administrative Code shall be followed.
Article 23. Sanctions. The Superintendency of Industry and Commerce may impose on data controllers and processors the following sanctions:
a) Fines of a personal and institutional character in favor of the Superintendency of Industry and Commerce up to the equivalent of two thousand (2,000) monthly legal minimum wages at the time of the imposition of the sanction. Fines may be successive for as long as the failure that originated them persists.
B) Suspension of activities related to treatment for a term of six (6) months. In the event of suspension, the corrective measures to be taken must be indicated.
C) Temporary closure of operations related to treatment once the term of suspension has elapsed without the corrective measures ordered by the Superintendency of Industry and Commerce having been taken.
d) Immediate and definitive closing of the operation involving the processing of sensitive data.
Paragraph. The sanctions referred to in this article apply only to persons of a private nature. In the event that the Superintendency of Industry and Commerce notes an alleged breach of the provisions of this Act by a public authority, it shall refer the matter to the Attorney General's Office for the respective investigation.

Article 24. Criteria for graduating sanctions. The penalties for violations referred to in the previous article shall be graduated according to the following criteria, as applicable:
a) The extent of the damage or danger to the legal interests protected by this law.
B) The economic benefit obtained by the infringer or third parties under the commission of the offense.
C) Repeated commission of the offense.
D) Resistance, refusal or obstruction to the investigative or surveillance action of the Superintendency of Industry and Commerce.
E) The reluctance or disrespect to comply with orders issued by the Superintendency of Industry and Commerce.
F) The express recognition or acceptance by the party under investigation of the commission of the offense prior to the imposition of the sanction, as may be appropriate.

CHAPTER III THE NATIONAL REGISTRY OF DATABASES
Article 25. Definition. The National Registry of Databases is the public directory of the databases subject to treatment that operate in the country.
The registry will be administered by the Superintendency of Industry and Commerce and will be freely consultable by citizens.
To register a database, interested parties must provide the Superintendency of Industry and Commerce with their information processing policies, which will bind the controllers and processors, and whose breach will lead to the appropriate sanctions. Treatment policies may in no case be lower than the duties under this Act.
Paragraph. The National Government shall regulate, within the year following the enactment of this Act, the minimum information required in the registry, and the terms and conditions under which data controllers must be registered in it.

TITLE VIII TRANSFER OF DATA TO THIRD COUNTRIES
Article 26. Prohibition. The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country provides an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the subject, which may in no case be lower than those the present law requires of its addressees.
This prohibition shall not apply in the case of:
a) Information regarding which the Holder has given express and unequivocal authorization for the transfer.
B) Exchange of medical data, when the Holder's treatment requires it for reasons of health or public hygiene.
C) stock exchange or banking transfers, under the law applicable to them.
D) Transfers agreed under international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
E) Transfers necessary for the implementation of a contract between the Holder and the controller, or for the implementation of precontractual measures, provided that the consent of the Holder has been obtained.
F) Transfers necessary or legally required to safeguard the public interest or for the establishment, exercise or defense of a right in judicial proceedings.
Paragraph 1. In cases not listed as an exception in this Article, it is for the Superintendency of Industry and Commerce to issue the declaration of conformity on the international transfer of personal data. For this purpose, the Superintendent is empowered to require information and carry out the actions aimed at establishing compliance with the prerequisites that the viability of the operation requires.
Paragraph 2. The provisions of this Article shall apply to all personal data, including those covered by Law 1266 of 2008.

TITLE IX OTHER PROVISIONS
Article 27. Special provisions. The National Government will regulate the treatment of personal data that require special provisions. In any case, such regulations may not be contrary to the provisions of this law.
Article 28. Binding Corporate Rules. The National Government will issue the corresponding regulations on BCRs for certification of good practices in protection of personal data and their transfer to third countries.

Article 29. Certification of criminal record. The Administrative Department of Security, DAS, or whoever performs this function, shall maintain and update the criminal and national identification records according to the reports and notices that the judicial authorities must send to that effect in accordance with the Constitution and the law.
When issuing a judicial certificate upon citizen petition, the Administrative Department of Security, or whoever performs this function, shall not include as a criminal record the criminal records of the applicant when the sentence has been served or has prescribed.
Paragraph 1. The archives of the Department of Administrative Security, or of whoever performs this role in this matter, shall be confidential, and therefore only certificates or reports of the records contained therein shall be issued.
Paragraph 2. The Administrative Department of Security, DAS, or whoever performs this function, shall ensure the free and permanent availability of electronic information on the Certificate of Judicial Background for consultation by the person concerned or by third parties through the entity's website, and the same shall enjoy full validity and legitimacy.
Paragraph 3. The judicial certificate issued at the request of petitioners regarding their own records shall not be valid for those positions where a total lack of background is required.
In this case, when Public Administration entities require the submission of judicial records, they must strictly comply with what is stated in Article 17 of Decree 2150 of 1995 or the norm that modifies, supplements, adds to or clarifies it.
Article 30. Databases intelligence and counterintelligence. Databases or files of the entities that develop intelligence and counterintelligence activities should be strictly guided by the data processing parameters set out in the National Plan of Intelligence and the Joint Intelligence as well as other legal standards.
In any case, the authorization of an order of operations or work mission cannot be issued by a public servant who holds a level other than managerial, command or equivalent.
The documents, information and technical equipment of the organisms that carry out intelligence or counterintelligence work will be covered by the legal reserve for a maximum term of 40 years and will have the character of reserved information according to the level of classification appropriate in each case.
Paragraph. A public servant who decides to rely on the legal reserve for not providing information to a holder must do so with reasons, pointing out to the applicant the reasonableness and proportionality of the decision. In any case, the aforementioned decisions are subject to the relevant appeals and legal and constitutional actions.
No person may oppose the legal reserve requirements of judges and other competent authorities.
Article 31. Evidentiary value and reserve the intelligence and counterintelligence. In any case, intelligence reports have probative value in court proceedings, but its contents may be guiding the development of urgent actions carried out by the judicial police in criminal matters criterion. In any case the reserve to protect the identity of those who are the subject of such reports, officials of intelligence and counterintelligence, methods and sources will be ensured.
Article 32. Transitional regime. People who, at the date of entry into force of this law, carry out any of the activities regulated here shall have a period of up to six (6) months to conform to the provisions of this law.
Article 33. Repeals. This law repeals all provisions that are contrary to it, except those referred to in Article 2.
Article 34. Validity. This law governs from its promulgation.
Senator Luis Fernando Velasco Chaves.
House Representative, Alfredo Deluque Zuleta."
1.3 CITIZENS' INTERVENTIONS
In the process, interventions of the following persons and entities were presented: the Ministry of Industry, Trade and Tourism, the Legal Secretariat of the Presidency of the Republic, the Ombudsman, citizens Juanita Durán Velez, Santiago Diazgranados Mesa, Alejandro Salas Pretelt, Rolfe Hernando González Sosa and Maria Lorena Florez Rojas, Universidad de los Andes, the Foundation for Press Freedom (FLP), Computec SA - Datacrédito, the Colombian Association of Integrative Medicine (ACEMI), Association Colombia banking and Financial Institutions of Colombia (ASOBANCARIA).
The Chamber will refer to the content of each of the interventions when performing the formal and material analysis of constitutionality of each of the provisions of the bill under study.

1.4 ATTORNEY'S CONCEPT
The Attorney General's Office requested that the Court declare constitutional the Bill of Statutory Law Camera- 184 046 2010 2010 Senate with the following details:
1.4.1. Regarding the process of forming the statutory bill, states:
1.4.1.1. He states that the project complies with the provisions of Article 160 of the Constitution, since (i) between approval in first and second debate in each of the chambers a period of not less than eight days elapsed, and (ii) between the approval given in one chamber and the beginning of the debate in the other there was a period of no less than fifteen days. In particular, he explains that (a) the First Committee of the House approved the bill on 14 September 2010 and the plenary gave its approval on 19 October 2010; (b) the First Committee of the Senate approved the bill on December 6, 2010 and the plenary proceeded in the same way on 15 December 2010; (c) the project was approved by the House of Representatives on October 19, 2010 and its Senate debate began on 6 December 2010.
1.4.1.2. On the other hand, he claims that the project complied with the provisions of Article 153 of the Charter, which requires an absolute majority of members of Congress to approve statutory bills, and that their processing take place within a single legislature. In the specific case, he indicates that the bill was filed on August 3, 2010 and its procedure ended on 16 December 2010, which shows that the process was completed within the legislature that began on July 20 of that year and culminated on 20 June 2011.
1.4.2. Regarding the legal and material analysis of the statutory bill, he states the following:
1.4.2.1. He considers that the decision to limit the collection and processing of personal data and the use of and access to databases containing such information is reasonable, because its purpose is to preserve from the public the data pertaining to the privacy of their holder.
1.4.2.2. He argues that the literal c) of Article 5 is enforceable, on the understanding that should always further authorization by the owner.
1.4.2.3. On the other hand, indicates that the exceptions to the prohibition on movement of sensitive data under Article 6 because it is based on the consent or important purposes, they are reasonable. However, it reports that in the case of exercise of legitimate activities of a group of people, organized non-profit, as in the case of foundations, NGOs, associations, unions or any other; the fact of belonging to that group is no reason to obviate the need to obtain prior authorization of the data.
1.4.2.4. He argues that the special protection given to personal data of children and adolescents in Article 7 is reasonable, as is clear from their status as subjects of special constitutional protection. However, he noted that the exception provided by this provision in the data that are "public nature" can generate two conflicting situations: first, part of children and adolescents do not have full capacity to consent , which is intended to overcome the requirement of authorization from their parents or guardians; and secondly, it does not take into account that this population, to have unrestricted access to the Internet, especially social networks, thoughtlessly can post their personal data and privacy. Therefore, the prosecution believes that the term "public nature" as exception to the prohibition of processing of sensitive data of children and adolescents, must be declared unconstitutional.

1.4.2.5. On Article 10 of the draft, which establishes the events in which the authorization of the owner is not necessary, specifically in relation to the third event, referred to as "question a case of medical or health emergency", he considers that it is a reasonable exception, as it seeks to safeguard the life and physical integrity of the data holder. However, he clarifies that this exception can only shelter the medical or scientific personnel attending the emergency.
1.4.2.6. With respect to paragraph of Article 10 states that "(...) who access personal information, without prior authorization must in any case comply with the provisions of this law (...)", Attorney considers that leaves open the door to serious transgressions, while invalidating the prohibition on processing personal data without consent of the owner, which is unreasonable and unacceptable in constitutional terms. He adds that if a data is obtained without the prior consent of the owner, unless otherwise provided by law, is in breach of Article 15 of the Constitution. The same result can be applied when the data is circulated. For these reasons it requests that the provision be declared unconstitutional.
1.4.2.7. It states that the paragraph of Article 14, specifically in relation to that "(...) the Government may set lower than those indicated in the procedures under the law terms", although in principle it could be concluded that it is a measure favorable to the interests holders of the data and therefore there would be no restriction on their rights is an unconstitutional measure. It argues that it can not be overlooked that the power to regulate the mechanisms of protection of fundamental rights that have to do with the core of the same, is solely for the statutory legislator. Therefore, any modification of the mechanisms of protection and benefit to the right holder, it is up to Congress to do it through a statutory law.
1.4.2.8. In relation to Article 27, taking into account the above reasons, remember that the power to regulate the mechanisms of protection of fundamental rights, insofar as they affect the core of the same, has reserves of statutory law. Therefore it concludes that this provision is unconstitutional.
1.4.2.9. He also states that the expression "may constitute criteria guiding the development of urgent actions carried out by the judicial police in criminal matters" in Article 31 is enforceable on the understanding that a judicial order is required to carry out these activities. In his opinion, if the aim is not to prevent a serious and imminent risk but to investigate crimes, that is, to carry out the actual task of the judicial police in criminal matters, there should always be a prior court order.
1.4.2.10. Finally, it argues that the words "or regulations issued by the National Government" contained in paragraph of Article 14 is unconstitutional.

1.5 METHODOLOGY
The comprehensive review of the draft statute will proceed as follows. First, and prior to the study of constitutionality, the Chamber will refer to the historical origin and scope of the fundamental right to habeas data. Second, it will determine the model of statutory regulation adopted by the legislature and its implications for the analysis of constitutionality of the provisions of the Project. Once the general framework for data protection in Colombia has been established, the Corporation will carry out both the formal and the material analysis of the articles of the project.

2. CONSIDERATIONS
2.1 PRELIMINARY CONSIDERATIONS

2.1.1 The matter of statutory bill: regulation of some minimum contents of the fundamental right to habeas data
The title of the bill, "Whereby general provisions are issued for the protection of personal data", indicates that its main objective is to regulate in a general way the guarantees of the fundamental right to protection of personal data, a right that constitutional jurisprudence has often called the right to habeas data and, on some occasions, the right to information or informational self-determination [1]. To determine whether, in fact, the draft regulates at least some of the minimum content of this right, the Board will then review its origin and scope:
2.1.1.1 Origin of the right to habeas data
2.1.1.1.1 The protection of personal data emerged linked to the right to privacy recognized in various instruments of international law of human rights.

At the international level, the right to privacy was first recognized in 1948 in the Universal Declaration of Human Rights, Article 12 provides that every person must be protected from arbitrary interference with his privacy, family, home or correspondence, as well as attacks on his honor and reputation. [2] Later, in 1966, this provision was reproduced in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which was given binding nature among states parties.
At the regional level, also in 1948, the right to privacy with Article V of the American Declaration of the Rights and Duties of Man was recognized. The right was again introduced in Article 11 of the American Convention on Human Rights of 1969, which broadly reproduces Article 12 of the Universal Declaration of Human Rights.
In the European system of protection, the right to privacy was first recognized in Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms in 1950. This article, in addition to protecting private and family life, home and correspondence, proscribes any interference by the public authorities in the exercise of this right except "(...) as this interference is provided for by law and constitute a measure in a democratic society, be necessary for national security, public safety, economic welfare of the country, the defense of order and crime prevention, protection of health or morals, or the protection of the rights and freedoms of others." [3]
2.1.1.1.2 It was precisely in Europe that, based on that provision and in view of the risks that privacy faces in the information society, the way began to be paved for the recognition of habeas data as an autonomous fundamental right. Thus, in 1967, the Council of Europe convened an advisory committee to study the risks that information technologies generate for the rights of individuals. As a result of this commission, Resolution 509 on human rights and new scientific and technical achievements was issued in 1968, which called for the protection of privacy against new technologies.
In the 70s, the Committee of Ministers of the Council of Europe adopted the resolution on "the protection of privacy of individuals against electronic data banks in the private sector," and the resolution on "the protection of privacy of individuals against electronic data banks in the public sector", which encourage member countries to implement a series of protection principles. Subsequently, several countries introduced legislation designed to establish safeguards for personal data; several of these laws created specific rules in order to protect not only privacy, but also other values such as integrity, autonomy and dignity. [4]
In 1981, Convention 108 of the Council of Europe on the protection of individuals with regard to automatic processing of personal data, provided explicit information such protection and set common guidelines protection model. The Convention expanded the catalog of guarantees with the introduction of the principles of loyalty, accuracy, purpose, relevance, not misuse, neglect, advertising, individual access and security and the ban on automatic processing of data revealing racial origin people, political opinions, religious or other beliefs, as well as data on health or sexual life. [5] It also introduced definitions of personal data, computer files, automated processing and information management authorities. [6] Convention 108 gave way to a second generation of national data protection laws that incorporated many of the principles recognized therein. [7]

In 1983, a ruling by the German Constitutional Court called for the first time the right to protection of personal data and the right to informational self-determination, based on the right to free development of personality. [8] To this court, that right includes the right to decide for himself when and within what limits appropriate to disclose situations involving life itself. Moreover, the court noted that the guarantee of the right requires special protection measures, taking into account that the interconnection of multiple databases can lead to the development of a personality profile that limits the freedom of choice. This example was followed by the Spanish Constitutional Court, which, in 1993, stated that Article 18.4 of the Spanish Constitution enshrines an autonomous fundamental right to provide that the law should limit the use of information technology to ensure privacy, honor and the full exercise of the rights of citizens. [9]
Years later, at Community level, by Directive 95/46/EC of 1995 on the protection of individuals with regard to the processing and movement of personal data, the European Parliament and the Council of Europe, although they link the protection of personal data to privacy, set out several definitions and introduce guidelines on specific safeguards governing the movement of such data, for example, in terms of early treatment and procedural requirements. [10]
The configuration of informational self-determination as an autonomous right culminates with the Charter of Fundamental Rights of the European Union of 1999, Article 8 of which explicitly recognizes the right of everyone to "the protection of personal data concerning him" and that "[t]hese data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law." It also indicates that "[e]veryone has the right to access data which has been collected concerning him or her", and notes that the verification of compliance with these guarantees should be entrusted in each state to an independent body.
2.1.1.1.3 Within the United Nations have also presented important initiatives aimed at strengthening the protection of personal data and provide independent content to the right to habeas data. For example, by Resolution 45/95 of 14 December 1990, "Guiding Principles on computerized personal data files", number of minimum guarantees that national legislation should provide for the treatment of this type of information is recognized.
Moreover, the Human Rights Committee in its General Comment 16 on Article 17 of the ICCPR, albeit connects the protection of personal data with the right to privacy, by interpretation sets a series of important guidelines that should guide the protection of such data, and that "[t] he collection and recording of personal information on computers, data banks and other devices, whether by public authorities and by private persons or entities, must be regulated by law "or that everyone has the right to verify" (...) if their personal data stored in automated data files and, if so, to obtain intelligible information about what these data and for what purpose have stored "guarantees that are part of the contents of habeas data. [11]
2.1.1.1.4 At the level of the regional protection system, the right to habeas data or informational self-determination continues to be interpreted from Article 11 of the American Convention on Human Rights on the right to privacy. However, through Resolution AG/RES.1395 (XXVI-O/96), the General Assembly of the OAS requested the CJI to undertake a study of the legal contexts of member states on two topics: access to information and protection of personal data. This study led the General Assembly to adopt, on June 13, 2011, a resolution on access to public information and protection of personal data. In this document, it instructed the CJI to present, before the forty-second regular session of the General Assembly, a document of principles of privacy and protection of personal data in the region. In addition, for several years there has been a draft American convention on informational self-determination, which expressly recognizes the right to habeas data.

2.1.1.1.5 In Colombia, although Article 15 of the Constitution of 1991 recognized for the first time explicitly the right to habeas data, from years ago there was already a concern in Congress and the Executive to protect Personal information. Among the initiatives in this area, it is worth noting Law 23 of 1981 "By establishing rules on medical ethics", Article 34 provides that clinical history "[e] s a private document under reserve it can only be known by third parties prior authorization from the patient or in cases provided by the Law "and Law 96 of 1985, Article 51 recognizes the public nature of the data on personal identification number and place and date of issue but grants reserved for files that lie in the Registry linked to the identification, such as biographical data, fingerprint formula affiliation and character.
2.1.1.1.6 Finally, as already mentioned, Article 15 of the 1991 Constitution explicitly recognized "(...) the right to know, update and rectify information gathered about them in databases and files of public and private entities" and further provided that "[i]n the collection, processing and circulation of information freedom and other guarantees enshrined in the Constitution will be respected". These provisions, read in conjunction with the first part of Article 15 (on the right to privacy), Article 16 (which recognizes the right to free development of personality) and Article 20 (on the right to active and passive information and the right to rectification) of the Charter, have led to the recognition of an autonomous fundamental right classified as the right to habeas data and, on some occasions, as the right to informational or computer self-determination.
2.1.1.1.7 In the constitutional jurisprudence, the right to habeas data was first interpreted as a guarantee of the right to privacy, there was talk that the protection of data pertaining to private and family life, understood as the impenetrable individual sphere in which everyone can make their life project and in which neither the state nor other individuals can interfere. [12]
Since the early years of the new Charter, a second interpretative line also emerged in the Court, which considered habeas data a manifestation of the free development of personality. According to this line, habeas data has its ultimate foundation "(...) in the field of self-determination and freedom that the law recognizes the subject as an indispensable condition for the free development of personality and avenging tribute to his dignity" [13].
Since 1995, arises a third line of interpretation that points to habeas data as an autonomous right and that is what has prevailed since. [14] Thus, according to the judgment SU-082 of 1995 [15], the core of the right to habeas data is composed of computer self-determination and freedom -including economic freedom. In addition, this right shall include at least the following privileges: "a) The right to know the information relating thereto; || b) The right to update such information, that is, to bring them up to date, by adding new facts; || c) The right to rectify information do not correspond to the truth. "and includes the right to expiration of negative data.
In the same vein, in Case T-176 of 1995 [16], the Court stated that the right to habeas data is violated when any of the powers set out in the judgment SU-082 1995 is unknown, ie when the information contained in the file or database is "(...) collected illegally, without the consent of the data" it is erroneous or falls "(...) about intimate aspects of life of its owner not susceptible to be known publicly. "
Subsequently, in judgment T-729 of 2002 [17], the Court explained that it is important to differentiate and delimit habeas data from other rights such as privacy and good name, at least for three reasons: "(...) (i) the possibility of obtaining judicial protection via protection independently; (ii) for the delimitation of the material contexts areas comprising its legal protection; and (iii) by the peculiarities of the legal regime and the different rules to resolve the possible conflict with the right to information." [18] Next, the Court defined the right as follows:

"The fundamental right to habeas data is that which gives the faculty [19] to the holder of personal data, to require managers personal data access, inclusion, exclusion, correction, addition, update, and certification data, as well as limiting the possibilities of disclosure, publication or assignment thereof, in accordance with the principles [20] to inform the management process personal databases ".
More recently, in Case C-1011 of 2008 [21], the Court again recognized the autonomy of the right to habeas data and conceptualized it as follows:
"Habeas data gives, (...), a group of powers to the individual so that, in exercise of the general freedom clause, you can control the information itself has been compiled by a central information. In that sense, this fundamental right is intended to protect the interests of the owner of the information to the abuse potential of computing power. "
2.1.1.1.8 In short, as the preceding account shows, the recognition of the right to habeas data, identified as an autonomous fundamental right both nationally and internationally, pursues the protection of personal data in a globalized world in which computing power is growing. This protection responds to the importance of such data for the guarantee of other rights such as privacy, good name and the free development of personality. However, the fact that there is a close relationship with those rights does not mean that it is not a distinct right, since it comprises a series of differentiable guarantees whose protection can be claimed directly through the tutela, without prejudice to the principle of subsidiarity governing the admissibility of the action.
2.1.1.2 The content of the right to habeas data
In accordance with the jurisprudence of this Court, among the prerogatives (minimum contents) arising from this right are at least the following: (i) the right of people to know (access) the information about them contained in databases, which entails access to the databases where that information is held; (ii) the right to include new data so that a full picture of the holder is provided; (iii) the right to update information, i.e., to bring the content of these databases up to date; (iv) the right to have information in databases rectified or corrected so that it is consistent with reality; (v) the right to exclude information from a database, either because it is being misused or simply by the will of the holder, save for the exceptions provided for in the regulations.
2.1.1.3 The law develops some content of the right to habeas data and therefore should be handled by statutory law
2.1.1.3.1 Article 152 of the Constitution provides for a special type of law with a more rigorous procedure, especially in terms of majorities [22], owing to the type of matters they regulate, namely: (i) fundamental rights and duties, and the procedures and resources for their protection; (ii) the administration of justice; (iii) the organization and governance of political parties and movements, the status of the opposition and electoral functions; (iv) institutions and mechanisms for citizen participation; (v) states of emergency; and (vi) electoral equality between candidates for the Presidency of the Republic.
This corporation has defended the thesis that the reserve of statutory law should not be interpreted restrictively in the sense that any regulation that addresses matters covered by Article 152 of the Constitution must be issued by means of this type of law. [23]
The Court has also held that the type of development and degree of detail of the regulation that the Constitution requires of the statutory legislature depend on the kind of matter. Thus, in the case of electoral functions, the Court has advocated a kind of reinforced reservation, according to which it falls to the statutory legislator not only to establish the basic guidelines of such functions, but to develop them in greater detail with a claim to completeness and systematization. In this regard, this Court stated the following in Case C-226 of 1994 [24]:

"Therefore, in accordance with the above arguments, the Constitutional Court concludes that unlike what happens with fundamental rights, in the case of electoral functions, statutory law should regulate not only the essential elements of the same but all those permanent aspects for the proper performance of those duties by citizens, including issues that could apparently be considered minor powers or purely technical aspects, but have decisive effects on the electoral dynamics, such as setting dates elections, setting the terms of closing the registration of candidates or voter registration, the organization of voting cards or voting systems, etc. By its very nature, statutory law of electoral functions is then detailed content. This does not preclude exceptionally certain electoral materials can be regulated by ordinary laws. Thus, there are provisions corresponding to purely operational aspects to facilitate the realization of a specific choice and keep connectedness with the election issue themselves without electoral functions, such as authorization of a budgetary appropriation to finance a particular election. Such materials can be regulated by statute. "(Bold added)
In the case of the administration of justice, the Court has held that what is subject to statutory law are the "essential structural elements of the civil justice" [25], which have been identified as "the principles underlying the administration of justice as well as bodies and exercise their general competence" [26].
With regard to the mechanisms of citizen participation, the Court has held that those provisions that compromise the core of the right to participate must be processed as statutory. Therefore the "essential redoubt that is absolutely necessary for such a right can be exercised and be effectively protected, it must be regulated by this special process. In this regard, the provisions with the meaning of introducing limits, restrictions, exceptions, prohibitions or conditions on the exercise of the right" [27] are subject to special procedures.
With respect to fundamental rights, in accordance with the first criterion explained, the Court has indicated that the reservation of statutory law does not apply to the regulation of "all events linked to fundamental rights" [28] but "only essential structural elements of fundamental rights" [29], so that statutory laws should not regulate in detail each variant or each manifestation of such rights or all those aspects that have to do with their exercise. In this regard, the Court stated as follows in Case C-145 of 1994:
"(...) the ordinary legislative competence is directly authorized by the Charter to regulate fundamental rights and if such an event is not present, the aforementioned competition exceptive would become ordinary, as much directly or indirectly touch any laws or some fundamental rights. On fundamental rights must be made 'a restrictive interpretation of the reservation of statutory law that a broad interpretation would make the exception -the statutory laws based on qualified majorities and rigid procedures- rule to the detriment of the principle of simple majority is enshrined in the Constitution'. This means that the statutory laws are responsible for regulating only the essential structural elements of fundamental rights and mechanisms for their protection, but are not intended to regulate in detail each variant manifestation of these rights or all those aspects that have to see with your exercise, because this would lead to a petrification of law". (Bold added)
To define the essential structural elements, constitutional jurisprudence has used the theory of the essential core. According to this theory, fundamental rights have (i) a core or basic content that cannot be limited by political majorities or disregarded in any case, even when a fundamental right collides with another of the same type or with another constitutional principle, and (ii) an adjacent content that is subject to regulation. The questions generated by this theory are: if the core is a countermajoritarian guarantee, who is competent to define it? And what is the division of powers between statutory law, ordinary law and regulations with respect to the adjacent content?

One answer, given in the early years of the Court, is that the essential core is defined by the Constitution and that it falls to statutory law to develop the adjacent content closest to the core [30]; however, this line of case law does not define what the adjacent content closest to the core is. [31] Moreover, as the Court itself has recognized, the constitutional provisions on fundamental rights tend to be abstract and general, making it difficult to extract from them a minimum content of rights.
A second answer found in the constitutional jurisprudence is that it is the responsibility of the statutory legislator to develop important aspects of the essential core, which appears to suggest that such a core is delineated both by the constituent and by the statutory legislator. [32] Some of the important aspects of the essential core that are proper to statutory laws and have been identified by the Court are: (i) the establishment of limits, restrictions, exceptions and prohibitions of general scope [33] and (ii) the basic principles that guide its exercise [34]. Another element that can be deduced from an examination of the structure of fundamental rights is the definition of the basic prerogatives that derive from the right for its holders and become obligations for the obligated parties.
The second answer seems to be more consistent with recent developments of constitutional jurisprudence, in which the adoption of a criterion of the historical construction of fundamental rights is evident. According to this criterion, fundamental rights are extended over time and depend on what a society considers essential at a given historical moment and on the concept of human dignity. [35] Therefore, the content of the rights changes and expands, which is why the updating work of the statutory legislator and the constitutional judge is important. [36]
However, the thesis described does not detract from the countermajoritarian function of the essential core because, on the one hand, the work of the statutory legislature is to define it in matters not expressly provided for by the constituent, which means it cannot ignore the provisions of the superior text, and, on the other, since statutory laws are subject to prior review by the Constitutional Court, the constitutional judges perform the countermajoritarian task of examining that the legislature has not exceeded its competence in the matter.
Moreover, the Chamber notes that in several rulings the Court has held that statutory laws, when dealing with fundamental rights, must seek to regulate them in a comprehensive, structural and complete manner. [37] For the Chamber, this statement must be interpreted in conjunction with the doctrine previously analyzed on the material content of statutory law, i.e., with the thesis that the statutory legislator, together with the constituent, defines the essential elements of rights. Therefore, the claim to completeness and comprehensiveness should be limited to the structural elements of the right, i.e., in accordance with what was said previously, (i) the basic prerogatives that derive from the right and become obligations for the obligated parties, (ii) the principles that guide its exercise, where they exist, and (iii) the exceptions to its protection and other limitations of a general order [38].
Finally, regarding the procedures and resources for the protection of fundamental rights, it is necessary to make the following clarifications:
First, such procedures and resources, although they are referred to in paragraph a) of Article 152 of the Constitution alongside the fundamental rights and duties, constitute a separate matter, since they are not elements of the structure of rights but a tool to make them effective [39]; therefore they may or may not be developed in the same statutory law.
Second, the constitutional jurisprudence has indicated that only the regulation that directly concerns the exercise of rights is a matter for statutory laws. [40] Therefore, the statutory legislator is responsible only for the development of procedures and resources for the direct protection of rights.
However, such tools can be either judicial or administrative; i.e., letter a) refers both to (i) actions or remedies that allow a claim of right to be satisfied before a judge and imply the existence of a process, and to (ii) administrative mechanisms such as monitoring and control bodies and administrative processes aimed at resolving disputes relating to the realization of fundamental rights.

With regard to judicial remedies, it is necessary to bring up the classification used in Case C-372 of 2011 [41], according to which a fundamental right may enjoy ordinary justiciability mechanisms and other, reinforced ones aimed at the direct and immediate protection of rights; the latter must be dealt with by statutory law.
2.1.1.3.2 Under these considerations, the Chamber notes that indeed, as the title and Article 1 indicate, the bill develops minimum or core contents of the right to habeas data and therefore its approval had to follow the procedure for statutory laws.
The second article defines the general exceptions to the application of the provisions of the bill, save as regards the principles, as will be developed later.
The second title establishes the guiding principles, which set the minimum standards to be followed by both public authorities and individuals in the processing of personal data. These principles limit the scope of treatment and define the guidelines under which claims for access, inclusion, updating, correction and exclusion proceed.
Title III establishes the general rule prohibiting the processing of sensitive data as a form of personal data deserving special protection, provides specific exceptions to this prohibition, and emphasizes the protection of the personal data, especially the sensitive data, of children and adolescents.
The fourth title develops the basic powers that habeas data grants to holders of personal data, as well as the conditions of legality for data processing, such as authorization by the owner and the provision of the requested information and its implications; i.e., it gives greater content to the minimum prerogatives derived from the right to habeas data.
The fifth title refers to the procedures for consultation and complaints, and defines the jurisdiction to resolve such requests. This title is complemented by the seventh title, which regulates, in three chapters, the mechanisms for monitoring, control and sanction, the administrative authority responsible for data protection and the national register of databases.
The sixth title, which contains the duties of controllers and processors, is the counterpart of the powers granted to the data holder in the fourth title; in other words, this title sets out, without being exhaustive, the duties which the law imposes on some of the obligated parties. These duties are also indispensable for the imposition of the administrative sanctions to which the seventh title refers, sanctions which in turn constitute an additional mechanism of protection of habeas data.
The eighth title regulates the transfer of data to third countries and sets out some minimum requirements that must be met in order to extend protection to data even beyond national borders.
Finally, the ninth title includes several matters, including (i) the government's regulatory power regarding the treatment of data that require special provisions; (ii) the issuance of binding corporate rules by the government; (iii) certification of criminal records; (iv) guidelines for intelligence and counterintelligence databases; and (v) the probative value and the reserve of the intelligence and counterintelligence, all matters relating to special forms of personal data.
Since the bill regulates some of the minimum contents of the right, it was necessary, as Congress indeed did, to process the initiative through the procedure for statutory laws.
2.1.2 The regulatory model introduced by the bill: a hybrid protection model
2.1.2.1 In comparative law there are two widely recognized models of data protection: a centralized model and a sectoral model.
The first model, implemented in European countries and, with some modifications, within the European Union, starts from a general category of personal data and the idea that any treatment of them is potentially problematic per se, which is why it must abide by common principles and minimum guarantees, which may be supplemented by special regulations according to the data type and the interests involved, but which in no way imply a repeal of the general protection standards. [42] Furthermore, these general standards, as well as the special ones, are applicable to both the public and private sectors.

Thus, at the level of the Union, there are (i) a set of general principles that are mandatory in all states and applicable to any personal data, save for the exceptions expressly mentioned, and (ii) guarantees for data subjects, such as prior notification of the collection and processing of personal data and the right to access and to oppose their collection and circulation. Such rules ensure adequate levels of protection, which in turn facilitates cross-border data flow.
It is also typical of this model that there is an independent and autonomous central entity, which oversees the implementation, compliance and enforcement of the general protection standards, and which is empowered to authorize or prohibit international transfers of data taking into account the equivalence of the protection offered by the destination country [43]. This body specializes in the protection of personal data, which allows it to generate memory and produce knowledge that are reused in the design of public policies in this area. [44] This does not preclude the existence of specialized bodies for areas requiring additional regulation.
In contrast, the sectoral model does not start from a common category of personal data and therefore does not consider that all such data should be subject to the same minimum regulation. [45] That is why under this model special and different regulations are adopted for each type of personal data, depending on their relationship with intimacy (or privacy, as it is called in the Anglo-Saxon system) and with the protection of higher interests such as national security and defense; i.e., sectoral regulation is based on a kind of balancing of interests that results in different rules depending on the type of data and gives the authorities greater or lesser powers of intervention. The verification of compliance with the rules is also assigned to sectoral authorities, which are endowed with different powers of surveillance and control, according to the level of intervention imposed by the legislature.
This model is also inspired by the idea of market self-regulation [46], which is why the State only participates in the protection of certain data in areas at high risk of invasion of privacy, such as finance, health and the rights of children.
Thus, in the US, although there is a federal law of general data protection, the Privacy Act of 1974 [47], regulation of personal data is governed mainly by sectoral laws such as the Electronic Communications Privacy Act (1986), which relates to the protection of personal data in electronic communications; the Cable Communications Policy Act (1994), which regulates the protection of personal data in cable television files; the Fair Credit Reporting Act (modified repeatedly between 1996 and 2001), which refers to credit reports; the Bank Secrecy Act (1994) concerning bank records; the Telephone Consumer Privacy Act (1994) on phone records; the Drivers Privacy Protection Act (1994), relating to the protection of driving permit files; the Health Insurance Portability and Accountability Act (1996), which regulates the transfer of medical insurance; and the Children's Online Privacy Protection Act (1998), on parental control of children in their Internet activities. [48]
2.1.2.2 In Colombia, the bill that led to Law 1266 of 2008 sought to become a law of general principles applicable to all categories of personal data. However, as noted by this Court in Case C-1011 of 2008 [49], despite its claim of generality, the bill really only established basic standards of protection for financial and commercial information intended for calculating people's level of credit risk. So in that judgment, the Court made clear that the subject matter of what would later become Law 1266 is only financial and commercial data. [50] Therefore, Law 1266 can only be considered a sectoral regulation of habeas data.

This new bill seeks to fill the void of minimum standards of protection of all personal data (noted by the Constitutional Court in Case C-1011 of 2008 [51]), hence its title is precisely "Whereby general provisions for the protection of personal data are issued". That intention was also announced by the government in the explanatory memorandum, in which it stated: "(...) it is necessary for the country to have a comprehensive and cross legislation to ensure the effective protection of personal data throughout the treatment process". As will be seen later, despite several shortcomings of the project, it can be concluded that it does introduce general principles and rules to ensure some minimum content of the right to habeas data, understood as discussed previously.
Consequently, with the introduction of this general and minimum regulation, applicable to a greater or lesser extent to all personal data, the legislature has given way to a hybrid protection system in which a law of general principles converges with other sectoral regulations, which should be read in conjunction with the general law but which introduce specific rules that address the complexity of the treatment of each type of data.
It is in this context that, for example, Article 2 is to be understood; it establishes a series of areas excepted from the application of the provisions of the project, except in matters of principles. These areas should be specifically regulated by the legislature through a sectoral law in which complementary principles are introduced, as well as other specific rules depending on the type of data, as happened with the financial and commercial data for calculating credit risk. This is the reason why the paragraph of Article 2 expressly states "[i]n the event that the special regulations governing the basis of Excepted data provides principles that take into account the special nature of data, the same applied in concurrently to those provided in this law."
Having thus understood the protection model resulting from this new bill, read in conjunction with Law 1266, the Chamber proceeds to consider the constitutionality of the articles.

2.2 EXAMINATION OF LEGISLATIVE PROCEDURE
2.2.1 Citizen interventions and opinion of the Public Prosecutor's Office
2.2.1.1 The Legal Secretariat of the Presidency states that, in compliance with Article 153 of the Constitution, the statutory bill under review was approved within a single legislature and by the absolute majority of the members of each chamber. Likewise, the general requirements set out in Article 157 of the Constitution for a bill to become a Law of the Republic were met.
It states that the Bill was presented on August 3, 2010 by the Ministers of Interior and Justice, Dr. Fabio Valencia Cossio; Commerce, Industry and Tourism, Dr. Luis Guillermo Plata Paez; and Information Technology and Communications, Dr. Daniel Enrique Medina Velandia, to the General Secretary of the House of Representatives, where it was assigned at that time No. 046 of 2010 House.
This draft Statutory Law, with its explanatory memorandum, was published on August 4 in Congress Gazette No. 488 of 2010, in compliance with the constitutional requirement consisting in the official publication of the project by Congress before it is sent to the respective Commission (CP Art. 157-1).
In accordance with the provisions in paragraph 2 of Article 157 of the Constitution, this project was approved in first debate in the relevant Standing Committee of each chamber, initially by the First Committee of the House on September 14, 2010, as recorded in Minutes No. 12 of the same date, published in Gazette 958 of 2010. On this occasion, both the rapporteur's report and the articles were voted affirmatively by 29 of the 35 Honorable Representatives that make up this commission, so the articles were approved with the required majority.
It was subsequently approved by the First Committee of the Senate on December 6, 2010, as stated in Minutes No. 33 of that date, published in Gazette 39 of 2011. On this occasion, the project was voted as a block with a total of 13 yeas out of a total of 19 members of this Commission.

Similarly, pursuant to paragraph 3 of the same Article 157 of the Constitution, the Statutory Bill was approved by the plenary of each chamber, initially in the House of Representatives on October 19, 2010, as stated in Minutes No. 24, published in Gazette 868 of 2010. In this debate the rapporteur's report was approved with a majority of 89 representatives. A new vote was opened on several articles, obtaining a majority of 104 representatives. No member of Congress voted negatively, was excused or abstained from voting. Finally, voting was opened on the question of whether they wanted the bill to become a Law of the Republic, to which 102 Representatives responded affirmatively. None voted negatively, was excused or abstained from voting.
Later, in the Senate of the Republic on December 15, 2010, as stated in Minutes No. 34, published in Gazette No. 80 of 2011, the bill was approved with the following procedure. The rapporteur's report was approved affirmatively by 60 Senators. Immediately afterwards, the Chair submitted the articles of the project as a block for consideration by the plenary, and they were approved by 56 senators, with one senator voting negatively. The omission of the reading of the articles, the articles as a block, the title and that it become law of the Republic, bill number 184 of 2010 Senate, 046 of 2010 House.
Likewise, the draft statute was approved by the absolute majority required by Article 153 of the Constitution; this can be verified in the referenced minutes of the plenary sessions of both House and Senate, as follows:
Within the plenary of the House of Representatives on October 19, 2010, a first block of articles was approved by 97 of the 166 members that make up the House; within the same session, the remainder of the articles was approved by 106 Representatives, and the question of whether they wanted the project to become law was approved by 113 members of the House.
In the session of the Senate of the Republic the draft statute was approved by the statutory majority with a total of 60 votes of 102 senators; the omission of the reading of the articles, the articles as a block, the title and that it become law of the Republic were approved by 56 senators.
It concludes by arguing that the constitutional requirements for the processing of statutory laws were fulfilled, on the understanding that no formal defect that might lead to the unconstitutionality of the bill "whereby general provisions are issued for personal data protection" is apparent. It also stresses that, in accordance with Article 158 of the Constitution, the project fulfills the purpose of unity and coherence in the matter of the right to "habeas data".
2.2.1.2. The Ministry of Commerce, Industry and Tourism maintains that the Constitution does not impose on the statutory legislator the duty to regulate comprehensively the matter subject to the reservation since, in accordance with the rules laid down by the Constitutional Court in this matter, "whether on a matter subject to statutory law a comprehensive regulation is issued, it can only be done through a statutory law, regardless of whether such regulation, provisions that could have been addressed through an ordinary law incorporating". It also refers to a second rule in this regard, according to which "the regulation of elements belonging or compromise the essential core of a right or subject to statutory law matter, can only be contained in a law of this kind, irrespective of that regulation whether or not integral."

2.2.1.3. ASOBANCARIA warns that the paragraph of Article 2 is unconstitutional on procedural grounds because it violates the principle of consecutiveness. This is because a review of the successive transformations that Article 2 of the bill underwent throughout the legislative process, and an account of the constitutional jurisprudence related to this principle, show that the inclusion of paragraph 2 is a new article, since the whole of its content was not previously discussed, much less approved, in previous instances. For example, the provision according to which "The principles on data protection shall apply to all databases, including the exception in this Article, within the limits provided in this law without quarreling with the data they have characteristics to be covered by the legal reserve" was not a constant in Congress; nor was the fact that "In the event that the special regulations governing the basis of Excepted data provides principles that take into account the special nature of data, the same applied concurrently to those provided in this Act". By contrast, in the different stages of the discussion of the project, what was advocated was the application of special provisions such as Law 1266 of 2008, in those events where it would be applicable, in order to avoid hermeneutical trauma and guarantee the specificity of the legislative regulations provided for particular situations.
2.2.1.4. Citizen Maria Lorena Florez Rojas emphasizes that the principle of consecutiveness, established as the obligation that every bill, to become law, be approved in first debate in the relevant standing committee of each chamber and in second debate by the plenary of both the Senate and the House of Representatives, cannot be violated by introducing new texts that are completely unrelated to the project discussed. In this way, she refers to the statement by the Constitutional Court to the effect that "not enough to establish that a particular text approved in plenary is new with respect to what was approved in committee, since it can respond to a modification or addition produced in the terms of those higher standards. It is also necessary for the charge of unconstitutionality to succeed, it is established that such novelty is not related to connectedness with what was approved in the first debate or is contrary to what there decided."
In this sense, she says that the introduction of Article 29 of the draft, concerning the judicial precedent, does not fulfill the requirement of consecutiveness because the matter included in that article was not discussed by both chambers, at least in second debate. In short, she states that "Within the presentation of the second debate in the House (Gaceta Judicial 706 of 2010), no discussion concerning the legal background and the removal of criminal record evidence, ie, that the item was included by the Senate without the full legislative process indicating the unconstitutionality of the article in question is surtiera. In addition, under Article 178 of Law 5 of 1992, modifications, additions or deletions can be introduced in the second debate as long as the issue has been discussed in the first debate, which in this case occurred (sic). If the Judicial Gazette 625 2010, report of the first debate Chamber, discussed the topic is not discussed or analyzed by this camera (sic)."
Therefore, the text of Article 29 introduced by the Senate does not comply with the principle of consecutiveness because it alters the essence of the project by not keeping identity with the subject discussed in the first debate and in the committees; moreover, besides not keeping identity with the topic discussed, it is not connected with the opening theme of the project, since the removal of criminal records from the judicial certificate is not related to the purpose of the law, which is to develop the constitutional right of all people to know, update and rectify information about them contained in databases or files.
2.2.1.5. For her part, citizen Juanita Duran Velez notes that the Bill does not comply with the comprehensiveness that the Constitution requires of statutory laws, and thus violates the principle of statutory law.

2.2.1.6. The Attorney General's Office argues that the project complies with the provisions of Article 160 of the Constitution, since (i) between approval in first and second debate in each of the chambers there was a continuous period of not less than eight days, and (ii) between approval in one chamber and the start of the debate in the other there was a period of no less than fifteen days.
In the particular case: (i) the First Committee of the House approved the bill on 14 September 2010 and the plenary gave its approval on 19 October 2010; the First Committee of the Senate approved the bill on December 6, 2010 and the plenary did likewise on 15 December 2010. (ii) The project was approved by the House of Representatives on October 19, 2010 and discussion in the Senate began on 6 December 2010.
On the other hand, it claims that the project complied with the provisions of Article 153 of the Constitution, which requires an absolute majority of the members of Congress to approve statutory bills and also requires that their passage take place within a single legislature. In the specific case, the bill was filed on August 3, 2010 and its procedure ended on 16 December 2010, which shows that the process was completed within the legislature that began on July 20 of that year and culminates on 20 June 2011.
2.2.2. The specialty of the approving process of statutory laws (Articles 152 and 153 Superior)
2.2.2.1. Because this is the study of a statutory bill, it is necessary for the Court to verify compliance with the stringent requirements the Constitution sets for the approval of laws of such special hierarchy. It should first be noted that the particular procedure that Article 153 Superior provides for statutory laws is essential to safeguard the proper regulation of the matters they govern, namely: fundamental rights and duties, as well as the procedures and remedies for their protection; the administration of justice; the organization and governance of political parties and movements, the status of the opposition and electoral functions; institutions and mechanisms for citizen participation; states of emergency; and electoral equality between candidates for the Presidency of the Republic (Article 152).
As noted, these are matters of cardinal importance for the development of Articles 1 and 2 of the Charter, as their special regulation guarantees the observance of constitutional principles and aims at the attainment of the essential purposes of the State. Thus, imparting rigor to the approval of the regulation of such matters, and a higher rank to the laws that enshrine them, are suitable means to achieve the effectiveness of constitutional rights, the safeguarding of a just order, and the existence of a democratic and participatory system.
That being so, the constituent decided to create a special category of laws which require stricter formal attributes for their approval than those applying to ordinary laws, as well as a prior, automatic and comprehensive constitutional control, all with the objective of providing greater stability and a special status in view of the significance of the matters regulated. On that understanding, the constitutional jurisprudence, since its inception, has established:
"The Constitution of 1991 introduced the form of statutory laws to regulate some matters on which the Constituent wanted to provide for the establishment of harmonious and comprehensive bodies of law, characterized by greater stability than ordinary laws, by a higher level than these, by a more demanding process and by initial and full certainty about their constitutionality.
The Charter itself has differentiated this kind of law not only by the special matters it concerns and by its hierarchy, but also by the more demanding process required for its approval, amendment or repeal" [52]
2.2.2.2. Any project, in order to become law (Constitution, Articles 157 and 158), must meet the following requirements:
(i) To be published officially by the Congress before being sent to the respective committee;
(ii) To undergo the corresponding debates in the committees and plenary sessions of the Chambers, after the respective reports have been presented and respecting the quorum provided by Articles 145 and 146 of the Constitution;
(iii) To be announced prior to the discussion and voting in each of the committees and plenaries (Article 160 of the Constitution). It should be noted that Article 9 of Legislative Act 1 of 2003 (Constitution, Article 161) provided that this requirement also applies to the debates on the reports of conciliation commissions, which shall be published at least one day before their discussion and approval;
(iv) To respect the terms for debate provided for in Article 160: eight days between the first and second debate in each chamber, and fifteen days between approval of the project in one of the chambers and the initiation of the debate in the other;
(v) To respect the principles of unity of matter, identity and consecutiveness (Constitution, Articles 158, 157, 160 and 16);
and (vi) To have obtained government sanction. Obviously, in the case of statutory laws, the sanction is given after the Constitutional Court has carried out the prior ex officio review of constitutionality and declared, therefore, that the draft provisions conform to the Charter [53].
In addition to the above, because it is a statutory bill (Constitution, Article 153), it is necessary that the project: (i) have been approved by an absolute majority and (ii) have been processed in a single legislature.
In this regard, it should be clarified that, according to the settled jurisprudence of this Court, what the Constitution mandates is that the project complete its passage through Congress within the legislature, that is, that it be amended and approved by the Chambers during that period, whereas the constitutional review by the Court and presidential approval can occur outside the legislature [54]. As explained in Case C-011 of 1994, if the procedure that must be completed within a single legislature included review by the Court or the presidential objections and sanction, it would be virtually impossible to approve, amend or repeal statutory laws, or they would have to be dealt with in Congress too quickly, without proper democratic discussion, and even with improvisation.
2.2.2.3. However, since in judgment C-702 of 2010 [55] the Constitutional Court said that prior consultation with ethnic communities who may be directly affected by a legislative measure is a procedural requirement that must be completed before the respective legislative process begins, the Chamber will consider at this stage whether that consultation process had to be carried out on this occasion.
It should be noted that prior consultation is only necessary in the case of decisions directly affecting one or more ethnic communities. On this point the Court stated as follows in Case C-030 of 2008 [56]:
"(...) There are two distinct levels of involvement of indigenous and tribal peoples: the one corresponding to policies and programs that affect them in some way, in which case a general right to participate applies, and the one corresponding to administrative or legislative measures likely to affect them directly, for which a duty to consult is provided."
In the present case, an examination of the content of the bill leads to the conclusion that the measures it is intended to adopt do not directly relate to any ethnic community settled in the country, so that prior consultation was not a prerequisite. Indeed, the project only establishes a general regime for data protection in Colombia and does not define a specific treatment directly aimed at ethnic communities, which makes it impossible to establish which ethnic groups would fall within the sphere of influence of the project's mandates, or to what extent.
The definition of special provisions, which could include the regulation of data of ethnic communities, would be left to the national government should Article 27 of the draft be declared constitutional. It is therefore at the time such regulation is created that the requirement of prior consultation would arise.
In conclusion, since in this case the project under consideration does not directly affect Colombian ethnic communities, but is legislation addressed to society in general, consultation processes were not necessary before starting the legislative process.
The Court will now examine the process of approval of the bill under review in Congress, in order to verify whether the legislative process met the aforementioned requirements.
2.2.3. Filing and publication of the bill

The statutory bill "by which general provisions for the protection of personal data are issued" was presented to the Congress of the Republic on August 3, 2010, by the then Minister of Interior and Justice, Fabio Valencia Cossio; the Minister of Commerce, Industry and Tourism, Luis Guillermo Plata Paez; and the Minister of Information Technologies and Communications, Daniel Medina Velandia Enrique. The bill was filed with the numbers 046 of 2010 House, 184 of 2010 Senate.
The draft, together with the explanatory memorandum, was published in the Congress Gazette No. 488 of August 4, 2010 [57]. The process began in the House of Representatives and, because it is a statutory provision, the bill was assigned to the First Permanent Constitutional Committee of that legislative body.
2.2.4. Step in the House of Representatives
2.2.4.1. Publication of the report of the first discussion
The report for first debate in the First Committee of the House of Representatives, which asked that the initiative be approved with modifications, was presented by the representatives Alfredo Deluque Zuleta, Oscar Fernando Bravo Realpe, Orlando Velandia Sepulveda, Germán Varón Cotrino and Efrain Torres Monsalve. The report for first debate was published in the Congress Gazette 625 of September 9, 2010 [58].
The list of amendments proposed by the rapporteur Representatives to the text of the bill submitted by the Government [59] consisted of the following:
"LIST OF AMENDMENTS
Changes to the text published in the Gazette No. 488 of August 4, 2010
1. The first paragraph of Article 2 is deleted and one with the 2nd paragraph.
There is a contradiction between the two paragraphs of this article that can lead to misinterpretations. The scope directly excludes financial data, which are already regulated by Law 1266 of 2008. As a result, financial data will be governed only by the provisions of Law 1266 of 2008.
2. A definition is introduced in Article 3, literal h) Control Authority: for the purposes of this Act, the Control Authority is understood to be the Superintendency of Industry and Commerce.
Throughout the bill the Control Authority for personal data is mentioned and assigned functions, yet it is defined only in Article 19. For a better understanding by Controllers, Processors and holders of information, the definition is incorporated into this article.
3. Introduce in Article 7, on the rights of children and adolescents, that the regulations the national government issues on this matter shall not take more than six months after the law is enacted.
That article prohibits the processing, use, disclosure, publication or circulation of personal data of children and adolescents whose purpose is marketing, traffic, sale or transfer to third parties. Regulation of the matter is left to the National Government. As the issue of disclosure concerning this segment of the population is considered vital, it is prudent to set the said deadline.
4. Clarify the scope of the revocation of consent in literal e) of Article 8.
Literal e) provides that consent may be revoked when the treatment does not respect legal and constitutional rights, guarantees and principles. However, it is important to note that this revocation does not take effect immediately and that, to be effective, there must be a resolution by the Control Authority establishing that the treatment effectively violated the legal and constitutional provisions.
5. Item c) is deleted from Article 10 and paragraph a) is amended as follows: When the information is required by a public authority, provided that a legal authorization mediates.
Article 10 sets out the exceptions in which the holder's authorization for data processing is not required. Literal a) sets out the cases of legal authorization for historical, statistical, scientific or other purposes; literal c), meanwhile, provided for when the information was required by a public authority in the exercise of functions enshrined in law.
The exhaustive enumeration in literal a) is not necessary, since it is clear from the constitutional principles and from their development in the bill that the exception to the prior authorization of the owner for the delivery and processing of personal data can only be authorized by law. As to literal c), it is not clear and may cause confusion; what is meant is the same as in literal a), so it is proposed to merge them into one, also making it clear that public authorities cannot request and process personal data for the performance of their duties except when permitted by law.
6. Include in Article 11 a term of one year for the regulation of the provision of information.
7. Modify literal b) of Article 13 to indicate that the information referred to in the bill can only be supplied to a public authority when there is legal authorization.
As in Article 10, it should be clear that a public authority, merely by being one, can neither process nor request or receive personal data, except where a legal provision so provides.
8. Include a paragraph in Article 23, on sanctions, indicating that they apply only to private persons who violate the provisions of this law, and that in the case of public authorities the Superintendency of Industry and Trade, once the respective investigation has been carried out and a violation of the law found, shall refer the case to the Attorney General's Office for matters within its competence.
Article 23 contains the penalties that the Control Authority may impose on those responsible for the treatment and management of personal data, ranging from fines to closure of the operation. It is clear that these, by their nature, the procedure for imposing them and the entity that imposes them, in this case the Superintendency of Industry and Commerce, cannot be applied to public authorities, since it has no competence to do so. It is therefore specified that, once the investigation has been carried out, if the Control Authority identifies a fault by a public authority it must refer the case to the Attorney General's Office for matters within its competence."
2.2.4.2. Announcement and approval in the first debate
According to a communication signed by the Secretary of the First Committee of the House of Representatives [60], the bill was announced for discussion and approval in the first debate at the meeting of September 8, 2010, as stated in Minutes No. 11 of that date, published in the Congress Gazette No. 957 of 24 November 2010. The announcement was made as follows [61]:
"On instructions of Mr. President, the following projects are announced for discussion and voting at the next session and will be part of the Agenda:
(...)
Bill of Statutory Law No. 46 of 2010 House, by which general provisions are issued for personal data protection.
Mr. President, on your instructions the projects to be discussed and voted on at the next session have been announced, in compliance with the Constitution.
We thank the viewers who follow this session, and we thank the parliamentarians. The meeting is adjourned; it is convened for next Tuesday at nine o'clock, and likewise on Wednesday at the same time. Please".
In effect, the bill, with the amendments proposed in the report, was approved in the first debate at the meeting of September 14, 2010, as stated in Minutes No. 12 of that same date, published in the Congress Gazette No. 958 of 24 November 2010.
In connection with the quorum and majorities obtained, the Secretary reports in the above-mentioned certification (pages 542-546 of test notebook No. 2) that the report, the proposed articles and the title of the project were approved with the absolute majority required by Article 153 Superior. He states that the vote was taken by roll call, with the affirmative vote of 31 representatives of the 35 that make up the Commission. This could be verified by reading Minutes No. 12 of September 14, 2010, in which the development of the discussion and the vote on the bill under study is recorded, coinciding with the statements made by the Secretary General of the Commission [62], and in which it can further be noted that the proposition concluding the report was approved with 29 positive votes, the articles also with 29 votes in favor and the title with 30 yeas.

The final text of the bill approved by the First Committee of the House of Representatives was published in the Congress Gazette No. 706 of 28 September 2010, in which this Court finds that the members of the Commission fully accepted the proposal in the report, without adding new provisions or modifying existing ones.
2.2.4.3. Publication of the report of the second debate in the House of Representatives
The favorable report for second debate, with a list of amendments, was presented by the representatives Alfredo Deluque Zuleta, Oscar Fernando Bravo Realpe, Orlando Velandia Sepulveda, Germán Varón Cotrino, Efrain Torres Monsalve, Miguel Gomez Martinez and Humphrey Roa Sarmiento. The document was published in the Congress Gazette 706 of 28 September 2010 [63].
The proposed amendments are those cited below [64]:
"LIST OF AMENDMENTS TO THE TEXT PUBLISHED IN GAZETTE NUMBER 625 OF 2010
1. The term "support" for the database (Article 2) is deleted
To provide greater consistency in the text, the term "support" is removed; it refers directly to the term "database", which is defined in Article 3 of the project.
2. It is clarified that personal data refer to natural persons (Article 3)
It is important to clarify that the right contained in Article 15 of the Constitution refers to the data of natural persons, since it is these that are the direct object of possible violations in the treatment.
The Constitutional Court has indicated that legal persons are entitled to protection of their information; it has stated this with reference to information on late payments or fulfillment of financial obligations, an issue that was already regulated by Law 1266 of 2008.
Colombian law has different rules that protect the information of companies, among others the following: trade secrets (Andean Decision 486 of 2000); inside information (Criminal Code and Law 45 of 1990); merchants' books and papers (Commercial Code). Giving more protection would therefore amount to giving more importance to the information of legal persons (overprotection) than to that of natural persons.
3. The definition of Control Authority (Article 3) is removed
To clear up the possible inconvenience that may result from the concurrence of authorities as a result of Act 1266 of 2008, the concept of Control Authority is deleted, and the articles define that for purposes of this law the Superintendency of Industry and Commerce is to be understood as the Data Protection Authority.
4. It is clarified that only information that is public in nature may be subject to treatment in the case of children and adolescents (Article 7)
Although the general principle of this article states that the processing of personal data of children and adolescents is prohibited when its purpose is marketing, traffic, sale or transfer to third parties, it is important to clarify that public information is not subject to this prohibition, given its nature.
5. The verb "delete" is removed from literal a) and paragraph e) of Article 8 is amended
It is important to clarify that the Holder does not have the power to delete his data, as Article 15 of the Constitution provides that he may know, correct or update the information. He may also revoke the authorization and/or request the deletion of data when the treatment does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will only proceed when the Superintendency of Industry and Commerce has determined that in the treatment the person responsible has engaged in conduct contrary to the law and the Constitution.
6. The title of Article 13 is amended because it is the same as that of Article 11
Articles 11 and 13 had the same name; it is therefore provided that the title of Article 13 will be "Persons to whom the information may be supplied."
7. The name Control Authority is changed to Data Protection Authority (Article 19).
The Superintendency of Industry and Commerce does not have the control power referred to, and it could therefore be interpreted that it is being assigned this new power. It is therefore clarified that the Superintendency of Industry and Commerce will be the Data Protection Authority and not the Control Authority."
2.2.4.4. Announcement and project approval in second debate

Initially, the bill was announced on October 12, 2010 for the following day, as stated in Minutes No. 22 of the same date, published in the Congress Gazette 925 of November 18, 2010 [65]. The announcement was made as follows:
"Direction of the Presidency, Dr. Roosvelt Rodriguez Rengifo:
Mr. Secretary, please read the bills for tomorrow.
Secretary General Dr. Jesus Alfonso Rodriguez C.:
Announcement of projects for tomorrow, Wednesday, October 13, or for the next session in which bills or legislative acts are discussed.
Secretary General Dr. Flor Marina Daza Ramirez:
Projects for second debate.
(...)
Draft Statutory Law No. 046 of 2010 House
Mr. President, the bills have been announced for October 13, 2010, in accordance with Legislative Act 1 of July 3, 2003, Article 8 thereof."
However, at the meeting of October 13, 2010 discussion of the project started, but the plenary decided to vote on it at the next session, as stated in Minutes No. 23 of the same date, published in the Congress Gazette 849 of November 2, 2010, which reads:
"Direction of the President, Dr. Carlos Alberto Zuluaga Diaz:
I have asked the coordinator of the rapporteurs that we begin today the major debate so that all caucuses, all parties and all Representatives may give their opinion on the project; as 85 votes in favor are needed, what I request is that we discuss the project today and vote on it on Tuesday, Dr. Deluque, but please let us debate today with all the guarantees, with all tranquility, and on Tuesday we vote on the bill." [66]
Now, in the minutes mentioned it can be seen that the project was duly announced again, as follows [67]:
"Projects are announced for the Plenary Session of October 19 or for the next Plenary Session in which bills or legislative acts are debated:
(...)
Bill number 046 of 2010 House
(...)
Mr. President, the bills have been announced for the plenary session of October 19 or for the next Plenary Session in which bills or legislative acts are discussed, in accordance with Legislative Act 01 of July 3, 2003, Article 8 thereof." [68]
Indeed, the bill was approved at the plenary of the House of Representatives, at the meeting of October 19, 2010, as stated in Minutes No. 24 of the same date, published in the Congress Gazette 868 of November 4, 2010 [69].
As to the quorum and majorities obtained, according to the certification signed by the Secretary General of the House of Representatives [70], the bill met the requirement of being approved by half plus one of the members of this legislative body, i.e. with an absolute majority. The Secretary stated: "at the Plenary Session of the Chamber of Representatives on October 19, 2010, at which one hundred and fifty-five (155) Honorable Representatives were present, the Report for the second debate, the title and the Articles of the Bill were considered and approved by an absolute majority of those present in a roll-call vote". The votes proceeded as follows:
"Proposition concluding the Report for Second Debate: Yes: 89; No: 0. As stated on page 25 of the Congress Gazette No. 868 of 2010 (Approved).
Articles 1, 3, 6, 7, 9, 12, 13, 14, 15, 16, 17, 18, 20, 22, 24 and 29 do not have propositions. Yes: 97; No: 0 (See pages 26 and 27 of the Official Gazette No. 868 of 2010).
Bloc vote on the following articles with and without proposition and some new articles: proposal for Article 2, proposal for Article 10, proposal for Article 19, proposal for Article 21, proposal for Article 23, proposal for Article 25, proposal for Article 26, proposal for Article 27, proposal for Article 28. Articles 4, 5, 8 have proposition and 23. Yes: 106; No: 0 (See pages 28 to 32)"
The final text approved in the House of Representatives was published in the Congress Gazette No. 833 of October 29, 2010 [71], where it is possible to verify that the Plenary adopted the changes proposed in the report (reproduced above) and also the proposals of different representatives to remove or add to the content of some articles. Specifically, the following was approved:
i) The phrase "as well as the right to information enshrined in Article 20 of the same" was included at the end of Article 1 [72].
ii) Five literals were added to Article 2 [73]:
"The system of protection of personal data established in this law shall not apply:
(...)
C) To databases and files of journalistic information and other editorial content;
D) To databases and files regulated by Law 1266 of 2008;
E) To databases and files regulated by Law 79 of 1993;
F) To databases and files regulated by Law 594 of 2000;
G) To databases and files related to the Civil Registry of Persons."
iii) Paragraph a) of Article 10 was amended and paragraph d) was added to this provision [74]:
"The authorization of the holder shall not be required in the following cases:
a) When the information is required by a public or administrative entity in the exercise of its legal functions or by court order.
(...)
D) When authorized by law for historical, statistical, scientific or other purposes."
iv) The first paragraph of Article 19 was amended and a paragraph was added [75]:
"Article 19. Data Protection Authority. The Superintendency of Industry and Commerce will exercise vigilance to ensure that the principles, rights, guarantees and procedures established by law are respected in the processing of personal data.
Paragraph. Monitoring of the data processing of persons regulated by Law 1266 of 2008 will be adjusted as provided in this rule."
v) Literal f) of Article 21 was deleted [76].
vi) A paragraph was added to Article 25, stating [77]:
"To register a database, interested parties must provide the Superintendency of Industry and Trade with their information processing policies, which will bind the controllers and processors of the same, and failure to comply with which will lead to the appropriate sanctions.
The policies shall in no case be less than the duties under this Act."
vii) The second paragraph of Article 26 was created [78].
viii) The initial Article 27 was eliminated [79].
ix) The phrase "except those referred to in Article 2 of this law" was added at the end of Article 28 on derogations [80].
x) A new article was created, which states [81]:
"Binding Corporate Rules: The National Government will issue the corresponding regulations on binding corporate rules for certification of good practices in protection of personal data and their transfer to third countries."
xi) A new article was created, which states [82]:
"Transitional regime. Persons who, on the date of entry into force of this law, are exercising any of the activities regulated here will have a period of 6 months to conform to the provisions of this law."
2.2.5. Step in the Senate
2.2.5.1. Public Hearing
By Resolution No. 04 of November 18, 2010, a public hearing was convened to discuss the bill under consideration. This took place on November 25 of that year, as stated in the Congress Gazette No. 60 of 28 February 2011 [83]. It was attended by citizens Raul Antonio Vargas and Andres Camargo Cubillos Eduardo Benavides, law students at the Free University.
The first proposed that the Senate include an article related to the certificate of no criminal record issued by the Administrative Department of Security (DAS), as it involves the handling of sensitive data, especially as regards the certificates it issues indicating that a person "has a record but is not required by a judicial authority".
The second intervener raised some concerns about the scope and purpose of the law.
2.2.5.2. Publication of the report for first debate
For first debate in the First Committee of the Senate, a favorable report was given by Senators Luis Fernando Velasco Cháves, Carlos E. Soto, Luis Carlos Avellaneda, Hemel Hurtado Angulo, Jorge Eduardo Londoño and Juan Manuel Corzo. The report was published in the Congress Gazette 1023 of December 2, 2010 [84].
The rapporteur Senators suggested the following amendments to the text of the bill approved by the House of Representatives (underlining, bullets and numbering not in the original text):
"Rationale for changes to the text passed by the House of Representatives

Compliance with the above principles, the already exposed in the Law 1266 of 2008 and international data protection regulations, allows a filter to scan some articles of the draft for our consideration should be studied and modified looking for a real recognition of data protection in Colombia.
· In Article 2 °. Scope should consider justifications except some databases
1. It is proposed to exclude from the literal a) "and those circulating internally, that is not supplied to other legal or natural persons".
This because it is inconsistent to pretend generate a statute that would violate the principle of equality to derogate from its application to a good deal of data operators, because if allowed to circulate data internally while this is not the subject the law would skewing not only the right of Habeas data but related as access to information, due process and other rights related to information management. Since it is well known that for a judicial decision or the application of a law exempting one or the other this exception must meet the constitutional concepts of equality and fairness argumentative sense in which the Court says.
2. In the literal b) it is proposed to define the need for a purpose to exempt from the scope of the databases and files aimed at national security and defense, money laundering and terrorism.
3. It is also proposed to eliminate this exception to the databases and files on judicial and criminal investigations since they do not necessarily have a direct purpose for national security and defense.
The issue of the corresponding apply to protection of personal data in databases that are related to intelligence or security should always be subject to constitutional laws and directives if the legislature intended to regulate this issue by law can not be against the constitutional principles of access to information and habeas data "Indeed, at least at present, only this type of data has legal reserve against its owner. Consequently, since data backup intelligence against the holder of the data, could only exist if stipulated in a specific, clear and consistent law with the Constitution and existing provisions They cover only data backup that are part of investigations judicial, only this information can remain hidden from the owner "[85].
4. In addition to the two paragraphs above change to literal b) Paragraph
was added. The preceding paragraph shall apply only when the data contained in these databases meet the data backup features that are part of judicial investigations.
Paragraph 2nd. The data contained therein will be made public only when justified by their nature.
This consequently that the information and personal data in databases of state must comply with the principles of data management and therefore should be freely accessible by the Contractor, while as justification mediate some kind legal reserve.
The second paragraph promotes respect for nature data that contains them; namely that private data must be respected and not be made public unless the holder authorized or the data present any real danger and justified national security and defense, money laundering, terrorism as it contains the literal b ).
· Article 4. Principles for the processing of personal data.
1. It is added to paragraph b), the principle of finality, proportionality adding in its final part the text "No treatment incompatible personal data may be made for the purpose authorized by the owner or the law, unless it has the consent holder unequivocal ".
2. The text "Similarly, personal data can only be used for ends authorized by the holder or the law." is added to the literal f) the principle purpose of the first paragraph.
These principles are part of the international standards, approved, among others in the Madrid Resolution 2009 (annex) and have been established in the jurisprudence of the Constitutional Court as fundamental to give due treatment to personal data. Specifically, these were synthesized and coalesced in the Sentence C-1011 of 2008.
· Article 6. Processing of sensitive data.
1. Grammatically, the phrase "except for the following events" is replaced with "except".
2. The term "parent" in subsection b) is replaced by "legal representatives".
3. It is incorporated in the literal c) the word "an" before the word "foundation" and additionally the term "NGO" after the word "foundation" is incorporated.
· Article 7. Rights of children and adolescents.
1. The term "parent" is replaced by "legal representatives or guardians".
2. The terms "marketing, traffic, sale or transfer to third parties" are deleted in order to prevent literal interpretations that affect the fundamental rights of children and adolescents.
· Article 9. Authorization of the owner.
The phrase "prior, written or verbal authorization is required" is replaced by "which shall be obtained by any means that may be subject to further consultation", with the aim of establishing dynamic authorization mechanisms, as long as there is a medium or support to check the authorization of the owner.
· Article 10 Cases where the authorization is not required.
1. The phrase "in the case of data collected from sources of unrestricted access to the public" is amended to "data of a public nature" to avoid confusion about the scope of "unrestricted public".
2. Is removed from the literal d) the word "other" to prevent interpretation by the authorization of the Contractor excepted.
3. the derogation on civil registration of Article 2 of this article as literal new e) moves because although it is true that data relating to civil registration of persons are public, not by this means that they are not subject to the provisions in this law.
4. In the final paragraph of this article clarifies that the provisions of this law are applicable to all types of data that is regulated, although the prior authorization of the holder is not required, being: "Whoever access to personal data without for a prior authorization shall always comply with the provisions of this law. "
· Article 12. Duty to inform.
The opportunity to inform the Holder of the email address of charge upon request your personal information, in the literal d) is incorporated.
· Article 13. Persons who can provide them with the information.
The wording of paragraph b) is amended to establish a criterion of unity of terms in relation to Article 10 of the draft as follows: "A public or administrative entities in the exercise of their legal or court order functions."
· Article 15. Claims.
The requirement that the complaint be made in writing is removed, and the possibility is established for the person responsible to determine the most suitable way to receive complaints from the Holders. In this regard it is important to clarify that this procedure may not restrict the Holders' access to file the corresponding claims.
· Article 17. Duties of controllers.
A literal n) is added with the duty of those responsible to inform the Superintendency of Industry and Commerce where there are risks or security breaches of databases by third parties.
This measure allows the Superintendency of Industry and Commerce to objectively evaluate the eminent risk of security breaches and to establish procedures and mechanisms to inform holders of this situation.
· Article 18. Duties of processors.
1. The first part of the literal j) is deleted since this duty is a function of the Superintendency of Industry and Commerce and not of the Data Processor. Therefore it is moved to Article 21 of the draft.
2. A literal k) is added with the duty of the Managers to inform the Superintendency of Industry and Commerce where there are risks or security breaches of databases by third parties. This measure allows the Superintendency of Industry and Commerce to objectively evaluate the eminent risk of security breaches and to establish procedures and mechanisms to inform holders of this situation.
· Article 19 Data Protection Authority.
1. The creation of a Data Protection Delegatura within the Superintendency of Industry and Commerce is established. A new paragraph is also incorporated, in which it is established that the National Government shall regulate this matter within a period not exceeding six months. This measure allows a specific and specialized Delegatura on the subject of protection of personal data.
2. The word "force" is also corrected to "vigilance" in the second paragraph.
· Article 21. Functions.
function require the collaboration of international or foreign entities when the rights of the Holders outside Colombia (literal j) on the occasion, among others, international collection of personal data was included as responsibility is affecting it incorporated managers but it really is a unique feature of the Superintendency of Industry and Commerce.
· Article 26. Transfer of data to third countries.
The possibility that two entities (Financial Superintendency and the Superintendency of Industry and Commerce) have the power to determine the appropriate level of data protection in a third country is removed from the second paragraph. This power is exclusively in the hands of the Superintendency of Industry and Commerce.
· Article 27. Special provisions.
A new article is created giving the government the authority to regulate by decree the processing of special personal data that require specific provisions given the nature of the data.
This ability allows the government to regulate more expeditiously special data that require constant changes given the dynamics in their treatment.
· Article 29 (new Article)
a new article after article 28 under Title "OTHER PROVISIONS" which includes as special provision management must be specifically the failure to publish in the record is added background information concerning penalties and penalties prescribed fulfilled as a judicial precedent.
In that vein, the initiative is not intended to be ordered to DAS that their databases records completed sentences disappear, only against the management of such information is made a call for caution and only for purposes that really demand is revealed, because we can not forget that one of the purposes of punishment is the social reintegration of active subject who was a criminal offense.
2.2.5.3. Announcement and approval in the first debate of the Senate
At the meeting of December 2, 2010, the discussion and approval of the bill was announced, as recorded in Act No. 32 of that date, published in Congress Gazette No. 38 of 11 February 2011. The announcement was carried out as follows [86]:
"By the Secretariat, reading is given to the projects that, by provision of the Presidency, shall be subject to discussion and vote at the next session:
2. Bill number 2010 184 Senate Chamber 46, 2010, by which general provisions for the protection of personal data are issued ".
At the end reads:
"It being 3:30 pm, the Chair adjourned the meeting and calls for Monday, December 6, 2010, from 10:00 am, in the lounge Guillermo Valencia National Capitol."
Indeed, according to certification issued by the Secretary of the First Committee of the Senate on March 14, 2011 [87], the bill was discussed and approved by the First Committee of the Senate, with the proposed amendments in the report presentation, December 6, 2010, as stated in the Act No. 33 of the same date, published in the Congress Gazette 39 of 11 February 2011.
In an additional certification, signed on the same date, the Secretary of the First Commission notes that the discussion and vote took place "with the majority required by the Constitution and the Law for the processing of statutory law", that is, by absolute majority vote, as follows [88]:
✓ "In the meeting on December 6, 2010, Act No. 33, this initiative was discussed and voted, attended by 17 honorable senators. When logging deliberative quorum was recorded.
✓ Regarding the proposal ending the paper report:
For this initiative, a paper report was settled, which sought to give first debate to the initiative. Submitted to roll-call vote at the meeting on December 6, 2010 - Act No. 33, the proposition that ends the paper report, along with the question if they feel that this bill must be given the processing of Statutory Law, was approved by roll call vote with the following result: YES votes: 13 VOTES BY NO: 00.
✓ Voting on the Articles Approved by the First Commission
· PROJECT TITLE:
Voted on the following: "BY WHICH GENERAL PROVISIONS FOR THE PROTECTION OF PERSONAL DATA ARE ISSUED". Approved by roll call vote, which obtained the following results:
VOTES CAST: 15

YES votes: 15
NO votes: 0
· ARTICLES OF THE INITIATIVE:
Submitted to the vote on the text of the statement of changes.
Approved by roll call vote which obtained the following results:
VOTES CAST: 13
YES votes: 13
VOTES BY NO: 0 "
The final text adopted in the First Committee of the Senate, contained in Congress Gazette No. 39 of 11 February 2011 (folio 64 notebook No. 4 - page 5 et seq Gazette), shows that this legislative cell adopted the amendments proposed in the report presentation, except the following [89]:
In Article 2, the need for a purpose to exempt from the scope the databases and files aimed at national security and defense, money laundering and terrorism was not defined.
In Article 2, the second paragraph was not included.
In addition, it can be seen that no other modifications were proposed or approved during the discussion.
2.2.5.4. Paper for second reading in the Senate
For the second debate, the paper was presented by Senators Luis Fernando Velasco Cháves, Carlos E. Soto, Luis Carlos Avellaneda, Hemel Hurtado Angulo, Jorge Eduardo Londoño and Juan Manuel Corzo, and was published in Congress Gazette No. 1080 of 13 December 2010 [90].
The report paper proposes new changes to the bill from the First Committee of the Senate. It sets them out as follows:
"Rationale for changes to the text adopted by the First Senate Commission on first reading
In compliance with the principles of access to information and reserved circulation that regulate data protection, it is considered relevant to make the following changes to the text for a real recognition of data protection in Colombia.
· Article 2°. Area of application.
1. Paragraph: the paragraph of paragraph b) is deleted. The preceding paragraph shall apply only when the data contained in these databases meet the data backup features that are part of judicial investigations.
This is because its interpretation can cause conflict by leaving the door open for anyone to access information classified for national security reasons that is not subject to judicial investigation.
2. A literal d) and a new paragraph at the end of Article 2 are added:
2.1. "D) databases that are intended to intelligence and counterintelligence."
The new literal d) is included given that, while literal c) of the same article describes databases related to the issue of state security, it is well known that the issue of intelligence and counterintelligence should be treated carefully because, although closely related to state security, its handling and purposes are autonomous, which is why, respecting the existing case law, it is preferred to clearly identify the conditional exclusion of such databases.
2.2. Paragraph. The data protection principles apply to all databases, including the exception in this Article, within the limits provided in this law without quarreling with the data that have characteristics of being covered by the legal reserve. In the event that the special regulations governing data bases excepted provides principles that take into account the special nature of data, concurrently apply themselves to those provided in this Act.

The paragraph is included because, regardless of the purpose of the database, since it contains information and personal data it must comply with the general principles governing the treatment and protection of data; this has been affirmed repeatedly by the Constitutional Court in stating the development and scope that the principles governing the protection of information must have. A unified and clear legislation on the subject is absolutely necessary, always responding to the principles of necessity and proportionality, which is why leaving databases without the principles of data management applicable to them should only be done in response to a particular study of each case, on truthful foundations and with enough argument to allow, through the test of reasonableness, deciding and giving reasons why the basic principles that develop a fundamental right do not apply, simply analyzed from the perspective of the Court's principles of freedom, need, truthfulness, integrity and purpose, and their importance in the development of the fundamental right to habeas data, protection of personal data and computer self-determination.
· Article 5. "sensitive data"
The added text is emphasized:
"For the purposes of this Act, means those affecting sensitive data privacy Holder or whose misuse can generate their discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, social organizations, human rights, or promotes interests of any political party or to guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life and biometric data. "
The inclusion in the text of definitions of what is to be considered sensitive data is motivated by the importance of protecting information that relates to political positions or work on human rights; an example of this is the countless cases of Colombians who, for belonging to a union or being human rights defenders, have ended up being victims of countless crimes. Therein lies the reason for giving such information special protection.
· Article 29

1. The phrase "its stead" is modified to "perform this role", and the phrases "or who performs this function" and "or person exercising this function" are added after the words Administrative Security Department.
2. A paragraph No. 2 was added
The addition of paragraph seeks to judicial records issued by the Administrative Department of Security, DAS, or the entity that holds the office of issue it you do using the technological means to that like other entities such as the Attorney General's Office, or Personería the person concerned can access for free and through the website of the entity, the registration of criminal records where you can know whether or not judicial records without it becomes necessary that the information provided in this handbook or the reason of history, this in pursuit of the right to equality, access to information and Habeas data.
3. A third new paragraph to Article 29
The issue of the judicial certificate stating that no criminal record for people who have served their sentence or they have been declared prescribed, although it respects the right to Habeas Data, can generate error in nominators of public entities to give possession to a person violating articles 122, 179 paragraph 1, 197, 232, 249, 264 and 267 of the Constitution of Colombia.
For this reason and to harmonize the two provisions, 2nd paragraph stating that the judicial certificate issued at the request of the petitioners of their own records, not be valid in those positions where the total lack of required background is included. In these cases, they must comply strictly with what is stated in Article 17 of Decree Law 2150 of 1995:
When entities of the Public Administration require the presentation of court or police records, disciplinary or professional about a particularly citizen should, upon written authorization of the same, request them directly to the appropriate entity. For this purpose, the applicant must cancel the relevant rights if the case.
4. The name of this article in Title IX other provisions. Title

Article 29. Article 29 Certification criminal record.

· 2 new articles, Articles 30 and 31, are included
Article 30 (new)
An article entitled Facts for intelligence and counterintelligence is added; with which it is intended that the capture, storage, processing, dissemination and use of sensitive and personal data and cardholder information in databases related to intelligence and counterintelligence; They are handled with the criteria of the protection of sensitive data, determining responsibility for officials who are responsible not only for the treatment and collection of information but of those who order their capture and treatment such as heads, directors and deputy directors of the special units , sectional divisions and other delegations that authorization, by its nature or missionary spirit exercise these functions; as well as those authorized in the manuals of these units and who authorized or ordered operations or missions work from agencies that conduct intelligence and counterintelligence or make part of the Joint Intelligence.
Always Catalyzing the capture, storage, processing, dissemination and use of sensitive and personal data and cardholder information is made taking the Constitution and the law and without infringing fundamental rights such as the Habeas Data, the good name and honor serving strict guidelines, keeping and maintaining absolute secrecy against third parties and making known to that holder of the information you can know, update or correct under Article 15 of the Constitution provided that the exercise of this judicial reservation does not infringe or the law. Avoiding that these data can be made public or disclosed except, existence of a criminal record or contraventions and hopefully not before the trial stage.
Since in accordance with the existing case law, the Court maintains these same principles in countless statements."
2.2.5.5. Announcement for the fourth debate and approval
According to the statement by the Secretary General of the Senate [91], in the plenary session of 14 December 2010 the discussion and approval of the bill was announced, as can be read in Act No. 33 of that date, published in Congress Gazette No. 78 of 10 March 2011. The announcement was made as cited below [92]:
"On instructions from the Presidency and in accordance with Legislative Act 01 of 2003, the Secretariat announces the projects to be discussed and adopted at the next session.
Mr President, the following are the projects for the session tomorrow:
Projects presentation for Second Debate
(...)
Bill 2010 184th Senate Chamber 046 2010 by which general provisions for the protection of personal data are held.
(...)
All these projects are duly published in the Gazette of Congress; the projects for the next session have been read and announced, President."
At the end reads:
"It being 8:30 pm, the Chair adjourned the meeting and calls for Wednesday December 15, 2010, at 9:00 am"
In fact, the bill was approved by roll-call vote in plenary on 15 December 2010, as recorded in Act No. 34 of the same date, published in Congress Gazette No. 80 of March 11, 2011.

In connection with the quorum and majorities, the Secretary General of the Senate said in a certification signed on 24 March this year that "[t]he vote was 57 votes and 56 votes for the YES and 1 NO vote" [93]. In Act No. 34 of December 15, 2010, it is observed that the report terminating the paper was approved with 60 votes in favor, and the articles en bloc and the title were approved with 56 positive votes and one (1) vote against [94].
The final text approved in the Senate was published in Congress Gazette No. 1118 of 22 December 2010. It is possible to identify that all the changes proposed in the report for the second debate in the Senate were adopted, and Act No. 34 of December 15, 2010 also shows that no additional changes were proposed or approved during the discussion of the project.
2.2.6. Settlement of the bill
As verified by the Plenary Chamber in recounting the approval process of the bill under study and demonstrating the changes in its content during the various stages, the texts approved by the House of Representatives and the Senate ended up being different, so that under the provisions of Article 161 Superior, it was necessary to form an accidental conciliation commission to overcome the discrepancies, a commission of which Senator Luis Fernando Velasco and Representative to the Chamber Alfredo Deluque Zuleta were part.
Such discrepancies are found in Articles 2, 4, 5, 10, 12, 15, 17, 18, 19, 21 and 26 and the creation of Articles 27, 28, 29, 30, 31 and 32.
2.2.6.1. Contents of the reconciliation report of the bill under analysis and publication in the Gazette of the Congress
The Accidental Conciliation Commission adopted, in general, the text approved by the Senate, except for the changes made by that legislative cell to the text of paragraphs b) and f) of Article 4, as it had been passed by the House of Representatives.
In addition, some typographical and grammatical errors that were found in Articles 2 and 29 were corrected.
The reconciliation report was published in the Gazettes of Congress No. 1101 and 1102 of 15 December 2010.
2.2.6.2. Adoption of the report of conciliation in the House of Representatives
In the plenary session of the House of Representatives of December 15, 2011, the discussion and adoption of the report of conciliation was announced, as stated in Act No. 42 of that date, published in Congress Gazette No. 287 of 20 May 2011. The announcement was made as follows [95]:
"The following projects are announced for the Plenary Session on December 16, 2010, according to Legislative Act No. 1 of 3 July 2003, in its article 8.
Conciliation Reports:
Bill of Statutory Law number 046 of 2010 House - Senate 184 2010, by which general provisions for the protection of personal data are held.
(...)
Mr. President, the bills for the plenary session tomorrow, 16 December 2010, have been announced."
And at the end of the session, it reads:
"The meeting was adjourned and convened for the morning at half past nine."
The reconciliation report was approved the next day, at the meeting of December 16, 2010, as verified by Act No. 43 of that date, contained in Congress Gazette No. 237 of May 6, 2011.
According to what was stated by the Secretary General of the corporation in a certificate issued on 26 May this year [96], the reconciliation report was adopted by roll call vote with the constitutionally required absolute majority, with 98 positive votes, as seen on pages 20 and 21 of the Official Gazette No. 237 of 2011 [97]:
"Secretary General, Dr. Jesus Alfonso Rodriguez C .:
Bill 46 of 2010 House, Senate 184 2010, by which general provisions for the protection of personal data are issued, Mr. President.
Address Dr. Carlos Alberto Zuluaga Diaz Presidency:
The reconciliation report has been read by the Secretary; its discussion is opened, the discussion continues, it is about to be closed, it is closed. Open the registry.
Secretary General, Dr. Jesus Alfonso Rodriguez C .:
Registration is opened for this report. You are reminded that this is a statutory bill and requires an absolute majority for approval.
Roosvelt Rodriguez vote Yes.
Madrid Hodeg vote Yes.
Joaquin Camelo vote Yes.

Humphrey Roa vote Yes.
Buenaventura Leon vote Yes.
Raimundo Mendez vote Yes.
Laureano Acuña vote Yes.
Those who vote verbally, I ask you please, with the greatest respect, not to vote again electronically, because it yields a wrong result.
Address Dr. Carlos Alberto Zuluaga Diaz Presidency:
closes, Mr. Secretary.
Secretary General, Dr. Jesus Alfonso Rodriguez C .:
voting closes. Yes by 97. It has been approved doctor. Records its positive vote, yes, it has been adopted the report Reconciliation Bill 046 of 2010 House, Senate 184 2010.
(...)

EXPLANATORY NOTE Act No. 43 of December 16, 2010
It is clarified by the General Secretariat of the House of Representatives that the result of the electronic and accompanying manual voting on the Reconciliation report on the Draft Statutory Law, general provisions for the protection of personal data, is: for the Yes, 98, with the positive vote of the honorable Representative Rafael Antonio Madrid Hodeg."
2.2.6.3. Announcement and adoption of the report of conciliation in the Senate
The reconciliation report was announced at the plenary session of the Senate of December 15, 2011, as stated in Act No. 34 of that same date, published in Congress Gazette No. 80 of March 11, 2011. The announcement of the adoption of the report reads as follows:
"On instructions from the Presidency and in accordance with Legislative Act 01 of 2003, the Secretariat reads out the projects to be discussed and adopted at the next session.
Mr. President, these are the projects for tomorrow:

'report Conciliation Bill 2010 184th Senate Chamber 2010 046 "
Indeed, the Plenary of the Senate of the Republic approved the reconciliation report the next day, December 16, 2010, as noted in the Act No. 35 of the same date contained in the Congress Gazette No. 81 of March 14, 2011 [98].
By letter dated March 24, 2011 [99], the Secretary General of the Senate, certified that the reconciliation report is nominally approved with "61 votes for the other." The Act No. 36 of December 16, 2010, reads:
"The Chair submitted for consideration of the plenary the report of the Conciliation Bill 2010 184th Senate Chamber 046 2010; closed discussion and, in accordance with Legislative Act 01 of 2009, opens the vote and instructs the Secretariat to open electronic registration to proceed with the roll-call vote.
The Chair closed the vote and instructs the Secretariat close the record and report the outcome of the vote.
By Secretariat reported the following results:
By Yes: 61
Total: 61 votes "
2.2.7. Constitutionality of the legislative process for the draft statute under study
2.2.7.1. Compliance with the special requirements for the approval of statutory law in the case: compliance with the requirement of an absolute majority
The approval of the bill at all stages occurred with the positive vote of half plus one of the members of each legislative cell, as required by Article 153 Superior, and also in accordance with the provisions of Article 133 of the Charter, as amended by Article 5 of Legislative Act 1 of 2009, under which the vote of the members of Congress will be nominal and public. Let us see:
i) The bill was approved in first reading in the House of Representatives with the affirmative vote of 31 representatives of the 35 that make up the Commission [100].
ii) Approval in the plenary of the House of Representatives was given with 89 positive votes [101].
iii) In the First Committee of the Senate the bill was approved with the affirmative vote of 13 Senators of the 18 that make up the Commission [102].
iv) In the plenary of the Senate, 56 senators voted affirmatively and one (1) Senator negatively [103].
v) The reconciliation report was approved by the plenary of the House of Representatives with the positive vote of 98 representatives [104].
vi) The plenary of the Senate adopted the report of conciliation with the affirmative vote of 61 Senators [105].
2.2.7.2. Approval within one legislature

The statutory bill was filed in the Congress of the Republic on August 3, 2010, and its text with explanatory memorandum was published on August 4, 2010, in Congress Gazette No. 488 of that date. The bill was finally approved by the plenary of the chambers with the reconciliation report, in sessions of 16 December 2010. So, this Court verifies that the bill under study was approved within a single legislature, namely the one which began on July 20, 2010 and ended on June 20, 2011, in compliance with the provisions of Article 153 of the Charter.
2.2.8. Compliance with the general requirements for approval of laws
2.2.8.1. Publication of the bill, before being sent to the respective Commission (paragraph 1 of Article 157 of the Charter)
As demonstrated by this Court in describing the various stages in the processing of the bill under consideration, it was published prior to being sent to each of the commissions and chambers. Indeed:
i) The bill submitted by the Government to the Congress of the Republic was published on August 4, 2010 (Congress Gazette No. 488 of that date) and the first debate began in the First Commission of the House of Representatives on September 14, 2010 [106].
ii) The publication of the paper report for the second debate in the House of Representatives took place on September 28, 2010 (Congress Gazette No. 706 of that date), and the discussion of the bill began in the plenary of that legislative cell on October 13, 2010 [107].
iii) Likewise, the paper report for the first debate in the Senate was published on December 2, 2010 (Congress Gazette No. 1023 of the same date) and the first debate in the First Committee occurred on December 6, 2010 [108].
iv) Similarly, the publication of the report for the second debate in the Senate was held on December 13, 2010 (Congress Gazette No. 1080 of that date), and the debate was conducted on December 15, 2010 [109].
v) Finally, the report of the Accidental Conciliation Commission was published on December 15, 2010 (Congressional Gazettes No. 1101 and 1102 of that date), and it was discussed and approved at the plenary sessions of both chambers on December 16 of that year [110].
2.2.8.2. Compliance with the terms for the initiation of discussions
The first paragraph of Article 160 Superior states that between the first and the second debate there must be a period of not less than eight days, and between project approval in one chamber and the initiation of the debate in the other, at least fifteen days must elapse.
In the process of the bill under consideration this Court observes that the above constitutional terms were met. Thus, between the adoption of the bill in the First Committee of the House of Representatives (14 September 2010) and the date of the second debate in that legislative cell (October 13), more than eight days elapsed. Similarly, between the first debate in the Senate (December 6, 2010) and the discussion in its Plenary (December 15), more than eight days elapsed.
In addition, between the adoption of the bill in the House of Representatives (13 October 2010) and the initiation of the debate in the Senate of the Republic, in the First Commission (December 6), more than 15 days elapsed.
2.2.8.3. Announcement prior to the vote on the bill
Article 8 of Legislative Act 1 of 2003, which added the last paragraph of Article 160 of the Charter, provides that no bill can be voted on in a session different from that for which it was previously announced and, in addition, that the notice must be made in a session separate from that in which the bill is discussed and voted.
As provided in the relevant case law, this provision seeks to avoid surprise votes on bills and legislative acts, in order to allow congressmen to be aware of what projects will be discussed and voted in the following sessions [111].
From the point of view of the defense of democratic values, case law holds that the announcement "provides citizens and social organizations with an interest in influencing the formation of the law and the fate of this exercise their political participation rights (Article 40 CP) in order to influence the outcome of the vote, which is important to implement the principle of participatory democracy (Articles 1 and 3 CP) "[112]

The requirement of prior notice is thus a constitutional requirement intended to strengthen the democratic principle, respect for parliamentary minorities, and the publicity and transparency of the legislative process. Accordingly, the text of the constitutional provision shows that the announcement must meet the following requirements: [113]
"a) The notice must be present in the voting on any bill.
b) The notice must be given by the president of the chamber or commission in a session different from and prior to that in which the vote on the bill is to be held.
c) The date of the vote must be certain, that is, determined or at least determinable.
d) A bill cannot be voted on in a session different from that for which it has been announced."
As this ruling has shown in previous sections, in the present case this Court finds that during all stages of the processing of the bill the requirements for a valid prior announcement were fulfilled. Let's see:
i) At the meeting on Wednesday, September 8, 2010, the bill was announced for discussion and approval in the first debate in the First Committee of the House of Representatives for "next Tuesday" [114]. And indeed, the bill was approved in the first debate the following Tuesday, September 14, 2010 [115].
ii) For the second debate in the House of Representatives, the bill was initially announced on October 12, 2010 for the next day, "October 13" [116].
However, although discussion of the project began at the meeting on October 13, 2010, the Plenary decided to hold the vote at the next meeting, announcing it again in due form "for the Plenary Session of October 19" [117].
Indeed, the bill was approved at the plenary session on October 19, 2010, as stated in Act No. 24 of the same date, published in Congress Gazette 868 of November 4, 2010.
iii) At the meeting on December 2, 2010, the discussion and approval of the bill in the first debate in the First Committee of the Senate of the Republic was announced "for Monday, December 6, 2010" [118].
This is what happened, as the bill was discussed and approved in that Committee on December 6, 2010, as stated in Act No. 33 of the same date, published in Congress Gazette 39 of 11 February 2011.
iv) In the plenary session on 14 December 2010, the discussion and approval of the bill was announced "for Wednesday 15 December 2010", as can be read in Act No. 33 of that date, published in Congress Gazette No. 78 of March 10, 2011.
Indeed, the bill was approved in plenary session on December 15, 2010, as recorded in Act No. 34 of the same date, published in Congress Gazette No. 80 of 11 March 2010.
v) The reconciliation report was announced for discussion at the plenary of the House of Representatives on 15 December 2011 "for the Plenary session tomorrow, December 16, 2010" [119].
As announced, the reconciliation report was approved the next day, at the meeting of December 16, 2010, as recorded in Act No. 43 of that date, contained in Congress Gazette No. 237 of May 6, 2011.
vi) The reconciliation report was announced for the following day at the plenary session of the Senate of December 15, 2011, as stated in Act No. 34 of the same date, published in Congress Gazette No. 80 of 11 March 2011.
Indeed, the Plenary of the Senate of the Republic approved the reconciliation report the next day, December 16, 2010, as seen in Act No. 35 of the same date, contained in Congress Gazette No. 81 of 14 March 2011.
2.2.8.4. Breach of the principles of flexible identity and consecutiveness in approving Articles 29, 30 and 31
2.2.8.4.1. Characterization of the principles
Regarding the principle of unity of matter, it should be clarified that although constitutional jurisprudence has understood that the violation of this principle constitutes a material defect [120], it has also explained that the principle has a decisive role in rationalizing the process of drafting the law, and that the defect arises on the occasion of the adoption of the provision under study even when the latter lacks unity of matter with the thematic core of the law that contains it [121]; for that reason, the Board considers it relevant, for purposes of the organization and coherence of the judgment, to address compliance with this principle now.

Second, Article 158 of the Charter provides that "[e]very bill must refer to the same subject, and provisions or modifications not related to it shall be inadmissible," and Article 169 states that "[t]he title of laws must correspond precisely to their content."
From a reading of these provisions, it is possible to define the principle of unity of matter as the requirement that each of the provisions that make up a legal body belong to its thematic core, which may be identified, among other things, from what is established in its title. This applies not only to provisions introduced during the approval process, but to any of its rules, even one that was present since the bill began its passage through Congress; for that reason, among others, it cannot be understood as a procedural defect.
This last feature is very useful for distinguishing it from the principle of relative identity, with which it is usually confused, since the latter applies only to the amendments made during the legislative process to the project initially submitted to the legislature, prohibiting them from turning the project into one totally different from that conceived up to that point.
In addition, the principle of unity of matter is distinguished from that of flexible identity in that the former seeks to prevent the subject regulated by a provision from being absolutely outside the thematic core of the law that contains it. The principle of identity, instead, seeks to prevent a rule created during the legislative process from substantially changing the bill as it stood up to that stage. Thus, unity of matter proscribes rules that have no relation to the subject of the law of which they are part; identity, meanwhile, prohibits creating rules or modifying aspects of the bill in a way that makes it a quite different one. Therefore, there may be a violation of the unity of matter because an article regulates a matter unconnected with the subject of the legal body that contains it, without identity thereby being violated, since the existence or approval of that article may not result in the creation of a new bill, different from that originally conceived. Conversely, the principle of identity may be violated by an amendment that changes the essence of the bill without violating the unity of matter, in that what the amendment enshrines remains within the thematic core of the bill while making it essentially different.
Third, according to the settled case law of the Corporation, fully explained in Judgment C-400 of 2010 [122], Articles 158 and 169 of the Charter seek to rationalize and technify the legislative process, both at the time of the discussion of projects in Congress and with regard to the final product, that is, the law that is finally approved. [123]
The Court explained that the previous constitutional requirements reflect the need to give effect to the principle of legal certainty, which imposes "giving a central axis to the various discussions that the initiative raises in the legislative body" [124], and because, once issued, the application of the law demands a minimum of internal consistency that allows the recipients of its rules to identify themselves as such and to meet the obligations that flow from it. [125]
Indeed, referring to the constitutional scope of the principle of unity of matter, the Court has indicated that it is intended to "ensure that laws have systematic and integrated content, based on a single theme, or possibly several themes related to each other. The importance of this principle is that its application seeks to prevent legislators and citizens from being surprised by the surreptitious adoption of rules that have nothing to do with the subject(s) that constitute(s) the theme of the law passed and that, for that reason, may not have undergone the necessary democratic debate within the legislative chambers. Due observance of this principle contributes to the internal consistency of the rules and facilitates their compliance and enforcement by avoiding, or at least reducing, the interpretive difficulties and discussions that may arise in the future as a result of the existence of provisions unrelated to the subject matter to which the law refers" [126].
In addition, it has been held that the principle of unity of matter is observed when there is thematic, teleological, causal or systematic connectedness between the challenged rule and the law that contains it. [127]

Now, it has been held that, out of respect for the legislature's freedom of configuration, the examination of connectedness in these respects should not be too rigid [128]. In the same vein, the Court has considered that unity of matter does not mean thematic simplicity, so that a law may well refer to various issues, provided there is a relationship of objective and reasonable connectedness between them [129]. Thus, the Court has stressed the flexible nature of the judicial review to be exercised when verifying compliance with the principle of unity of matter [130].
As regards the principle of relative identity, it should be noted in the first place that this principle is derived from the systematic reading of the second paragraph of Article 160 Superior together with paragraphs 2 and 3 of Article 157. From this arises the constitutional mandate under which, during the second debate, each chamber may introduce the amendments it deems appropriate (Article 160 [131]), as long as they do not change the essence of the bill approved up to that point, since in that case all the debates required by Article 157 must be completed [132].
By way of illustration, it should be noted that, in contrast to the current flexible nature of the principle of identity, the Constitution of 1886 enshrined a principle of absolute identity, according to which bills presented to Congress could not be amended by the legislature during their passage and had to be approved exactly as they had been filed.
The constituent deemed it necessary, under the democratic, deliberative and pluralistic principle that runs through the 1991 Charter and applies squarely to parliamentary activity, that this principle be made relative by allowing projects to be amended so as to improve the content, effectiveness and rationalization of legislation and, of course, of legislative activity. But, of course, the four debates must be completed when the amendments are understood to be essential to the project, thereby ensuring the legislative initiative. In those events, the modifications, additions or deletions must be transferred to the respective permanent constitutional commission to exhaust the ordinary approval procedure from the first debate (Article 179 of the Organic Law on Regulation of Congress) [133].
In Case C-141 of 2010 [134], the Court identified as the conceptual core of the principle of relative identity "the idea that over the four debates the project remains substantially the same, that is, that the modifications which may be made to the project in exercise of the principles of pluralism and majority decision are not of such magnitude that they end up turning it into a completely different one."
It also noted that this basic rule must be considered in relation to each particular case, according to its specific characteristics, but starting from the general rule, which is respect for the democratic principle (Article 133 Superior).
Moreover, it must be noted that when the principle of relative identity is explained, it is usually associated automatically, and even identified, with the principle of consecutiveness, which is the requirement that every issue included in the bill be discussed during the four debates. However, that relationship is not always inevitable, as it may happen that a provision has not been approved in four debates without the content of the bill becoming an entirely different one. Nevertheless, whenever a defect for violation of the principle of identity through the introduction of an amendment is identified, it also results in a violation of consecutiveness, precisely because such changes, although essential, were not approved or even discussed in all the required debates. So not every transgression of consecutiveness involves a violation of identity but, conversely, any violation of identity involves a breach of consecutiveness.

Finally, on the principle of consecutiveness: first, as has been explained, the principle derives from Article 157 Superior, which establishes the requirement that all matters approved in a law have been debated by the standing committees and the plenaries of both chambers. This does not mean that each of the variations arising during the legislative process must be returned to the first debate to undergo the whole process, but that those issues not addressed at all during the previous stages must be returned to be approved or discussed by the commission and/or plenary that previously considered the bill. If this is not done, these provisions are understood to be unconstitutional for violation of Article 157 of the Charter. So the principle of consecutiveness applies not to the exact content of the articles but to the matters or issues regulated in the law that contains them. Accordingly, to establish whether a particular issue was discussed from the beginning of the legislative procedure, it will be necessary to examine in each case whether the explanatory memorandum, the report for first debate or the record of the discussion and approval at that stage contain references, discussions or proposals that address it; that is, without having to check that every provision was proposed in writing from the beginning exactly as it was finally approved.
Second, under this understanding and with reference to the constitutional jurisprudence related to this principle, Case C-141 of 2010 explained:
"Moreover, with respect to the principle of consecutiveness, Judgment C-539 of 2008 is illustrative; citing Judgment C-208 of 2005, it stated that "in development of the principle of consecutiveness, both the committees and the plenaries of the chambers are required to review and discuss all the issues that have been put before them, which is why they are prohibited from renouncing that duty or declining jurisdiction in favor of another legislative body in order to postpone the discussion of a particular subject" [135]. In this regard, the Court noted that '... Indeed, all the articles proposed in the report presented must be discussed, debated and approved or rejected by the permanent constitutional commission or the plenary, as applicable. As for the amendments or additive propositions arising in the course of the debate, and deletions, they must also be the subject of discussion, debate and voting, unless the proponent decides to withdraw them before a vote or before they are subject to change, in accordance with Article 111 of Act 5 of 1992. It is necessary that a decision be taken on an issue and not evaded, failing which a gap is created in the legislative process that infringes the principle of consecutiveness.' [136].
So the principle of consecutiveness must be understood as (i) the requirement that both the committees and the plenaries study and discuss all issues put before them during the legislative process; (ii) that the discussion of a particular issue raised in committee or in plenary not be postponed to a later stage; and (iii) that all the articles proposed for first or second debate, like the propositions that modify or add to them, be discussed, debated, and approved or rejected within the legislative body in which they are under consideration."

The Court understood it likewise in Judgment C-277 of 2011 [137], which declared enforceable the paragraph of Article 8 of Law 1340 of 2009, which had been challenged for alleged infringement of the principles of flexible identity and consecutiveness, since during the fourth debate it was decided that, in addition to the Superintendency of Industry and Commerce, established as the sole authority for protection of competition, the Civil Aeronautics would retain its powers to safeguard competition in the sector. The Court said at the time that, as seen in the description of the processing of the law during the four debates, and especially during the discussions in the House of Representatives, the necessity, relevance, appropriateness and constitutionality of centralizing the monitoring, control and inspection of free competition in a single entity, in this case the Superintendency of Industry and Commerce, were discussed, with positions for and against this measure. It concluded that although the Civil Aviation as a competition authority was not specifically discussed before the fourth debate, the inclusion of the challenged rule reflects the discussions that arose during the process on whether or not to centralize those powers of monitoring, inspection and control of free economic competition.
2.2.8.4.2. Amendments introduced during the processing of the bill under study and their consistency with the principles explained.
From the description given by this Court of the evolution of the bill during its passage through Congress, it is possible to identify the content changes [138] to the initial project that were incorporated into the final project, which are indicated below. As a methodology, this decision will analyze, for each of them, whether the principles of unity of matter, relative identity and consecutiveness were respected in its approval. Let's see:
2.2.8.4.2.1. Adding the phrase "as well as the right to information enshrined in Article 20 of the same" at the end of Article 1 "Object" in the second debate.
It might be thought that the inclusion of Article 20 Superior as part of the object of protection of the bill violates the principle of unity of matter, since that constitutional provision concerns the right to information, whereas what the bill seeks to protect is the right to privacy by safeguarding the use and disclosure of personal data. However, as will be explained below, the right being protected by this draft statute is the autonomous right to data protection, which is related to and shares common ground with both the right to privacy and the right to truth and access to information, which are enshrined in Article 20 of the Constitution. While this law does not fully develop them, it does regulate other matters relating to information when it concerns personal data. So the unity of matter is not violated. Nor is flexible identity, because the regulation up to that point is not changed so as to make the project a different one; nor the principle of consecutiveness, because although the phrase was added during the second debate, it does not regulate a topic or issue not previously discussed, since issues related to the right to information were included and discussed from the beginning.
For example, the bill introduced by the government prescribed the principle of accuracy or quality: "Information subject to treatment must be truthful, complete, accurate, current, verifiable and understandable. Treatment of partial, incomplete, fragmented or misleading data is prohibited" (paragraph d) of Article 4) [139]. In addition, in the report for the first debate in the House of Representatives, it was noted regarding the right to habeas data: "This right has an autonomous nature and characteristic features that differentiate it from other guarantees with which, however, it is in permanent relationship, such as the rights to privacy and information" [140].
2.2.8.4.2.2. Regarding article 2, adding paragraphs e), f) and g); addition of the phrase "as well as the prevention, detection, monitoring and control of money laundering and terrorist financing" in paragraph b); addition of subparagraph c) and paragraph.

In the second debate paragraphs d), e) and f) were added, and during the fourth debate paragraph c) was added. These paragraphs refer to the types of data to which the provisions of the bill, except those that establish the principles, do not apply. At the beginning of the legislative process, only the processing of data by a natural person in an exclusively personal or domestic sphere and data intended for national security and defense were exempted.
However, the legislator, during the second and fourth debates, considered that the processing of the other information provided for in the above subparagraphs should also be exempted: c) databases that are intended to contain intelligence and counterintelligence information; d) databases and files of journalistic information and other editorial content; e) databases and files regulated by Law 1266 of 2008 (financial); f) databases and files regulated by Law 79 of 1993 (census of population and housing).
The creation of these exceptions does not breach any of the principles explained above. On the contrary, it is a legitimate manifestation of the democratic principle and of the legislator's freedom of regulatory configuration. The exceptions are confined to the topic of the bill, as exceptions to its scope, thus respecting the unity of matter. Their introduction did not turn the bill into a different one, since they are incidental rather than primary rules relative to the other items approved up to that time, in keeping with the principle of flexible identity. And finally, the principle of consecutiveness was not violated, because although the wording of the exceptions was produced during the second and fourth debates, the issue of exempting some data from the scope was addressed from the time the bill was filed in Congress (Congress Gazette No. 488 of 2010). Recall that this principle refers to the approval of all matters or issues in four debates, not to the textual content of each of the provisions.
The above conclusion, and the argument from which it is derived, also support the finding that the inclusion of the phrase "as well as the prevention, detection, monitoring and control of money laundering and terrorist financing" in paragraph b) did not infringe the principles studied either.
In addition, in the fourth debate a paragraph was added to the Article, which in essence still refers to the scope of the law, specifically with respect to the exceptions, providing a minimum standard for their possible regulation. So, according to the above parameters, the inclusion of this paragraph also respects the principles of unity of matter, identity and consecutiveness: it is not a subject outside the thematic core of the project, it is really a rule ancillary to the regulation already prescribed, and from the time the bill was presented it was intended to fix its scope.
2.2.8.4.2.3. Inclusion of new sensitive data in Article 5 during the fourth debate: "social, human rights organizations, or promotes interests of any political party or to guarantee the rights and guarantees of opposition political parties."
The bill presented to Congress treated as sensitive data those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, and data concerning health, sexual life and biometric data. In the fourth debate the legislature decided to extend the definition, which in no way affects the unity of matter and does not depart from the essence of the project; and although these specific categories were included at that stage, the issue of sensitive data was addressed from the beginning of the process, so that extending what was meant by sensitive data remained within the framework of freedom of configuration.
2.2.8.4.2.4. On Article 7, during the first debate, a term of 6 months was established for the government to regulate the processing of personal data of children and adolescents. And in the second debate it was clarified that only information that is public in nature may be subject to treatment in the case of children and adolescents (Article 7).
With respect to the first of the amendments, it must be stated that only respect for the principle of unity of matter needs to be examined, since it was approved in four debates (consecutiveness), so that even if its content had changed the essence of the project (identity), it would have passed through all the constitutionally required stages.

In this vein, this Court finds that fixing a term for the government to regulate data of children does not deviate from the thematic core of the project. On the contrary, the order to regulate is a common clause in legal bodies, where the legislature provides that they require development for their application by the executive. Moreover, its absence does not prevent the exercise of a power that belongs to the President of the Republic under Article 189 of the Charter.
With regard to the inclusion of an exception to the general rule prohibiting the processing of personal data of children, when the information is public, this exception is part of the data protection regime, at this point for data belonging to children and adolescents, and is confined to the thematic core of the bill. It is also a rule accessory to Article 7 on the data of persons under 18, creating an exception to the prohibition without changing the project into a different one. And finally, to the extent that the issue of the special safeguarding of children's data, as subjects of special constitutional protection, was planned and discussed from the time the processing of the bill began, this amendment respected the principle of consecutiveness.
With respect to the latter, it is noted in advance that the same analysis will be used for other rules ordering the regulation of certain matters, with the caveat that this does not reflect the position of the Board on the material constitutionality of these provisions, specifically on the constitutionality of granting regulatory powers in certain matters.
2.2.8.4.2.5. Addition of the second part of paragraph e) of Article 8, during the first debate, which sets out the conditions for revocation of the owner's authorization: "The revocation and/or deletion shall proceed only when the Superintendency of Industry and Commerce has determined that, in the treatment, the person responsible has engaged in conduct contrary to the law and the Constitution".
As explained in the preceding paragraph, since this inclusion was introduced in the first debate, unity of matter is the only principle to be studied now. This amendment is not outside the topic of the project, which is the protection of personal data, either; in fact, it develops the provision of this paragraph e) on the possibility of revoking the authorization to provide data, indicating the conditions for its admissibility.
2.2.8.4.2.6. During the first debate, a term of one year was set in Article 11 for the government to regulate the manner in which controllers and processors must provide the information to the Holder.
With regard to this amendment, the same argument applies as to the irrelevance of referring to the principles of identity and consecutiveness and the non-violation of the unity of matter, because it ordered the government to regulate the matter within a specific term, a power enshrined in Article 189 Superior.
2.2.8.4.2.7. In the third debate, the e-mail address was included in Article 12 as mandatory information that the data controller must provide to the holder.
The inclusion of this obligation for those responsible for the data is a clear example of a rule incidental to the bill, being an additional requirement for one of the prerogatives established up to that point. It does not leave the thematic core, or change the project into another, nor does it disregard consecutiveness, since the matter of the obligations of those responsible for processing the data was present from the beginning of the process, with the draft bill filed in Congress (page 5 of Congress Gazette No. 488 of 2010) [141].
2.2.8.4.2.8. During the third debate, paragraph n) was added in Article 17, and paragraph k) in Article 18, which establish the duty of controllers and processors to inform the Superintendency of Industry and Commerce when there are risks or violations of the security of the database by third parties.

The introduction of these paragraphs and, with them, the duty of controllers and processors to inform the SIC of risks to or violations of data security neither departs from the thematic core of the project (on the contrary, it gives it effectiveness) nor varies the substance of what had been approved up to then. And the fact that it was approved during the third debate does not disregard the principle of consecutiveness, since this Court finds that the issue of the duties of these subjects was regulated from the beginning of the legislative process [142], so the inclusion of this obligation only represents the development of the democratic principle within parliamentary activity.
2.2.8.4.2.9. In the second debate the second paragraph of Article 19 was established; in the third debate, the creation of a Data Protection Delegatura within the Superintendency of Industry and Commerce was established. The first paragraph was also incorporated.
The first paragraph sets a period of six months for the functions of the Superintendency of Industry and Commerce to be regulated. The second paragraph states that the monitoring of the processing of personal data regulated by Law 1266 of 2008 (financial data) shall be subject to the provisions of this law. On these inclusions, the Board finds that there is no violation of the principles under analysis; they merely develop and set the scope of the rules already approved.
As for the creation of the Data Protection Delegatura during the third debate, it must be said that it is confined to the subject and object of the project (it is the entity that oversees the protection of data); it does not change the essence of the project, as it simply specifies how the Superintendency of Industry and Commerce will organically exercise its role of monitoring data protection; and finally, consecutiveness was respected, as the establishment and characterization of the authority responsible for data protection were present from the beginning of the legislative process and, during the natural course of the discussions, the way in which that authority must act was set out more clearly.
2.2.8.4.2.10. In the second debate, a paragraph was added to Article 25 stating:
"To register databases, interested parties must submit to the Superintendency of Industry and Commerce the information processing policies, which shall be binding on those responsible for and in charge of it, and whose breach will lead to the appropriate sanctions.
The policies shall in no case be less than the duties under this Act."
As noted, it is a provision accessory to Article 25 on the registration of databases and to the bill in general; therefore, it cannot be considered outside the thematic core, nor does it have the scope to vary the essence of the project. Nor does it violate consecutiveness, since the issue of regulating the registration of databases has been included since the project was filed in Congress (Congress Gazette No. 488 of 2010).
2.2.8.4.2.11. In the second debate the second paragraph of Article 26 was added: "The provisions of this Article shall apply to all personal data, including those covered by Law 1266 of 2008."
This paragraph simply sets the scope of what is regulated on the transfer of data to third countries, adding that the same applies to financial data. So it is confined to the subject of the project, keeps identity with what was approved up to the second debate and, being accessory to the issue of international data transfers, which was discussed and approved in the first debate, fulfilled the requirement of consecutiveness in its approval.
2.2.8.4.2.12. In the third debate Article 27 was added: "The Government shall regulate matters concerning the treatment of personal data that require special provisions. In any case, such regulations may not be contrary to the provisions of this law."

Regarding the mandate to regulate, it has already been explained that this is a clause common to legal systems and is itself accessory to what is established in them. Therefore, its inclusion does not undermine the principles under review. It is limited to the thematic core of the project, i.e. the protection of personal data, pointing to the need for the government, following the mandates of the bill, to establish special provisions for the data that require them. This is how the rapporteur senators conceived it: "This power allows the government to regulate more expeditiously special data that require constant changes given the dynamics in their treatment" [143].
With regard to respect for the principle of flexible identity, it is observed that ordering the government to regulate the protection of data that must be governed by special rules did not change the essence of the bill, especially because the same article states that the government regulation must always adhere to what the bill provides. Nor is consecutiveness disregarded, because it is not a new issue removed from what had been discussed and approved during the proceedings, and also because it is not rare for legislation to leave to the executive the development of standards or the task of creating rules that give more specific application to the general rule adopted by the legislature.
In this regard, recall that it has already been made clear that this statement does not anticipate the material analysis of the constitutionality of granting this authority to the executive in this particular case. It is only being asserted that, with respect to the principles of flexible identity and consecutiveness, this Chamber does not find that the clause under consideration creates a regime different from the one approved until then, nor that it is a new issue that needed to be approved in previous debates.
2.2.8.4.2.13. During the second debate, Article 28 on the regulation of binding corporate rules was created.
The BCRs, as will be discussed later when analyzing the material content of the provision, are those also known as principles of good governance or codes of good business practices, created by private institutions on the basis of their greater knowledge of the sector in which they operate, setting out the minimum standards for achieving higher quality in performance. Several documents that will be referenced in this ruling attest to the importance of these rules for the protection of personal data, so they cannot be regarded as a subject alien to the matter of the bill.
With regard to the principles of identity and consecutiveness, the same argument as in the previous paragraph applies, this being an accessory rule that only seeks the regulatory development of the provisions on the rules of good governance in the management of personal data.
2.2.8.4.2.14. During the third debate, Article 29, on data relating to the certificate of no criminal record, was created.
The inclusion of this provision does not violate the unity of matter. The handling of data by the Administrative Department of Security (DAS) for the purpose of issuing judicial certificates, and access to them, is not a subject alien to the matter of the bill. It is, in the end, a matter of the protection of personal data, in this case in a specific sector and for particular effects. This can also be verified from the title: "why general provisions for the protection of personal data are issued". Similarly, from reading the object of the project: "developing the constitutional right of all people to know, update and rectify information gathered about them in databases or files and other rights, freedoms and guarantees constitutional to Article 15 of the Constitution, and the right to information enshrined in Article 20 of the same concerns."
It is then observed that the subject of the law is the general protection of personal data as a fundamental right, without restricting it exclusively to specific data types, which inescapably covers data relating to judicial records.

Nor does the inclusion of this article contravene the principle of flexible identity, because the project is not replaced by another; what is set out there has no such effect on the essence of the bill approved so far. It is indeed a subject not previously regulated, though not an alien one, and it can be understood as accessory, without changing the substance of the bill. Indeed, the inclusion of the specific regulation of the data accessed by the DAS changed neither the previously approved provisions nor the sense of the requirements set out until then. While during the second debate in the House it was decided to exclude from the scope of the law the databases in criminal matters and criminal investigations, including a regulation in this regard did not replace the project approved in the House with an essentially different one.
However, this Court finds that there is an obvious violation of the principle of consecutiveness, since the matter dealt with in it was not even mentioned in previous debates. or the second debate, needed to pass a subject that had not been previously treated is, to no avail and the first and. It is not that the issue of criminal records data is outside the thematic core of the bill, but that it is an issue that was not addressed at all in the debates of the House of Representatives.
The Chamber verified this by reading the gazettes that make up the legislative record of the bill, especially those containing the discussions in the various legislative cells [144]. It could thus establish that the issue was discussed for the first time at the public hearing held before the discussion of the draft began in the First Committee of the Senate. It was the citizen Raul Antonio Vargas Camargo, intervening at the hearing, who proposed the inclusion of a provision dealing with data on criminal records and their handling in certificates issued by the DAS, stating: "why not admit that the information contained in the judicial certificate, 'recorded history, but is not required by judicial authority', issued by the Administrative Department of Security (DAS) many Colombians that the criminal penalty imposed have been fulfilled or prescribed, is a fact necessarily sensitive" [145].
In addition, the report for the first debate in the Senate shows that this is a new issue when it justifies its inclusion in the bill as follows: "In that vein, the initiative is not intended to be ordered to DAS that their databases records completed sentences disappear, only against the management of such information is made a call for caution and only for purposes that really demand it is revealed because you can not forget that one of the purposes of punishment is the social reintegration of active subject who was a criminal offense." [146]
The reconciliation report [147] likewise adopted this explanation of the reasons for putting this regulation in the bill, namely: "this [the regulations in Article 29] was collected from proposals made by citizens at the public hearing on November 25 in order to publicly discuss the project I settled law in the First Committee of the Senate." This confirms, together with a reading of what happened in the sessions of the House of Representatives, that it was at this point that the issue of the information entered in the criminal record certificates issued by the Administrative Department of Security (DAS) was first mentioned and discussed, so that, for those who have served a sentence or whose sentence has prescribed, this information is not made public in the judicial record requested by the holder.

It must be pointed out that this analysis does not contradict the statement by the Chamber in relation to the violation of the principle of relative identity, when it said that there was already an exception to the scope for national security and defense data, where data related to criminal records are located. This does not mean that, from then on (from before the start of the legislative process), the matter itself had been discussed. On the contrary, it had been discussed and approved as an exception; however, in the third debate a specific regulation on the sector was included, which had not even been proposed previously. That is, what was discussed, established and approved was that specific sectors should be regulated in a regulatory body different from the bill, not the inclusion of a special regulation on data relating to the certificate of no criminal record, which was therefore still a new issue that had to go through the four regulatory debates. And it is from the failure to fulfill this mandate that the infringement of the principle of consecutiveness stems.
Indeed, although during the second debate in the House of Representatives it was proposed to exempt from the scope of the law, specifically in paragraph b) of Article 2, the databases in criminal matters and criminal investigations, this only confirms that including a special regulation on criminal records was never discussed. Indeed, what the House passed was NOT to regulate it. So, in fact, there was no debate at all. And indeed, during the debate in which this exception was approved, it was not even debated whether or not the matter should be excepted; the new exception was simply proposed and voted affirmatively.
Let us look at Minutes No. 24 of October 19, 2010, published in Congress Gazette No. 868 of 2010:
There is another proposal for Article 2, which adds five paragraphs (C, D, E, F and G) and paragraphs a and B were added as the last paragraph of Article 2 of the following, you will read what is added.
The system of protection of personal data is established in this law shall not apply, and brings the list of exceptions.
Not only is added, changed, then let's read everything.
"The principles and provisions contained in this Act shall apply to personal data recorded in any database, or make them amenable to treatment by public entities or private nature.
This law apply to the processing of personal data in Colombian territory, where the data controller or responsible for treatment not established on national territory, will be applicable Colombian law under international standards and treaties.
The system of protection of personal data is established in this law shall not apply:
(...)
b. Databases and files intended for security and national defense, washing files, terrorism and databases in criminal matters and judicial investigation."
Signed: Carlos Correa, Miguel Gomez, Alfredo Deluque and other illegible signatures.
That's for Article 2.
After the vote on the proposals was given as follows:
Mr. President, read articles with and without propositions and new articles could be read subject block and be submitted in a separate vote, the proposal Dr. Pablo Salamanca, which is an additive proposition to Article 11, and we will vote on the items that have no proposal at this stage of the proceedings, which are the 4th, 5th, 8th, 23, plus all the propositions read to all read articles, Mr. President, and remain pending vote on a proposal of Dr. Pablo Salamanca.
Can you open the discussion and voting on this body of articles read, with new, propositions and those without proposition.
Address the session by the Chair (Dr. Carlos Alberto Zuluaga):
In consideration of the proposals read by the Secretary, the result of new items, items that have no proposition and fully endorsed by the paper, opens discussion continues the discussion will be closed, is closed. Let's open the registry.
The General Secretariat reports (Dr. Jesus Alfonso Rodriguez):
No one asked to speak, registration opens.
Address the session by the Chair (Dr. Carlos Alberto Zuluaga):
Registration closes.
The General Secretariat reports (Dr. Jesus Alfonso Rodriguez):
Registration is closed.
Yes: 106.
No: 0.

Articles have been approved without proposition that were pending, new items and items with their respective proposals which were read by the Secretariat.
From the reading of the minutes, a clear conclusion emerges: the issue of databases in criminal matters and criminal investigations was mentioned and approved in general terms, and even with the determination that they were exempted from the scope of the law; that is, it was included in the debate in order not to regulate it in the project. So, a general mention of a matter cannot be understood to fulfill the principle of consecutiveness, nor to mean that there was debate on its specific regulation, since that would render meaningless the raison d'être of this constitutional principle, which seeks to guarantee a legislative activity governed by the democratic principle, which depends, among other prerogatives, on publicity, which operates not only for the knowledge of citizens but also so that members of Congress, from the start of the procedure, can foresee what will be approved in the fourth debate, i.e. which regulation will become law of the republic.
The House of Representatives was clear on one thing: the issue would not be regulated in the pending draft, and therefore its regulation was never discussed, which is why it was included as a field excepted from the law. Consequently, it cannot be accepted as proper to the legislative process that in the fourth debate a specific and complete regulation is made of all aspects of the handling of data relating to the certificate of no criminal record, and not only that, but also of how such certificates are to be issued, how that information should be reported and that they are free of charge; in short, the sectoral regulation of the processing of these data, the rights of the holders, the duties of the manager, the means of access, etc.
The Chamber must be strict on this point, because to understand that, in a draft statutory law, what was proposed and approved in those terms in the second debate in the House ensured respect for the principle of consecutiveness would be to empty that principle of content and, in passing, to ignore the democratic principle, particularly in its dimension of the duty of publicity throughout the legislative process, whereby legislators, at all stages of the proceedings, should be able to know what is being regulated or, rather, what will be regulated when the bill is finally approved in the fourth debate.
As for actual knowledge of the discussions, account must be taken of what constitutional jurisprudence has said on the meaning of "debate", fully described in judgment C-473 of 2004 [148]. In that judgment, the Court turned to the sense this word has in the Castilian language to illustrate its scope, but also noted that "the correct interpretation of the terms 'discussion and debate' is that which conforms to the legal definitions established by the Regulation of Congress and not the natural and obvious sense of such expressions as general use." [149]
Thus, for example, it has recognized as inherent to parliamentary debate "the exposition of ideas, different concepts and criteria and to opposites and serious and respectful confrontation between them; examining the different possibilities and collective, reasoned and founded, consideration of the impact that will have the decision put into question," [150] but has also accepted that there is "debate" even if there is no dispute [151].
In the same vein, when reviewing the procedure followed in the adoption of a legislative act, the Court stated in Case C-222 of 1997 that "in the case of decisions that will affect the entire population, if laws and more so in the constitutional reforms that compromise nothing less than the basic structure of the legal order in its entirety, the debate requires deliberation, prior to the vote and indispensable to reach it, what exactly it is implicit in the distinction between quorum, deliberative and decision-making, embodied in Article 145 of the Charter." [152]

The Chamber understands that in this case the principle of consecutiveness is broken even though the issue that was introduced has some relation to the subject matter of the project. The reason is that in the House of Representatives the issue later regulated by the Senate was not discussed, because for its members this question would not be subject to regulation and, therefore, it was never debated. It would have been different if, in its deliberations, the House had addressed the way these databases would treat the data and had finally agreed that the matter should remain exempted from the scope.
In line with the above, the Full Court declared the unconstitutionality of Article 29 of the bill, for violation of Articles 157 and 160 of the Charter, because it went through only two debates of the four ordered by the Constitution.
It should be noted that these defects cannot be understood to have been cured when the plenary of the House of Representatives passed the reconciliation report with the inclusion of this provision, since the constitutional requirement is that, for the approval of each article, the debates must take place both in the standing committees and in the plenaries. Moreover, the jurisprudence [153] has been clear in establishing that the object of the accidental conciliation commissions, and of the approval of their reports, is confined to overcoming the discrepancies between the texts of each chamber, considering that, given their purely accidental nature, conciliation commissions cannot fulfil the legislative function assigned by the Constitution and the law to the permanent constitutional committees and the plenary of each chamber; it is in these that the deliberative process and the approval of the different legal provisions must take place.
In this vein, it was imperative to refer the content of this new article to the First Committee of the House of Representatives so that it and the plenary of the House could debate and approve it (Article 179 of the Organic Law Regulation of the Congress).
It should also be noted that the violation of the principle of consecutiveness is in itself irremediable when one or more of the regulatory debates have been omitted, whether because an amendment replaced the essence of the bill and/or because the issue was not discussed previously [154]. So, if the matter were returned to the body that failed to discuss it earlier, this would necessarily mean restarting the legislative process with the four debates required by Article 157 of the Charter. And it is the latter that makes it impossible to cure a procedural defect, as explained by the jurisprudence [155], which has stated that no formal defect can be cured if doing so involves carrying out a new legislative process.
2.2.8.4.2.15. During the fourth debate, Articles 30 and 31 were included, related to the handling of intelligence and counterintelligence data.
The same argument applies to the inclusion in the fourth debate of Articles 30 and 31 of the bill. Thus, the content of these provisions is not alien to the subject of the bill that includes them, since it concerns the regulation of data protection, now in a special sector, namely intelligence and counterintelligence.
Similarly, including a special regulation on intelligence and counterintelligence has no bearing on the essence of the project approved up to then by the House of Representatives and the First Committee of the Senate. It does not contradict any of the provisions adopted up to then. While it was decided in principle to regulate data protection in general, that initial intention cannot be the control parameter for determining whether the identity principle is violated; rather, as previously explained in this decision, the point to be established is whether the inclusion of an amendment during the legislative process varied the essence of what had been approved until then, which did not happen on this occasion.
However, as was the case with Article 29, the principle of consecutiveness was indeed ignored, since it was in the fourth debate, in the plenary of the Senate, that the issue of including a special regulation for intelligence and counterintelligence was addressed for the first time.

This can be verified by reading the gazettes containing the legislative process and, above all, Gazette No. 1080 of December 13, 2010 (folios 42 test notebook No. 4), where the report for the second debate in the Senate was published, in which it was stated that, for the protection of the fundamental right of habeas data, it was necessary to include a special regulation of data protection in this sector and that "an article which seeks to capture is added, storage, processing, dissemination and use of data and sensitive and personal cardholder information in databases related to intelligence and counterintelligence, are handled with the criteria of the protection of sensitive data, determining responsibility for officials who are in charge not only of treatment and collection of information but of those who order their capture and treatment such as heads, directors and deputy directors of the special units, sectional divisions and other delegations that authorization, by its nature or missionary spirit exercise these functions; as well as those authorized in the manuals of these units and who authorized or ordered operations or missions work from agencies that conduct intelligence and counterintelligence or make part of the Joint Intelligence."
It turns out, then, to be a new issue compared with what had been discussed and approved up to that time. Moreover, it cannot be identified with any of the provisions of the House bill, because although the issue of national security and defense had been discussed and approved, it was conceived and established as an exempt sector, and what the Plenary of the Senate did was to include within the scope of the project a regulation on that same sector, specifically on intelligence and counterintelligence, a matter that, seen in that light, had not been addressed at all either by the House of Representatives or by the First Committee of the Senate, thereby transgressing the principle of consecutiveness.
So, for violation of the principles of flexible identity and consecutiveness, enshrined in Articles 157 and 160 of the Charter, the Full Court declared unconstitutional Articles 30 and 31 of the draft statute under review.
2.2.8.4.2.16. During the second debate, Article 32, which establishes the transitional regime, was created.
Generally, regulatory bodies that create new rules on certain issues establish a transitional regime so that those to whom they apply can take the necessary measures to adapt to the changes. So this amendment could not be seen as foreign to the theme of the project, or as amending its essence, or as creating a new topic not previously addressed. It is, as we have said, a reflection of the dynamics of parliamentary activity within constitutional and legal limits, which, on this occasion, resulted in the inclusion of a period of up to six (6) months for people who, at the date of enactment of the bill, were exercising any of the activities regulated therein to come into compliance with its provisions, which lies within the regulation of the protection of personal data.
2.2.8.4.2.17. During the second debate, the phrase "except those referred to in Article second" was added to Article 33 on derogations.
Since it creates an exception to the general rule already established on the repeal of all rules contrary to the bill, it must be understood as an ancillary provision and therefore does not violate any of the principles in question, especially because it reflects what is already established in Article 2 of the project on the treatment of data excluded from its scope, this amendment being, moreover, necessary for technical and legislative coherence.
2.2.9. Conclusion on the constitutionality of the legislative process for the bill under review.
In line with the above, it must be said that, in general, the approval of the bill met the constitutional requirements provided for any legislative decision, and particularly for laws of such special hierarchy. But the same cannot be said of the approval of Articles 29, 30 and 31, as the way they were included did not observe the mandates of the principle of consecutiveness (Arts. 157 and 160 CP), which is why the Board will declare them unconstitutional.
2.3. REVIEW OF ARTICLE 1: PURPOSE OF THE BILL.
2.3.1. Text of the provision

"Article 1. Object. This law aims to develop the constitutional right of all people to know, update and rectify information gathered about them in databases or files, and other rights, freedoms and constitutional guarantees that refers to the Article 15 of the Constitution; and the right to information enshrined in Article 20 of the same. "
2.3.2. Citizen interventions and concept
2.3.2.1 Public Ministry. The Ombudsman requests that the final sentence of Article 1 ("and the right to information enshrined in Article 20 of the same") be declared unconstitutional, considering that the legislature's intention to develop the content of the right to information through the project under study is "anti-technical and unsystematic" because (i) the right to information is autonomous and different from the right to habeas data; (ii) even if it were accepted that the right to information could be regulated in a law on habeas data, such incorporation is justified only to the extent that the former is developed in a comprehensive and appropriate manner, which does not happen in this case; and (iii) it cannot be overlooked that the "right to information" as a fundamental right is one thing, and "information" as a good subject to appropriation and commercial transaction by powerful market players is another. In short, the Ombudsman notes that a review of the draft text leads to the conclusion that the legislature did not deal at all with "developing" the right to information. Therefore, as there is no relationship with the central theme of the project, the Ombudsman says that the expression referred to violates the principle of unity of matter.
On the other hand, the Ombudsman argues that although Article 1 sets out the regulatory parameters established by the Constitution on the right of habeas data, especially the guarantees to "know, update and rectify" information, it does not include important safeguards, such as (i) the dissociation of personal data, under which a person may request that the treatment of the information held about them be conducted through procedures that ensure anonymity, and (ii) the removal of data, i.e. the "right to oblivion" or expiration of data, a guarantee under which no information is meant to last indefinitely, which is why, once its purpose has been fulfilled, or the period provided for its use has elapsed, or the illegality of the treatment or the lack of purpose has been verified, the holder may request its deletion. For these reasons, the Ombudsman requests that it be specified that the guarantees in Article 1 are not exhaustive.
2.3.2.2. The citizen Juanita Durán Velez requests the conditional constitutionality of Article 1, with the understanding that the project scope is limited to data of commercial interest, not intimate or private, that are circulating temporarily.
2.3.2.3. The Public Ministry did not rule on the matter.
2.3.3. Constitutionality of Article 1: the guarantees it states should not be read as exhaustive
2.3.3.1. Article 1 states that the bill has three purposes: to develop (i) "(...) the constitutional right of all people to know, update and rectify information gathered about them in databases or files", (ii) "(...) other rights, freedoms and constitutional guarantees referred to in Article 15 of the Constitution", and (iii) "(...) the right to information enshrined in Article 20 of the same [the Constitution]".
2.3.3.2. Regarding the first objective, the Board finds that it is fully compatible with the project title and its content, because it concerns the development of the fundamental right to habeas data.
However, the Chamber specifies, as the Ombudsman indicated, that the guarantees of habeas data contained in this article are not the only ones the right includes. Certainly, from the right to habeas data there emerge not only the faculties to know, update and rectify the information that has been collected about the holder, but also others, such as to authorize treatment, to include new data, or to exclude or delete data from a database or file. Therefore, although the provision is consistent with the Charter, it should not be construed as an exhaustive list of the guarantees attached to the right.
2.3.3.3. As for the second and third objectives, the Court finds that they are too broad when compared, on the one hand, with the project title and the content of the articles and, on the other, with the guarantees contained in Articles 15 and 20 above.

In fact, Article 15 of the Charter recognizes three rights: (i) the right to privacy, (ii) the right to a good name and (iii) the right to habeas data [156]. The Chamber observes that while the right to habeas data is closely linked with the rights to privacy and good name, all of these rights are autonomous and have different content. In this case, the Board finds that the project only intends to develop habeas data and not the other rights, so although the provision does not disregard the Charter by being broad in this regard, it should be understood that it develops the rights to privacy and good name only indirectly, i.e. it cannot be considered a comprehensive and systematic regulation of those rights.
The same applies to the reference to Article 20 above on the right to information. Certainly, the right to information, in both its active and passive dimensions, i.e. the right to express and disseminate one's own information (including opinions) and the right to receive truthful and impartial information, converges in some respects with the right to habeas data, since, for example, (i) the right to information can concern personal data and (ii) its active facet includes the right to rectification, which can relate to personal data. However, the right to information covers all types of data, not only personal data; hence it should be concluded that the two rights have different scopes of protection and that the bill under review does not comprehensively develop the right to information.
At this point it should also be noted that although Article 2 excepts the databases of journalistic and editorial content from the application of certain provisions of the project, as will be described later, such databases are subject at least to the principles set out in Article 4, which means that the right to information itself is regulated in some respects by the project.
In short, according to the Chamber, the bill does not intend a comprehensive regulation of the right to information; its regulation is limited to the points where the rights to habeas data and to information converge or are in tension. Under this understanding, despite the breadth of the provision, it conforms to the Constitution.
2.4. REVIEW OF ARTICLE 2: SCOPE.
2.4.1. Text of the provision
"Article 2°. Area of application. The principles and provisions of this Act shall apply to personal data recorded in any database that makes them amenable to treatment by public entities or private nature.
This Act apply to the processing of personal data in Colombian territory or when the data controller or processor not established in national territory will be applicable Colombian law under international standards and treaties.
The system of protection of personal data is established in this law shall not apply:
a) A database or maintained in an exclusively personal or domestic sphere files.
When these databases or files are to be provided to third parties should, beforehand, inform the owner and request permission. In this case the controllers and the databases and files will be subject to the provisions of this law.
b) Databases and files whose purpose is national security and defense as well as the prevention, detection, monitoring and control of money laundering and terrorist financing.
c) Databases that are intended to contain information and intelligence and counterintelligence.
d) Databases and archives of news reports and other editorial content.
e) Databases and regulated by Law 1266 of 2008.
f) Databases and files regulated by Law 79 of 1993.
Paragraph. The data protection principles apply to all databases, including the exception in this Article, within the limits provided in this law without quarreling with the data that have characteristics of being covered by the legal reserve. In the event that the special regulations governing data bases excepted provides principles that take into account the special nature of data, concurrently apply themselves to those provided in this Act."
2.4.2. Citizen interventions and opinion of the Public Prosecutor's Office

2.4.2.1. The Ombudsman requests that the conditional constitutionality of Article 2 be declared, on the understanding that data processing carried out in the framework of the activities referred to in subparagraphs b), c) and f) must submit to the protection principles set out in the project, and to verify their attachment to, the data subject should not be binding on the holder.
2.4.2.2. The Legal Secretariat of the Presidency of the Republic seeks the unconstitutionality of the paragraph of Article 2, for the following reasons:
It asserts that a rigorous interpretation of the paragraph could annul the exceptions. For example, in the case of intelligence or counterintelligence databases, it would be complex to apply the principle of transparency, since it could lead to the data holder having access to the information collected, to the detriment of other rights and freedoms. It therefore argues that two kinds of exceptions within the project must be differentiated: (i) the exception for information that comes from the exercise of constitutional personal rights, and (ii) the exception concerning secret databases or data. This distinction keeps in mind that the exceptions depend on the nature of the data; if this were not taken into account, mechanisms to protect and defend national security would be undermined.
On the other hand, it indicates that one must question whether the inclusion of the paragraph reflects the will of the legislature, since, on analyzing the legislative process, only absolute exceptions were initially established, and then, with the presentation of the paper for discussion in the plenary of the Senate, this paragraph was added, which changed the whole context of the exceptions.
It adds that applying the principles of habeas data to files or databases that do not circulate or leave the sphere of the person would ruin autonomy, personal freedom, privacy and the right to documentary reserve.
Finally, with regard to files of a security and restricted nature, it argues that applying the general principles of habeas data would create a danger and a constitutional harm, in addition to depriving them of all effectiveness.
2.4.2.3. ACEMI requests the conditional constitutionality of Article 2 in the sense that "excluded from the scope of application databases membership of the General Social Security System in Health and overall System of Social Protection". It sets out the following reasons:
It argues that individuals must provide personal data to the General Social Security System in Health in order to join either the contributory or the subsidized scheme, as well as to access the actual provision of health services. It recalls, relying on paragraph 1 of Article 15 of Law 100 of 1993 and paragraph 2 of Article 25 of Decree 806 of 1998, that membership in the system is mandatory, so that "knowledge and dissemination of this information [by] health sector entities and pension funds, unlike any kind of information that lies in other databases, it is not optional." Accordingly, it considers that the data required by the system for affiliation cannot be hidden, since membership is a legal, express, reasonable and justified requirement, so one should not speak of the right to give and to know that information, "but the obligation of any person to give it to the legitimate aim of access guarantee fundamental rights more important."
Another feature by which it believes that the databases of the administrators of the Social Security System in Health are special is that refusal to supply the data, defective reporting or inability to access data obstruct the provision of the health service in general. For example, no registration of new limits the exercise of rights within the system. In addition, the failure to provide accurate and timely information affects the allocation of resources for service delivery, which is why administrators must report monthly to the Ministry of Social Protection information on the membership status of people, for the purpose of ensuring the proper allocation of resources through the control of dual affiliation and of situations of evasion and avoidance.

Finally, it argues that "(...) not to declare the conditional constitutionality of (...) mechanisms for requests, queries and complaints in time-consuming that ultimately open the doors to delay 'unjustifiably' the effectiveness would be created rights of holders of personal data, to the detriment of rights greater prominence as the right to social security."
2.4.2.4. ASOBANCARIA requests, first, the conditional constitutionality of item a), on the understanding that the data protection regime does not apply to data circulating internally, that is, data not provided to third parties.
It argues that, given the final wording of paragraph a), whoever receives a datum will have to assume the obligations and burdens contained in the articles on the treatment of information. Although the Constitutional Court has recognized that the right to habeas data may be subject to restrictions provided that they are suitable for protecting other constitutional rights or goods such as the right to information, imposing protection burdens on information that is not subject to flow, that is, that has not been and is not destined to be supplied to third parties, constitutes a disproportionate treatment that breaks the balance intended by the jurisprudence itself between rights holders, sources of information, operators of databases and users.
With regard to the other part of literal a), which states "[w]hen these databases or files are to be provided to third parties should, beforehand, inform the owner and ask for their permission," it says that the wording leads to a violation of constitutional standards related to information flow. In its opinion, this wording establishes a disproportionate restriction because it does not distinguish the types of data that, according to the case law, do not require authorization for circulation; that is, the norm makes no distinction between public, private, semiprivate and reserved data, or between personal and impersonal information. So, unless the Court determines that the rule is constitutional on the understanding that it does not apply to public data, nor to those set out in paragraph 1.4 of Article 6 of Law 1266 of 2008, it considers that it should be declared unconstitutional.
Second, regarding the paragraph, it states that applying the principles set out in the project to the exceptions sets an excessive burden which could disregard constitutional rights and principles such as the right to information, freedom of the press and/or the right to access public documents.
It adds that the paragraph does not respect the specificity of the regulation of Law 1266 of 2008 when it states: "[i]n the event that the special regulations governing data bases excepted provides principles taking into consideration the nature special data, the same applied concurrently to those provided in this law." Thus, in ASOBANCARIA's judgment, the project ignores that the statutory legislator "contemplated the design of regulatory devices aimed to ensure the specificity and nature of the field where the rules for the different scenarios where you may claim would apply respect for right to habeas data, as with the Law 1266 of 2008, specifically designed to establish general rules of habeas data to be applied in the management of the information contained in personal databases, particularly the financial, credit, trade, services and from third countries." It concludes that ignoring this specificity by requiring the application of general principles in a "concurrent" way constitutes a substantive defect.
2.4.2.5. Professor Nelson Remolina of the University of the Andes requests, first, that the first paragraph be declared constitutional, on the understanding that the project is applicable not only to the processing of personal data contained in databases, but also to that contained in the files of public and private entities. In his view it is important that the Constitutional Court rule on this point, not only because Article 15 explicitly mentions files but because not every database is a file or vice versa. These are different figures that in some cases may coincide, but not necessarily. He adds that, in any case, the exercise of the fundamental right to habeas data proceeds against both figures, not only against databases.

Second, he requests that items a), b), c), d) and f) be declared enforceable, on the understanding that the excepted treatments, and the norms issued before and after the general statutory law, must respect and ensure the essential core elements of the right to habeas data.
Third, he requests that the paragraph, together with Article 27, be declared enforceable (i) on the understanding that special laws and administrative acts on personal data issued before the new law is enacted be adjusted, reviewed and updated so that they are consistent with the general principles and rules contained in the draft and with the case law of the Constitutional Court; and (ii) on the understanding that special laws and administrative acts on personal data issued after the new law is enacted must respect and incorporate the principles and general rules contained in the draft and in constitutional jurisprudence.
2.4.2.6. The citizen Juanita Durán Velez requests the unconstitutionality of the paragraph or, failing that, its conditional enforceability on the understanding that the principles apply concurrently only where there is a gap in the special statutory regulation adopted by the legislature.
2.4.2.7. The citizen Santiago Diazgranados Mesa requests the conditional constitutionality of item a), so that it is understood to include personal data "circulating internally, that is not supplied to other legal or natural persons".
2.4.3. Constitutionality of the first paragraph: conditions that define the scope of the law
The first paragraph of Article 2 establishes three conditions for the application of the law: (i) the existence of personal data (ii) registered in a database that makes them susceptible to treatment (iii) by public or private entities.
2.4.3.1. Regarding the first condition, the Chamber considers that it conforms to the Charter, given, first, that the object of the right to habeas data is the protection of personal data and, second, that the project indeed contains general regulations aimed at protecting all kinds of personal information. Therefore, this condition is related to the thematic unity of the project.
2.4.3.2. Regarding the second condition, one of the interveners requests that it be declared enforceable provided it is understood to include files, in accordance with the text of Article 15 above, under which habeas data includes "(...) the right [of the people] to know, update and rectify information gathered about them in databases and files of public and private entities." In the opinion of the intervener, files are spaces different from databases, but they have in common that they may contain personal data that can be treated in some way. [157]
For the Chamber, the citizen's concern is very important, because files certainly contain personal data that can be treated and that therefore require protective measures; however, the Chamber notes that files do form part of the scope of the law, for the following reasons:
Article 3 of the draft defines the database very broadly as "[an] organized set of personal data which undergoes treatment." Treatment, meanwhile, is defined as "[a]ny operation or set of operations on personal data, such as collection, storage, use, circulation or deletion."
The project does not contain a definition of file; however, it is defined by the Royal Academy of Language as "[an] ordered set of documents that a person, corporation, institution, etc., produces in the exercise of their functions or activities" or as the "[p]lace where one or more files are kept." Files are also defined by Law 594 of 2000, "through which the General Archives Act is enacted and other provisions", as "[a] set of documents, whatever their date, form and material support, accumulated in a natural process by a person or public or private entity in the course of its administration, preserved respecting that order to serve as testimony and information to the person or institution that produces them and to citizens, or as sources of history (...)" (Article 3). Finally, files have also been conceptualized by the Corporation as follows: "(...) an organic set of documents, linked by an originating or source link, which serve to recover swiftly and without undue delay all information stored by an office or institution in the course of business." [158]

According to these definitions, files, for the sole purposes of the project, insofar as they are (i) ordered deposits of data, including personal data, and (ii) imply at least that the data have been collected, stored and eventually used (forms of treatment), are a kind of database containing personal data that can be treated and, consequently, will be covered by the law once it comes into effect.
This also seems to have been the intention of the statutory legislator, since several articles of the draft refer to files (i) as synonyms for databases or as modalities of the same genus to which databases belong, and (ii) as areas to which the project's regulations are applicable. For example, literal a) of the third paragraph of Article 2 states that one of the cases excepted from the application of certain regulations of the law is "(...) databases or files maintained in an exclusively personal or domestic sphere." Meanwhile, since, as will be seen below, the assumptions of Article 3 are not exempted from the application of the principles, files maintained in an exclusively personal or domestic sphere are covered by at least Article 4 of the project. The same can be concluded for the files "(...) whose purpose is national security and defense" and the files "(...) of journalistic information and other editorial content" provided for in paragraphs b) and d), respectively, of the third paragraph of Article 3; that is, the principles of Article 4 apply to such files.
It is worth mentioning that, while the definition of database in the project may differ from the common usage of the term, it is not therefore unconstitutional, because the legislature has discretion to set classifications and definitions, as occurred in this case.
In this vein, bearing in mind that the concept of databases is large enough to house the archives, the Chamber concludes that the second condition is enforceable.
2.4.3.3. Finally, concerning the third condition (the possibility of data processing by public or private entities), the question arises for the Chamber whether the use of the term "entities" implies an unconstitutional restriction, since it could limit the scope to personal data likely to be treated only by legal persons, which would exclude cases of treatment by individuals.
However, the Chamber notes that the term entity has several meanings, one of which includes natural persons. Indeed, according to the Dictionary of the Royal Academy of Language, an entity may be a "[c]ollectivity considered as a unit. Especially, any corporation, company, institution, etc., taken as a legal person", but can also be an "[e]ntity or being"; this second definition, being broader, covers natural persons.
So, in view of the principles of interpretation in conformity with the Constitution and of conservation of law, the Chamber concludes that it must be understood (without the need to condition the constitutionality of the precept) that the interpretation of the clause that conforms to the Charter is the one according to which the term entity includes both natural and legal persons. With the condition thus understood, the Chamber also concludes that it is consistent with the Charter, because it covers the assumptions necessary for the project to fulfill its purpose of providing protection to personal data.
Finally, the Chamber highlights the importance of this provision, while recognizing that the processing of personal data can also be carried out by private persons; in fact, in the globalized world, the private sector carries out a considerable part of data processing, which gives it large-scale computing power and makes it a potential infringer of the right to habeas data. Hence one of the great challenges of the protection of personal data is the creation of mechanisms to hold individuals accountable for improper and abusive treatment of personal data.
2.4.4. Constitutionality of the second paragraph: territorial and subjective scope of application
The second paragraph states that the law applies to the processing of personal data (i) carried out in Colombian territory or (ii) occurring outside the territory but carried out by a person responsible for the treatment to whom Colombian law is applicable under international standards and treaties.

For the Chamber, this provision is consistent with the Charter, since it broadens the scope of protection to some processing of personal data occurring outside the national territory, by virtue of a subjective factor. In a globalized world in which the transborder flow of data is constant, the extraterritorial application of protection standards is essential to ensure adequate protection of the personal data of residents in Colombia, as many of the treatments, by virtue of new technologies, occur precisely outside the borders. Therefore, for the Chamber it is an urgent measure to ensure the right to habeas data. This provision should also be read in conjunction with the articles on data transfer to third countries, which the Chamber will address later.
2.4.5. Constitutionality of the third paragraph and paragraph:
2.4.5.1 Excepted cases. Interpretation of the precepts
The third paragraph states that the protection regime of the bill "shall not apply" to the following areas: a) databases or files maintained in an exclusively personal or domestic sphere; b) databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and terrorist financing; c) databases that are intended to contain intelligence and counterintelligence information; d) databases and files of journalistic information and other editorial content; e) databases and files regulated by Law 1266 of 2008 (financial and commercial data used to calculate credit risk); f) databases and files regulated by Law 79 of 1993 (statistical information).
In addition, the paragraph states that the protection principles contained in the draft "(...) shall apply to all databases, including the exception in this Article, within the limits provided in this law without quarreling with the data having characteristics to be covered by the legal reserve." It also stipulates that the principles established in the regulations governing the excepted data should be applied concurrently with those stipulated in the project.
A joint reading of the third paragraph and the paragraph leads to the conclusion that the former provides a number of cases excepted from the rules of the bill because they require special rules, such as those introduced in Law 1266 for financial and commercial personal data used to calculate credit risk. These hypotheses require special regulation because they are areas where there is a strong tension between the right to habeas data and other constitutional principles (such as the right to information, national security and public order), a tension whose resolution requires special and additional rules. However, in accordance with the first part of the paragraph, these assumptions are not exempted from the principles, as minimum guarantees of habeas data protection. In other words, the assumptions contained in the third paragraph are cases excepted, not excluded, from the application of the provisions of the law, by virtue of the type of interests involved in each, which merit special and complementary regulation, except with respect to the provisions that have to do with principles. Several reasons support this interpretation:
First, as noted in the paper report for the second debate in the Senate, this paragraph was introduced in order to clarify that Article 2 does not introduce a regime of exclusion, but one of exception for areas requiring special regulations, to which the general principles of the bill nevertheless apply. In this regard, it was noted:

"The inclusion of the paragraph is because regardless of the purpose that has the database, as this contains information and personal data must comply with the general principles governing the treatment and protection of data; This has been affirmed repeatedly by the Constitutional Court to state the development and scope must have the principles governing the issue of protection of information. A unified and clear legislation on the subject in development is absolutely necessary always responding to the principles of necessity and proportionality, why pretend to leave databases without applicable to them the principles of data management, it should only be done in response to a particular study of each case on truthful foundations and enough argument to allow, through the test of reasonableness, decide and motivate why the basic principles that develops a fundamental right does not apply, simply analyzed from the perspective of the Court the principles of freedom, necessity, truthfulness, integrity, purpose. And its importance in the development of the fundamental right to habeas data, protection of personal data and computer self-determination "
Second, from the teleological point of view, these provisions must be interpreted in light of the purpose of the bill: introducing into the system a number of basic principles applicable to the processing of all personal data, regardless of classification, which is incompatible with the existence of excluded regimes.
Third, and as discussed below, the guarantees provided for in Article 4 are principles that had already been collected by the constitutional jurisprudence as guarantees stemming from the fundamental right to habeas data and that therefore, even in the absence of a law providing for them, are mandatory in the treatment of all types of personal data.
Consequently, an interpretation of the third paragraph of Article 2 consonant with the Constitution and with the content and purpose of the bill is that it does not provide regimes excluded from the application of the law, but cases excepted from some of its provisions by virtue of the interests that are in tension. These excepted cases should be regulated by special and complementary statutory laws, which shall be subject to the requirements of the principle of proportionality.
In this vein, special laws dealing with excepted areas should (i) pursue a constitutional purpose, (ii) provide appropriate means to achieve this objective, and (iii) establish a regulation that, for the sake of the intended purpose, does not unreasonably sacrifice other constitutional rights, particularly the right to habeas data. Furthermore, in accordance with the principles discussed below, compliance with the guarantees, and the limitation of habeas data within the bounds of proportionality, should be monitored and controlled by an independent body, either common or sectoral.
Before closing, as was done in Case C-1011 of 2008 [159], the Chamber wishes to recall that although the establishment of some exceptions to the application of certain provisions of the law is in principle constitutional, this does not mean that those areas, like all others in which the processing of personal data is carried out, are excluded from the basic guarantees of the right to habeas data, or from the guarantees of other fundamental rights that in each case may be injured by the processing of personal data. [160]
2.4.5.2. Exceptions are actually provided by law, as required by the Constitution, and must be interpreted restrictively

The Human Rights Committee, in its General Comment 16 on Article 17 of the ICCPR, on the right to privacy, said that "(...) no interference can occur except in cases provided by law. Interference authorized by States can only take place under the law, which in turn must comply with the provisions, aims and objectives of the Covenant" (bold added) [161]. From this statement it follows, as the Corporation has also indicated, that, in principle, exceptions to the application of the guarantees of fundamental rights, in this case the right to habeas data, must be provided by law, as indeed the project under consideration does. Certainly, in the opinion of the Corporation, since such exceptions are a strong limitation of rights, their regulation is a matter for the statutory legislator. [162] In addition, the exceptions made, even if they are contained in a law, must be subject to the requirements of the principle of proportionality. [163]
The Human Rights Committee has also stated that "[e]ven with respect to interferences that conform to the Covenant, relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted." Hence the need for the exceptions provided in this article to be developed by the statutory legislator in other laws, which specify the conditions under which the derogation should apply.
Finally, the Committee said that "[t]he implementation of article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without being intercepted or opened or otherwise read. Surveillance by electronic or other means, the interception of telephone, telegraph or other communications, and the interception and recording of conversations should be prohibited. Searches of a person's home should be limited to the search for necessary evidence and should not be allowed to amount to harassment." In other words, the exceptions provided in this article should in any case comply with the above prohibitions.
2.4.5.3. Constitutionality of subparagraph a): the exception for "databases or files maintained in an exclusively personal or domestic sphere."
Literal a) offers three normative contents: (i) it states that one of the cases excepted from the rules of the project is "databases or files maintained in an exclusively personal or domestic sphere." (ii) It then states that "when these databases are to be supplied to third parties must, beforehand, inform the owner and ask for permission." Finally, (iii) it states that in the latter case, that is, when the data are supplied to a third party, the person responsible for the respective databases and files will be subject to the provisions of the law.
2.4.5.3.1. In relation to the first normative content, one of the interveners asserts that the exception should cover any information that circulates internally, that is, not only at the personal and domestic level but also, for example, at the level of a company, and understands that what delimits internal circulation is the treatment of data without the intention of supplying it to others. The Chamber, however, finds that the rule, as written in the project, is compatible with the Constitution and that the Court cannot extend the scope of the exception to hypotheses not envisaged by the legislature, for the reasons outlined below:
The first normative content of literal a) has three elements: (i) it refers to personal data, (ii) contained in databases (iii) "held in a purely personal or household level". The last element, which is the one challenged by the intervener, concerns the sphere of privacy of individuals; certainly, the personal and domestic spheres are those traditionally linked to the right to privacy, which, as it relates to the possibility of self-determination as an element of human dignity, cannot be predicated of legal persons. Therefore, this exception seeks to resolve the tension between the right to privacy and the right to habeas data.

So, while the data maintained in these areas (i) are not intended for circulation or disclosure, and (ii) treatment can also lead to adverse consequences for the owner, it makes sense that your treatment is exempt from some provisions of the draft. For example, it would be reasonable for the protection of personal data maintained in these areas (for example, a domestic phone book) was in charge of the Superintendence of Industry and Commerce or who treats data were subjected to the sanctions regime which provides for the draft.
Now, it can be understood that the first normative content of the literal a) extends to the treatment of any data when circulating internally, as intended ASOBANCARIA. First, although it is certainly one of the reasons why the exception of item a) is reasonable it is because the data "maintained in an exclusively personal or domestic sphere" are not intended to circulate, hence it does not follow that all fact that no current or circulates internally should be exempted, because to operate except by the will of the legislature, is also required that the data being maintained by an individual in his intimate sphere. Certainly, there are two different scenarios, why, for example, in the text of the Law 1266, but were treated together, were joined by the conjunction "and", which means they are two different ideas. [ 164]
Second, there is no reason to conclude that, in the context of a general and minimum regulation of habeas data [165], the treatment of data circulating internally deserves the same legal consequences as the processing of data "kept in a exclusively personal or domestic" sphere; in other words, there are no constitutional arguments that lead to the conclusion that the two hypotheses should receive the same legal treatment. The fact that data do not circulate, or circulate only internally, does not ensure that their treatment cannot have adverse consequences for the owner. Consider, for example, the resumes of a company's employees held internally; although they will not be disclosed to third parties, their treatment and internal circulation can themselves have negative consequences for the owner of the data (for example, in punitive or promotion terms), which is why they should be subject to the general rules enshrined in the bill.
In this vein, provided that the conditions set out above are met, and on the understanding that in any case this hypothesis is itself subject to the principles of Article 4, for the Chamber the exception in the first normative content of literal a) conforms to the Charter.
2.4.5.3.2. Regarding the second normative content, namely that "when these databases are to be supplied to third parties must, beforehand, inform the owner and request permission", the Chamber finds that it is not only compatible with the Constitution but develops the principle of freedom, whose content will be examined later, all the more so considering that when data leave the personal or domestic sphere, their circulation can start creating risks to the rights of the holders.
2.4.5.3.3. Finally, the Chamber considers that the third normative content, which states that "[i]n this case the Heads and Managers of databases and files will be subject to the provisions of this law", is not only compatible with the Charter but is a manifestation of the principle of responsibility. The Chamber notes that when data that were kept in the personal or domestic sphere are placed in external circulation, a risk for the holder is created, which justifies subjecting the manager and controller to the liability rules provided for in the project, in order to avoid possible abuses. The Chamber therefore also declares this part of literal a) enforceable.
2.4.5.4. Constitutionality of paragraph b): the exception "databases or files whose purpose is national security and defense as well as the prevention, detection, monitoring and control of money laundering and terrorist financing"
2.4.5.4.1. As indicated in Case C-251 of 2002 [166], "[o]ne of the basic purposes of the Colombian authorities is the defense of national integrity and the preservation of public order and peaceful coexistence, not only because as expressly provided for in Article 2 of the Charter, but also because these items are material conditions so that people can enjoy their rights and freedoms."

The work of defense and security, unlike intelligence and counterintelligence, as will be seen below, takes place while current and serious threats to public order and sovereignty exist, and can only be carried out by the security forces. [167] Threats of such magnitude justify the processing of personal data for the purposes of national defense and security; moreover, this Court has indicated that the processing of personal data for these purposes "(...) is an important tool for achieving its constitutional purpose of maintaining constitutional order and the conditions necessary for the proper exercise of the rights and freedoms element under the Charter" [168], i.e., it is an important tool available to the authorities to fulfill their duties of defense.
However, as indicated by the Corporation, the defense of public order and the integrity of sovereignty cannot be an excuse to ignore the basic guarantees of the social rule of law and implement a totalitarian state in which people become objects in the service of the state. [169] Therefore, any work of national security and defense must be compatible with the dignity and fundamental rights of the persons who may be affected. In this vein, the Chamber reiterates that the processing of personal data for these purposes must adhere strictly to the requirements of the principle of proportionality.
2.4.5.4.2. Similar considerations apply to the exceptions concerning the "prevention, detection, monitoring and control of money laundering and terrorist financing", since both money laundering and terrorism are major threats to security and public order.
For example, in Case C-537 of 2008 [170], the Court recognized that the offense of terrorism entails a severe impairment of "(...) rights and freedoms of the first order, which makes it compulsory for the State to establish adequate and effective measures, both in international and domestic law, to prevent, combat and punish such conduct." Given the seriousness of the offense, the Court added that "(...) the decisions of the legislature aimed at implementing measures for the prevention, suppression and punishment of terrorism are prima facie in harmony with the Superior Statute." [171] The Chamber also notes that adopting measures to effectively combat terrorism is an international obligation of the Colombian State deriving from instruments such as the International Convention for the Suppression of Terrorist Bombings, the International Convention for the Suppression of the Financing of Terrorism and the Inter-American Convention against Terrorism, all ratified by Colombia and whose approving laws were declared enforceable by the Corporation.
As regards money laundering, the Court has stated that the establishment of measures to prevent and punish such conduct is an inseparable aspect of the success of measures for the suppression of organized crime. It has also recognized that given the sophistication of networks dedicated to this crime and their transboundary nature, special measures and the use of technology are required. [172]
In this vein, given the magnitude of the threat that the criminal conduct of terrorism and money laundering represents to the constitutional order, the Court considers it reasonable that the processing of data for their prevention, detection, monitoring and control is exempted from the application of the project under review, except in matters of principles. [173]
2.4.5.5. Constitutionality of subparagraph c): the exception "databases that are intended to contain information and intelligence and counterintelligence"
In the report for the second debate in the Senate [174], the inclusion of paragraph c) was proposed for the following reasons:
"The new literal d) is included given that, while literal c) of the same article contains a description of databases related to the issue of state security, it is well known that the issue of intelligence and counterintelligence should be treated carefully because, although closely related to state security, its handling and purposes are autonomous, which is why, respecting the existing case law, it is preferred to clearly identify the conditional exclusion of such databases."
The constitutional jurisprudence has indicated that intelligence and counterintelligence, although they are related to national security and defense, are different concepts that deserve special and different regulation.

As noted in Case C-592 of 1997 [175], the term intelligence is defined by the Royal Academy of the Spanish Language as "[o]rganization in a State secret to lead and organize espionage". This activity is therefore reserved for state bodies and cannot be delegated, for reasons of national security.
More recently, in Case C-913 of 2010 [176], the Court recalled that the terms intelligence and counterintelligence have the following definitions:
"(...) the Dictionary of the Royal Academy of the Spanish Language mentions, within the various meanings of the term intelligence, 'treatment and secret correspondence of two or more persons or nations together', and further suggests the concept of intelligence, which is defined as a 'secret organization of a State directing and organizing espionage'. On the other hand, with respect to counterintelligence, it refers to the concept of counterintelligence, defined as a 'service of defending a country against espionage by foreign powers'."
Then, from these definitions and a survey of definitions adopted in other legislation, the Court concluded that these tasks have the following characteristics:
"From the above concepts can be highlighted, among others, the following common elements about the work of intelligence and counterintelligence: i) these are activities of gathering, collection, classification and circulation of information relevant to achieving goals related to the security of the State and its citizens; ii) the purpose of these activities and of the information referred to is to prevent, control and neutralize situations that endanger such legitimate interests and to enable strategic decisions to be made for their defense and/or advancement; iii) the element of confidentiality or secrecy of the information collected and of the decisions it underpins is inherent in these activities, since free circulation and public knowledge of them may cause the failure of such operations and of the objectives pursued; iv) Since it is possible to detect and prevent illegal and/or criminal proceedings facts, intelligence and counterintelligence information is usually collected and circulated without the knowledge, let alone consent, of the persons concerned."
To this it added that (i) intelligence has a preventive function, which means that, in principle, personal data processed for this purpose cannot be used for the deprivation of liberty of individuals. In addition, (ii) this type of work can only be done to prevent attacks against highly important legal interests, such as public order and national sovereignty, so that it cannot be used as a tool for the prevention of minor crimes of purely individual occurrence. (iii) Finally, intelligence and counterintelligence activities can be carried out until the commission or attempted commission of an offense; at this point, it is the duty of the intelligence authorities to put the matter before the judicial authorities and the police, so that, in the context of criminal proceedings, with respect for the presumption of innocence and after the collection of evidence within legal and constitutional parameters, they adopt appropriate measures.
Therefore, intelligence and counterintelligence should be seen as tools in the service of the rule of law and not as ends in themselves, which explains why they are strictly subject to the requirements of the principle of proportionality. Understood in this way, exempting from the application of the provisions of the draft the data processing that takes place on the occasion of intelligence and counterintelligence activities is not unconstitutional, because it is important work for maintaining public order and the integrity of national borders. [177]

Now, under the constitutional jurisprudence and international standards of human rights protection, which also derive from the requirements of the principle of proportionality that should guide any limitation of a fundamental right, the special regulation introduced for intelligence and counterintelligence must adhere to the following guidelines: [178] (i) the processing of personal data for this work must be justified by a serious, real and imminent threat to national security and public order; (ii) the data processed for these purposes cannot be revealed until criminal proceedings are initiated [179] and, in any case, cannot have probative value within them. The disclosure of this information without proper justification entails criminal liability. [180] (iii) Adverse consequences for the owner of the data cannot be derived from intelligence and counterintelligence data, for example regarding access to certain public offices, unless the information collected is first reported to the owner and he is given the opportunity to contest the findings of the respective reports.
These demands are higher than, for example, the limitations to which habeas data is exposed in a judicial proceeding, which is explained by the fact that (i) unlike what happens in judicial proceedings, in intelligence and counterintelligence work there are no procedural mechanisms to ensure the rights of the owner, nor is there oversight by a judicial authority which, besides being impartial and independent, has as one of its duties to ensure the fundamental rights of the parties; and (ii) when intelligence and counterintelligence work is carried out, the owners of the data do not come to know they are being watched until the moment when, for example, an adverse consequence is to be attached to the information collected; in fact, in many cases the owner of the data never learns that his information was processed by intelligence and counterintelligence agencies. [181]
2.4.5.6. Constitutionality of paragraph d): the exception of "data and files of journalistic information and other editorial content"
This restriction is necessary to the extent that it ensures respect for press freedom. The law has been emphatic in stating that the "scope of protection of freedom of expression in a generic sense enshrined in Article 20 Superior, is the freedom of the press, which refers not only to print media but all mass media communication."
The constitutional jurisprudence has granted enhanced protection to freedom of expression by virtue of the important role this guarantee plays in a participatory democracy. The Court has said that, like other rights, it is not absolute, i.e. it may eventually be subject to limitations legally adopted to preserve other constitutionally protected rights, values and interests with which it may come into conflict. However, "the privileged nature of freedom of expression has the direct effect of generating a series of constitutional presumptions - the presumption that any expression is covered by the scope of constitutional protection, the suspicion of unconstitutionality of any restriction of freedom of expression, the presumption of primacy of freedom of expression over other rights, constitutional values or interests with which it may come into conflict, and the presumption that controls on the content of expressions constitute censorship."
On the other hand, by express mandate of Article 13-2 of the American Convention on Human Rights, the exercise of the right to freedom of expression "cannot be subject to prior censorship but should entail subsequent liability". This same Convention states that the only exception to this rule is established in paragraph 4 of that article, which refers to the submission of public entertainment to classifications "with the sole purpose of regulating access to them for the moral protection of children and adolescence." Thus, in Colombia all forms of prior restraint on expression are inadmissible, except for the possibility of establishing legal rules governing access by persons under 18 to public performances.

On that premise, in Judgment T-391 of 2007 [182] it was said that the ban on censorship, also enshrined in Article 20 Superior, is absolute, and that what is therefore prohibited is "the prior control of what is to be expressed and the veto of certain expressive content before the information, opinion, idea, thought or image is disseminated, preventing both the individual whose expression has been censored and the whole of society potentially receiving the censored message from exercising their right to freedom of expression. The constitutional and international prohibition of censorship is absolute, and leaves no margin of regulation to the legislator nor admits interpretations that reduce its scope - Article 20 Superior says, in categorical terms, that 'There will be no censorship'. The prohibition of censorship is established in Article 20 of the Charter peremptorily, without nuance, without exceptions and without entrusting the regulation of the matter to the legislator."
Accordingly, paragraph d) of Article 2 seeks to prevent databases and files of a journalistic character from being subjected to the same limits as general information, which could result in a disproportionate restriction of press freedom and even in censorship (consider, for example, the possibility of an obligation to reveal sources). However, this Court must reiterate that, because of the special consideration that the constituent granted to freedom of expression, possible collisions with the right to habeas data shall be settled by a special regulation.
It should also be noted that the databases to which paragraph d) of Article 2 refers are those of eminently journalistic content, and not those held by a communications medium by virtue of other activities, such as those aimed at commercial or advertising purposes. Thus, databases with information on the subscribers of a newspaper will themselves be subject to the regulation of the future statutory law.
2.4.5.7. Constitutionality of literal e): the exception of "Data and files regulated by Law 1266 of 2008"
Law 1266 of 2008 is the statutory law on the protection of commercial and financial personal data for the calculation of credit risk, as was defined in Case C-1011 of 2008. These data require special regulation, such as that adopted in Law 1266 and declared enforceable by the Corporation, because in this area a tension arises between habeas data and the development of financial and stock market activity, an activity of public interest by virtue of the impact it can have on the whole economic system and, in this way, on the guarantee of fundamental rights and the maintenance of public order. In view of the need to regulate the processing of these data in particular, they should be exempted from the application of the project under study. Therefore, the Chamber declares letter e) enforceable, in accordance with what was stated in Case C-1011 of 2008. However, the Chamber notes that, under the paragraph of Article 2, the principles provided for in the project under study should be complementary to those established in Law 1266.
2.4.5.8. Constitutionality of literal f): the exception of "Data and files regulated by Law 79 of 1993"
Law 79 of 1993, "Whereby the realization of the Census of Population and Housing is regulated throughout the national territory", establishes special rules for the treatment of statistical data; these rules provide that personal data supplied for statistical purposes are confidential and cannot be used by other public authorities for different purposes. For the Chamber, this exception is also compatible with the Charter, since confidentiality is indispensable to ensure the accuracy of census and statistical data. If organizations like the DANE could disclose personal information of those involved in the process, the data could be corrupted, affecting the accuracy of the analysis. The accuracy of statistical information, the Chamber recalls, is essential for the design of public policies and social programs.
2.4.5.9. Other areas requiring special regulations, although they are not exempted areas
Now, in exercise of its freedom of configuration and in view of the special characteristics of certain types of personal data, the legislature can also establish special rules for other types of data, but in no case shall these be construed as exceptions, unless the future statutory law is amended to include new exceptions.

An example of other areas that require special regulation is found in section B of Resolution 45/95 of 14 December 1990 of the United Nations General Assembly (document E/CN.4/1990/72, 20 February 1990) on "Guidelines for the regulation of computerized personal data files". This document, after noting a number of minimum principles that should guide the processing of personal data in all countries and that are also applicable to governmental organizations, provides that:
"(...) an exception to these principles may be specifically envisaged when the purpose of the file is the protection of human rights and fundamental freedoms of the individual concerned or humanitarian assistance. A similar exception should be provided in national legislation for governmental international organizations whose organizational arrangement does not prevent the implementation of the said national legislation as well as international non-governmental organizations which fall under this law."
The legislator could then, under this provision, establish a regime of special protection for data managed by non-governmental organizations defending human rights.
The same can happen in the case of health data, taking into account that a large part of them are sensitive and that medical records are confidential; of data processed for the purposes of constructing memory and guaranteeing the collective right to the truth; or of sensitive data processed on social networks.
2.5. REVIEW OF ARTICLE 3: DEFINITIONS.
2.5.1. Text of the provision
"Article 3. Definitions. For the purposes of this law, it is understood by:
a) Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.
b) Database: Organized set of personal data which undergoes treatment.
c) Personal Data: Any information linked to or that may be associated with one or more specific or identifiable individuals.
d) Processor: Natural or legal person, public or private, which by itself or in association with others performs the processing of personal data on behalf of the controller.
e) Controller: Natural or legal person, public or private, which by itself or in association with others decides on the database and/or the treatment of the data.
f) Owner: Natural person whose personal data are processed.
g) Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion."
2.5.2. Citizen interventions and concept
2.5.2.1. Public Ministry. The Ombudsman requests that Article 3 be declared enforceable; however, it argues that at the level of definitions, the project under study is even more limited than Statutory Law 1266 of 2008. For example, it explains that the 1266 Act contains definitions of concepts such as "information source", "user", "public data", "semi-private data" and "private data", which are absent from the current project. It adds that although the lack of congruence between a sectoral law and a general law that seek to regulate the same right is not in itself a constitutional vice, it can lead to situations of contradiction that evidence the lack of proper legislative technique in a complex and delicate matter. To illustrate, it says there are provisions of the sectoral law which may be more beneficial than those of the general law and to whose application the owner of the data could legitimately aspire, although his case does not fall within financial or credit data. It states that the opposite can also happen, that is, that in a case involving this kind of data, the application of the general rules of the bill is sought. Consequently, says the Ombudsman, it will be the judges who are in charge of setting the limits and scope of the respective fields of application, as they resolve cases, although this is not really the right scenario, since such details should be settled in the legislature.

2.5.2.2. Professor Nelson Remolina of the University of the Andes requests that the constitutionality of literal e) of Article 3 be made conditional, as he wonders whether the definition contained therein refers to the person who serves as the source or as the operator under the terms of Law 1266 of 2008. He considers that the definition of literal e) is confusing and incomplete because it creates loopholes regarding the subject who by law must fulfill a number of obligations. Moreover, in his view, it seems that in the new project the source and the operator of Law 1266 of 2008 are merged into the figure of the controller. Given this uncertainty, the Court believes it necessary to clarify the scope of these definitions, because the concepts are important to establish the rights and responsibilities of the different subjects involved in the processing of personal data.
2.5.2.3. The citizen Santiago Mesa Diazgranados stated, in relation to the requirement of "prior, express and informed" consent in literal a), that it is an excessive requirement contrary to the Constitution. He considers that in each case the safeguarding of the right to privacy must be weighed against freedom of the press, freedom of opinion and the free movement of ideas, in order to avoid censorship and to favor the free flow of thought and the strengthening of a State respectful of the free development of personality. He explains that the requirement of consent, regardless of the type of personal data, is an unreasonable requirement that entails the violation of the right to information and freedom of expression. He indicates that the Constitutional Court has considered the requirement of a manifestation of consent for particular circumstances in which the personal data are sensitive or confidential, and mentions by way of example credit data, information related to sexual orientation, the habits of the individual and religious or political beliefs. Based on these considerations, he notes that the definition of the principle of freedom (Article 4 literal C) and the qualification of the consent of the holder of personal data (Article 3 paragraph a) contained in the draft law under review must be declared partially unconstitutional, in order not to limit other freedoms unjustifiably or unreasonably.
2.5.2.4. The citizen Alejandro Salas Pretelt requests that the term "express" in literal a) be declared unconstitutional. In his view, it constitutes an unjustified requirement. He argues that constitutional jurisprudence has recognized that the management of certain personal data should not necessarily be subject to approval, tacit consent being enough. He states that for sensitive or reserved data express consent is required, but for other data consent may be implied. He concludes that the bill, by qualifying as express the consent for any supply of personal data, goes against Articles 15 and 20 of the Constitution.
2.5.2.5. Similarly, the citizen Rolfe Hernando González Sosa seeks the partial unconstitutionality of item a), specifically the word "express", to the extent that it is an excessive demand. He argues that, in accordance with constitutional jurisprudence, the interpretation of the project must be compatible with the exercise of the right to freedom of expression and information. He argues that requiring the "express" consent of the holder of personal data for any kind of treatment is not proportionate, because the flow of information in which any personal data may be involved is so dynamic and is present in so many facets of daily life "that this flow of information would really be impossible if express consent were required every time for any personal data as if it were sensitive data, seriously breaching the right to freedom of expression and information".

He states that in Case C-1011 of 2008, the Court determined that express consent is required only for credit data, from which it follows that for other data types tacit consent is valid within the principle of freedom. He also stresses that in that judgment it was established that it was up to the judge to determine in each case "the content of the permit the user of the computer system obtains the owner of the data, with a view to establishing its scope, considering also the general interest demanded the use of the document, in particular, the conditions under which such authorization was granted, whatever that if the consent of the grantor was conditioned by access to the service or credit transaction." In this sense, he argues that it is the judge himself who must analyze whether, given the information required, the express consent of the owner is necessary or not.
2.5.3. General comments on the constitutionality of the Article
The definitions of the "technical" words used to regulate the subject matter of the bill are essential elements for the protection of habeas data, insofar as they allow a correct and proper interpretation of the law and help determine the responsibilities of those involved in the processing of personal data. However, as noted in judgment C-1011 of 2008 [183], the setting of such definitions is part of the free choice of the legislature, so that on this point the Congress enjoys a wide margin of discretion. Nevertheless, it is necessary to make some clarifications on the terminology the legislature chose and to examine whether it complies with the Constitution.
The first thing the Chamber notes, as did some interventions, is that unlike what happened in the 1266 Act, the legislature on this occasion relied on concepts proper to the European model to refer to the people linked to the treatment of personal data. For some participants this fact is not only a problem of legislative technique (to the extent that it leads to the coexistence of two regulatory models that aim to make a complete regulation of such an important matter as habeas data, but with different terminology) but a constitutional problem, because the difference in words involves diluting the responsibility of those involved in the treatment of the data.
The Court finds that, indeed, in the project under review the legislature set aside concepts such as source, operator and user, and did not define subcategories of personal data, definitions which were included in the 1266 Act. However, in principle, the difference in concepts is not enough for the provision to be declared unenforceable, because the legislator, in its freedom of configuration, can choose to change the terminology used in the 1266 Act. To determine whether this change in terminology really is a vice of constitutionality, it is for the Chamber to analyze each of the definitions that the project contains and its impact on the regime of responsibility of the actors involved in the treatment of the data, in contrast with the constitutional requirements of guaranteeing the right to habeas data.
2.5.4. Constitutionality of subparagraph a): definition of "authorization"
Literal a) refers to authorization and defines it as the prior, express and informed consent of the holder to carry out the processing of personal data. As to these characteristics of authorization, we refer to the section analyzing the guiding principles, in which consent and its characteristics for the treatment of data will be studied in depth. It is therefore sufficient for now to note that consent is a fundamental aspect of the right to habeas data and that, despite the many interventions requesting the unconstitutionality of the word "express", the definition will be declared adjusted to the Constitution, for the reasons set out in recitals 2.8.4.1 and 2.11.3 of this decision.
2.5.5. Constitutionality of subparagraph b): definition of "database"
Literal b) defines databases as "(...) organized personal data to be processed together." Although this definition is fairly broad and seems to coincide more with the data bank used in the 1266 Act, since the legislature has freedom of configuration in the field, it can adopt different definitions depending on the regulation.

Now, the definition is consistent with the Charter, because it covers every space where some form of treatment of the data is carried out, from simple collection onward, allowing the protection of habeas data to be extended to all sorts of hypotheses. Accordingly, the Chamber recalls, as indicated in consideration 2.4.3.2., that the concept of database covers files, understood as sorted deposits of data, which means that files are subject to the guarantees provided in the draft law.
2.5.6. Constitutionality of subparagraph c): definition of "personal data"
Literal c) of Article 3 defines personal data as "[a]ny linked information or may be associated with one or more specific or determinable natural persons". This definition, although wide, broadly agrees with the line of jurisprudence that this Court has developed in the field as well as with the definition adopted in the 1266 Law on financial personal data. Additionally, setting a definition of personal data is a legitimate exercise of the freedom of configuration enjoyed by the legislator, whose limits in this case have not been disregarded.
2.5.6.1. Indeed, constitutional jurisprudence has stated that the characteristics of personal data - as opposed to impersonal data [184] - are as follows: "i) they refer to exclusive and specific aspects of a natural person, ii) they allow the person to be identified, to a greater or lesser extent, thanks to the global picture that is achieved with the same and other data; iii) their ownership resides exclusively in the owner thereof, which is not altered by their acquisition by a third party lawfully or unlawfully, and iv) their treatment is subject to special rules (principles) as regards uptake, management and dissemination." [185]
For its part, the 1266 Act, with the approval of the Corporation, although in a different context, defined personal data similarly: "Personal data: is any piece of information linked to one or more natural or juridical persons. (...)" (literal e) of Article 3).
Personal data, in turn, are usually classified into the following groups depending on their greater or lesser degree of acceptability of disclosure: public data, semi-private data and private or sensitive data. [186]
2.5.6.2. The Chamber wonders whether the omission of these classifications in paragraph c) is a vice of constitutionality. For the Chamber the answer is no, because these definitions are not an indispensable ingredient for applying the guarantees of the law and, in any case, the absence of definitions can be filled by going to the constitutional jurisprudence and other legal provisions.
First, the classification of personal data into public, semi-private, and private or sensitive is only one possible way to categorize the data, but not the only one; other classifications could result from criteria other than the degree of acceptability of disclosure of the data. The legislator, therefore, is free to choose or not choose a categorization.
Now, it is true that the statutory legislator adopted some of these classifications, such as sensitive data, whose treatment is prohibited with some exceptions in Article 6 of the draft. In order to make sense of this provision, according to the Chamber, it suffices to go to the definitions developed by the constitutional jurisprudence or to the definitions of other legal provisions such as Law 1266, Article 3 of which provides:
"f) Public data. It is the data qualified as such by the mandates of the law or the Constitution and all those that are not semi-private or private, in accordance with this Act. They are public, among others, the data contained in public documents, duly executory judgments which are not subject to reserve and those relating to the civil status of persons;
g) Semi-private data. Semi-private is the data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of persons or to society in general, such as the financial and credit data on commercial or service activity referred to in Title IV of this law.
h) Private data. It is the data that by its intimate or confidential nature is only relevant to the owner."

In this vein, since the classification of personal data is not an indispensable element of the regulation and, in any case, such a gap can be remedied by resorting to constitutional jurisprudence and other legal definitions, especially Article 3 of Law 1266, under the principle of conservation of law, literal c) shall be declared enforceable in this respect.
2.5.6.3. Moreover, it draws the attention of the Chamber that the definition in literal c) is restricted to the data of natural persons. The definition therefore seems, in principle, to conflict with some rulings of the Corporation in which it admitted that legal persons may also be holders of the right to habeas data, such as judgments T-462 of 1997 [187] and C-1011 of 2008 [188].
However, in the opinion of the Chamber, this is not a restriction that ignores the constitutional doctrine on habeas data protection vested in legal persons, nor the principle of equality. Certainly, the guarantee of habeas data for legal persons is not an autonomous protection of such bodies, but a protection that arises by virtue of the natural persons that comprise them. Therefore, in the Chamber's view, the reference to natural persons is legitimate, which does not prevent protection from eventually being extended to legal persons when the rights of the persons who make them up are affected.
2.5.7. Constitutionality of paragraphs d) and e): definitions of processor and controller of data processing
2.5.7.1. Subparagraphs d) and e) of Article 3 expressly mention the processor and the controller of the data, respectively. The Chamber notes that differentiating these two subjects is decisive, because the scope of their duties, listed in Title VI of the project, depends on it, so that these definitions are linked to the principle of legality in punitive matters and are a guarantee for the owner of the information as to who is required to comply with the different prerogatives that make up habeas data.
However, it should be noted at the outset, as indicated in judgment C-1011 of 2008, that all the principles for managing personal data identified in this project (which will be studied in another section) are enforceable against all those involved in the treatment of data, understood as collection, circulation, use, storage, deletion, etc., regardless of the denomination that the subjects acquire, that is, whether they are source, controller, operator, processor or user, among others. Having made these clarifications, the Chamber proceeds to examine the constitutionality of the definitions.
2.5.7.2. The project defines the processor as the natural or legal person, public or private, that by itself or in association with others performs the processing of personal data on behalf of the controller. The controller, on the other hand, is defined as the natural or legal person, public or private, that by itself or in association with others decides on the database and/or the data processing [189].
These definitions seem inspired by European law, especially Directive 95/46/EC and Opinion 1/2010 of the Consultative Group on Data Protection [190], to which it is worth referring merely for illustrative purposes and in order to approach a correct understanding of both concepts, a task that sometimes becomes difficult because of the advance of information technology and other challenges posed by globalization. [191]
Opinion 1/2010 states that what allows the controller to be distinguished from the other actors involved in the process is that the controller is the one who determines the purposes and the essential means of data processing. It also indicates, in relation to the means, that one may speak of a controller when the subject exercises control over or determines essential elements of the means, such as the time that the data must remain stored, the way they will be used or put into circulation, access to them, etc. For its part, it states that the processor is the one who performs the processing on behalf of the controller, that is, by delegation, and is therefore a natural or legal person distinct from the controller. [192]

The criteria of (i) definition of the purposes and means of processing of personal data and (ii) the existence of delegation are also useful in this case to tell the difference between controller and processor. Certainly the concept "decide on treatment" used by literal e) seems to coincide with the ability to define, legally and materially, the purposes and means of processing. Usually, as recognized by several legislations, the controller is the owner of the database; [193] however, in order not to limit the enforceability of the obligations arising out of habeas data, the Chamber notes that the definition in the bill is broad and not restricted to this hypothesis. Thus, the concept of controller can cover both the source [194] and the user [195], in cases where such agents have the opportunity to decide on the purposes of the processing and the means used for it, for example, to put the data into circulation or use it in some way.
On the other hand, the criterion of delegation coincides with the term "on behalf of" used by literal e), which implies a relationship of subordination of the processor to the controller, without this implying an exemption from its responsibility towards the owner of the data.
So, for example, a hospital will be the controller of the information in a patient's medical history that it creates, as will colleges or educational institutions in relation to their students' data, because they determine the purpose (which, by reason of their object, may be stated in a law or follow from the normal course of the activity carried out) for collecting the data and how the data will be processed, stored, circulated, etc.
Now, it is worth noting that the processor cannot be the same as the controller, because there must be two identifiable and independent persons, natural or legal, one of which (the controller) instructs the other (the processor) on the processing of certain data. Accordingly, the processor receives instructions on how the data will be managed. Returning to the example of the medical history, suppose the health institution contracts with a company to process the histories so that, through a special program that the person or company hired may determine, it organizes the information contained therein, following the instructions given by the hospital. In this case, the processor of the data is the legal entity contracted to process the medical histories.
It should also be made clear, as the cited directive indicates, that it is not enough for a law or a contract to state expressly that a particular person or group of persons is the controller, because in each case the context and the actions of those involved in managing the data must be analyzed to establish their true position and, accordingly, their obligations and liability regime. [196] In that vein, it is for the authority responsible for the monitoring, control and security of personal data to examine the position of each agent in the treatment of the data, especially because, as the very definitions of controller and processor indicate, these may consist of a plurality of subjects who may have varying degrees of responsibility [197].
Finally, as exemplified by the Directive referred to (examples that the Chamber considers also apply to our case), the status of controller may arise: (i) when data collection is imposed in fulfillment of a particular function, for example in the case of social security, a situation the directive in question calls explicit legal competence; (ii) where the processing occurs within the party's own field of activity, as in the case of employers with respect to their workers, which is called implicit legal competence; and (iii) when, none of the previous competences existing, there is the capacity of determination, which is called the capacity for de facto influence.
2.5.7.3. Having established the difference between controller and processor, the Chamber notes, first, that the definitions in paragraphs d) and e) represent a legitimate exercise of the statutory legislator's freedom of configuration, justified by the way in which data processing is carried out, and second, that this classification is also useful from a constitutional point of view, that is, to define the regime of responsibilities and obligations of those involved in the treatment of personal data.

In fact, according to the definitions adopted by the bill, controllers have greater commitments and duties towards the holder of the data, as they are called in the first place to guarantee the fundamental right to habeas data, as well as the security conditions to prevent any unlawful processing of data. The status of controller also imposes a bundle of responsibilities, specifically as regards the security and confidentiality of the data subject to treatment.
In judgment C-1011 of 2008 [198], it was noted that in the administration of personal data it is possible to identify several stages, which makes it possible to ascribe differentiated levels of responsibility to the subjects participating in it. For example, on quality of information, the processor will have duties of diligence and care to the extent that, as enshrined in the bill, it is obliged to carry out in a timely manner the updating, correction or deletion of data, as appropriate (literal c) of Article 18).
In that vein, the important thing for a real guarantee of the right to habeas data is to be able to establish clearly the responsibility of each subject or agent in the event that the data holder decides to exercise their rights. When such a determination does not exist or is difficult to reach, the relevant authorities shall assume the joint and several liability of all, an aspect on which the bill is silent and which the Court must state as a way of making effective the protection to which Article 15 of the Charter refers [199].
The above clarifications allow the Chamber to declare the constitutionality of paragraphs d) and e) of Article 3.
2.5.8. Constitutionality of literal f): definition of "owner"
The bill provides that the holder is the natural person whose personal data are processed. According to the Chamber, this definition is consistent with the Charter and does not ignore the jurisprudence of this corporation [200], which indicated that legal persons are also holders of the right to habeas data, since, as explained in consideration 2.5.6.3, the protection afforded to legal entities in this regard arises by virtue of the natural persons that comprise them. Therefore habeas data protection may eventually be extended to legal persons where the rights of the individuals that comprise them are affected.
2.5.9. Constitutionality of literal g): definition of "treatment"
The treatment is defined as any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of data. This term, like the two discussed above, is in use in Europe and is found both in Directive 95/46 of the European Parliament and in the Standards issued at the recent conference that took place in Madrid (Spain), in which treatment was defined as "any operation or set of operations, whether automated or not, that apply to personal data, especially its collection, storage, use, disclosure or deletion" [201].
The term treatment is important for the purposes of analyzing the project because its content and development refer precisely to what is meant by the "treatment of personal data". Accordingly, when the project refers to treatment, it refers to any operation intended to be carried out with personal information, with or without the help of computers, because unlike some legislation [202], the definition analyzed here is not limited to automated procedures. That is why the principles, rights, duties and penalties provided by the rules under review cover, among others, the collection, conservation, use and other forms of data processing with or without the help of computers. Consequently, it is not valid to argue that the personal data protection law covers exclusively data processing that employs new information technologies, leaving out manual databases, which would be illogical, since precisely what this project seeks is that every operation or set of operations with personal data be governed by the provisions of the bill in question, with the exceptions that will be discussed in another section of this decision. In this vein, this definition does not generate any problem of constitutionality and will therefore be declared admissible.
2.6. REVIEW OF ARTICLE 4: PRINCIPLES.
2.6.1. Text of the provision

"Article 4. Principles for the processing of personal data. In the development, interpretation and application of this law, shall apply harmoniously and holistically, the following principles:
a) Principle of legality in the field of data processing: the treatment referred to in this law is a regulated activity that must be subject to the provisions established therein and in the other provisions implementing it.
b) Principle of purpose: treatment should follow a legitimate purpose in accordance with the Constitution and the law, which must be reported to the owner.
c) Principle of freedom: the treatment can only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
d) Principle of accuracy or quality: the information subject to treatment must be truthful, complete, accurate, current, verifiable and understandable. The treatment of partial, incomplete, split or misleading data is prohibited.
e) Principle of transparency: in the treatment, the owner's right must be guaranteed to obtain from the controller or data processor, at any time and without limitation, information about the existence of data concerning him or her.
f) Principle of restricted access and movement: the treatment is subject to limits deriving from the nature of personal data, the provisions of this law and the Constitution. In this sense, the treatment can only be carried out by persons authorized by the owner and/or by the persons provided for in this law.
Personal data, except public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable so as to provide knowledge restricted only to owners or third parties authorized under this law.
g) Safety principle: the information subject to treatment by the data controller or data processor referred to in this law must be handled with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
h) Principle of confidentiality: all persons involved in the processing of personal data that are not of a public nature are obliged to ensure the confidentiality of the information, even after their relationship with any of the tasks comprising the treatment has ended, and may only supply or communicate personal data where this corresponds to the development of activities authorized by this law and under its terms."
2.6.2. Citizen interventions and concept of the Public Ministry
2.6.2.1. The Legal Secretariat of the Presidency of the Republic states that, as a result of the interdependence between the enshrined principles, those of "temporality" and "comprehensive interpretation of constitutional rights" would also be called to form part of the new statutory law. It argues that these two principles must govern not only the treatment of commercial, financial and credit data but also that of personal data that are even more worthy of reservation. Between two statutory laws, the present one and Law 1266 of 2008, a disparity of such importance cannot be generated. Therefore, the Court considers it necessary to perform an integrated interpretation.
2.6.2.2. The Ombudsman states that it has no objections to the definitions of the principles enshrined in this article, considering that in general they are concepts consistent with the rules and criteria that have governed the scope of protection of personal data.
However, it warns that Statutory Law 1266 of 2008 enshrined, in addition to the principles already mentioned, those of temporality of information and comprehensive interpretation of constitutional rights, which, in line with what was stated regarding the paragraph of Article 2 of the project, should be understood as applicable concurrently with the provisions contained in it.

2.6.2.3. ASOBANCARIA states, with respect to subparagraph g) of Article 4 of the bill, that the term "necessary" raises two questions: Who determines whether the measures taken to ensure the protection of the data, in a given event, were those necessary to ensure the safety of the records? And on what criteria can this be determined? The rule does not provide answers to these questions. This ambiguity in the regulation is what makes it possible to warn that an open-ended determination exposes the processor to the criteria of an administrative authority.
2.6.2.4. The Universidad de los Andes requests that the conditional constitutionality of paragraph b) of Article 4 be declared, on the understanding that, in accordance with Article 15 of the Constitution, the principle of purpose should also be observed in the processing, use and circulation of personal data, which implies that no processing of personal data incompatible with the purpose authorized by the owner or the law may be carried out, unless there is the unambiguous consent of the owner.
It also requests that the second paragraph of paragraph f) of Article 4 of the draft be declared enforceable, which states: "Personal data, except public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable so as to provide knowledge restricted only to owners or third parties authorized under this law," on the understanding that public information appearing on the Internet about a person must adhere to the following parameters: (i) possible access to personal data of the owner or third parties that are private, semi-private, confidential or secret and that may be coupled with public data should be avoided, which implies publishing on the Internet only the information that is strictly public; and (ii) any possibility of indiscriminate access to citizens' personal data by typing in an identification number should be eliminated.
2.6.2.5. The citizen Juanita Durán Velez requests that Article 4 be declared unconstitutional for failing to respect the requirements of completeness. Specifically, she states that the project (i) excludes essential normative content of Article 15 of the Constitution, for example the inviolability of correspondence and other forms of private communication, the requirements for intercepting or searching private communications, and especially the right to privacy, considering that it is a statute that includes rules on personal or intimate data. She adds that it (ii) omits the regulation of additive habeas data, (iii) lacks a typology of data that would enable an adequate and protective treatment for each type, (iv) excludes principles that are part of the structural component of the right to habeas data, (v) declines to set directly the rules on personal data in various aspects and delegates them to the National Government, and (vi) contains no regulation on the expiry of negative data and data retention in general.
2.6.2.6. The citizens Santiago Diazgranados Mesa, Alejandro Pretelt Salas and Rolfe Hernando González Sosa request the conditional constitutionality of subparagraph c) of Article 4, specifically of the term "express", based on the same considerations set out to attack the constitutionality of Article 3 of this draft law.
2.6.3. General considerations on Article 4
Technological development has reshaped the relationship between man and his environment. Now "the collection and storage of what previously could only form part of the inner life of each human being or, at least, was known to a sector, has been gradually changing its environment and structure. That is, the control and storage of every person's personal data have become standard practice for both the public and private sectors" [203]. This has involved the recognition of new rights with their own particularities that "try to respond to new historical needs, while in other cases it means redefining old rights" [204].

As explained above, the right to habeas data was in principle regarded as a manifestation of the right to privacy. However, this guarantee was marked by an individualistic nuance, protecting a private space with no possibility of interference by others or the state, and therefore the limits of the right to privacy are not sufficient to meet the needs of the modern flow of information. On the contrary, we are witnessing the birth of a new right, habeas data, in which privacy "does not simply mean the lack of information about us on the part of others, but rather the control we have over the information that concerns us" [205].
This recent reinterpretation of the guarantee then requires legal protection instruments and certain principles that meet the needs of monitoring data management. Indeed, two interests are at stake: on the one hand, the special need for availability of information through the creation of personal databases; on the other, the requirement to protect fundamental rights from the potential risks of the data management process. Consequently, it becomes indispensable to subject this process to certain legal principles, in order to ensure harmony between legal relations.
For the Court, data processing, although it is essential for the normal development of many areas of social life, can injure fundamental rights. Consequently, both in case law and in the international arena, a set of principles for managing personal data has been established which, as optimization mandates, tend to facilitate the task of balancing the constitutional prerogatives in tension.
On the nature of principles, judgment C-228 of 2011 [206] stated that a principle "in the terminology of Robert Alexy is an optimization mandate ordering that something be done to the fullest extent possible according to the legal and factual possibilities, but when it collides with other principles such as safeguarding social protection systems or financial sustainability, such conflict must be weighed in the specific case to determine whether or not a reasonable limitation is justified."
These principles seek to prevent abusive and arbitrary use of computing power. They must also be interpreted in accordance with the second paragraph of Article 15 of the Charter, which states that "(i)n the collection, processing and circulation of information, freedom and other guarantees enshrined in the Constitution will be respected".
That is, Article 4 of the Statutory Law defines the axiological context within which the computer process must move. Under this general framework, there are some general parameters that must be respected in order to affirm that the process of collection, use and dissemination of personal data is constitutionally legitimate.
Since 1994, the Constitutional Court has developed a number of principles that should inform the management process, among which are the principles of freedom, necessity, truthfulness, integrity, inclusion, purpose, usefulness, restricted circulation, expiry and individuality, which were systematized in Judgment T-729 of 2002. [207]
In Case T-022 of 1993, the principle of freedom was first established. On that occasion, the Court decided a case concerning the circulation of personal credit data without the express consent of the data owner. Thus the Court, in view of the need to "encourage full self-determination of the person" and of the "failure to obtain the express written authorization of the holder for the circulation of their personal financial information", decided to grant the protection of the rights to privacy and due process and ordered the financial information center to block the actor's personal data.

From there, it was then said that personal data can only be recorded and disclosed with the free, prior and express consent of the owner [208]. The Corporation has linked to the principle of freedom the prohibition on managing information acquired illegally, so that its collection and dissemination without the prior authorization of the owner, or in the absence of a legal or judicial mandate, is prohibited. Thus, in judgment SU-082 of 1995, it said: "data obtained, for example, by unlawful means cannot be part of databanks, nor can they circulate." Similarly, in Judgment T-176 of 1995, the collection of information "illegally, without the consent of the data owner" was considered one of the hypotheses of infringement of the right to habeas data.
In relation to the principle of necessity, the personal data must be strictly necessary to fulfill the objectives pursued with the database in question, so that the registration and disclosure of data that are not closely related to the objective of the database is prohibited. In this regard, Judgment T-307 of 1999 said: "the information requested by the database must be strictly necessary and useful to achieve the constitutional objective pursued. Therefore, the data can only remain entered in the file while the objectives are being achieved. Once this happens, they should disappear."
Under this principle, the Court in ruling SU-082 of 1995 considered prohibited the inclusion of information that violates the owner's right to privacy. In the same terms, in Case T-176 of 1995 the Court identified as a case of violation of the right to habeas data that the information falls "on intimate aspects of the life of its owner not likely to be known publicly."
To structure the principle of purpose, the Court has outlined the so-called theory of the areas, according to which it is recognized that the supply of personal data is carried out in a more or less defined context. Consequently, "the said information shall be used exclusively for the purposes for which it was delivered by the holder, in relation to the purpose of the database and the context in which the data are supplied." [209] Thus, in Case T-552 of 1997, the Court considered as a derivation of the right to informational self-determination the power to demand "the proper handling of the information that the individual chooses to show to another". Therefore, according to this principle "both the collection, processing and dissemination of personal data should follow a constitutionally legitimate purpose [210], defined in a clear, sufficient and prior manner; so that data collection without clear specification of its purpose, and the use or disclosure of data for a purpose different from that originally planned, is prohibited." [211]
A consequence of the latter guideline is the principle of utility. Under this principle, the absence of utility results in an abuse of rights. In this regard, in Case T-119 of 1995, the Court found that the mere operating license of data-managing entities did not constitute a guarantee of the legitimacy of their conduct. Consequently, both the collection, processing and dissemination of personal data "must fulfill a specific function, as an expression of the legitimate exercise of the right to administer them; therefore the disclosure of data which, lacking a function, does not serve a clear or determinable utility is prohibited."
According to the principle of truth [212], personal data must correspond to real situations and must be true, so that giving false or misleading data is prohibited.

In ruling SU-082 of 1995, the Corporation established the principle of integrity in handling data. Under it, the handling of incomplete data is prohibited, because this can distort the accuracy of the information. On that occasion, the Court decided to protect the rights of a user of the financial system who had been affected by incomplete information. Therefore, it ordered the data-managing entity to complete the information on the commercial behavior of the actor. Consequently, under that principle "the information recorded or disclosed from the supply of personal data must be complete, so that the registration and disclosure of partial, incomplete or fractional data is prohibited. However, except in exceptional cases, integrity does not mean that a single database may compile data that, without recourse to other databases, allow a complete profile of persons to be drawn." [213]
Under the principle of restricted circulation, it is required that "disclosure and circulation of information is subject to specific limits determined by the purpose of the database, the authorization of the owner and the principle of purpose, so that indiscriminate disclosure of personal data is prohibited."
In Case T-307 of 1999 the Court determined the scope of the principle of incorporation. There it studied the case of a plaintiff who, after trying unsuccessfully for several years to be included in the subsidized health regime through the SISBEN system, was never able to enjoy the benefits due to the mishandling of information. Accordingly, based on the existence of the so-called additive habeas data, it was said that when the inclusion of personal data in certain databases gives rise to advantageous situations for the owner, the data-managing entity is obliged to incorporate them, if the owner meets the requirements that the legal order demands for this purpose, so that unjustifiably denying inclusion in the database is prohibited.
According to the principle of expiration, information unfavorable to the holder "should be withdrawn [214] from the databases according to criteria of reasonableness and opportunity, so that the indefinite retention of data is prohibited after the causes that justified their collection and administration have disappeared."
Finally, the Court has developed the principle of individuality, according to which conduct aimed at facilitating the cross-referencing of data through the accumulation of information from different databases is prohibited [215].
2.6.4. International standards on principles governing the right to informational self-determination
The European protection system was the first, in 1981, to urge members of the Community to adopt minimum principles of protection in their domestic laws, in view of the emergence of large databases that could put citizens' rights at risk. Article 5 of Convention No. 108 of August 28 states that data should be governed by the following guidelines:
a) "be legally obtained and treated in the same way,
b) be registered for specific and lawful purposes, so they cannot be used for different purposes,
c) adequate, relevant and consistent with the purposes for which they were intended,
d) be accurate and updated,
e) be kept in a way that allows the identification of the persons concerned for a period of time not exceeding that necessary for the purposes for which they were registered."
This last literal relates to what might be called the principle of temporality, understood as the one that orders that data cannot be used beyond the time for which they were foreseen, and therefore the natural consequence is their exclusion from the database in which they were registered, in order to prevent the information contained there from being used for other purposes, such as fraudulent, illegal or commercial ones.
In the nineties, two international instruments related to data management were adopted: the first, Resolution 45/95 of 14 December 1990 of the United Nations Organization, and the second, Directive 95/46/EC of the European Parliament and the Council of the Union.
The UN Resolution 45/95, "guiding principles for the regulation of computerized personal data files" develops the following:

1. Principle of lawfulness and fairness. It is specifically aimed at ensuring that information about people is not collected or used illegally for purposes contrary to the purposes and principles of the United Nations Charter.
2. Principle of accuracy. It provides that persons responsible for treatment must verify the accuracy and completeness of the data, ensuring that they are regularly updated.
3. Principle of purpose: The purpose for which the information contained in files is used should be specific and clear. Its use must also be communicated to the holder of the information, so that it can be ensured that:
a) "All personal data collected and recorded remain relevant to the aim pursued.
b) None of these personal data is used or disclosed without the consent of the person concerned, for purposes incompatible with those specified.
c) The period of retention of personal data does not exceed that necessary to fulfill the need for which they were registered."
4. Principle of access to the person concerned. It allows the user, once identified, to know whether information relating to them is being used, to obtain the necessary corrections when the information is inaccurate, and to be informed whether the data have been transferred to third parties. In this sense, the principle itself indicates that each legal order may create a legal tool allowing the user to exercise a remedy. The Resolution expressly states:
"A remedy should be provided, where appropriate, with the authority of control in accordance with principle 8 below. In the event of rectification, the cost should be borne by the data controller [who treats information]. It is desirable that the provisions of this principle should apply to all people, whatever their nationality or residence."
5. Principle of non-discrimination. It prohibits the registration of data that can give rise to some kind of discrimination against the person, especially data on racial or ethnic origin, color, sex life, political opinions, religious, philosophical or other convictions, or participation in an association or union membership.
6. Power to make exceptions: It sets exceptions to principles 1 to 4 in order to protect: i) national security, ii) public order, iii) public health or morality and iv) "in particular, rights and freedoms of others, especially persecuted (humanitarian clause), provided that such departures are expressly provided by law or equivalent regulation adopted in accordance with the national legal system, which expressly define the limits and appropriate safeguards are in place."
7. Security principle: The necessary measures must be adopted to protect files against natural hazards, such as accidental loss or destruction, and against human dangers, such as unauthorized access, fraudulent misuse of data or contamination by computer viruses.
8. Principle on checks and sanctions: "Every law should designate the authority which, in accordance with the domestic legal system, is responsible for monitoring compliance with the above principles." According to this postulate, the authority must offer guarantees of impartiality and of independence from the organizations or persons responsible for data processing and application. It also points out that there should be criminal or other sanctions where the provisions of each law are violated.
9. Principle on the flow of data across borders. Information can flow between two or more countries provided that their laws offer comparable guarantees for the protection of privacy, so that information can flow as freely as in the country of origin. Finally, it states that "when there are no comparable guarantees, unjustified limitations on such circulation may not be imposed, and only insofar as required to protect privacy."
For its part, Directive 95/46/EC systematizes the guidelines on data management and recognizes that such provisions are aimed at "the protection of the fundamental rights and freedoms of individuals and, in particular, their right to privacy with regard to the processing of personal data" (Article 1). The instrument divides the principles into two categories: (i) those relating to the quality of data and (ii) those concerning the legitimacy of the management of information.

In relation to the first, it provides (Article 6) that personal data must be: "(i) processed fairly and lawfully, (ii) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with such purposes; further processing of data for historical, statistical or scientific purposes shall not be deemed incompatible, provided that Member States provide appropriate safeguards, (iii) adequate, relevant and not excessive in relation to the purposes for which they are collected and for which they are further processed, (iv) accurate and, when necessary, updated; reasonable steps must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they were further processed, are erased or rectified, (v) kept in a form which permits identification of data subjects for a period no longer than necessary for the purposes for which they were collected or for which they are further processed. Member States shall provide the appropriate safeguards for personal data stored for longer than the aforementioned period for historical, statistical or scientific purposes."
As for the latter, the Directive provides that the management of data can only be done with the unequivocal consent of the owner and when necessary: (i) "for the execution of a contract to which the data subject is party or for the implementation of precontractual measures", (ii) "for compliance with a legal obligation to which the controller is subject", (iii) "to protect the vital interests of the individual", (iv) "to fulfill a mission of public interest or in the exercise of official authority vested in the controller or a third party to whom the data" and (v) "for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed provided they are overridden by the interests or fundamental rights and freedoms of the person concerned to communicate requiring protection under paragraph 1 of this directive."
Literals b) to f) present a series of cases in which personal data may be processed without the holder's authorization. However, this freedom to use data will always have a limiting component, namely "the vital interest of". That vital interest may be associated with non-interference in the person's sphere of privacy or with information whose processing would jeopardize their physical or mental integrity. In any case, the protection of the individual prevails over any other right generated by data processing; that is, one might say that the measures taken by Directive 95 of the European Union respond to a guarantee-oriented (garantista) philosophy of the individual rights of its citizens.
Finally, the Convention prohibits creating a profile based on the crossing of data. This translates into a prohibition on subjecting people to adverse legal effects through an assessment of their personality by automated data processing intended to evaluate certain aspects of that personality, which is what is usually called an "individual profile", based on the crossing of data stored in databases. Article 15 of the Directive provides for this situation as follows:
"Article 15
1. Member States shall grant people the right not to be subject to a decision that has legal effects on them or affects them significantly and which is based solely on automated processing of data intended to evaluate certain aspects of their personality, such as work performance, creditworthiness, reliability, conduct, etc."

Finally, at the inter-American level, the Organization of American States, OAS, instructed the CJI to prepare several reports on access to and protection of information and personal data. In November 2010, it issued the "Draft principles and preliminary recommendations on data protection." The work done by the Inter-American Juridical Committee noted that there are two systems of protection of databases: "Europe is today the most strict system of state regulations with legislation governing the collection of personal data by government and private entities. The US system follows a bifurcated approach, which allows economic sectors to regulate personal data collected by the state. Finally, several countries in Latin America have developed protection mechanisms based on the concept of habeas data, which allows people to access their own personal data and provides the right "data.
Now, taking as reference both the documents issued at the level of the European Union and those generated in the regional environment by some countries in the Americas, the OAS designed a catalog of 15 guidelines, which it defined as "the basis of data protection legislation worldwide and that could be the basis for an international instrument or model legislation on data protection."
The principles are: the principle of legitimacy and justice, where legitimacy is related to the legality of data processing and justice, based on the Madrid Resolution [216], refers to the fact that unfair processing of personal data leads to discrimination against the person; the principle of specific purpose limitation and need [217]; transparency [218]; accountability [219]; and the principle of conditions for data processing, which in turn contains the rules for data processing to be considered valid, that is, that there be "a) consent, b) legitimate interest of the controller, c) contractual obligations, d) a legal authority, e) exceptional circumstances, such as when the information is necessary to mitigate or prevent irreparable injury."
The project also designates as principles the disclosure of information to data processors, whereby the controller can use such systems if: a) the level of protection is ensured and b) the level of protection is established by a contractual right of the individual to correct and delete their personal data [222] the principle relationship; the principle on international data transfers [220]; the principle concerning the right of the person to access information [221]; the guarantee to object to the processing of personal data [223]; the right to correction and deletion of personal data [224]; the principle on security measures to protect personal data [225]; confidentiality [226]; and the principle of control, compliance and accountability in the management of data by the operator, or principle of an independent authority to ensure the implementation of the regulations [227].
It is thus observed that the different systems of protection of rights, both universal and regional, urge States to establish within their jurisdictions minimum principles that should govern the management of data, and that the interpretation of the guidelines should be in accordance with the standards of protection.
2.6.5. The principles set out in the project under review and the analysis of their constitutionality
2.6.5.1. Extent
Article 4 of the draft states the principles of legality in the processing of data, of purpose, of freedom, of accuracy or quality, of transparency, of access and restricted circulation, of security and of confidentiality.

First, it should be noted that the project adopts a particular classification of principles that does not include all the principles applicable to data management that have been developed both by the jurisprudence of this Court and by international standards on the subject. However, as considered in Judgment C-1011 of 2008, when studying the constitutionality of the principles applicable to data management in the financial and credit system, the provisions that make up Article 4 should be interpreted in a way that makes them compatible with the Constitution. Consequently, if the Court, as authorized interpreter of the Constitution, has defined through the principles of personal data management the content and scope of the fundamental right to habeas data, the statutory rules should be interpreted in harmony with the plexus of guarantees and prerogatives that make up that right. In addition, they will also be analyzed in the light of international standards on the subject.
Moreover, the enunciation of these principles cannot be understood as negating others that integrate, or come to integrate, the content of the fundamental right to habeas data.
2.6.5.2. Analysis of the constitutionality of the provisions
2.6.5.2.1. Principle of legality in the field of data processing: The Constitutional Law states that the treatment is a regulated activity which must be subject to the provisions therein and to the other provisions implementing it.
The principle embodies the main purpose of statutory regulation: to subject data processing to the provisions of the rules, to set limits on controllers and processors, and to ensure the rights of the data holders. In these terms, as explained above, starting from the principle of freedom, constitutional jurisprudence noted that data should be acquired, processed and handled lawfully. It corresponds to the so-called principle of lawfulness and fairness referred to in international standards on the subject.
2.6.5.2.2. Principle of purpose: Under this principle, treatment should obey a legitimate purpose in accordance with the Constitution and the law, which must be reported to the owner.
The statutory definition established by the legislator meets one of the criteria established by the Corporation for managing databases. However, some clarifications should be made.
On the one hand, personal data should be processed for a specific and explicit purpose. In that sense, the aim should not only be legitimate: the information must be used solely for the purpose for which it was delivered by the owner. Therefore, the Holder of the data must be informed in a clear, adequate and prior manner about the purpose of the information provided, and data therefore cannot be collected without a clear specification of its purpose. Any different use must be expressly authorized by the Holder.
This precision is relevant to the extent that it allows control by the owner of the data, since it makes it possible to verify whether the data is being used for the purpose authorized by him. It is a useful tool to avoid arbitrariness in the management of information by whoever holds the data.
Likewise, personal data should be processed only in the way that the affected person may reasonably expect. If, eventually, the use of personal data changes to forms that the person would not reasonably expect, the prior consent of the owner must be obtained.
On the other hand, according to the constitutional jurisprudence and international standards described previously, the principle of purpose also implies: (i) a temporal dimension, i.e. that the period of retention of personal data does not exceed that necessary to fulfill the need for which they were registered, and (ii) a material dimension, which requires that the collected data be strictly necessary for the objectives pursued.
In view of the above, the literal b) should be understood in two ways.
First, under the principle of necessity it is understood that the data must be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which they were collected. That is, the period of retention of personal data should not exceed that necessary to fulfill the need for which they were recorded.

In Ruling C-1011 of 2008 [228], the Corporation reiterated the importance of the existence of reasonable criteria for retention of personal data in information sources. It further argued that this period is closely related to the purpose the data is meant to serve. Thus, from the study of the jurisprudence, it built a comprehensive constitutional doctrine on the expiry of negative financial data and concluded that this guarantee is among the prerogatives of the right to habeas data, as a consequence of the right to be forgotten. On this point the ruling observed:
"According to what is stated in Article 15 Superior, the Court identifies as powers that make up the content of the right to habeas data those of (i) knowing the personal information contained in databases, (ii) requesting the update of such information through the inclusion of new data and (iii) requiring the rectification of information that is not adjusted to reality. Along with the prerogatives stated above, the Court, given the previous precedents that indicated the need to set a limit to the negative financial report, established a new component of the right to habeas data, the expiration of negative data."
(...)
"The Court reiterates that the processes for managing personal data of credit content fulfill a specific purpose: to provide entities engaged in financial intermediation activities and, in general, the subjects participating in the market with information on the degree of compliance with the obligations entered into by the subject concerned, as an important tool for decisions on the signing of commercial and credit contracts. This activity, in line with the assumptions above, meets legitimate purposes from a constitutional perspective, such as financial stability, confidence in the credit system and protection of public savings administered by banking and credit establishments.
It is precisely the verification of the specific purpose pursued by operators of financial and credit information that, in turn, determines the limits on the exercise of the activities of collection, processing and dissemination of data." (Emphasis added)
Second, the personal data must be strictly necessary to fulfill the objectives pursued with the database in question, so that the registration and disclosure of data not closely related to the objective of the database is prohibited. Consequently, reasonable efforts should be made to limit the processing of personal data to the minimum necessary. That is, the data must be: (i) adequate, (ii) relevant and (iii) consistent with the purposes for which they were intended.
2.6.5.2.3. Principle of freedom: Treatment may only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that dispenses with consent.
This principle, a fundamental pillar of data management, allows citizens to choose voluntarily whether or not their personal information may be used in databases. It also prevents information already registered about a user, obtained with their consent, from passing to another body that uses it for purposes other than those initially authorized.
Literal c) of the Draft Statutory Law not only develops the fundamental purpose of habeas data protection, but is closely related to other fundamental rights such as privacy and the free development of personality. Indeed, the human being enjoys the guarantee of determining what data they wish to be known and has the right to determine what might be called their "computer image".
For its part, the United Nations General Assembly, in resolution 45/95 of 14 December 1990, considered consent as the essential element in data management. Meanwhile, Directive 95/46/EC [229] of the European Parliament and the European Council refers specifically to consent and defines it as "any freely given, specific and informed manifestation of will by which the person concerned consents to the processing of personal data relating to him." Accordingly, this instrument states that Member States shall provide that the processing of personal data can only be made if the person concerned has given his consent unambiguously.

It was under the principle of freedom that the Constitutional Court began developing the minimum content of the fundamental right of habeas data. Thus, in Case T-414 of 1992 [230] it established that, in the Constitutional State, processes for managing personal data were legitimate only on the basis of the exercise of the individual's freedom, which necessarily involved the power to permit and control access to their personal information. The ruling said:
"The possibility of accumulating information in unlimited quantities, of comparing it and adding it together, of following it up in an unfailing memory, of objectifying it and transmitting it as a commodity in the form of tapes, rolls or magnetic disks, for example, allows a new power of social control over the individual, the so-called computer power. || As a necessary counterbalance, this new power has engendered computer freedom. It is the right to provide information, to preserve the computer identity, that is, to permit, control or rectify the data concerning the personality of the owner thereof and which, as such, identify and individualize him before the rest. It is, as seen, a new social dimension of individual freedom, different, because of the circumstances that explain its appearance, from other classic manifestations of freedom."
Similarly, in Judgment T-176 of 1995 [231] the Corporation said that lack of consent results in a violation of the right to habeas data: "for there to be a violation of the right to habeas data, one of the three aspects stated must have been disregarded. That is, the information contained in the file must have been collected illegally, without the consent of the data holder (i), be wrong (ii) or concern intimate aspects of the life of its owner not suitable for being publicly known (iii). By contrast, the provision of accurate data, whose circulation has been previously authorized by the owner, does not in principle adversely affect a fundamental right."
Likewise, in Judgment SU-082 of 1995 [232] the Court based the entire ratio decidendi on the concept of computer self-determination, whose essential element rested on consent. On this point the Court asked: "What is the essential core of habeas data? According to the Court, it is composed of the right to information self-determination and freedom in general, and especially economic freedom. Computer self-determination is the right of the person to whom the data relates to authorize its conservation, use and circulation, in accordance with legal regulations." This position has been reiterated, among many others, in Judgments T-580 of 1995, T-448 of 2004, T-526 of 2004, T-657 of 2005, T-684 of 2006, C-1011 of 2008 and T-017 of 2011.
Regarding the handling of personal information, the required consent is also qualified, because it must be prior, express and informed. On this, in Judgment C-1011 of 2008 it was held that such characteristics materialize the freedom of the individual against computing power:

Freedom in the management of personal data means that the subject concerned maintains, at all times, the powers of knowledge, update and correction of the personal information contained in databases. If this is so, it is clear that the freedom of the individual against computing power takes concrete form, among other things, in the ability to control the personal information about himself that rests in databases, a power that is subject to express consent for incorporating the information into the relevant database or file. This exercise of freedom in computer processes, in the opinion of the Court, is embodied in the requirement of prior, express and sufficient authorization by the owner of the information, a requirement applicable to acts of administration of personal data of commercial and credit content. The elimination of the consent of the holder additionally generates a distortion of the financial, commercial and credit data, which violates the fundamental right to habeas data, since it unjustifiably restricts the self-determination of the subject with respect to his personal information. For the Constitution, the freedom of the subject concerned means that the management of personal data cannot take place behind his back, but should be a transparent process in which, at all times and in all places, he can know where his personal information is, for what purposes it has been collected and what mechanisms are at his disposal for updating and rectifying it. The elimination of prior, express and sufficient authorization for the incorporation of data in files and banks managed by operators allows, ultimately, the carrying out of hidden acts of collection, processing and dissemination of information, operations wholly incompatible with the rights and guarantees of habeas data. (Emphasis added)
In relation to its prior character, authorization must be provided at a stage before the incorporation of the data. For example, in Judgment T-022 of 1993 [233], it was said that the veracity of the data does not imply that the controller does not have the duty to obtain prior authorization. Likewise, Judgment T-592 of 2003 [234] said that the right to habeas data is affected when managers collect and disseminate information on payment habits without the consent of its owner. The Court stated that the consent of the owner of the information to the registration of their economic data "in computer processes, coupled with the need for them to have real opportunities to exercise their powers of correction and update during the various stages of that process, are essential to safeguard their right to information self-determination."
Regarding its express character, authorization must be unambiguous, which is why, contrary to what is claimed by some participants, the existence of tacit consent cannot be accepted within the Colombian legal system. This is so for several reasons:
First, constitutional jurisprudence has demanded such a condition and has said that consent must be explicit and concrete with respect to the specific purpose of the database.
In these terms, in Judgment T-580 of 1995 [235], which examined the sending of information to the Banking Association of Colombia without prior express authorization, protection was granted on the ground that this compromised the right "to computer self-determination or habeas data, since there is no prior express authorization of the owner of the data to make it public." In the same vein, in consolidated judgment SU-089 of 1995 the Corporation granted protection, among other reasons, because no express authorization had been requested to report the data. On this point Judgment T-580 of 1995 said: "The express consent of the owner is an essential requirement for legitimately passing credit information to a database. There is no provision requiring financial institutions to transfer commercial or credit references to private information centers, apart from the express prior authorization of the owner of the data." Likewise, in Judgment T-657 of 2005 [236], in which the negative report made by a real estate company was analyzed, it was reiterated that disclosure of the data should be "the result of an explicit and specific authorization from the owner."

Likewise, in Case T-729 of 2002 [237], this Court granted tutela protection, finding that the defendant entity had not adjusted its actions to the principle of freedom and had published the plaintiff's data in its Internet database without his consent. On that occasion the defendant was ordered to cease the conduct that violated the law, "so that henceforth it refrain from publishing, with the possibility of indiscriminate access and without prior consent, personal information."
Judgment T-592 of 2003 [238] should be highlighted, in which it was stated that express consent also entails the prohibition of open and non-specific authorizations. In this regard, the Corporation considered that although authorization to report credit information had been granted, the authorizations were "open and ancillary to credit operations", so they did not indicate actual consent of the contracting parties "as they were not accompanied by timely information on their use, on the scope of the report or its contents, nor on the name and location of the party in charge of managing the information."
Second, from a harmonious interpretation of all the articles it follows that the statutory legislator's clear intention was that consent always be express. Thus, Article 3 already says that it must be "prior, express and informed." This is repeated in Article 4. Subsequently, Article 8 ordinal b) guarantees the holder the right to request proof of authorization, and notes that this can only be considered waived in the cases enshrined in Article 10. Article 9 orders that the authorization be "obtained by any means that may be subject to further consultation".
On the other hand, Article 10 lists exhaustively the cases where no authorization is required and makes no reference to the existence of tacit consent, which would require express statutory authorization.
Regarding its informed character, the owner must not only accept the treatment of the data but must also be fully aware of the effects of the authorization. In this sense, in Judgment T-592 of 2003 [239], the Court noted that the authorization must be qualified and should contain an explanation of its effects. Moreover, notwithstanding this authorization, the Controller and the Data Processor must act in good faith. On this point it said:
"Therefore, even if the user of financial services provides, as ordinarily happens, that third parties be informed about their financial condition and payment habits, the recipient of the authorization has the duty to inform them how, to whom, from when and for how long the authorization will be used, because a generic acquiescence does not subsume the total content of computer self-determination, provided under the Constitution so that associates have respected their power to intervene actively and without restrictions during the various stages of the computer process.
Consequently, the creditor abuses the prior authorization, impelled by him and likewise granted by the debtor, when, on that basis, he discloses specific data without properly apprising the holder and believes that for that purpose he has the unlimited acquiescence of the person affected, because the assumption of good faith requires the parties to temper contractual imbalances in all stages of the negotiations, under the terms of Article 95 of the Constitution."
From the foregoing, it can be deduced that: (i) personal data can only be recorded and reported with the free, prior, express and informed consent of the owner; that is, tacit consent of the data owner is not allowed, and consent can only be dispensed with by express legal mandate or by order of a judicial authority; (ii) the consent given by the person must be defined as a specific and informed indication, freely issued, of their agreement to the processing of their personal data; therefore, the Holder's silence can never be inferred to be authorization of the use of the information; and (iii) the principle of freedom involves not only consent prior to the collection of data, but also includes the possibility of withdrawing consent and of limiting the period of its validity.
2.6.5.2.4. Principle of accuracy or quality: The information subject to treatment must be truthful, complete, accurate, current, verifiable and understandable. The treatment of partial, incomplete, split or misleading data is prohibited.

The law includes two of the principles developed by case law: (i) the principle of veracity and (ii) the principle of data integrity. According to the first, personal data must correspond to real, current and verifiable situations. Under the second, the handling of incomplete and misleading data is prohibited.
2.6.5.2.5. Principle of transparency: Literal e) establishes that, in the treatment, the holder must be guaranteed the right to obtain from the controller or data processor, at any time and without limitation, information about the existence of data concerning them.
There is no constitutional objection to this principle; rather, it establishes the right of the holder to access, at any time, the information about them that rests in a database. However, it must be stated that the information provided to the Holder of the data must be qualified, and therefore, when processing personal data, the controller or processor should provide at least the following information to the person concerned: (i) information on the identity of the data controller, (ii) the purpose of processing the personal data, (iii) to whom the data may be disclosed, (iv) how the affected person may exercise any rights granted by data protection legislation, and (v) any other information necessary for fair processing of the data.
On the other hand, it should be understood that the Holder of the data has not only a right to access their information; this guarantee also implies that, when the inclusion of personal data in certain databases results in advantageous situations for the owner, the entity managing the data will be obliged to incorporate them, if the holder meets the requirements that the legal order establishes for this purpose, so that unjustified refusal of inclusion in the database is prohibited.
2.6.5.2.6. Principle of access and restricted circulation: Under this guideline, the treatment is subject to limits deriving from the nature of personal data, the provisions of this law and the Constitution. In this sense, it can only be carried out by persons authorized by the holder and/or by the persons provided for in this law. In addition, it prohibits personal data, except public information, from being available on the Internet, unless a technical control is offered to ensure restricted knowledge.
With regard to the first paragraph, the following points should be made. As explained above, this Enacting Law, in establishing the minimum conditions for the handling of information, does not exhaust the regulation on habeas data, and therefore the treatment is also subject to the regulations that are subsequently issued.
As to the second paragraph, the norm should be understood as also prohibiting all conduct aimed at crossing data between different databases, except when there is an express legal authorization, i.e., what the Court has called the principle of data individuality. As a result of the above, it is prohibited to cause adverse legal effects for Holders based solely on information contained in a database.
Moreover, and in relation to the second paragraph, one of the interveners asked the Corporation to declare its constitutionality under the following conditions: (i) private, semi-private, confidential or secret data should be prevented from appearing along with public data, and therefore the former cannot be published online unless all the technical requirements are offered, and (ii) any possibility of indiscriminate access to the personal data of citizens by typing the identification number should be eliminated.
The Chamber considers that such conditions are not necessary, because the standard itself eliminates these possibilities. Indeed, it (i) prohibits non-public information from being published on the Internet and (ii) allows it to be published only if all guarantees are offered. From the above it follows that a system that allows access by simply typing the card is not a system that meets the requirements of the second paragraph of paragraph f) of Article 4.
However, it must be reiterated that the management of non-public information must be subject to all security measures necessary to ensure that unauthorized parties cannot access it. Otherwise, both the controller and the processor will be responsible for damages caused to the Holder.

Moreover, it should be noted that even in the case of public information, its dissemination and circulation are subject to specific limits determined by the object and purpose of the database.
2.6.5.2.7. Security principle: Under this principle, the information subject to treatment by the person responsible must be managed with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, or unauthorized or fraudulent consultation, use or access.
From this principle derives the responsibility that lies with the data administrator. Strengthening the principle of accountability has been one of the current concerns of the international community, due to the "data deluge" effect [240], through which the mass of existing personal data, processed and further transferred, continues to increase every day. Technological advances have produced a growth of information systems, which are no longer just simple databases; there are new phenomena like social networking, commerce through the network and the provision of services, among many others. This also increases the risks of data leakage, which makes necessary the adoption of effective measures for their conservation. On the other hand, the misuse of information can have serious negative effects, not only in economic terms but also in personal areas and on a person's good name.
In these terms, the controller or processor should take measures consistent with the corresponding information system. For example, in social networks, a concern has begun to arise about establishing improved protective measures, because of the handling of classified data. In 2009, the Working Group on Data Protection of the European Union noted that social networking services, or "SRS", must protect the user's profile information by setting "default parameters that are respectful of privacy and free, to limit access to selected contacts." [214]
There is thus a duty on both controllers and processors to establish security controls, according to the type of database in question, that ensure the protection standards enshrined in this Enacting Law.
2.6.5.2.8. Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to ensure the confidentiality of the information, even after the end of their relationship with any of the tasks comprising the treatment, and can only deliver or communicate personal data where this corresponds to the development of activities authorized by this law and under its terms.
This standard raises no objection; on the contrary, it seeks to have data operators continue keeping certain data secret, even when the relationship with the source of the information has ended.
2.6.6. Other principles understood to be included in the project
2.6.6.1. Principles derived directly from the Constitution
In addition to the obligations under the guiding principles for the management of personal databases, there are others that have their direct origin in constitutional norms, namely: (i) the prohibition of discrimination based on the information collected in databases, (ii) the principle of comprehensive interpretation of constitutional rights and (iii) the obligation to compensate the damage caused by possible failures in the process of data management.
Thus, under the pro homine principle proper to the interpretation of the rules of the Constitution, the administration of personal data must, in any case, be subordinated to the effectiveness of the fundamental rights of the individual. Likewise, the principles must be understood in a harmonious, coordinated and systematic manner, always respecting the basic content of the fundamental right to habeas data.
2.6.6.2. Principles derived from the thematic core of the draft statute

Moreover, the Board notes that there are principles that, despite not being listed in Article 4, are understood to be incorporated by virtue of a systematic reading of the Draft Statutory Law: (i) principle of proportionality in the establishment of exceptions: the law establishes matters that are excepted, but not excluded, from the general system of data management, as explained in the analysis of the scope of the standard. However, such special treatment must be justified in terms of proportionality and meet international standards of protection; (ii) the principle of independent authority: the adoption of a regulation is only effective if it is ensured that within the state structure there is a body responsible for ensuring compliance with the principles developed above. This authority must ensure impartiality and independence; and (iii) principle of requiring equivalent standards of protection for the international transfer of data: as is clear from Article 26 of the Draft Constitutional Law, there is a ban on international transfer to any type of countries that do not provide adequate levels of data protection.
2.7. REVIEW OF ARTICLE 5: SENSITIVE DATA DEFINITION.
2.7.1. Text of the provision
"Article 5°. Sensitive data. For the purposes of this Act, sensitive data are understood to be those affecting the privacy of the Contractor or whose misuse can lead to their discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social organizations, human rights or promote interests of any political party or to guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life and biometric data."
2.7.2. Citizen interventions and concept of the Public Ministry
2.7.2.1. Computec SA - Datacrédito says it is concerned that the project allows the treatment of all types of personal data, including sensitive data, a scope that poses serious risks for citizens. This is because, in this way, any company could be set up to trade in the profiles of people, without any control authority supervising its constitution and purpose, exposing the owners of the data to unclear management and security of the same.
It adds that although Act 1266 of 2008 was initially designed to regulate data from the financial or credit activities of citizens, it also established a sufficient framework from which suitable security measures can be structured for the collection and management of data that are part of the commercial activities (Call Centers, Contact Centers and BPO & O) that have become the main justification for promoting this new law.
2.7.2.2. The Public Prosecutor has not ruled on this issue.
2.7.3. Constitutionality of the definition of sensitive data
In accordance with Article 5, sensitive data for the purposes of the project are those "(...) that affect the privacy of the Holder and whose misuse can lead to their discrimination, such as those revealing racial or ethnic origin, political, religious or philosophical beliefs, trade unions, social organizations, human rights or promote interests of any political party or to guarantee the rights and guarantees of opposition political parties and data concerning health, sex life and biometric data."
The Chamber finds that this definition is consistent with constitutional jurisprudence and that its delimitation, besides protecting habeas data, is a guarantee of the right to privacy, which is why the Board finds it compatible with the Constitution.
Indeed, as the Court explained in Case C-1011 of 2008 [242], sensitive information is that "(...) relating, among other things, to the sexual orientation, habits, and religious and political creed of the individual. In these events, the nature of the data belongs to the core of the right to privacy, understood as that 'sphere or private living space not subject to arbitrary interference of others, which, being considered an essential element of being, is embodied in the right to be able to act freely in the said sphere or nucleus, in exercise of personal and family freedom, with no limitations other than the rights of others and the legal system.' [243]"

According to this explanation, the definition of Article 5 is compatible with the constitutional text, as long as it is understood not as an exhaustive list but as merely illustrative of sensitive data, since the data pertaining to the intimate sphere are determined by changes and historical development.
2.8. REVIEW OF ARTICLE 6: PROHIBITION OF SENSITIVE DATA PROCESSING AND EXCEPTIONS.
2.8.1. Text of the provision
"Article 6. Processing of sensitive data. Treatment of sensitive data is prohibited, except when:
a) The Contractor has given its explicit consent to such treatment, except in cases where the granting of such authorization is not required by law.
b) Processing is necessary to protect the vital interest of the Contractor and the latter is physically or legally incapacitated. In these events, the legal representatives must give their authorization.
c) The treatment is carried out in the course of legitimate activities and with appropriate guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or trade union, provided that they relate exclusively to its members or to persons who have regular contact with it because of its purpose. In these events, the data cannot be provided to third parties without the authorization of the owner.
d) The processing relates to data which the Contractor has manifestly made public or which are necessary for the establishment, exercise or defense of a right in judicial proceedings.
e) Treatment has a historical, statistical or scientific purpose. In this event the measures leading to the suppression of the identity of the Holders shall be taken."
2.8.2. Citizen interventions and concept of the Public Ministry
2.8.2.1. The Ombudsman requested that paragraph d) of Article 6 be declared unconstitutional because its justification, reasonableness or necessity is not clear in relation to data that the holder has made public, for the following reasons:
First, it states that the fact that data have been made public by the holder of sensitive information does not per se justify their collection and processing, as data are defined as public, private or confidential by their nature and not by their degree of disclosure, even if it is the owner himself who chooses to reveal them. In this vein, it would mean admitting treatment without the consent of the owner and for a purpose not authorized by him, by individuals, authorities or entities that may not have legal authorization to do so.
Second, it states that there is no constitutional purpose that justifies lifting the ban on the processing of sensitive data in the event stated, nor can it be regarded as a necessary and proportionate measure. On the contrary, because these are data involving a risk of discrimination, segregation and violence against certain groups or segments of the population, it is clear to the Ombudsman that making a manifestation of conditions, preferences, opinions or origins, from which data of a "sensitive" nature are deduced, does not justify in any way the authority to create databases of such connotation or to carry out their treatment.
In addition to the above, for the Ombudsman, the second part of literal d) of Article 6, i.e., the one that exempts from the prohibition of processing of sensitive data those that "are necessary for the establishment, exercise or defense of a right in judicial proceedings", is also unconstitutional for the following reasons:
It argues that the meaning and scope of this provision are not clear, because it does not say who defines which sensitive data are "necessary" for the exercise of a right in judicial proceedings, nor does it refer to the person who would be the holder of the right that needs to be guaranteed and defended. It could be the personal data holder himself or a third party who has knowledge of such data.
However, indicates that even in the event that the personal data of a sensitive nature become exposed in a public process for reasons inherent in the strategy of the parties to take forward their claims, it nevertheless is authorized to form a sensitive database from data that can be collected from processes information.

It explains that although certain situations, behaviors, traits, preferences and other sensitive data associated with certain people are made public through court proceedings, it is quite another thing to draw up a register of individuals who share a trait associated with a potentially discriminatory factor, such as one of those listed in Article 13 of the Constitution.
Therefore the Ombudsman requested that the second part of literal d) of Article 6 be declared unconstitutional.
2.8.2.2. The Public Prosecutor has not ruled on this issue.
2.8.3. Constitutionality of the prohibition of processing of sensitive data
Article 6 has two normative contents: on the one hand, it establishes the general rule prohibiting the treatment of sensitive data, and on the other, it provides for certain exceptions to that general rule, which will be examined later.
With regard to the first normative content, the Board considers that it is not only compatible with the Charter, but is also a requirement of the right to privacy and a development of the habeas data principle of access and restricted circulation.
Indeed, as explained in Case C-1011 of 2008 [244], while sensitive data belong to the sphere of personal privacy, "(...) acts of disclosure through generic personal data management processes, other than the exceptional possibilities of disclosure described in legal basis 2.5. of the present analysis, are outlawed. This is so to the extent that allowing information of this nature to be subject to ordinary processes of gathering, collection and circulation violates the essential content of the right to privacy."
2.8.4. Review of the constitutionality of the exceptions to the prohibition of processing of sensitive data
The second normative content of Article 6, on the other hand, provides for exceptions to the prohibition of processing of sensitive data. Before examining the constitutionality of each hypothesis, the Board considers it necessary to make the following clarifications:
As indicated in previous sections, the prohibition of processing of sensitive data is a guarantee of habeas data and the right to privacy, and it is also closely related to the protection of human dignity. However, in certain cases the processing of such data is essential for the proper provision of services, such as health care and education, or for the realization of rights linked precisely to the intimate sphere of people, such as freedom of association and the exercise of religious freedoms and freedom of opinion. The exceptions in Article 6 respond precisely to the need for treatment of sensitive data in such scenarios.
Now, as these are exceptional cases that can therefore generate high risks in terms of violations of habeas data, privacy and even the dignity of data subjects, the agents who carry out treatment in these cases have an enhanced responsibility, which translates into a stricter requirement of compliance with the principles of Article 4 and the duties of Title VI. That greater burden of care must also be reflected in administrative and criminal punitive action.
Finally, the exceptions, being general restrictions on the right to habeas data, must, as in the case of the exceptions of Article 2, be developed by the statutory legislator.
The Chamber now proceeds to examine the constitutionality of these exceptions:
2.8.4.1. Constitutionality of subparagraph a)
The Chamber considers that, in accordance with the principle of freedom, it is possible for individuals to give their consent, express and informed of course, for their personal data to undergo treatment. In these cases all the principles governing the processing of personal data must be complied with; in particular, the principle of finality will be important, according to which sensitive data can only be treated for the purposes expressly authorized by the holder, which in any case must be important from a constitutional point of view. In this vein, the Board finds that the first normative content of literal a) conforms to the Constitution.

Regarding the second normative content, that is, the ability to treat sensitive data without explicit authorization of the owner when "(...) is not required by law granting such authorization", the Chamber considers that it is compatible with the Constitution, as long as it is understood, as will be mentioned later, that such authorization, besides being contained in a law, complies with the guarantees provided by habeas data, for example in terms of purpose, and meets the requirements of the principle of proportionality.
2.8.4.2. Constitutionality of subparagraph b)
Literal b) establishes three conditions for the second exception to operate: (i) the treatment of sensitive data seeks to safeguard the vital interest of the holder, (ii) the holder is physically or legally incapacitated and (iii) authorization is then granted by the legal representative of the holder.
The Board considers that, under the conditions that paragraph b) provides for the exception to operate, it conforms to the Charter and complies with the principle of proportionality. Certainly in this case the exception only plays an important but not urgent purpose, that is, to safeguard the vital interests of the holder of sensitive data, which must be understood in relation to their life and health against serious damages. The means chosen by the legislature is appropriate: because of the impossibility of obtaining the express consent of the owner, the project allows it to be given by his legal representative, who is presumed to be the guardian of the interests of the owner. Finally, the exception establishes a fair balance between the rights to habeas data, privacy, health and life of the holder. For these reasons, the Chamber declared literal b) exequible, but not before reiterating that exceptions to the protections of habeas data, in this case the ban on treating sensitive data, are to be interpreted restrictively.
2.8.4.3. Constitutionality of subparagraph c)
The Chamber finds that the exception of item c) is justified as (i) it refers only to data circulating within the stated organizations; and (ii) it is typical of such organizations to collect and process sensitive data of their members or of persons who have contact with them, precisely because the reason for their existence is linked to one of the personal spheres that give rise to sensitive data. For example, in the case of a political organization, it is natural to collect and classify information on the political preferences of its members. In the case of an NGO that, for example, is dedicated to the defense of human rights, by virtue of its work it must collect sensitive data of those seeking its intervention for the purpose of, among other things, preparing judicial defenses or designing care programs.
In addition, the reserve of sensitive data is guaranteed in this literal, in accordance with the principle of freedom, with the requirement that any provision of this data to third parties must compulsorily be preceded by the express authorization of the owner. For these reasons the Chamber declared item c) enforceable.
2.8.4.4. Partial unenforceability of literal d)
Literal d) has two normative contents that actually represent two different exceptions: on the one hand, it indicates that the processing of sensitive data is possible when its owner has manifestly made them public, and on the other it notes that treatment is also possible when necessary "(...) for the establishment, exercise or defense of a right in judicial proceedings".
With regard to the first normative content, the Chamber considers that it is unconstitutional, because the fact that sensitive data has been made public does not make it a piece of data of a public nature that can be treated by anyone. Therefore, despite the disclosure of the data by the owner, the possibility of submitting them to treatment must be subject to express, prior and informed consent (principle of liberty) and to the other requirements imposed by the principles enshrined in Article 4 and other guarantees of habeas data. For these reasons, the phrase "the Contractor or manifestly made public" is declared unconstitutional.
For the Chamber, by contrast, the second normative content does conform to the Charter, provided that, in accordance with a systematic interpretation under the Charter, it is understood that in any case the prior and express authorization of the holder of the sensitive data, the existence of a court order and the guarantee of the other prerogatives derived from habeas data are necessary.

In fact, sensitive data (of the parties, witnesses and other participants) are in many trials essential to resolve a dispute; consider, for example, a guardianship proceeding on discrimination or criminal proceedings in which a victim claims compensation for violations of their rights as a result of political or religious persecution. In these cases sensitive data should be made known to the relevant judicial authority not only to resolve the dispute, but also for the adoption of protective measures.
However, in these cases, the Chamber reiterates, under the principles of freedom, purpose, legality and confidentiality, (i) the owner must give express consent, (ii) a court order is required, when that is the case, (iii) the data cannot be used for purposes other than those proper to the judicial process and (iv) the judicial authorities and the parties involved in the process must ensure the secrecy and confidentiality of sensitive data, among other requirements.
2.8.4.5. Constitutionality of literal e)
Finally, literal e) exempts from the ban the processing of sensitive data that "(...) have a historical, statistical or scientific purposes". However, the provision requires that "measures leading to the abolition of the identity of the holders (...)" be adopted in these cases.
The Chamber finds that the exemption meets the requirements of the principle of proportionality, since (i) it meets an overriding purpose, that is, the fulfillment of historical reconstruction, statistical and scientific purposes, in which there is, in addition, an interest of the entire community, as they contribute to the better design of public policies and functioning of the state, to the satisfaction of fundamental rights such as health and life, and even to the collective right to the truth. In addition, (ii) the provision chooses a suitable means, since in any case it requires the suppression of the identity of the holder. (iii) In this way, the provision strikes an appropriate balance between the right to habeas data and the rights that are satisfied by historical, scientific and statistical activities.
In any case, the Chamber reiterates that these events must respect the guarantees of habeas data, especially the principle of finality and the principle of proportionality.
2.9. REVIEW OF ARTICLE 7: RIGHTS OF CHILDREN ON PERSONAL DATA PROTECTION.
2.9.1. Text of the provision
"Article 7. Rights of children and adolescents. In the Treatment, respect for the prevailing rights of children and adolescents will be ensured.
Treatment of personal data of children and adolescents, except for data that is public in nature, remains outlawed.
It is the task of the state and of educational institutions of all kinds to provide information and train legal representatives and guardians about the potential risks that children and adolescents face regarding improper Treatment of their personal data, and to provide knowledge about responsible and safe use by children and adolescents of their personal data, their right to privacy and the protection of their personal information and that of others. The National Government will regulate the matter within six (6) months following the enactment of this law."
2.9.2. Citizen interventions and concept of the Public Ministry
2.9.2.1. The Ombudsman requested the conditional constitutionality of paragraphs 1 and 2 of Article 7, as it asserts that there is a contradiction between paragraph 1 and paragraph 2 of Article 7. The first appears to accept the treatment of data of children and adolescents, while the second flatly prohibits data processing related to the same categories of subjects, except for data that are of "public nature". The reasonable interpretation seems to be that the treatment referred to in paragraph 1 is that of the public data referred to in paragraph 2, although it should be clear that, beyond this possibility, no treatment involving private data of children and adolescents is feasible.
2.9.2.2. The Legal Secretariat of the Presidency requested the conditional constitutionality of the second paragraph of Article 7 as follows:

It states that from the interpretation of the second paragraph it cannot be concluded that the processing of information on children is a situation that threatens their integrity. On the contrary, the rights of this population, such as health and social security, enshrined in Article 44, may be affected by an interpretation under which under no circumstances is it lawful to process their data.
In this vein, the interpretation that best consulting the interests of children and adolescents and ensuring its training Indemnity is one that in no way endanger his superior well. Therefore, it should be added to public data, private, whose disclosure appropriate in the concrete to a clear and unequivocal circumstances interests of the child, the child and adolescent and their treatment is in line with this sole purpose.
It said that the second clause is enforceable under the understanding above; otherwise it is unconstitutional for violating Articles 15 and 44 Superior, since the protection of children cannot reach the point of denying the effective exercise of their rights, including habeas data.
2.9.2.3. ASOBANCARIA stated in relation to Article 7 that a legal restriction is set that is too strong on the right to freedom of information and that, ultimately, does not translate into an effective realization of the security interests of the child. The concern arises when it comes to non-public information whose holders are children and adolescents and which, given the different levels of social interaction, can rest in various organizations and institutions. The regulatory design chosen by the legislature did not distinguish, for this standard, the different types that jurisprudence has identified to define the rules that delimit the core of the right to habeas data with regard to the right of information.
2.9.2.4. Universidad de los Andes requested the conditional constitutionality of Article 7 because, first, the processing of personal data of children and adolescents is not banned when it is authorized by law or carried out to comply with the same. Second, in cases permitted by law, the processing of personal data of children and adolescents requires the prior, written and informed consent of their legal representatives. Thirdly, the State and educational institutions should not only train but legal representatives and guardians of children and adolescents on the topics mentioned in the final paragraph of Article 7 of the draft.
2.9.2.5. The Attorney states that the expression "public nature" contained in the second paragraph of Article 7 should be kept as long as it is understood that the rights of children and adolescents cannot be affected, because although the data can be authorized and publicly exposed, it is possible that some of their guarantees are affected, considering that they belong to a vulnerable population. It explains this as follows: (i) children and adolescents do not have full capacity to consent, which could be overcome with the authorization of their legal representatives and (ii) this vulnerable population, having free access to the Internet, could publish their personal data thoughtlessly.
2.9.3. Conditioned constitutionality of Article 7
Article 7 of the project under study establishes that (i) in the treatment of information, respect for the prevailing rights of children and adolescents will be ensured; (ii) the processing of personal data of children and adolescents is prohibited, except in those cases where the data are of a public nature; and (iii) it is up to the State and all educational institutions, at the different levels of training, to provide information and train legal representatives and guardians about the risks that children and adolescents may face from improper treatment of their personal information. In turn, it points to the importance of providing knowledge to children and adolescents about the responsible use of personal data, privacy and the protection of their personal information and that of others. Finally, it states that (iv) the National Government will regulate the matter within six (6) months following the enactment of this law.

The Court considers that the provision under study is extremely important because it refers to the processing of personal data of children and adolescents, who are subjects of special constitutional protection. Given this quality, the Court will address the following points: (1) the definition of child and adolescent in the Code for Children and Adolescents; (2) the legal basis of the principle of the best interests of children under 18; (3) the fundamental right of children and adolescents to be heard; and (4) review of the constitutionality of Article 7.
2.9.3.1. The definition of child and adolescent
It is important to refer briefly to what is meant by child and adolescent in the Colombian legal system. In developing this concept, the Code for Children and Adolescents, in its article 3, stated: "(...) child means people between 0 and 12 years, and adolescent means people between 12 and 18 years old". The above definition was declared enforceable by the Corporation. It is also consonant with the broad definition contained in the Convention on the Rights of the Child as "(...) all under eighteen years of age (...) human being."

2.9.3.2. The legal basis of the principle of the best interests of persons under 18
The status of children and adolescents as subjects of special constitutional protection has its basis in the principles of the Constitution and in the international human rights instruments that recognize the best interests of persons under eighteen and that make up the so-called constitutional block.
Their status as subjects of special protection derives from Article 44 of the Constitution, which states, inter alia, that the family, society and the State have an obligation to assist and protect children in order to ensure their harmonious and comprehensive development and the full exercise of their rights. It also stipulates that the rights of children take precedence over the rights of others. In turn, the Universal Declaration of the Rights of the Child (1959), in Principle II, states that the child shall enjoy special protection and shall be given, by law and by other means, what is necessary to develop physically, mentally, morally, spiritually and socially, in conditions of freedom and dignity; it also provides that, in the enactment of laws for this purpose, the paramount consideration shall be the best interests of the child. In addition to this instrument, there are other international treaties and conventions that enshrine the principle of the best interests of persons under eighteen, among which are: the International Covenant on Civil and Political Rights of 1966 (Article 24), the American Convention on Human Rights of 1969 (Article 19) and the Convention on the Rights of the Child of 1989 [245].
The best interests of persons under eighteen, enshrined in various human rights conventions, are expressly provided for in Article 8 of the Code for Children and Adolescents: "(...) the best interests of the child and adolescent are understood as the imperative that requires all persons to ensure the comprehensive and simultaneous satisfaction of all their human rights, which are universal, prevailing and interdependent." Moreover, Article 25 of the same Code, following the above provision on the prevalence of the rights of those under 18 over those of others, states: "(...) In any act, decision or measure, whether administrative, judicial or of any other nature, that is to be adopted in relation to children and adolescents, their rights shall prevail, especially if there is a conflict between their fundamental rights and those of any other person (...)".
In short, the status of children and adolescents as subjects of special constitutional protection derives from (i) Article 44 of the Constitution, which states that their rights take precedence over the rights of others, and (ii) the international framework, which enshrines the principle of the best interests of persons under eighteen.
Regarding the legal criteria to be observed in applying the principle of the best interests of children and adolescents in specific cases, the jurisprudence of this Court has established the following:
"In this regard, in Cases T-510 of 2003 [246] and T-572 of 2009 [247], the Court set out the constitutional, legal and jurisprudential rules that apply in determining the best interests of each child, depending on their particular circumstances. They are as follows:

(i) Guarantee of the child's development. As a general rule, the harmonious, full, normal and healthy development of children must be ensured, from the physical, psychological, emotional, intellectual and ethical points of view, as well as the full development of their personality. It falls to the family, society and the State to provide the protection and assistance necessary to realize the right of children to develop fully, taking into account the conditions, capabilities and limitations of each child. Article 7 of the Code for Children and Adolescents understands comprehensive protection to mean "their recognition as subjects of rights, the guarantee and fulfillment of those rights, the prevention of their threat or violation and the assurance of their immediate restoration, in development of the principle of best interests." The constitutional mandate in question, which should be realized taking into account the conditions, capabilities and limitations of each child, is reflected in Articles 6-2 and 27-1 of the Convention on the Rights of the Child [248] and Principle 2 of the Declaration on the Rights of the Child.
(ii) Ensuring the conditions for the full exercise of fundamental rights. The rights of children should be interpreted in accordance with the provisions of the treaties and instruments of public international law binding on Colombia. Article 6 of the Code for Children and Adolescents contains a strong mandate in this regard: "The rules contained in the Constitution and in the international human rights treaties and conventions ratified by Colombia, particularly the Convention on the Rights of the Child, shall form an integral part of this Code and shall guide its interpretation and application. In any case, it shall apply the absolute best interests of the child or adolescent standard."
(iii) Protection of the child against prohibited risks. Children must be protected from all forms of abuse and arbitrariness, and from extreme conditions that threaten their harmonious development, such as alcoholism, drug addiction, prostitution, physical or moral violence, economic or labor exploitation and, in general, lack of respect for human dignity in all its forms. Not surprisingly, Article 44 of the Charter states that children "will be protected against any form of abandonment, physical or moral violence, abduction, sale, sexual abuse, labor exploitation and hazardous work." Meanwhile, Article 20 of the Code for Children and Adolescents establishes the set of serious risks to children that should be avoided (...)
In any case, it must be stated that this list does not exhaust all the different situations that may constitute threats to the welfare of each individual child, which should be determined according to the circumstances of the particular case.

(iv) Balancing the rights of children and the rights of their parents, on the basis that the rights of the child prevail. It is necessary to preserve a balance between the rights of children and those of their parents, but whenever this balance is altered and a conflict arises that cannot be resolved through harmonization in the particular case, the solution should be the one that best serves the best interests of the child. In this context, the rights and interests of parents may only be placed before those of the child when doing so serves the child's prevailing interest. The way in which the rights are to be harmonized and conflicts between the interests of the parents and those of the child are to be resolved cannot be established in the abstract, but only according to the circumstances of each individual case, and it may not, in any case, endanger the life, health, stability or development of the child, or generate prohibited risks to the child's development, on pain of the State intervening to protect the prevailing interests of the child at risk. "The very meaning of the verb 'prevail' [249] necessarily implies the establishment of a relationship between two or more competing interests in specific cases, one of which (the child's) has priority if no form of harmonization is found". Therefore, in situations where it must be determined which option is the most favorable for a particular child, the rights and interests of the persons connected with that minor, especially the parents, whether biological or those raising the child, must necessarily be taken into account; "Only in this way is the mandate of priority of the interests of children fully met, since they hold the fundamental right to be part of a family, so their situation should not be studied in isolation but in the context of their real relationships with parents, guardians, relatives and other stakeholders.
This is the rule set out in Article 3.2 of the Convention on the Rights of the Child, which states: 'States undertake to ensure the child such protection and care as is necessary for their welfare, taking into account the rights and duties of their parents, guardians or other persons responsible for them before the law' [250]." [251]
(v) Provision of a suitable family environment for the child's development. The integral and harmonious development of children (Art. 44 CP) requires a family in which the parents or guardians fulfill the duties arising from their position, and which allows the child to develop properly in an atmosphere of love, understanding and protection. In this regard, Art. 22 of the Code for Children and Adolescents provides that "children and adolescents have the right to have and grow up within a family, to be accepted and not be expelled from it."
(vi) Need for powerful reasons to justify State intervention in parent-child relations. The mere fact that the child may be in better economic conditions does not in itself justify an intervention in the relationship with his or her parents; powerful additional grounds must exist that give cause to fear for the child's welfare and development, and that justify protective measures whose effect is to separate the child from his or her biological family. "This would amount to unreasonable discrimination between rich children and poor children as regards the guarantee of their right to have a family and not be separated from it, a treatment that directly violates Articles 13 and 44 of the Charter." This is also provided for in Article 22 of the Code for Children and Adolescents" [252] (Bold added)

In short, (i) the principle of the best interests of children and adolescents is realized in the study of each particular case and is intended to ensure their full development; (ii) this principle also pursues the effective realization of the fundamental rights of those under 18 and their protection from the prohibited risks that threaten their harmonious development. These risks are not confined to those stated in the law but must also be analyzed in the study of each particular case; (iii) a balance must be sought between the rights of parents or legal guardians and those of children and adolescents. However, when such harmonization is not possible, the higher guarantees of those under 18 must prevail. In other words, whenever the rights of parents prevail, it is because this has been understood to be the best way to give effect to the principle of the best interests of children and adolescents.

The status of persons under eighteen as subjects of special constitutional protection is founded on the vulnerability and defenselessness in which they find themselves, since their physical, mental and emotional development is still in the process of reaching the maturity required for decision making and autonomous participation in society. The degree of vulnerability and defenselessness varies and arises from all the processes of interaction that persons under 18 must carry out with their physical and social environment for the development of their personality. [253] Therefore, the State, society and the family should provide special protection in all areas of the life of children and adolescents, in order to ensure their harmonious and integral development. [254]
In addition to the above, the reinforced constitutional protection enjoyed by children and adolescents has its basis in (i) respect for human dignity, and (ii) the importance of building a promising future for the community through the realization of all their fundamental rights. [255]
In this vein, this Court finds that, in the processing of data of children and adolescents, there is a prohibited risk to which this vulnerable population is exposed, mainly due to the overwhelming evolution of information technology, which includes the Internet and social networks. While access to the different communication systems allows them to enjoy all their benefits and advantages, their misuse can also create conflict in the exercise and effectiveness of their fundamental rights to good name, honor and privacy, among others. This approach was addressed in the Memorandum on the protection of personal data and privacy in online social networks, particularly of children and adolescents, adopted in Montevideo on 28 July 2009. [256] While this document is not part of the so-called block of constitutionality, and therefore its recommendations are not binding on the Colombian State, it constitutes a valuable document on the protection of personal data of children and adolescents. [257]
2.9.3.3. The fundamental right of children and adolescents to be heard
The principle of the best interests of persons under 18 is closely related to their right to be heard. Article 12 of the Convention on the Rights of the Child defines it as follows:
"1. States Parties shall assure to the child who is capable of forming his or her own views the right to express those views freely in all matters affecting the child, the views of the child being given due weight in accordance with the age and maturity of the child.
2. To this end, the child shall in particular be given an opportunity to be heard in any judicial or administrative proceedings affecting the child, either directly or through a representative or an appropriate body, in accordance with the procedural rules of national law".

The Committee on the Rights of the Child ("the Committee"), in General Comment No. 12 regarding the right of children and adolescents to be heard, made the following analysis: (i) this guarantee recognizes them as full subjects of rights, even if they lack the autonomy of adults; (ii) this right should be taken into account in interpreting the rest of their guarantees. (iii) With regard to the precept that children and adolescents should be heard depending on their age and maturity, the Committee stated: 1- First, exercising the right to express an opinion is an option, not an obligation, for those under 18. 2- States parties should proceed from the assumption that the child or adolescent has the capacity to form their own judgment on matters that affect their lives, and should recognize their right to express it. That is, it is not for them to show beforehand that they can do so. It is the State that must, in particular, assess their ability to form an independent opinion. 3- There is no age limit on the right of those under 18 to express their opinion freely in all matters affecting them; further, the Committee recommended that States set an age to restrict their right to be heard. [258] 4- The provision under analysis shows that age in itself does not determine the significance of the opinion expressed by those under 18, because in many cases their level of understanding of everything around them is not linked to their biological age. "It has been shown in studies that information, experience, environment, social and cultural expectations and the level of support contribute to the development of the child's ability to form an opinion. For this reason, the child's views must be assessed on a case-by-case basis." 5- Maturity is linked to the level of understanding of a matter and the assessment of its consequences; it could be defined as "the ability of a child to express his or her views on issues in a reasonable and independent manner (...) the greater the effects of the outcome on the child's life, the more important the correct assessment of the maturity of that child." (iv) The opinion of the child or adolescent must be heard in all matters that affect them when they are able to express their own views on them.
Moreover, in accordance with paragraph 2 of Article 12 of the Convention, the Code for Children and Adolescents of our country, in Article 26, recognizes the right to due process in the following terms: "In every administrative, judicial or other proceeding in which children and adolescents are involved, they shall be entitled to be heard and their views shall be taken into account". (Emphasis added)
Regarding the content of this fundamental guarantee, in particular the provisions of paragraph 2 of Article 12 of the Convention, the Committee recommends that, where possible, the child be given the opportunity to be heard in any proceeding. That is, if a person under 18 demonstrates the ability to express an informed opinion about their treatment, States should duly take this view into account.
2.9.3.4. The review of constitutionality of Article 7
In light of the foregoing, this Court considers that the principle of the best interests of children and adolescents takes concrete form, in this particular case, in the establishment of conditions that guarantee the rights of those under 18 in the Information and Knowledge Society, which includes tools such as the Internet and social networks.
We conclude, then, in view of the immediate environment surrounding the growth and development of children and adolescents in their physical, mental and emotional aspects, and of the urgency of recognizing their human dignity, that all those involved in securing and realizing the rights of those under 18 must fulfill their responsibilities in protecting them, specifically in the safeguarding of their personal data.

To begin with, the participants point out a possible contradiction between the first and second paragraphs of Article 7 of the bill, because the first paragraph states that the processing of data of children and adolescents must ensure the prevalence of their rights, while the second paragraph indicates that the processing of personal data of those under 18, except data that are public in nature, is prohibited. In this regard, they argue that an absolute restriction on the processing of personal data of any kind would be excessive, and that such processing should in any case be authorized, but on the basis of the principle of the best interests of those under 18 and the prevalence of their rights.
The Chamber notes that the second paragraph should not be understood to mean that there is an almost absolute ban on the processing of data of those under 18, except data of a public nature, as this would lead to the denial of other higher rights of this population, such as social security in health, an interpretation that is not in accordance with the Constitution. The point, then, is to recognize and ensure the full enjoyment of all the fundamental rights of this population, including habeas data.
It is in this sense that the expression "public nature" is to be read. That is, the personal data of those under 18, regardless of their nature, can be processed as long as the aim pursued with such processing serves the best interests of children and adolescents and ensures, without exception, prevailing respect for their rights.
In addition to giving effect to the interests of this population, it is also important to guarantee their right to be heard in all matters affecting them; and the processing of their data is, without any doubt, a matter that concerns them directly.
In short, following the recommendations issued by the Committee on this important guarantee, the Court considers it important that the views of those under 18 always be taken into account, since the maturity with which they express their judgments about the facts that affect them should be analyzed case by case. Maturity and autonomy are not associated with age; they are more closely related to the cultural, social and family environment in which the child has grown up. In this context, the opinion of the child and adolescent should always be considered, and the subjective element of the standard, "maturity", should be analyzed in each particular case, that is, their ability to understand what is happening (the issue that concerns them) and to infer its possible consequences.
In short, the second paragraph of the article under study is enforceable if it is interpreted to mean that the data of children and adolescents can be processed as long as doing so does not jeopardize the prevalence of their fundamental rights and unequivocally serves the realization of the principle of their best interests, the specific application of which will depend on the analysis of each particular case.
As to paragraph 3 of Article 7 of the bill, it should also be noted that not only the State and educational institutions must develop actions to prevent misuse of the personal data of those under 18; the following are also responsible for securing this guarantee: (i) parents or others who are in charge of their care, and educators; (ii) the legislator, who must ensure, in fulfilling its legislative functions and specifically with regard to the processing of personal data of those under 18, that the rules do not fail to contain the appropriate protective measures to ensure their harmonious and comprehensive development and the effectiveness of their fundamental rights contained in the Constitution and in the international standards that exist on the subject; (iii) the judicial system; specifically, public servants must protect the rights arising from the use of personal data of those under 18, observing international standards or specialized documents on the subject; (iv) the media; (v) companies that provide Internet access services or develop digital applications or social networks, which are called upon to engage in the defense of the fundamental rights of children and adolescents.
In short, there is a shared responsibility of all stakeholders with regard to the handling and processing of information of children and adolescents.

With regard to the part of paragraph 3 of Article 7 that states: "The National Government will regulate the matter, within six (6) months following the enactment of this law," this Court finds that there are two possible interpretations of the scope of the term "matter".
The first is that the National Government may regulate matters concerning the processing of personal data of children and adolescents. Given that such regulation is reserved to statute, as outlined in the study of Article 27 of this bill, this interpretation is contrary to the Constitution. Therefore, the content of paragraph 3, understood in this way, would be unenforceable.
However, applying the principle of conservation of law [259], the Court finds that there is a second interpretation of the scope of the expression in question, in the sense that the regulatory power that the legislature gives the National Government to regulate the matter relates to (i) all the actions that must be deployed to provide information and train legal representatives and guardians about the risks faced by children and adolescents from the misuse of their personal data, and (ii) providing knowledge to children and adolescents about the importance of the responsible use and handling of their personal information, respect for their right to privacy and the protection they should give to their own personal data and those of others. [260]
In this vein, the constitutionality of the part of paragraph 3 of Article 7 that states "The National Government will regulate the matter, within six (6) months following the enactment of this law" is to be understood on the basis that such regulation is limited to developing the content of paragraph 3 of the article in question, as set out above.
Similarly, it is to be understood that the expression "(...) within six (6) months following the enactment of this law" should not be read as a term for the expiry of the regulatory power because, on the contrary, constitutional jurisprudence has indicated that no such limitations on it are possible, since it is exercised permanently and under express constitutional mandate.
Indeed, the Court has said that the regulatory authority has its basis in the provisions of Article 189-11 CP, and implies that the Executive is vested with the power to issue the decrees, resolutions and orders necessary for the due execution of the laws. The regulatory authority therefore has an "ordinary, derivative, limited and permanent" nature. It is ordinary because it is a function of the Executive Branch whose exercise requires no authorization other than the constitutional provision that confers it. It is derivative, since it requires the prior existence of legislative material for its exercise. Similarly, it is limited because "it finds its limits and scope in the Constitution and the law; which is why it cannot alter or modify the content and spirit of the law, nor can it be directed at regulating laws whose execution does not fall to the administration, nor can it regulate matters whose content is reserved to the legislature". Finally, "the regulatory authority is permanent, given that the Government can make use of it as often as it sees fit for the due execution of the law in question and for as long as that law remains in force."
2.10. REVIEW OF ARTICLE 8: RIGHTS OF HOLDERS.
2.10.1. Text of the provision
"Article 8. Rights of Holders. The holder of personal data shall have the following rights:
a) To know, update and rectify their personal data vis-à-vis data controllers or processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fractioned or misleading data, or data whose processing is prohibited or has not been authorized.
b) To request proof of the authorization granted to the controller, unless it is expressly excepted as a requirement for processing, in accordance with the provisions of Article 10 of this Law.
c) To be informed by the controller or the processor, upon request, of the use that has been made of their personal data.
d) To submit to the Superintendency of Industry and Commerce complaints for violations of the provisions of this Act and of other regulations that modify, add to or supplement it.
e) To revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will only proceed when the Superintendency of Industry and Commerce has determined that, in the processing, the controller has engaged in conduct contrary to the law and the Constitution.
f) To access, free of charge, their personal data that have undergone processing."
2.10.2. Citizen interventions and concept of the Public Ministry
2.10.2.1. The Universidad de los Andes requests that subparagraphs a), b) and c) of Article 8 of the bill be declared enforceable, but on the understanding that, under Article 15 of the Constitution, the holder of personal data may also exercise the rights provided in those subparagraphs against users of personal data.
On this point, it warns that if the bill is not understood to also cover users, a situation of inequality in violation of Article 13 of the Constitution would be created between the holders of personal commercial and financial data governed by Statutory Law 1266 of 2008 and the holders of the other types of personal data governed by the new law.
In fact, it says, the former are granted rights against users while the latter are not. In this vein, it argues, there is no legal reason to give greater relevance and importance to commercial and financial data than to other personal data such as data on health, family, work, wealth, sensitive data, etc.
It reiterates that, for processing to be consistent with the minimum requirements of the Constitution, users must meet a series of obligations so that their acts or omissions do not compromise, violate, injure or endanger the rights and freedoms of holders of personal data. For this reason, it is necessary for the Court to state that the holders' rights under subparagraphs a), b) and c) of Article 8 of the bill can also be exercised against users of personal data.
It also requests that subparagraph f) of Article 8 of the bill be declared enforceable, on the understanding that the total gratuity also applies to the exercise of habeas data over the commercial and financial data dealt with in Law 1266 of 2008. It argues that the paragraph of Article 10 of Statutory Law 1266 of 2008 establishes a gratuity limited to once per calendar month; that is, from the second consultation in a month the holder of the data must pay to exercise the fundamental right of habeas data in respect of their personal data.
Given the above, it says, total gratuity for the exercise of the right of habeas data should apply in respect of any personal data, including the commercial and financial data dealt with in Law 1266 of 2008. If it is not understood that the gratuity of subparagraph f) of Article 8 of the bill extends to the exercise of habeas data over commercial and financial data, a real situation of inequality in violation of Article 13 of the Constitution will be consolidated between the holders of personal commercial and financial data governed by Law 1266 of 2008 and the holders of the other types of personal data governed by the new law.
Therefore, for reasons of equality and in order to avoid abusive situations against the holder of personal data, it is imperative to clarify that the total gratuity enshrined in subparagraph f) of Article 8 of the bill also applies in the case of commercial and financial information regulated by Law 1266 of 2008.
2.10.2.2. The Public Ministry did not rule on the matter.
2.10.3. Introduction

The Permanent Council of the OAS, in the Draft Preliminary Principles and Recommendations on the Protection of Personal Data of 19 November 2010, stated that States should provide data holders with at least the following: (i) the right to request and obtain from the data controller information on their personal data; (ii) how and why the personal data are processed. The latter includes information about the source of the personal data, the purpose of the processing and for whom it is done, which may include the categories of recipients to whom the personal data will be disclosed; (iii) unless the personal data are amended and/or deleted as a matter of routine, the data controller must disclose the personal data in its possession as of the date of the request. However, if personal data are amended and/or deleted regularly, the data controller may, alternatively, disclose the personal data in its possession at the time of responding to the request; (iv) how and when the personal data are disclosed; (v) the information to be provided to the person must be clear and easily understandable; (vi) the person has the right to request that the data controller correct or delete personal data that may be incomplete, inaccurate, unnecessary or excessive. If personal data have been disclosed to third parties, the data controller must also notify them of such change, if known; and (vii) the right to revoke the data, or the right to object to the processing of personal data on the basis of a personal and legitimate reason; the person cannot object if the data are necessary for the fulfillment of a duty imposed on the data controller by national legislation or for the performance of a contractual obligation between the person and the data controller, or if the person has expressed consent.
For its part, Directive 95/46/EC of the European Parliament sets out the following as rights of data holders:
"Member States shall guarantee every data subject the right to obtain from the controller:
a) freely, without constraint, at reasonable intervals and without excessive delay or expense:
- confirmation of whether or not data concerning him are being processed, as well as information at least on the purposes of such processing, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed;
- communication in an intelligible form of the data undergoing processing and of any available information on the origin of the data;
- knowledge of the logic involved in any automatic processing of data concerning him, at least in the case of the automated decisions referred to in paragraph 1 of Article 15;
b) where appropriate, the rectification, erasure or blocking of data processed not in accordance with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in accordance with letter b), unless this proves impossible or involves a disproportionate effort.
Member States shall grant the data subject the right:
a) to object, at least in the cases referred to in points e) and f) of Article 7, at any time and for legitimate reasons relating to his particular situation, to the processing of data relating to him, unless national legislation provides otherwise. Where the objection is justified, the processing instigated by the controller may no longer involve those data;
b) to object, on request and without charge, to the processing of personal data relating to him which the controller anticipates being processed for prospecting; or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of prospecting, and to be expressly offered the right to object free of charge to such disclosure or use.
Member States shall take all measures necessary to ensure that data subjects are aware of the existence of the right referred to in the first paragraph of letter b)."
Article 8 states that are rights holders data:

"a) To know, update and rectify their personal data vis-à-vis data controllers or processors. This right may be exercised, inter alia, against partial, inaccurate, incomplete, fragmented or misleading data, or data whose processing is prohibited or has not been authorized;
b) To request proof of the authorization granted to the controller, unless it is expressly excepted as a requirement for the processing, in accordance with the provisions of Article 10 of this law;
c) To be informed by the controller or the processor, upon request, of the use that has been made of their personal data;
d) To submit to the Superintendency of Industry and Commerce complaints for violations of the provisions of this Act and of other regulations that modify, add to or supplement it;
e) To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will only proceed when the Superintendency of Industry and Commerce has determined that, in the processing, the person responsible has engaged in conduct contrary to the law and the Constitution;
f) To access free of charge their personal data that have undergone processing."
In reality, the rights set forth in the Bill are a concrete development of the principles set out in Article 4. Indeed, under the principle of legality, the Holder is entitled to have their data processed within the limits established by current regulations and, in particular, to take action when its processing is prohibited (ordinal a). By virtue of the principle of purpose, the Holder has the right to exercise constant control over the data, in order to determine whether it is being used for the purposes for which authorization was given, and to ask the controller or processor for information on the use made of their personal data (ordinals b, c and e). By virtue of the principle of freedom, the Holder is guaranteed the ability to verify that the data circulating about them have been previously authorized, to request proof of this and also to revoke their authorization (ordinals a, b, c and e). By the principle of accuracy or quality, the Holder has the right to know, update and rectify their personal data in cases where these are inaccurate, incomplete, fragmented or misleading, or where their processing is prohibited (ordinal). By the principle of transparency, the Holder is entitled to know the information about them that rests in databases, to request proof of the authorization given, to be informed of the handling of their data and to access their personal data free of charge (ordinals a, b and f). By virtue of the principles of access and restricted circulation, security and confidentiality, the Holder is entitled to demand that their information be treated in accordance with the limits imposed by the law and the Constitution and, in case of non-compliance, to have an effective remedy to achieve the restoration of their rights (ordinals and d).
In the same way, it should be noted that, as with the principles, this cannot be considered an exhaustive list of guarantees; rather, it includes all those prerogatives resulting from the comprehensive guarantee of the fundamental right to habeas data. Similarly, the pace at which new information systems emerge also makes it necessary for the rights proper to each information system to be integrated. [261]
2.10.4. Review of paragraph e)
This provision establishes in Colombia the so-called right of opposition. The rule states that the data Holder may revoke the authorization and/or request the deletion of data when: (i) the principles, rights and constitutional and legal guarantees are not respected and (ii) provided the Superintendency of Industry and Commerce has determined that, in the processing, the person responsible has engaged in conduct contrary to the law and the Constitution. However, as will be explained, these conditions constitute a disproportionate restriction on the data Holder.
The right of opposition allows the data Holder to prevent the processing of their information or to request that it cease. [262] This guarantee is provided for in Article 14 of Directive 95/46/EC as follows:
"Member States shall grant the data subject the right:

a) to object, at least in the cases referred to in points a) and c) of Article 7, at any time and for legitimate reasons relating to his particular situation, to the data concerning him being processed, except where national law provides otherwise. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;
b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for prospecting; or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of prospecting, and to be expressly offered the right to object free of charge to such use or communication."
Thus, under the European standard, the data subject, that is, the individual to whom the data belong, is entitled to object to its use: (i) for personal reasons, if there is no legal obligation requiring the data to be retained; (ii) at any time, when the data has been processed without their consent; (iii) when the processing is used for purposes other than those initially established; and (iv) when the data is processed for marketing prospecting purposes by third parties, that is, when it is used for advertising purposes and the data Holder no longer wishes to receive information about the product.
Comparative legislation has also established the right of opposition. In Mexico, the Federal Law on Protection of Personal Data Held by Private Parties, of 5 July 2010, allows the revocation of consent at any time, provided that it does not have retroactive effect; Argentine legislation is to the same effect. Spanish law states in Article 34 of Royal Decree 1720/2007 that the Holder may revoke the authorization: (i) in cases where, although consent is not necessary, the Holder requests withdrawal because of a legitimate personal reason, and provided the law does not enjoin processing; (ii) where the information provided is intended for advertising and market research activities; and (iii) when the data processing is being used to build a profile based solely on the sources of information, which has been called the automated processing of data.
It is thus observed that the right of opposition implies the possibility, vested in the data Holder, of requesting removal even for personal reasons, unless there is a legal provision that requires their personal data to remain in the database.
For its part, literal e) of Article 8 of the Bill under study limits the right of opposition to: (i) the misuse of information through violation of the principles, rights and constitutional guarantees and (ii) cases in which the Superintendency of Industry and Commerce certifies that the person responsible has engaged in conduct contrary to the Constitution and the law.
That is, as Article 8 is drafted, once the data Holder has given consent for the use of their information, it could never be revoked unless the person responsible had made improper use of it. In other words, the authorization would involve an indirect loss of ownership of the data. This results in a limitation of the right to informational self-determination (habeas data), with no valid reason to justify it.
In fact, Article 15 of the Constitution states that "In the collection, processing and circulation of information, freedom and other guarantees enshrined in the Constitution shall be respected." Habeas data confers, in the words of the Corporation, "according to the cited constitutional provision, a group of powers on the individual so that, in exercise of the general freedom clause, he can control the information about himself that has been compiled by an information center." [263] This control is not only predicated on prior authorization for the processing of data; the individual is also free to decide which information they want to remain in, and which should be excluded from, a source of information, as long as there is no legal mandate that imposes such a duty, or a contractual obligation between the person and the data controller that makes the permanence of the data necessary.
To consider otherwise would mean that information managers could freely process, without a defined term, the personal data of the subject concerned and, consequently, that the latter would be materially deprived of the possibility of exercising the guarantees provided by the constitutional text. In addition, the constitutional case law has established that there is a necessary link between freedom in computerized personal data collection processes and the expression of the consent of the Holder. In each of these decisions it has been held that "the concrete content of the freedom of the subject concerned and, simultaneously, the limit that prevents the abuse of informational power, lies in the requirement of authorization by the Holder as a prerequisite for the exercise of the constitutional powers to know, update and rectify personal data." [264]
On the other hand, the Corporation has indicated that the right to habeas data empowers the Holder of personal data to require of data managers "the access, inclusion, exclusion, correction, addition, updating and certification of data, and the limitation of the possibilities of disclosure, publication or assignment thereof, in accordance with the principles governing the personal data management process." [265]
Therefore, in developing Article 15 of the Constitution and the principle of freedom in data management, the expression "only" in the second paragraph of literal e) will be declared unconstitutional, because this expression limited the revocation of consent to a declaration, by the Superintendency of Industry and Commerce, of breach of the duties of the Data Controller or Processor.
Consequently, literal e) must be understood in the sense that the Holder may revoke the authorization and request the deletion of data: (i) when the principles, rights and constitutional and legal guarantees are not respected; in this case, and in order to ensure due process, provided that the Superintendency of Industry and Commerce has determined that, in the processing, the person responsible has engaged in conduct contrary to the legal order; and (ii) by virtue of the free and voluntary request of the data Holder, where there is no legal or contractual obligation requiring the Holder to remain in the database.
2.10.5. Review of paragraph f)
The University of the Andes requests that literal f) be conditioned so that the principle of free access is also applied to paragraph 2 of Article 10 of Law 1266 of 2008, which states that "The consultation of financial, credit, commercial and services information and that from third countries by the owner will be free at least one (1) time each calendar month."
However, such an interpretation is not possible, because the statutory legislator in Article 2 expressly states that "the regime of personal data protection established by this Act shall not apply: (...) e) to databases and files regulated by Law 1266 of 2008". In addition, although it orders that the data protection principles also apply to these excepted databases, it then provides that: "In the event that the special regulations governing the excepted databases provide for principles that take into account the special nature of the data, these shall apply concurrently with those provided in this law."
Therefore, the criterion of specialty prevails, also taking into consideration that this rule already underwent the prior and automatic review of the Constitutional Court in Ruling C-1011 of 2008 and was not repealed by the Bill for a statutory law reviewed today. On Article 10 of Law 1266 of 2008 the Court held on that occasion:
"However, the Court finds that, against the above conclusion, it can be argued that what the statutory legislator provided is not contrary to the Constitution, since free access by the Holder is permitted, while the charge is set for the case of the second monthly query; this with the aim of providing a degree of rationalization of access by the subject concerned and thus discouraging an unrestrained use of the power of consultation provided by the Constitution.

According to the Chamber, one must start from the consideration that what the rules analyzed above proscribe is that access to personal information be made subject to payment of a charge or fee; this is not inconsistent with the legislature providing for a charge, as long as the charge does not constitute an unavoidable requirement for access to personal data by the Holder. In that sense, the analyzed rule is not contrary to the Constitution, to the extent that it allows the Holder free access to their data at least once per calendar month, a power that makes it possible to realize the right of access to personal information in the terms set forth above. In that regard, the Court finds that the monthly free access to personal data does not constitute a disproportionate or unreasonable restriction. Indeed, (i) the possibility exists for the Holder to access their personal information free of charge each month; and (ii) commercial practice demonstrates that financial and credit obligations are also agreed with monthly payment maturities, which is why it is physically possible for reports on compliance in the payment of obligations to be made for shorter periods. Thus, the measure of rationalization of consultation provided by the statutory legislator does not affect the constitutional power of the Holder to know, update and rectify the personal data concerning them in files or databases."
2.11. REVIEW OF ARTICLE 9: AUTHORIZATION OF THE HOLDER.
2.11.1. Text of the provision
"Article 9. Authorization of the Holder. Subject to the exceptions provided by law, the prior and informed consent of the Holder is required for the processing, and it must be obtained by any means that can be the subject of later consultation."
2.11.2. Citizen interventions and concept of the Public Ministry
No interventions were presented on this matter. For its part, the Public Ministry did not address the constitutionality of the provision.
2.11.3. Review of constitutionality
No constitutional objections arise and, moreover, what was explained in connection with consent when developing the principle of freedom is reiterated. Consequently, personal data can be recorded and released only with the free, prior, express and informed consent of the Holder. The only possible exceptions are laid down in Article 10 of the bill under consideration.
Therefore, tacit consent of the data Holder is not allowed. The consent given by the person must be defined as a specific and informed indication, freely given, of their agreement to the processing of their personal data.

2.12. REVIEW OF ARTICLE 10: CASES IN WHICH AUTHORIZATION IS NOT NECESSARY.
2.12.1. Text of the provision
"Article 10. Cases where the authorization is not required. The Holder's authorization is not required in the case of:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Information of a public nature.
c) Cases of medical or health emergency.
d) Processing of information authorized by law for historical, statistical or scientific purposes.
e) Data related to the Civil Registry of Persons.
Whoever accesses personal data without prior authorization must in any case comply with the provisions of this law."
2.12.2. Citizen interventions and concept of the Public Ministry
2.12.2.1. The Legal Secretariat of the Presidency of the Republic seeks the conditional constitutionality of Article 10, on the understanding that this provision is constitutional as long as it is interpreted consistently with the principles of the law and the Constitution.
It maintains that literal c) of Article 10 is constitutional, provided it is understood that this case must respond to the existence of exigent circumstances of medical emergency, affecting either the Holder or others, that warrant the processing being carried out without authorization. The same could be said of a health emergency. However, these exceptions should be interpreted restrictively, and applied only to truly compelling circumstances.
It claims that the last paragraph of Article 10 is constitutional but warns that it should be interpreted restrictively and in accordance with the principles of the law under study, which have been endorsed by the Constitutional Court.

Finally, in relation to literal c) of Article 10, it is important that any law granting an authorization of this kind be respectful of the principles outlined in the bill under study, which have been reiterated by the Constitutional Court on previous occasions. It states that the general rule is that an authorization must be given and the exception is to dispense with it when there are higher constitutional interests, especially those which, within a rule of law, matter to the whole social conglomerate.
2.12.2.2. The Ombudsman requested the conditional constitutionality of literal c) of Article 10. He stated that in cases of medical or health emergency, the situation can make satisfying the authorization requirement particularly onerous.
However, since in these cases data of a "sensitive" character may be involved, as are precisely those related to health, this exception should be read not as an unrestricted authorization to dispense with consent, but as an extreme alternative, resorted to when it has not been possible to obtain the Holder's consent or the urgency of the situation prevents it.
Therefore, the Ombudsman considers that the constitutionality of this exception must be conditioned on the understanding that it operates only in cases where, given the particular situation of urgency, it is not possible to obtain the authorization of the Holder or it is particularly problematic to obtain it, given the circumstances of urgency, risk or danger to other fundamental rights, either of the Holder or of third parties.
On the other hand, he seeks the declaration of unenforceability of the last paragraph of Article 10, because it is contrary to the rights and guarantees of the fundamental right to protection of personal data. In fact, such laxity is equivalent to depriving of concrete effect not only the constitutional guarantees provided for in Article 15 of the Charter but also those provided for in the law itself.
In other words, the Ombudsman considers it useless to enshrine the authorization or consent of the Holder as a right and principle of data processing if the law does not provide an adverse consequence for those who carry out the processing without such prior authorization or without being authorized by law to do so. Consequently, he requested the declaration of unconstitutionality of the last paragraph of Article 10 of the draft.
2.12.2.3. The Public Prosecutor has not ruled on the constitutionality of the provision.
2.12.3. Considerations of the Court
Article 10 sets out the cases in which authorization is not required, specifically: when the information is required by a public or administrative entity in the exercise of its legal functions or by court order; data of a public nature; cases of medical or health emergency; processing authorized by law for historical, statistical or scientific purposes; and data related to the civil registry of persons.
The consent of the Holder of the information is a prerequisite for the constitutional legitimacy of personal data management processes. In accordance with what was set out regarding "the principle of freedom", there can be no tacit authorization in the handling of data.
With regard to the possibility of excluding consent, there are important constitutional interests that justify such a restriction in these cases.
Meanwhile, both in the international order and in comparative law, grounds exempting the need for authorization are provided for. Thus, Resolution 45/95 of 14 December 1990 of the United Nations enshrines restrictions relating to "national security, public order, public health or morals; and to protect the rights and freedoms of others, especially people who are being persecuted, provided that such exceptions are specified explicitly in a law or equivalent regulation promulgated in accordance with the internal legal system which expressly states their limits and provides for appropriate safeguards."

Directive 95/46/EC [266] of the European Parliament and the European Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data also points out that consent is necessary unless "the information is necessary for the execution of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at his request, or necessary for compliance with a legal obligation to which the controller is subject, or necessary to protect the vital interests of the data subject, or necessary for the performance of a task of public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, provided they are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection."
Article 10 of the Bill under study indicates situations in which authorization is not required, which respond to the nature of the data and the type of functions they perform. However, the following points should be made:
First, it is noted that authorization may be dispensed with when the information is "required by a public or administrative authority in the exercise of their legal functions or by court order." However, the Chamber considers that the same observations should be made as those contained in Ruling C-1011 of 2008, which reviewed the Bill for the Statutory Law on financial data.
In connection with public or administrative authorities, the Corporation said that such power "cannot become a setting conducive to the abuse of informational power, this time at the hands of state officials. Thus, the fact that the statutory legislature has determined that personal data may be required by any public entity, on condition that the request is supported by a direct connection with one of its functions, must be reconciled with the unrestricted guarantee of the right to habeas data held by the owner of the information. Indeed, in addition to the endless possibilities under which personal data can be accessed by this means, the application of the provision under analysis must be subordinated to the receiving administrative entity fulfilling the obligations of protection and guarantee that derive from said fundamental right, in particular the validity of the principles of purpose, usefulness and restricted circulation."
For the Court, this is achieved through two conditions: (i) a qualified link between the disclosure of the data and the performance of the functions of the executive branch entity; and (ii) the assignment to such entities of the duties and obligations that the statutory regulations lay down for users of information, taking into consideration that this set of conditions allows adequate protection of the right.
With regard to the first, the Corporation said that "the form of disclosure of personal information under the precept analyzed will be legitimate when the motivation of the request for information is based on a clear and specific functional competence of the entity." Regarding the second condition, the Court held that once the administrative entity accesses the personal data, it adopts the legal position of user within the personal data management process, which logically imposes on it a duty to guarantee the fundamental rights of the Holder of the information provided for in the Constitution, and it must therefore: "(i) maintain the confidentiality of the information supplied to it by operators and use it only for the purposes for which it was delivered, that is, those related to the specific functional competence that prompted the request for the supply of personal data; (ii) inform Holders of the use being made of their data; (iii) retain the information received with due safeguards to prevent its deterioration, loss, alteration, or unauthorized or fraudulent use; and (iv) comply with instructions given by the supervisory authority in relation to compliance with statutory legislation."

In relation to the court order, the Corporation said that "although there is no express authorization of the owner circumscribing the flow of data, the possibility of access is justified by the legitimacy that judicial proceedings have in the constitutional rule of law, as areas for the exercise of the public function subject to rules and controls, supported by the effectiveness of the right to due process and surrounded by the guarantees attached to it, in particular the rights of the defendants. Thus, recognizing the importance of this activity in the democratic system, understood as a fundamental pillar for achieving the state aims of ensuring peaceful coexistence and a just order, and it being noted, likewise, that the act of disclosure in this case responds to a constitutionally legitimate purpose, the precept is considered enforceable."
As regards public data and the civil registry of persons, their nature means they are not subject to the principle of authorization. Public information is information that can be obtained without reservation, including public documents, given the mandate of Article 74 of the Constitution. This information can be acquired by anyone, without any authorization.
In cases of medical and health emergency, for the sake of realizing the right to freedom in the handling of data, the rule should be understood to operate only in cases where, given the particular situation of urgency, it is not possible to obtain the authorization of the Holder or it is particularly troublesome to obtain it, given the circumstances of urgency, risk or danger to other fundamental rights, either of the Holder or of third parties.
In relation to processing for historical, statistical or scientific purposes, the rule raises no constitutional objection, given that it delegates to the law how these data should be protected; it must also be interpreted in accordance with literal e) of Article 6, which states that in these cases "measures leading to the suppression of the identity of the Holders must be taken".
Finally, it should be noted that the Ombudsman requested the unenforceability of the last paragraph of Article 10 because it would result in a general authorization for access to personal data without the consent of the Holder. However, a reading of the rule shows that what the statutory legislator seeks is that, in the cases expressly permitted by Article 10, which do not require the Holder's consent, the use of the data must also be subject to all the principles and limitations set forth in the Act. It could never be interpreted, on the contrary, as an open authorization for access to personal information without the consent of the Holder.
2.13. REVIEW OF ARTICLE 11: PROVISION OF INFORMATION.
2.13.1. Text of the provision
"Article 11. Provision of information. The requested information may be supplied by any means, including electronic, as required by the Holder. The information must be easy to read, without technical barriers to access, and must correspond as a whole to that which rests in the database.
The Government shall determine the manner in which data controllers and processors must provide the information to the Holder, based on the nature of the personal data. These regulations shall be issued no later than one year after the promulgation of this law."
2.13.2. Citizen interventions and concept of the Public Ministry
No interventions were presented on this matter. For its part, the Public Ministry did not address the constitutionality of the provision.
2.13.3. Constitutionality of Article 11: provision of information
Article 11 regulates matters relating to the mechanisms for delivering information to the Holder, which shall be regulated by the national government. The rule mandates that the information must be easy to read, without technical barriers, and must contain all the information about the Holder held in the database.
The constitutionality of this first part of the provision does not pose major problems, given that it develops one of the rights of Holders: access to their information.

Moreover, there is no objection as to the power granted to the national government, because this is a highly technical and delimited matter that does not concern the essential aspects of the fundamental right, much less does it involve a comprehensive regulation of it. Therefore, in this context, the statutory legislator directs the National Government, through its regulatory power, to specify how the information will be delivered to the Holder. On this, it should be recalled that the Court has admitted the constitutionality of such provisions, as long as the legislature has established a legislative material content as a basis for the exercise of that power. On this point the case law has said:
"It is possible for the legislative branch, through the use of broad language, to recognize for the administrative authority a sufficient margin for the specific development of some of the assumptions defined by law, in order to make concrete the application of certain legal provisions to diverse and changing circumstances. That is typical of a regulatory state. However, in those cases the action of the administration and the enforcement of the public policies that inspire the law and of the administrative regulations that give them concrete form depend on the laws establishing intelligible, clear and guiding criteria within which the administration must act, so that the basic principles of a social and democratic state of law are preserved." [267]
Similarly, it should be understood that the expression "These regulations shall be no later than one year after the enactment of this law" is not to be taken as an expiration term for the regulatory power; on the contrary, constitutional case law has indicated that limitations on that power are not possible, since it is exercised permanently and under express constitutional mandate.
Indeed, the Court has said that the regulatory authority has its basis in the provisions of Article 189-11 CP, and implies that the Executive is invested with the power to issue the decrees, resolutions and orders necessary for the due execution of the laws. The regulatory authority therefore has an "ordinary, derivative, limited and permanent" nature. [268] It is ordinary because it is a function of the Executive Branch whose exercise requires no authorization other than the constitutional provision that confers it. It has a derivative character, since its exercise requires the prior existence of legislative material. [269] Similarly, it is limited because "it has its limits and range in the Constitution and the law; which is why it cannot alter or modify the content and spirit of the law, nor can it regulate laws that it is not for the administration to execute, nor can it regulate matters whose content is reserved to the legislature." [270] Finally, "the regulatory authority is permanent, given that the Government can make use of it as often as it sees fit for the due execution of the law concerned, for as long as the law remains in force." [271]
2.14. REVIEW OF ARTICLE 12: DUTY TO INFORM THE HOLDER.
2.14.1. Text of the provision
"Article 12. Duty to inform the holder. The controller, when requesting authorization from the holder, shall inform him clearly and expressly of the following:
a) The treatment to which his personal data will be subjected and its purpose.
b) The optional nature of the response to the questions that will be asked when these relate to sensitive data or data on children and adolescents.
c) His rights as holder.
d) The identification, physical or electronic address and telephone number of the controller.
Paragraph. The controller must keep proof of compliance with the provisions of this Article and, at the Holder's request, provide a copy of it."
2.14.2. Citizen interventions and concept of the Public Ministry
2.14.2.1. The Ombudsman requested that the passage of literal b) of Article 12 which stipulates "when these relate to sensitive data or data of children and adolescents" be declared unenforceable, for the following reasons:

It argues that a conception coherent with the principles of freedom, authorization and purpose of data processing necessarily leads to the assertion that the answers to the questions posed to the holder should be optional or discretionary, whether or not sensitive data are involved. Limiting that power to sensitive data implies forcing responses in other cases, which completely distorts the guarantees inherent in data protection, such as informational self-determination, privacy and freedom.
Moreover, he says, including questions on sensitive data that are then treated clearly violates the prohibition of treatment.
In addition to the above, the Ombudsman noted that the treatment of data of children and adolescents, except with respect to data of a public nature, should be understood as outlawed by the superior system, in view of the prevalence of their rights and the guarantee of their interests, a prohibition contained in Article 7 of the draft. In this sense, there would not even be the possibility of asking such questions of their parents or guardians, let alone of the children and adolescents themselves.
2.14.2.2. The Public Ministry had no particular considerations against the norm.
2.14.3.
The Court's Article 12 provides the characteristics of the information to be provided by the controller. The provision is constitutional, but the literal b) should be conditioned by the following reasons.
The rule states that the information given to Holders shall include "the optional questions that would be done, when they relate to sensitive data or data on children and adolescents."
At first glance it could be understood that the standard is authorizing the processing of sensitive data and of data of children and adolescents, despite its being prohibited. However, there is one way to interpret the provision that is aligned with the constitutional principles.
First, the optional nature, because of the principle of freedom, is predicable of all questions. However, in the case of one of the situations in which the treatment of sensitive data or of data of a child or adolescent is exceptionally allowed, the controller must inform the holder of the limitations and rights that are predicable of such data.
2.15. REVIEW OF ARTICLE 13: PERSONS TO WHOM THEY CAN PROVIDE INFORMATION.
2.15.1. Text of the provision
"Article 13. Persons to whom the information may be supplied. The information that meets the conditions set out in this Act may be provided to the following persons:
a) Holders, their heirs or their legal representatives.
b) Public or administrative entities in the exercise of their legal functions or by court order.
c) Third parties authorized by the Holder or by law."
2.15.2. Citizen interventions and concept of Public Prosecutions
In this regard, no interventions were presented. On the other hand, the prosecution did not address the constitutionality of the provision.
2.15.3. Constitutionality of Article 13
The rule states that the information may be provided to the following persons: (i) holders, their heirs or their legal representatives, (ii) public or administrative entities in the exercise of their legal functions or by court order and (iii) third parties authorized by the Holder or by law.
As for the first case, this possibility, in the opinion of the Court, is constitutional, since Article 15 CP gives the subjects concerned the right to know what information about them has been incorporated into an automated information system, and among them are their representatives and those who succeed them by reason of death.

As to the second scenario allowed by the legislature, that is, the delivery of information to public entities and under a court order, the same observations made when studying Article 10 on the cases excepted from authorization apply. Therefore, ordinal b) should be understood to mean that the receiving administrative entity must fulfill the obligations of protection and guarantee arising from that fundamental right, especially the application of the principles of purpose, usefulness and restricted circulation. Therefore, there must be demonstrated (i) the qualified character of the link between the release of data and the fulfilment of the functions of the entity of the executive branch; and (ii) the assignment to such entities of the duties and obligations that the statutory regulations impose on users of information.
Finally, as to ordinal c), establishing the possibility of delivery of information to "third parties authorized by the owner or by law", the Court also reiterates what is stated in Judgment C-1011, 2008. For the Court, such authorizations could "be misleading, on the understanding that would establish a generic clause, based on which a subsequent law would allow disclosure of personal information to others, regardless of the guarantees the fundamental right to habeas data and enforcement of the principles of management of personal data. In this regard, the unconditional extension of the possibilities of disclosure would contradict the principle of restricted circulation, understood by the statutory legislator as imposing restrictions on disclosure of data due to their nature, the purpose of the database and the validity of these principles."
Consequently, this prerogative given to the legislator should be understood as subject to the validity of the prerogatives derived from the right to habeas data and, in particular, to the principles of management of personal data.
2.16. TITLE V. REVIEW PROCEDURES. ARTICLES 14, 15 AND 16: QUERIES, COMPLAINTS AND PROCEDURAL REQUIREMENT.
2.16.1. Text of the provisions
"TITLE V

PROCEDURES
Article 14. Consultations. Holders or beneficiaries may consult the personal information of the Holder that rests in any database, whether it is public or private sector. The controller or processor shall provide them with all the information contained in the individual record or linked to the identification of the Holder.
The query shall be made by the means enabled by the controller or processor, provided that proof of it can be kept.
The consultation will be attended within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within that term, the person concerned will be informed, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case may exceed five (5) working days following the expiration of the first term.
Paragraph. The provisions of special laws or regulations issued by the National Government may establish lower terms, given the nature of the personal data.
Article 15. Claims. The holder or his successors who consider that the information contained in a database should be subject to correction, updating or deletion, or who notice the alleged breach of any of the duties under this Act, may file a complaint with the controller or the processor, which will be processed under the following rules:
1. The claim shall be made in writing to the controller or the processor, identifying the Holder, describing the facts giving rise to the claim, giving the address, and accompanying the documents to be relied on. If the claim is incomplete, the interested party will be required, within five (5) days following receipt of the claim, to remedy the failures. If two (2) months pass from the date of the request without the applicant submitting the required information, the claim shall be deemed to have been waived.
If the recipient of the claim is not competent to resolve it, he will transfer it to the appropriate party within a maximum term of two (2) working days and report the situation to the person concerned.
2. Upon receipt of the completed claim, a legend that says "claim in process" and the reason for it shall be included in the database within a term not exceeding two (2) business days. The legend should be maintained until the claim is decided.
3. The maximum term to address the claim will be fifteen (15) working days from the day following the date of its receipt. If it is not possible to address the claim within that term, the person concerned will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Article 16. Procedural requirement. The holder or beneficiary may only raise a complaint before the Superintendency of Industry and Commerce once the process of inquiry or complaint with the controller or processor has been exhausted."
2.16.2. Citizen interventions and concept of the Public Ministry
2.16.2.1. The Legal Secretariat of the Presidency states, with regard to Articles 14 and 15, that it is necessary and appropriate to fix terms and procedures to deal with inquiries and complaints submitted by holders of information, an issue that was addressed by the Constitutional Court when it analyzed the constitutionality of the bill that led to Law 1266 of 2008. As to Article 16, it states that the Superintendent must act on its own initiative or at the request of a party to require the controller or processor to comply with the legislation on data protection and to take appropriate administrative measures.
Therefore, it is useful to establish a procedure to expedite the resolution of the inquiry or claim filed by the owner or beneficiary with whoever has the duty to collect, store, use, circulate or delete his personal data, without thereby relieving the supervisory authority of acting through the legal mechanisms granted to it to ensure respect for the rights of the holder.
2.16.2.2. The Ombudsman requests the conditional constitutionality of Article 15 because it must incorporate other guarantees, such as the suppression of information or the dissociation of data when the data has served the purpose of the treatment or in the case of sensitive data that require the identity of the holder to be kept in reserve. Consequently, under Article 93 of the Charter in accordance with paragraph 2 of Article 15, the absence of express enunciation of other guarantees proper to the fundamental right to data protection cannot be understood as their negation. Therefore, the Ombudsman asked the Constitutional Court to make a broad interpretation of the rights whose claims are processed under Article 15, so that it is understood that the guarantees stemming from the right to the protection of data include, in addition to rectification and updating, the deletion and dissociation of information.
2.16.2.3. The Public Ministry remained silent.
2.16.3. The consultation to the agents involved in the processing of data is necessary to make effective the right to habeas data
Article 14 of the bill regulates the mechanism of consultation by indicating: (i) that the holders or their representatives can consult the personal information of the holder that rests in any public or private database; (ii) that controllers and processors must provide the holder with all the information contained in the database, whether in a single record or associated in some way with his identification; (iii) that the controller and the processor must have some means enabled through which the consultation can be made, which must allow proof to be kept; (iv) that the consultation must be resolved within a maximum of 10 working days from the date of receipt of the application; and (v) that, in the event of not being able to answer in that term, the owner must be informed of the reasons. In any case the answer must be received within 5 days after the expiration of the first term.
For its part, the paragraph states that special laws or regulations issued by the Government may establish lower terms, considering the nature of the data.
The Chamber finds that this article bears some similarity to Article 16, section I of Law 1266 of 2008, found consistent with the Constitution in Case C-1011, 2008.

This provision is a typical regulation of the right of petition enshrined in both the first and second paragraphs of Article 23 of the Constitution. The first states that everyone has the right to present petitions to the authorities for reasons of general or particular interest, which in the case under study translates into the right of holders of habeas data or their successors to present, to the databases handled by public authorities, requests to establish what information or data these hold about them.
The second paragraph of Article 23 states that the legislature may regulate its exercise before private organizations in order to guarantee fundamental rights. It is this regulation that Article 14 makes, stipulating that controllers and/or processors of data, in this case private ones, must address the queries raised before them by holders of the right to habeas data in the precise terms set, as a way of ensuring the exercise of the right enshrined in paragraph a) of Article 8 of the draft under review, specifically the right to know.
In this vein, the right of petition which is regulated in the standard under analysis becomes an instrument with which the owner of the data has to enforceable or workable the autonomous right of habeas data. That is why the constitutional jurisprudence has defined the right to petition as an instrumental right through which the citizen approaches to management or those deprived that because of the activities performed hold a privileged position over other individuals, which obliges the State to regulate mechanisms that allow the latter to have a tool that requires them to respond to the concerns and disagreements that may arise by reason of the activity they deploy, seeking to achieve the satisfaction of other fundamental rights.
In that regard, the statutory legislator, in regulating generally the protection of personal data, was entitled to set the terms within which controllers and processors of information, public and private, must answer the queries or requests raised by the holder of the data or his assignees, in order to make enforceable, among others, the right to know what personal data a given database holds and how they are handled. Consistent with this, Articles 17, literal k), and 18, literal f), of the draft established as one of the duties of the controller and the processor of data the adoption of an internal manual of policies and procedures, especially for the attention of inquiries and complaints from the holders. Also, as a way to give the owner a better knowledge of the databases that operate in the country and that may be processing his information, the project creates the National Register of databanks, Article 25, which will be analyzed later.
Accordingly, the revised provision is adjusted to the Constitution. However, the Chamber must note that constitutional jurisprudence [272] has outlined some features that the answer must have for the right of petition to be understood as satisfied. In that order, both controllers and processors are obliged to observe these parameters, which in general can be summarized as follows: (i) the answer must be substantive, i.e., it cannot evade the object of the request; (ii) it must be a complete and clear answer to the questions raised by the applicant; (iii) it must be timely, which requires respecting the terms set out in the norm in question.
Regarding the paragraph, it is sufficient to note that, according to the nature of the data, the legislature foresees that sectoral regulations may be issued setting shorter periods for controllers and processors to respond to the requests presented by the owner of the data, a reduction of terms that in no way affects the constitutional order, since what the law under review sets is the maximum term that any of the agents in the treatment of the data may take to respond to holders or their assignees.
Regarding the possibility that the National Government may issue regulations according to the nature of the personal data in which the terms to respond are reduced, it is necessary to refer to the analysis that the Chamber will make of Article 27 of the draft, related to the special provisions, in which it is concluded that in relation to the processing of data by type or specialty there exists a legal reserve, which prevents the National Government from making regulations outside its constitutional regulatory power.
2.16.4. The claim: another mechanism to make effective, inter alia, rectification, updating, correction, opposition and suppression
Article 15 regulates the claims that the owner of the data or his assignees can make to the controller or processor in order to correct, update or delete the information contained in the database, or whenever they consider that any of the duties outlined in Articles 17 and 18 of the draft under analysis has been breached.
It also sets the rules to be observed for this purpose, which can be summarized as follows: (i) a request that, although it is not stated, appears to have to be written, since it must contain the identification and address of the applicant, the description of the facts giving rise to the claim, and the documentary evidence to be relied on; (ii) if the application is not complete, the applicant must be required, within five days of receipt of the request, to remedy the shortcomings. If the requirement is not met within two months, the claim is understood to have been withdrawn.
In the event of lack of competence of the person receiving the request, he must send it to the competent party within a maximum of two days.
As for the procedure, it is stipulated that: (i) once the claim is received, the term "claim pending" and the reason for it must be included in the record held, a note that must be maintained until the claim is resolved; (ii) a maximum period of fifteen working days from the day following the date of application is set to address the claim, extendable by up to eight when it is not possible to address the request within the initial period, after giving the person concerned reasoned notice of that fact.
This article regulates a procedure similar to that provided for in Article 16, II, paragraphs 1, 2 and 3 of Law 1266 of 2008, found enforceable by the Court in Case C-1011, 2008.
On this complaints mechanism before controllers and processors of data, it can be noted that the terms given for answering the requests are the same as those devoted to the right of petition in the Administrative Code, which is why the comments made above on the instrumental nature of the right of petition can be extrapolated to it, in order to enable the holder to exercise the powers derived from habeas data.
In that vein, unlike the intervention of the Ombudsman, the Chamber considers that the complaint mechanism will allow the owner of the data or his successors to ask the controller or processor for compliance with all the principles governing data management and with the rights of the owner of the data, which is why it does not consider it necessary to condition the provision under review in the sense requested by that entity, because although the standard refers only to updating, correction or deletion, this does not mean that other dimensions of this right cannot be claimed where appropriate.
Therefore, no constitutional problem is seen in this precept, which is why it is declared enforceable, as this mechanism is considered expedient for addressing the holder's requests and giving a timely response.
2.16.5 Constitutionality of procedural requirement of Article 16
This provision states that a complaint can only be raised with the Superintendent of Industry and Commerce, as the data protection authority, once the process of consultation or claim before the controller has been exhausted.

The provisions of this Article do not conflict with the Constitution; on the contrary, they allow the owner of the data to exhaust the corresponding instances in a logical way, since it makes no sense to go to the data protection body to activate its powers of surveillance, control and sanction, to name just a few, in relation to the controller or processor when the latter does not even know the claims of the holder and has not had the opportunity to decide whether or not the holder is right, because the holder has not exercised the mechanisms for consultation and claim that every controller and processor must implement, according to Articles 17 and 18, literals k) and f), respectively.
In addition, because most duties that the legislator set to each of these subjects is based on the fact that the owner of the data appear before them for the effective protection of their rights. In that vein, it is proportionate and reasonable except that makes the norm in the study, since (i) no fixed terms or unreasonable deadlines for treatment agents answer inquiries and complaints, (ii) is regulated in detail the procedure, which guarantees the holder of the fact that to get the answer to a query or a complaint, the required subject will not put obstacles that hinder the exercise of their right, and in the event that this happens, because it will be enough to go before the data protection authority.
The above is without prejudice to resorting to the tutela as a judicial mechanism to protect the fundamental right to habeas data.
In view of the foregoing, Article 16 under review will be declared constitutional.
2.17. CONSIDERATION OF ARTICLES 17 AND 18: DUTIES OF CONTROLLERS AND PROCESSORS OF PERSONAL DATA.
2.17.1. Text of the provisions
"Article 17. Duties of controllers. Data controllers must meet the following duties without prejudice to the other provisions of this Act and other governing their activity:
a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.
b) Request and preserve, as provided in this Act, a copy of the authorization granted by the Holder.
c) Duly inform the Holder about the purpose of the collection and the rights he has by virtue of the authorization granted.
d) Retain the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
e) Ensure that the information supplied to the processor is truthful, complete, accurate, current, verifiable and understandable.
f) Update the information, communicating in a timely way to the processor all developments regarding the data previously supplied to it, and take the other measures necessary for the information supplied to it to be kept current.
g) Rectify the information when it is incorrect and communicate this to the processor.
h) Provide the processor, as appropriate, only with data whose treatment is previously authorized in accordance with the provisions of this law.
i) Require the processor, at all times, to respect the security and privacy of the Holder's information.
j) Process inquiries and complaints made under the terms stated in this law.
k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, especially, for answering inquiries and complaints.
l) Inform the processor when certain information is under discussion by the Holder, once the complaint has been filed and the respective procedure has not yet been completed.
m) Inform, at the request of the Holder, about the use given to his data.
n) Inform the data protection authority when violations of security codes occur and there are risks in the management of the Holders' information.
o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Article 18. Duties of processors. Processors must meet the following duties, without prejudice to the other provisions of this Act and others governing their activity:
a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.
b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
c) Conduct the timely updating, correction or deletion of data in the terms of this law.
d) Update the information reported by the data controllers within five (5) working days from receipt.
e) Process inquiries and complaints made by the Holders under the terms stated in this law.
f) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, especially, for answering inquiries and complaints from the Holders.
g) Record in the database the legend "pending claims" in the way regulated by this law.
h) Insert in the database the legend "information on legal discussion" once notified by the competent authority of judicial proceedings related to the quality of the personal data.
i) Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
j) Provide access to information only to people who can access it.
k) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the Holders' information.
l) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Paragraph. In the event that the qualities of data controller and data processor concur in the same person, that person will be required to fulfill the duties provided for each."
2.17.2. Citizen interventions and concept of the Public Ministry
2.17.2.1. The Ombudsman, regarding Article 17 of the draft, states that no specific obligation was included on the processor to require from the controller certification of the authorization of the owner. In accordance with constitutional jurisprudence the processor has, in addition to the duties set out in the draft law, the duty to require from the controller the copy or evidence of the express and informed authorization for the data processed. Finally, it warns that it is of utmost importance to determine the duties in either case, in order to delimit the sphere of responsibility of each of them with respect to the holders, which should be established depending on the degree of control over the data and the relationship between each of them and the holder.
2.17.2.2. ASOBANCARIA requested the conditional constitutionality of literal n) of Article 17 and literal k) of Article 18, because they may disregard Article 33 of the Constitution. Thus, if processors and controllers are forced to testify against themselves or their family, a fundamental guarantee is disregarded.
2.17.2.3. Universidad de los Andes requested the conditional constitutionality of literals a), b), d), m) and o) of Article 17 on the understanding that, under Article 15 of the Constitution, the obligations embodied in those literals must also be complied with by users of personal data. It specifies that, for the treatment to be consistent with the minimum requirements of the Constitution, it is necessary for users to meet a series of obligations so that their action or omission does not compromise, violate, injure or put at risk the rights and freedoms of the holders of personal data. For this reason, it is necessary for the Court to specify that users must fulfill the obligations of literals a), b), d), m) and o) of Article 17 of the draft.
It adds that such clarification must be made on the basis of equality, since Article 9 of Law 1266 of 2008 imposed duties on users as subjects of the processing of personal data, content that was declared constitutional by the Court. In this vein, if it is not understood that the Bill also involves users, a situation of inequality in violation of Article 13 of the Constitution would be created between users of commercial and financial personal data governed by Law 1266 of 2008 and users of other types of personal data governed by the new law. This discrimination is not constitutionally justifiable, nor is there in the background of the project any certain or valid reason to explain the silence of the legislature regarding the duties of users.

2.17.2.4. The Legal Secretariat of the Presidency states, with respect to Article 17, that no specific obligation is included on the processor to demand from the controller certification of the authorization of the owner. However, it is appropriate to interpret, in accordance with constitutional jurisprudence, that the processor has, in addition to the duties set out in the draft law, the duty to require from the controller the copy or evidence of the express and informed consent of the owner of the data processed.
It considers that, under the principle of freedom established in paragraph c) of Article 4, both the controller and the processor must ensure that the information of holders that is processed is obtained, managed, stored and circulated with the express consent of the owner, which is why it is the duty of the processor to require from the controller the copy or evidence of prior authorization, and of the controller to supply it, as a means to strengthen and effectively guarantee the rights of the holders.
Finally, it warns that it is of the greatest importance to determine the duties in either case, in order to delimit the sphere of responsibility of each of them with regard to holders, which must be established according to the degree of control over the data and the relationship between each of them and the holder.
2.17.2.5. Citizen Juanita Durán Velez requests the unconstitutionality of Article 17, stating that Articles 17 and 18 provide for differentiated liability regimes for each of the agents, which requires owners of data, in many cases, to use the mediation of the controller to exercise their rights against the processor. She says that a context of blurred responsibility, such as that produced by the scheme of the Draft Statutory Law, prevents the exercise of "the powers of knowledge, update and correction of personal information contained in databases" that are structural components of the right to habeas data.
2.17.2.6. The Public Prosecutor has not ruled on these precepts.
2.17.3. Constitutionality of Articles 17 and 18
In Title VI, "DUTIES OF CONTROLLERS AND PROCESSORS," the legislator listed in separate precepts the duties of controllers and of processors. The duties listed, in general, seek to ensure the full exercise of the right to habeas data of the holders, as do the principles of managing personal data analyzed in another chapter of this decision. These duties refer, depending on the subject concerned, to the following:
In connection with the controller, i.e., the one that defines the purposes and essential means for the treatment of data, including those who serve as source and user, duties are established that respond to the principles of data management and to the rights (privacy and habeas data) of the holder of the personal data.
It specifically states that the following are duties of this party to the relationship:
(i) Request and retain authorization for the treatment of data -under previously described, which fully complies with the principle of freedom and consent express the owner of the data.
(Ii) Inform the holder the purpose of the authorization and act accordingly; therefore responsible can not be conducted outside the guidelines of the authorization, which means that, for example, can not supply the processor more data than were subject to authorization or may subject them to treatment purposes different from those reported. In this vein, the duties set out in subparagraphs a), b) and h) are developing the principle of finality.
(Iii) Adopt measures to ensure the security of data, in order to not lose, do not commit adultery, do not use or access outside the authorization, which is developed in paragraph d) in accordance with the principle of safe transfer of data. Therefore responsible is obliged to demand and monitor security conditions that are using the treatment -literal manager), as promptly report to the authority responsible for the protection of data on violations of safety codes and the existence of risk management information banner headlines literal n); It is these duties, without doubt, also development of the principle of legal certainty.

(iv) Update the data, which requires it to promptly inform the processor of the update (literal f)), a duty corresponding to the principle of truthfulness and quality and to the right of the data holder to have all information about him or her in public or private databases updated.
(v) Rectify the data and inform the processor of it in a timely manner (literal g)), for purposes of updating.
(vi) Process inquiries and complaints, which obliges it to notify the processor of these events so that the processor includes the information in the database, with annotations that make it easy to identify the status of the information, that is, so that it is always up to date (literals j) and l)); and, likewise, adopt clear regulations so that the owner of the data can enforce the rights to consult and to claim (literal k)).
(vii) Report to the holder, when required, on the use of the data (literal m)), under the principles of purpose and freedom.
(viii) Comply with all instructions and requirements of the Superintendency of Industry and Commerce.
For its part, Article 18 states that data processors, like controllers, are obliged to guarantee the holder's right to habeas data. Consequently, they have the following duties: (i) to update, modify and delete data when applicable and within the times indicated for that purpose, literals c) and d). As a way of fulfilling these duties, they are also required (ii) to include in the information they provide legends such as "information in legal dispute", when the judicial authority so notifies, or "claim pending", as stated in Article 15, paragraph 2 of the draft under review, literals g) and h); (iii) not to circulate information that has been blocked by order of the supervisory authority while the final decision is taken; (iv) to process claims and queries. For this purpose, they must adopt a manual that not only allows proper enforcement of the law but also allows complaints and inquiries to be answered effectively and efficiently, in the terms stated in Title IV of the law; (v) like controllers, to report any violation of security codes and of information management; and (vi) to comply with the instructions and requirements of the authority that supervises and controls personal information.
These duties, borne by the controller and the data processor, make it possible to secure, prima facie, the scope of protection of the right to habeas data because, as this Corporation said in judgment C-1011 of 2008, all "management principles of personal data identified by the constitutional jurisprudence, are binding on all subjects involved in the process of collection, processing and circulation of data" (bold and underlined added), and, it is now added, regardless of the position they occupy in the processing of data.
Consequently, as noted in the section on definitions, a processor may end up becoming a controller by defining the purpose and the essential elements of the means, in which case its duties will be not only those the project assigns to its initial condition but also those of the condition it comes to hold. In that sense, the paragraph of Article 18 conforms to the constitutional text when it expressly provides that, where the qualities of controller and processor concur in the same person, that person will be required to fulfill the duties provided for each. The same applies when that quality shifts because of the processing that one of them comes to give the personal data.
It is also necessary to insist that, despite the difficulties caused by the use of terminology different from that used by Law 1266 of 2008, both the controller and the processor have clear, concrete and precise responsibilities toward the holder of the data, because both subjects, under the terms of the precepts under analysis, are required to ensure the full and effective exercise of the right to habeas data, which radiates through all the principles governing the processing of data, and under which the holder has all the means to achieve the update, correction and deletion or cancellation of the information, as discussed in the previous section.

In that vein, it is necessary to reiterate, as the Court did in Case C-1011 of 2008, that both the controller and the processor have concurrent responsibility for the accuracy, completeness, purpose and incorporation of data, taking into account that the collection and processing of data is not a neutral activity that would excuse the processor from answering, even for the accuracy of the information being processed, because it is for the processor to ensure that the requirements for personal data to be processed are met.
Consequently, the Chamber notes that if the position of each cannot be clearly identified, they will be jointly and severally liable and cannot be excused from their duties of updating, rectification and exclusion or deletion of data.
In that regard, it should be understood that when literal a) of Articles 17 and 18 imposes on both the controller and the processor the duty to guarantee the holder, at all times, the full and effective exercise of the right to habeas data, this includes ensuring that the principles for data management and the rights of holders are met.
For example, while it is true that Article 17 indicates that the controller is the one who must request and retain the authorization recording the express consent of the owner to the processing of data, and clearly inform the owner of its purpose, it is equally true that, in compliance with the principles of freedom and purpose, the data processor, on receiving the delegation to process the data in the terms determined by the controller, must ensure that the authorization for processing exists and that processing will be performed for the purposes informed to and accepted by the owner of the data. This means that, because of the position each of these subjects occupies in the stages of the data processing, it is the controller who must obtain and retain the authorization of the owner, which does not prevent the processor from asking its principal to show the corresponding authorization and from verifying that the purpose reported to and accepted by the owner of the data is fulfilled.
Consequently, although Article 18 does not list this duty for the processor, it is understood that under literal a), which encompasses all the powers that derive from the right to habeas data, the processor must also verify the existence of the authorization to process the data and ensure its purpose, because, in order to carry out the object of its activity, it must make sure that the holder gave consent for that purpose. This does not mean that the processor should be the one who seeks authorization. Its duty in this respect is to verify the authorization's existence and scope.
This means that it falls to the data protection authority, as well as to the judicial authorities within their field of competence, to ensure for the holder of the data or his or her assignees the protection required for the exercise of the right to habeas data, which cannot be subject to limitations based on exclusions of liability that each person involved in the processing of data might argue, on the basis of the law, with respect to their duties. It is true that the statutory legislature made an effort to describe the duties incumbent on each of those involved in the processing of data, but this does not mean that the right holder cannot demand others that may be needed for the full guarantee of that right, in accordance with the principles governing the management of data. In other words, the duties set out in the Articles under study, from the standpoint of the holder of the right to habeas data, are not exhaustive but declarative, meaning that controllers and processors have other duties arising from the right to habeas data, which correspond to the prerogatives the right grants, as obligated parties under this constitutional guarantee.
However, from the standpoint of sanctions and under the principle of legality, the list of duties set forth in these articles does operate as an exhaustive list, i.e., processors and controllers cannot be sanctioned for failing to comply with duties that are not in the provisions under consideration, at least with regard to the administrative penalties under the same bill.
For the foregoing, the Court declared the constitutionality of Articles 17 and 18 of the bill.
2.18. REVIEW OF ARTICLE 19: DATA PROTECTION AUTHORITY.
2.18.1. Text of the provision
"TITLE VII
MONITORING MECHANISMS AND PUNISHMENT
Chapter 1
Of the Data Protection Authority
Article 19. Data Protection Authority. The Superintendency of Industry and Commerce, through a Delegatura for the Protection of Personal Data, shall exercise oversight to ensure that the principles, rights, guarantees and procedures provided for in this law are respected in the processing of personal data.
Paragraph 1. The national government, within six (6) months from the date of entry into force of this law, will incorporate within the structure of the Superintendency of Industry and Commerce an office of Deputy Superintendent to exercise the functions of Data Protection Authority.
Paragraph 2. Monitoring of the processing of personal data regulated by Law 1266 of 2008 shall be subject to the provisions of that statute."
2.18.2. Citizen interventions and concept of the Public Ministry
2.18.2.1. The Legal Secretary of the Presidency states that Article 19 has 3 points that should be considered separately for the study of constitutionality, as follows:
First, the Superintendency of Industry and Commerce as the highest monitoring and control authority for the processing and protection of personal data. On this, it referred to Case C-1011 of 2008, in which the Court made a detailed study of the subject and described the conditions of autonomy and independence of the superintendency, and the importance of assigning to that entity the power to regulate and sanction the administration and management of data.
It further states that the fact that this superintendency is autonomous, even though it depends on the executive power, develops the principle of specialty, since functions are vested in this technical body that ensure greater effectiveness in the task of control, regulation and supervision over financial, credit, commercial and services data.
It concludes on this first point that, by law, supervisory bodies are independent and autonomous in their supervisory role; that the powers conferred by the statutory law on these technical entities fall within administrative police functions; and that all guidelines given to the Superintendencies of Industry and Commerce and of Finance are consistent with the Constitution and are framed within the aims of a social state of law.
Second, it examines the creation of the Delegatura for Data Protection and its incorporation into the structure of the Superintendency of Industry and Commerce. It said that the project establishes a period of 6 months for the incorporation of this office into the SIC, which is based on the constitutional role attributed to Congress in Article 150 of the Constitution.
Third, on the referral to Law 1266 of 2008, it points out that this referral is linked to the provisions of Article 33 of the same bill, which provides for the repeal of all legislation contrary to it, save for the exceptions in Article 2, among which is the 2008 law. This, it said, has support in paragraph 7 of Article 150 of the Constitution, because in this case the legislator's aim was to keep control of personal data of commercial, financial and credit content in the hands of the Financial Superintendency, and of the Superintendency of Industry and Commerce when the regulated agent is not part of the financial sector.
Finally, it states that the decision to centralize administrative responsibilities in the SIC is not only grounded in the Constitution but is also highly desirable in order to have minimal control over individuals and companies that process personal data.
2.18.2.2. The Ombudsman requests that the conditional constitutionality of this article be declared, considering that Case C-1011 of 2008 noted that the superintendencies, as data protection authorities, must act independently and autonomously, especially since the 2nd paragraph keeps dual control for data protection.
2.18.2.3. The Public Ministry remained silent.
2.18.3. Constitutionality of Article 19
2.18.3.1. Article 19 regulates the data protection authority and designates as such the Superintendency of Industry and Commerce, through a Delegatura for the protection of personal data, which involves creating, within the structure of the superintendency, an office of Deputy Superintendent to exercise the functions of the Data Protection Authority.

The guiding principles for the regulation of computerized personal data files, adopted by UN General Assembly Resolution 45/95 of 14 December 1990, which set out the minimum principles to be provided for in national law, include that of control and sanctions. For this purpose, it is noted that each State should establish in its domestic legislation an authority with technical competence that is independent and impartial with respect to the individuals and agencies responsible for data processing or its application. Similarly, the legislation should provide for criminal and other sanctions when the principles governing the processing of data are breached.
In Europe, Convention 108 did not provide for anything similar; however, the free movement of data, among other things in matters of justice, as a product of the Schengen Convention, imposed the need for governmental or independent data protection agencies with sanctioning capacity [273]. That fact, and the increasing need for data protection, led Directive 95/46/EC to note expressly the importance of an independent entity for the effective guarantee of personal data, by stipulating in Article 28 that "one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by them ... These authorities shall exercise the functions that are attributed with complete independence." In the same vein, the European Charter of Fundamental Rights stipulates in Article 8.3 that "respect for the fundamental right to protection of personal data is subject to control by an independent authority", and the failed European Constitution enshrined a similar requirement in Article 1.5. 1.3., noting that "compliance with these rules be subject to the control of independent authorities" [274].
In this context there is a European Data Protection Supervisor, an independent supervisory authority whose main objective is to ensure that European institutions and bodies respect the right to privacy and the protection of personal data and develop new policies in the scope of protection [275].
At the level of European countries, it is observed that almost all meet the standard of the independent authority. Spain, for example, regulated the regional Data Protection agencies as independent bodies, established as public law entities with legal personality and full public and private capacity, operating in the autonomous regions, and a central body called the Spanish Data Protection Agency.
This agency acts independently of the government in the exercise of its functions, among which are: (i) to ensure compliance with data protection legislation, particularly as regards access to, rectification of, opposition to and cancellation of data; (ii) to consider complaints and petitions of those affected; (iii) to exercise the power to punish; (iv) to order the cessation of processing and the deletion of data; (v) to authorize international transfers of data; (vi) to make policy recommendations on the security and control of databases.
In Portugal there is a Data Protection Council that has functions similar to those of the Spanish Agency [276].
In Latin America, there exists in Argentina the National Data Protection [277], created in 2002 as a watchdog of records, files, databases or data banks, whose main function is to ensure compliance with the rights enshrined in Law 25,326. It also has corrective and punitive functions. It is attached to the Ministry of Justice and Human Rights of the Nation, which must have a technical background and decentralized sanctioning body functions.
In Uruguay, Law No. 18,331 created the Agency for the Development of Electronic Government and the Knowledge Society (AGESIC), a body that depends on the Presidency of the Republic, with technical autonomy. As a deconcentrated body of this agency, the Regulatory and Control Unit for Personal Data was created, led by a three-member Council: the Executive Director of AGESIC and two members appointed by the Executive Branch from among individuals whose personal and professional background and knowledge in the field ensure independent judgment, efficiency, objectivity and impartiality in the performance of their duties.

In that sense, it is clear that the protection of personal data requires not only regulation that enshrines the principles governing the processing of data, the rights of the owner, and the duties and responsibilities of the persons involved in the processing, whatever name they are given, but also an express system of sanctions as well as an institutional framework that allows for control and for the effective guarantee of the right to habeas data.
The above statement is accurate, because it must be understood that this right, as an autonomous fundamental right, requires for its effective protection mechanisms that guarantee it, which should depend not only on judges but also on an administrative institution with control and monitoring functions over subjects of both public and private law, to ensure the effective enforcement of data protection and which, because of its technical nature, has the ability to set public policy on the matter, without political interference in compliance with those decisions.
Some scholars, following Ferrajoli, have said that the concept of guarantee requires the legislator to provide instruments "adequate to ensure the satisfaction of the expectations generated by the rights", because without them rights are simple statements with no coercive force [278]. That guarantee, in the view of the Chamber, requires for certain rights such as habeas data a network of mechanisms, institutions and actions that allow their real satisfaction.
Precisely within this idea of institutional guarantee of the right to habeas data, and based on international standards, autonomous and independent institutions have been created for the protection of personal data, entities that only if centralized can set key policy on the protection of the right to habeas data and have enough coercive power to ensure its effective protection, without interference by authorities or persons that may limit their proper functioning [279], especially against private actors that today have a high capacity for handling personal data. Obviously, in the public sphere, the automation of data has become essential for the fulfillment of the functions assigned to the State, for example in areas such as health and finance, to name just a few, which requires that the citizen have clear mechanisms of protection against the public and private entities that process their data.
In this regard, in 2001, as part of the 23rd International Conference of Data Protection Commissioners held in Paris, the characteristics that these authorities must display to be accredited to the conference were agreed, taking into account the important role they play in the protection of personal data. These characteristics can be summarized as follows [280]: (i) a public body created by law; (ii) a legal basis that ensures its independence and commitment to the effective protection of this right. For this purpose, it is said that this body should be of the type of public agencies within the State that protect rights. (iii) In relation to autonomy and independence, it notes that they must allow adequate performance of the function.
The guidelines presented allow the Chamber to proceed to the examination of the constitutionality of Article 19, clarifying that these standards are not mandatory for the Colombian state but are a valuable source for the constitutional court when making a decision, since the aim of the project under study, besides achieving protection of personal data in the terms required by the Constitution, is precisely to ensure that the country meets international standards in this area so as to obtain the certifications needed to enter the market as a territory with adequate levels of protection of personal data.
In that sense, the European guidelines cited above are, in the view of the Chamber, not only an excellent tool to achieve more effective protection of the fundamental right to habeas data, a purpose the Constituent clearly set out in Article 15, but also a guide that the Government must follow to meet the challenges of a globalized market in which the individual increasingly loses space for freedom and self-determination.
2.18.3.2. This Corporation, in Case C-1011 of 2008, analyzed the constitutionality of having the Superintendencies of Finance and of Industry and Commerce serve as data protection authorities with regard to financial, commercial or credit information for the purpose of risk control.

At that time, it was argued that, although the superintendencies are within the executive branch of government and under the President of the Republic, their independent and autonomous character cannot be ignored, because they are technical bodies with administrative autonomy and are bound, in the exercise of their powers, to observe the principles that, under the terms of Article 209 of the Constitution, govern the administrative function. It was expressly stated:
"Although, in accordance with Article 115 CP, the Superintendencies make up part of the Executive Branch and therefore depend on the President of the Republic as supreme administrative authority, this does not alter their nature as technical agencies with administrative autonomy. In this regard, it should be noted that, in accordance with the rules establishing the legal nature of the Superintendencies of Industry and Commerce and of Finance, [281] both are technical agencies that have administrative autonomy. In addition, these entities are required to comply strictly with the principles that guide the administrative function, that is, equality, morality, efficiency, economy, speed, impartiality and publicity, set by Article 209 of the Constitution. In this regard, the entities in question are impartial bodies, invested with a sufficient degree of independence to set objective criteria for operators of information of credit, commercial, financial and services content and from third countries to verify whether the legislation of the destination data bank provides sufficient guarantees for the protection of the rights of the holder."
It also argued that, given the nature of the economic agents regulated by these entities, each exercises control over them depending on their activity. In that sense, it was indicated that, based on Articles 333 and following of the Constitution, the State is obliged to intervene in the economy and to exert, through its technical entities (the superintendencies), control and regulation of the various economic actors, acting for that purpose as an administrative police with technical knowledge of the sector, a fact that "justifies the allocation of power to control and sanction, in terms of administration and management of data, to the Financial Superintendency and the Superintendency of Industry and Commerce, in relation to the agents under their control and surveillance".
To conclude:
"However, it should be noted that the exercise of each of these functions necessarily implies that the Superintendencies of Industry and Commerce and of Finance act autonomously and independently, for the purposes of ensuring the effectiveness of the fundamental rights of the holder of the financial and credit information that are affected in the processes of managing personal data ... the organic membership of the superintendencies in the executive branch is not incompatible with attributing to those entities a margin of autonomy sufficient to allow adequate protection of the fundamental rights of the holder. This conclusion is based on two separate considerations. The first is related to the duty of the superintendencies to exercise the administrative function based on the principles of equality, morality, efficiency, economy, speed, impartiality and publicity (Art. 209 CP), all conditions that call for the existence of bodies of oversight, monitoring and sanction that carry out their functions under the premise of protecting the general interest and observing constitutional rights (Art. 2 CP). The second has to do with the fact that the Colombian legal system has given the Superintendencies of Industry and Commerce and of Finance an eminently technical character and administrative, financial and budgetary autonomy, [282] conditions that concur in guaranteeing the impartiality and independence necessary for adequate protection of the fundamental rights of the holder of personal data" [283]
It was thus accepted that the data protection authority should be autonomous and independent, which is why the rule under review was conditioned on those authorities acting in this way. On this point it was said: "... the concurrence of conditions of autonomy and independence of the Superintendencies of Industry and Commerce and of Finance is essential for the proper protection of the constitutional prerogatives attributable to the subject concerned, especially the fundamental right to habeas data. Accordingly, the Court considers it necessary to condition the constitutionality of Article 17 of the Draft Constitutional Law on the understanding that the Superintendencies, in any case, should act with independence and autonomy in their monitoring role." [284]
Finally, the Chamber said that these new powers of the superintendencies did not involve displacing powers that have been constitutionally or legally assigned to other organs within the Colombian State, such as the Ombudsman, especially for the promotion of human rights.
2.18.3.3. The considerations raised by the Corporation at that time are valid for the bill under review because what is sought on this occasion, all the more so because it is the regulation of the general minimum standards of personal data protection, is that the authority responsible for the protection function be independent and autonomous with respect to those who process these data, in addition to having a technical, specialized and sanctioning nature. This is already guaranteed with the creation of a Delegatura for the protection of personal data within the Superintendency of Industry and Commerce, along with the reassurance that, despite being part of the executive, the law has granted the superintendency characteristics of autonomy and independence that ensure compliance with the international standards explained above on the authority responsible for data protection.
However, as the Court ordered in that judgment, and to ensure that autonomy and independence are not dissipated in any of the actions of the Delegatura, the constitutionality of the first paragraph of Article 19 is conditioned on that authority always acting in accordance with those characteristics. Similarly, the National Government, when regulating this office, must ensure that it is made up of people with technical knowledge who belong to the entity's administrative career.
2.18.3.4. As for Paragraph 1, this Chamber finds that giving the executive the function of creating the Delegatura for data protection within the structure of the Superintendency falls within the provisions of paragraph 16 of Article 189 of the Constitution: "by the President of the Republic (...): Modify the structure of ministries, administrative departments and other national administrative entities or agencies, subject to the general principles and rules defined by the law". It is therefore declared enforceable, as no defect of constitutionality is observed; on the contrary, it develops the aforementioned constitutional provision.
Finally, as to the second paragraph, maintaining what Law 1266 of 2008 provides on the monitoring of financial data is consistent with the general character of the regulation adopted by the bill, which is reflected in the exceptions to the scope of the bill established in Article 2 of the project and analyzed in this decision, which exempted precisely, because of its specialty and sectoral nature, the data processing regulated by Law 1266 of 2008, including, of course, what relates to its surveillance and the authority that exercises it, the Financial Superintendency. No problem of unconstitutionality arises from the foregoing, and it falls within the legislator's freedom of configuration, taking into account that Law 1266 of 2008, to which the provision under comment refers, was declared enforceable as regards the surveillance authority, as long as it acts autonomously and independently, as ratified in this ruling.

2.19. REVIEW OF ARTICLE 20: RESOURCES OF THE SUPERVISORY AUTHORITY.
2.19.1. Text of the provision
"Article 20. Resources for the performance of its duties. The Superintendency of Industry and Commerce will have the following resources to perform the functions entrusted to it by this law:
a) The fines imposed on those under surveillance.
b) The resources that are allocated in the General Budget of the Nation.
Article 21. Functions. The Superintendency of Industry and Commerce shall perform the following functions:
a) Ensure compliance with the legislation on protection of personal data.
b) Carry out the relevant investigations, on its own initiative or upon request, and, as a result of them, order the measures necessary to give effect to the right of habeas data. For this purpose, whenever the right is disregarded, it may order that access to and supply of the data be granted, or that they be corrected, updated or deleted.
c) Order the temporary blocking of data when, from the application and the evidence provided by the Holder, a certain risk of violation of his or her fundamental rights is identified, and such blocking is necessary to protect them while a final decision is adopted.
d) Promote and disseminate the rights of individuals regarding the processing of personal data and implement educational campaigns to train and inform citizens about the exercise and guarantee of the fundamental right to data protection.
e) Provide instructions on the measures and procedures necessary for adapting the operations of data controllers and processors to the provisions of this law.
f) Request from data controllers and processors the information necessary for the effective exercise of its functions.
g) Issue declarations of conformity on international data transfers.
h) Manage the National Public Register of Databases and issue the orders and acts necessary for its administration and operation.
i) Suggest or recommend adjustments, corrections or adaptations to the regulations so that they are consistent with technological, computing or communications developments.
j) Require the collaboration of international or foreign entities when the rights of Holders are affected outside Colombia on the occasion of, among others, the international collection of personal data.
k) Other functions as assigned by law."
2.19.2. Citizen interventions and concept of the Public Ministry
2.19.2.1. ASOBANCARIA requests that Article 20 be declared unconstitutional on the grounds that having the proceeds of the sanctions imposed under the law go to the Superintendency of Industry and Commerce violates the Constitution, because it would be a violation of due process for the one who punishes to be ultimately the beneficiary of the sanction, holding a privileged position that may result in a violation of the rights of those to whom the norm is addressed. It asked the Court to consider whether such regulation exceeds the legislator's freedom of configuration, because, by its nature, the collection of fines must go to the Treasury.
2.19.2.2. The Legal Secretariat explained that the powers granted to the Superintendency are framed within Article 150 of the Constitution; for this reason, the budget of the superintendency already includes monies collected from fines imposed, to serve for the functioning of the body, but it clarifies that all actions of the superintendency must conform to the general principles of law and to the law, and that persons who have been fined are entitled to seek remedy or have recourse to the contentious jurisdiction to resolve the disputes arising from its decisions.
2.19.2.3. The Public Ministry remained silent.
2.19.3. Analysis of the constitutionality of Article 20
Article 20 refers to the resources with which the Delegatura is to operate. ASOBANCARIA questions whether monies from fines are a valid source of funding for the new Delegatura created in the Superintendency of Industry and Commerce to carry out the functions entrusted to it by law. In this sense, the question to answer is whether the destination of this income is in accordance with Article 359 of the Constitution, which provides that "There will be no earmarked revenues."

Now, this constitutional principle is closely related to the principle of unity of cash stipulated in Decree 111 of 1996 (Organic Budget Statute), which states that "With the collection of all income and capital resources, the timely payment of all appropriations authorized in the General Budget of the Nation will be addressed"; that is, all government revenue must enter, without prior destination, a common fund from which it is allocated to finance public spending.
On the other hand, Article 27 of Decree 111 of 1996 establishes the classification of the current revenues of the Nation, noting that they are divided into "tax" and "non-tax" revenues. The former, in turn, are classified as "direct and indirect taxes" and the latter as "fees" and "fines". Thus fines are considered non-tax revenues that nevertheless belong to the current income of the Nation, which is destined for the national budget. This is consistent with the constitutional provision that defines current income as "consist[ing] of tax and non-tax income excluding capital resources".
Therefore, this Court concludes that allocating to the operation of the Superintendency of Industry and Commerce the fines generated in the performance of the functions under the bill under review contradicts the ban on earmarked revenue and the principle of unity of cash established by the Organic Statute of the National Budget, which the Court has said develops the economic Constitution. Therefore, the Chamber declares paragraph a) of Article 20 of the bill unconstitutional.
Accordingly, the financing of this new unit will depend on the resources of the national budget mentioned in paragraph b) of Article 20 under review, which will consequently be declared enforceable, as it complies with the principle of public spending enshrined in Article 345.

2.20. CONSTITUTIONAL REVIEW OF ARTICLE 21: FUNCTIONS OF THE SUPERVISORY AUTHORITY.
2.20.1. Text of the provision
"Article 21. Functions. The Superintendency of Industry and Commerce shall perform the following functions:
a) Ensure compliance with the legislation on protection of personal data.
b) Carry out the relevant investigations, on its own initiative or upon request, and, as a result of them, order the measures necessary to give effect to the right of habeas data. For this purpose, whenever the right is disregarded, it may order that access to and supply of the data be granted, or that the data be corrected, updated or deleted.
c) Order the temporary blocking of data when, from the request and the evidence provided by the Holder, a certain risk of violation of his or her fundamental rights is identified and such blocking is necessary to protect them while a final decision is adopted.
d) Promote and disseminate the rights of individuals regarding the processing of personal data and implement educational campaigns to train and inform citizens about the exercise and guarantee of the fundamental right to data protection.
e) Provide instructions on the measures and procedures necessary for adapting the operations of data controllers and processors to the provisions of this law.
f) Request from data controllers and processors the information necessary for the effective exercise of its functions.
g) Issue declarations of conformity on international data transfers.
h) Manage the Public National Register of Databases and issue the orders and acts necessary for its administration and operation.
i) Suggest or recommend adjustments, corrections or adaptations to the regulations so that they are consistent with technological, computing or communications developments.
j) Request the collaboration of international or foreign entities when the rights of the Holders are affected outside Colombia on the occasion of, among other things, the international collection of personal data.
k) Other functions as assigned by law."
2.20.2. Citizen interventions and concept of Public Prosecutions
Neither any citizen nor the Attorney General commented on the constitutionality of this provision.
2.20.3. Enforceability of Article 21.

This provision lists the functions that the new Delegatura for the protection of personal data will exercise. Having studied the functions assigned to it, this Court finds that all of them correspond to and develop the international standards established for the supervisory authority. Indeed, they cover the functions of monitoring compliance, investigating and punishing non-compliance, monitoring international data transfers and promoting data protection.
It must also be said that, as the Court established in Judgment C-1011 of 2008, the powers attributed to the Superintendency, through the Delegatura, "fall within the scope of the administrative police functions that correspond to the technical bodies attached to the executive (Art. 115 CP), as an expression of the State's power of direction and intervention in the economy (Art. 334), and of strengthened government intervention in financial, securities and insurance activities (Art. 335 CP)."
Finally, as the quoted judgment clarified, the allocation of powers of surveillance, promotion and sanction to the Superintendency of Industry and Commerce "cannot be interpreted as the displacement or reallocation of powers that the Constitution or the law has attributed to other institutional supervisory bodies. In this regard, without prejudice to the monitoring functions assigned to the Superintendencies referred to in the bill, bodies such as the Ombudsman, for example, fully retain their constitutional (Art. 282 CP) and legal (Act 24 of 1992) powers, which require them to ensure the promotion, exercise and dissemination of human rights, and therefore of the fundamental right to habeas data."
In line with the above, Article 21 of the draft statute under consideration shall be declared constitutional.
2.21. REVIEW OF ARTICLE 22: PROCEDURE AND SANCTIONS.
2.21.1. Text of the provision.
Chapter 2
Procedure and Sanctions
Article 22. Procedure. The Superintendency of Industry and Commerce, once a breach of the provisions of this law by the controller or the processor has been established, shall adopt the measures or impose the appropriate sanctions.
In matters not regulated by this law and the corresponding procedures, the relevant rules of the Administrative Code shall be followed.
2.21.2. Citizen interventions and concept of the Public Ministry
2.21.2.1. The Ombudsman notes that the bill does not include a specific procedure for processing sanctions, so that it will always be necessary to resort to internal procedures and/or the provisions of the Administrative Code. However, the Ombudsman considers that the legislator cannot disregard its responsibility to design and establish the procedural mechanisms required to enforce the regulated right. Therefore, based on Article 152 of the Constitution, it states that the procedure to which Article 22 refers should have been expressly regulated by the statutory legislator, without the cross-references made in the second paragraph. It therefore considers that the cross-reference is contrary to the Constitution. It notes that, in the absence of such rules, the Constitutional Court, in exercising its power to modulate its rulings, may: (i) urge Congress to issue a Statutory Law containing the mechanisms and remedies to be pursued before the data protection authority, that is, before the Superintendency of Industry and Commerce; and (ii) while that process moves forward, the rules of Statutory Law 1266 of 2008 could be applied, despite having the same problems regarding special procedures.
2.21.2.2. Universidad de los Andes. It considers that, since the user is not regulated, the rules of this chapter become unconstitutional, because the penalties and the procedure should also have covered this subject.
2.21.2.3. The Public Ministry made no pronouncement on this article.
2.21.3. Constitutionality of the administrative penalty system applied to data protection

2.21.3.1. Undoubtedly, the regulation made by the statutory legislator in Chapter II is part of what has been called the sanctioning power of the State, in this case vested in an administrative body, the Superintendency of Industry and Commerce, through the new Delegatura that the statutory legislator creates to fulfil the role of personal data protection authority, in compliance with the principle of control and sanction of Resolution 45/95 of the UN General Assembly.
This state sanctioning power has been defined as "an instrument of self-protection, since it helps preserve the institutional legal order by assigning powers to the administration that enable it to impose on its own officials and on individuals compliance, including by punitive means, with a discipline whose observance contributes to the performance of its tasks".
This power is a manifestation of jus puniendi and is therefore subject to the following principles: (i) The principle of legality, which requires the existence of a law regulating it; that is, its definition corresponds only to the ordinary or extraordinary legislator. (ii) The principle of typicality, which, although not as rigorous as in criminal law, does oblige the legislature to describe the conduct or behavior that gives rise to the sanction and to determine the sanction expressly [285]. (iii) Due process, which requires, among other things, the definition of a procedure, even if summary, that guarantees due process and, in particular, the right of defense, including the express designation of the authority competent to impose the sanction. (iv) The principle of proportionality, which means that the penalty must be proportionate to the fault or administrative offense it seeks to punish [286]. (v) Independence from the criminal penalty; this means that the sanction can be imposed regardless of whether the event giving rise to it may also constitute a violation of the criminal regime.
These are the principles that each of the provisions of the Chapter under review must meet.
2.21.3.2. Article 22, first paragraph, complies with the principle of due process, in that it states that it is for the Superintendency of Industry and Commerce to take measures and to sanction data controllers and processors. It therefore satisfies the obligation to designate the authority competent to impose sanctions for failure to observe the data protection rules.
With regard to the principle of typicality, the Chamber finds that, despite the generality of the provision, the administrative offense is determinable in that it consists of the breach of the provisions of the law, that is, in specific terms, of the regulation made in Articles 17 and 18 of the bill, which set out the duties of data controllers and processors.
The bill that gave rise to Law 1266 of 2008 suffered from the same generality, and the Court, in Judgment C-1011 of 2008, interpreted that the administrative offense was the disregard of the duties of users, sources and operators. The Chamber uses the same interpretation on this occasion to declare the constitutionality of the first paragraph of Article 22 when it refers to "breach of the provisions of this law by the controller or the processor".
At that time, the Chamber noted that:
"Finally, it must be emphasized that, within the proper scope of sanctioning administrative law, the typicality of the offense is established when the sanctionable conduct is described specifically and precisely, either because it is determined in the same body of law or because it is ascertainable from the application of other legal norms. In the case at hand, the list of obligations and duties of operators, sources and users set out in the statutory law provides a framework definite enough for the accurate identification of the offenses."
With regard to the second paragraph, the Chamber finds that it makes a cross-reference to the Administrative Code as regards the procedure to be applied for the imposition of sanctions. That is, although the statutory legislature did not expressly establish "the procedure" for applying the sanctions referred to in Article 23, the cross-reference made in that paragraph is consistent with Article 29 of the Constitution, since there is indeed a specific procedure to be applied by the data protection authority.

The procedure for imposing sanctions of an administrative nature, under the terms of the jurisprudence of this Court, requires "certainty about the rules applicable to conduct the investigation, make the appropriate attribution of responsibility, and impose the appropriate sanction on the offender, if there is any place for it. This procedure must ensure, through appropriate mechanisms, the adequate exercise of the right of defense" [287].
It is now for the Court to determine whether the procedure governed by the Administrative Code satisfies the rights to due process and defense. In that sense, we find that Article 28 et seq. of that Code regulate a procedure that, in the Chamber's view, guarantees the rights to due process and defense of persons subject to the control of the data protection authority. Let us see:
Article 28 establishes the duty to communicate the proceedings when it appears that there are individuals who may be affected; accordingly, it is to be understood that the communication must ensure that the data controller is in fact aware of the initiation of the administrative proceedings, which is why personal notification is necessary.
Article 30 establishes the guarantee of impartiality and therefore sets out the grounds for recusing the official who is to conduct an investigation; this precept guarantees transparency and the principle of impartiality in public service. Article 34 states that evidence may be requested and ordered without special requirements or terms, a provision that guarantees the right of defense and contradiction, and Article 35 regulates the decision, providing that before the appropriate measures are adopted the interested parties must be heard and the decision must be reasoned, even if summarily. Notification, under the terms of Article 44, must be personal.
Finally, Article 47 provides that information must be given on the remedies, appeal among them, that are available against the decision.
The foregoing review of the rules allows the Chamber to conclude that the procedure established by the Administrative Code guarantees the rights to due process and defense, for which reason Article 22 of the draft law under review will be declared constitutional.
Notwithstanding the foregoing, the Court agrees with the intervention of the Ombudsman, in the sense that the legislature must make an effort to regulate sanctioning procedures systematically and clearly, without cross-references that sometimes hinder their application.
2.22. EXAMINATION OF ARTICLE 23: SANCTIONS.
2.22.1. Text of the provision
Article 23. Sanctions. The Superintendency of Industry and Commerce may impose on data controllers and processors the following sanctions:
a) Fines of a personal and institutional character in favor of the Superintendency of Industry and Commerce of up to the equivalent of two thousand (2000) monthly legal minimum wages at the time of the imposition of the sanction. Fines may be successive for as long as the failure that gave rise to them persists.
b) Suspension of treatment-related activities for a term of six (6) months. In the event of suspension, the corrective measures to be taken must be indicated.
c) Temporary closure of operations related to treatment once the term of suspension has elapsed without the corrective measures ordered by the Superintendency of Industry and Commerce having been taken.
d) Immediate and definitive closure of the operation involving the processing of sensitive data.
Paragraph. The sanctions referred to in this article apply only to persons of a private nature. In the event that the Superintendency of Industry and Commerce notices an alleged breach of the provisions of this Act by a public authority, it shall refer the matter to the Attorney General's Office so that it may carry out the investigation.
2.22.2. Citizen interventions and concept of Public Prosecutions
No intervention was submitted in relation to this provision, nor did the Public Prosecutions give an opinion on it.
2.22.3. Violation of the principles of typicality and correlation or proportionality between the offense and the sanction.

Article 23 of the draft establishes the penalties that the Superintendency of Industry and Commerce can apply to data controllers and processors, which include fines, suspension of activities related to treatment, temporary closure of operations related to treatment and, finally, the immediate and definitive closure of the operation.
This rule is a provision of a punitive nature and must therefore comply with all the principles of due disciplinary procedure contemplated in the Constitution and recognized by the jurisprudence of this Court:
First, the principle of legality, according to which: "sanctionable conduct must not only be described in a prior rule but must also have a legal basis, the definition of which cannot be delegated to the administrative authority" [288].
This axiom is interpreted less rigorously in sanctioning administrative law than in criminal law, so a reasonable relaxation of the typical description is possible:
"The Court has reiterated that, in sanctioning administrative law, 'although typicality is part of the right to due process in any administrative action, the same degree of rigor required in criminal matters is not demanded in this field', because the nature of the conduct repressed, the legal interests involved and the teleology of the sanctioning powers in these cases make possible a reasonable relaxation of the typical description, in any case always eradicating and preventing arbitrariness and authoritarianism, so that the principles of legality and social justice prevail, as well as the other principles and purposes of the State, and the constitutional rights, legitimate interests and rights of legal or conventional origin of all people are ensured" [289].
This rule complies with the principle of typicality, for which it should be read in conjunction with Article 22 of the future statutory law, which provides for the possibility of imposing sanctions when the provisions of that law are breached. In this sense, the factual premise that completes the sanctioning norm consists of the infringement of the provisions of the future statutory law laying down general provisions for the protection of personal data.
On the other hand, this Court ruled in Judgment C-1011 of 2008 on the constitutionality of a rule similar to Article 23, which provided that the Superintendency of Industry and Commerce and the Financial Superintendency may impose on operators, sources or users of financial, credit, commercial and services information and information from third countries, after explanations in accordance with the applicable procedure, the sanctions of fines, suspension of the activities of the data bank, closure of the data bank's operations, and immediate and definitive closure of the operation of data banks [290].
On that occasion, this Court upheld the constitutionality of the rule, considering that it met the basic elements of typicality:
"The sanctions regime under the habeas data Act respects the principles of legal reserve, legality and typicality, with the degree of rigor required in disciplinary administrative law. The precepts examined, with the cross-references and concordances indicated, (i) define the basic elements of the offenses that give rise to sanctions and the criteria for determining them; (ii) establish the material content of the sanction; (iii) allow for a correlation between the content of the rule of conduct and the rule of sanction; (iv) establish, by way of cross-reference, a procedure laid down in rules with the material force of law; and (v) determine the bodies responsible for exercising the sanctioning power" [291].
In the same way as was stated on that occasion, Article 23 of the draft statute is considered to meet these requirements as well, because by way of cross-reference it is clear that sanctions are to be imposed for established violations of the rules on data management.

Second, the rule must comply with the principles of proportionality and reasonableness, for which the bill establishes in Article 24 a series of criteria for determining the applicable sanction, such as: "a) The extent of the damage or danger to the legal interests protected by this law. b) The economic benefit obtained by the infringer or third parties by virtue of the commission of the offense. c) Repeated commission of the offense. d) Resistance, refusal or obstruction to the investigative or surveillance action of the Superintendency of Industry and Commerce. e) Reluctance or contempt in complying with orders issued by the Superintendency of Industry and Commerce. f) Express acknowledgment or acceptance by the party under investigation of the commission of the offense before the sanction is imposed, where applicable" [292].
In this sense, it is estimated that there are sufficient criteria for assessing the specific penalty, which have been identified by the statutory bill itself.
Finally, it should be noted that the rule clearly respects due process by referring to the Administrative Code for the applicable procedures. Consequently, Article 23 shall be declared constitutional, except for the expression "in favor of the Superintendency of Industry and Commerce" contained in paragraph a) of Article 23, which shall be declared unenforceable (INEXEQUIBLE) following the declaration of unenforceability of paragraph a) of Article 20.
2.23. EXAMINATION OF ARTICLE 24: CRITERIA FOR GRADUATING SANCTIONS.
2.23.1. Text of the provision
Article 24. Criteria for graduating sanctions. The sanctions for the violations referred to in the previous article shall be graduated according to the following criteria, insofar as they are applicable:
a) The extent of the damage or danger to the legal interests protected by this law.
b) The economic benefit obtained by the infringer or third parties by virtue of the commission of the offense.
c) Recidivism in the commission of the offense.
d) Resistance, refusal or obstruction to the investigative or surveillance action of the Superintendency of Industry and Commerce.
e) Reluctance or contempt in complying with orders issued by the Superintendency of Industry and Commerce.
f) Express acknowledgment or acceptance by the party under investigation of the commission of the offense before the sanction is imposed, where applicable.
2.23.2. Citizen interventions and concept of Public Prosecutions
There was no intervention and the Public Ministry remained silent.
2.23.3. The constitutionality of Article 24
This provision is consistent with the Constitution, in that the legislature may establish parameters so that the authorities, when applying a given penalty, can graduate it according to factors or circumstances of the party under investigation or of its conduct. In that sense, the precept analyzed sets out, in the first five paragraphs, circumstances that aggravate the sanction, while the last, paragraph f), establishes a ground for reduction.

2.24. REVIEW OF ARTICLE 25: NATIONAL REGISTRY OF DATABASES.
2.24.1. Text of the provision
"CHAPTER III
National Register of Databases
Article 25. Definition. The National Register of Databases is the public directory of databases subject to treatment that operate in the country.
The registry will be administered by the Superintendency of Industry and Commerce and will be open to free consultation by citizens.
To register their databases, interested parties must provide the Superintendency of Industry and Commerce with their information treatment policies, which will bind those responsible for and in charge of treatment, and breach of which will lead to the appropriate sanctions. Treatment policies may in no case fall below the duties under this Act.
Paragraph. The National Government shall regulate, within the year following the enactment of this Act, the minimum information the registry must contain and the terms and conditions under which those responsible for Treatment must register in it."
2.24.2. Citizen interventions and concept of Public Prosecutions

2.24.2.1. The Legal Secretary of the Presidency requests that this rule be declared constitutional, arguing that the creation of the National Register of Databases finds support in Articles 150 and 152 of the Constitution. He contends that its creation seeks tools to help protect the right of habeas data and that it complements the Superintendency's functions of supervision and control, in order to ensure compliance with the principle of transparency in the handling and processing of personal data.
2.24.2.2. The Public Ministry remained silent.
2.24.3. Conditioned constitutionality of Article 25
Article 25 defines the National Register of Databases as the public directory of databases subject to treatment that operate in the country. The Register is administered by the Superintendency of Industry and Commerce and aims: (i) to let all citizens know which databases are operating in the country; (ii) to give the Superintendency precise control over them, in that it can establish who processes information in Colombian territory and how; and (iii) to inform the body that controls and monitors data protection of the information treatment policies of data controllers and processors, which must at least contain the duties stipulated in the bill under review. As explained earlier, these policies are mandatory and allow the supervisory body to impose the appropriate sanctions for non-compliance.
The paragraph of this rule stipulates that the National Government shall regulate, within the year following the enactment of the statutory law under review, the minimum information that the registry must contain and the terms and conditions under which those responsible for Treatment must register in it.
In principle, this provision raises no objections as to its constitutionality. However, some clarifications that are not apparent from its wording are required. Let us see.
In the international context, records of this kind are intended to enable all people, as a way of realizing their right to habeas data, to know exactly which databases process their personal data and thus to exercise the whole set of rights derived from habeas data: to update, amend, delete, etc. Accordingly, the register to which the provision under review refers does not seek simply to keep a public record of databases, as its text might seem to suggest, but to allow any citizen to establish exactly who the controller and the processor of the data are, as another way of realizing the principle of transparency that guides the management of databases. In other words, the aim of having a State body centralize this kind of information is to facilitate the exercise of one of the key aspects of habeas data: knowing who is processing personal data, so that the holder can exercise effective control over it, which explains why the register is open to consultation by the general public. In that order of ideas, registration should be imposed as an obligation on both public and private databases, because this is an instrument that will allow the State to guarantee effectively that the holder of the data can have effective control over his or her personal data. That is to say, it is another instrument that can help materialize the exercise of a fundamental right such as habeas data.
In this regard, when the paragraph under review states that the National Government shall regulate the minimum information that this register must contain and the terms and conditions under which the controller must register, it must do so bearing in mind that the register should allow anyone to establish who is processing personal data, thereby ensuring that the person can have effective control over his or her personal data by being able to know clearly and accurately in which databases that data is handled. Therefore, the Government, in exercising its regulatory power, will have to turn to international standards and the experience of other States in this area [293] so that the above-described purpose of this register is met.
2.25. PARTIAL CONDITIONAL ENFORCEABILITY OF ARTICLE 26 AND UNENFORCEABILITY OF PARAGRAPH F).
2.25.1. Text of the provision

"Article 26. Prohibition. The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. A country is understood to provide an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the subject, which in no case may be lower than those this law requires of its addressees.
This prohibition shall not apply in the case of:
a) Information in respect of which the Holder has given express and unequivocal authorization for the transfer.
b) Exchange of medical data, when required by the Holder's Treatment for reasons of health or public hygiene.
c) Stock exchange or banking transfers, under the law applicable to them.
d) Transfers agreed under international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
e) Transfers necessary for the performance of a contract between the Holder and the controller, or for the implementation of pre-contractual measures, provided that the Holder's authorization has been obtained.
f) Transfers necessary or legally required to safeguard the public interest, or for the establishment, exercise or defense of a right in judicial proceedings.
Paragraph 1. In cases not covered by an exception in this Article, it is for the Superintendency of Industry and Commerce to issue the declaration of conformity for the international transfer of personal data. For this purpose, the Superintendent is empowered to request information and to carry out the steps aimed at establishing compliance with the requirements for the viability of the operation.
Paragraph 2. The provisions of this Article shall apply to all personal data, including those covered by Law 1266 of 2008."
2.25.2. Citizen interventions and concept of the Public Ministry
2.25.2.1. The Legal Secretariat of the Presidency notes that, in order to analyze the constitutionality of Article 26 of the Statutory Law, account must be taken both of the rights of the holder and of the obligations of those responsible for handling the data. It states that, in a context of globalization, it is important to recognize international standards, which become mandatory in order to ensure the protection of the holder's personal data and the effectiveness of those rules.
In this respect, the analysis of protection should take into account the content of the applicable rules and the means of ensuring their effective implementation. All this creates the need for a ban on the transfer of personal data to third countries, since it is difficult to establish from the outset whether the country to which the transfer is being made meets the minimum standards of security and data protection; hence the need to stipulate exceptions, which are the following:
The exception referring to the express, informed and unequivocal consent that the holder must give for the transfer to a third country to be made: if for some reason the consent is not complete, the exception does not apply. This analysis leads to the conclusion that this exception does not represent a limitation on the right in Article 15 of the Constitution.
The exception for transfers for medical reasons, health or public health is justified and consistent with the Constitution because it seeks to protect fundamental rights such as the life and health of the owner, regardless of whether authorization exists. For this exemption to take effect, a medical request is required or, in extraordinary cases, a request from an administrative or judicial authority; the Court must have regard to this exception on account of what it pursues since, as it said in Judgment C-1011 of 2008, it is the fulfillment of a constitutional objective and is proportionate in character.
The third exception relates to banking and securities transfers, which are useful for international trade; but this exception is not absolute, since to be deemed constitutional it must meet the requirement that the owner of the information has given authorization.

The fourth exception refers to transfers made under international treaties signed by Colombia. This exception does not pose a major constitutional problem, because the approval of these treaties requires a process that passes through the Congress of the Republic and through the Constitutional Court as part of judicial review.
The fifth exception covers transfers between the holder and the controller. It is argued that this exception appears very broad but is in fact limited, and its conformity with the Constitution is verified; in addition, its application must satisfy two elements: authorization by the owner of the data and the necessity test, i.e. it must be established that the data being transferred is actually essential to carrying out the contractual activity.
The last exception raises two situations. The first, set out in literal f), has as its primary purpose, and finds its justification in, safeguarding public interests, considering that the administrative authority has the legal power not to require the authorization of the owner. In the second, the aim is the legal and necessary exercise of the defense of legal rights, and it is therefore understood that authorization is not required but a court order is. All this leads to the conclusion that this exception is justified at the legal and constitutional level.
The first paragraph of the article, on analysis, determines that the Superintendency is in charge of setting the parameters under which transfers should be made, such as granting adequacy status to third countries. The constitutionality of that paragraph follows from the analysis made by the Court in Case C-1011 of 2008, which reiterates the autonomous and independent character of the superintendencies and that this is reason enough to empower them to set criteria for information operators and to assess whether or not there is security in the treatment given in third countries to data transferred from Colombia. The last paragraph provides that the provision in paragraph 1 is to be extended to Law 1266, since under that statutory law there is an unfair situation that violates the fundamental right: the function that this new law gives to the Superintendency is, under the law already named, carried out by the national operator itself, which creates a level of insecurity in the handling of the data.
2.25.2.2. Meanwhile, the Ombudsman requests that literal b) be declared conditionally constitutional, on the understanding that transmission for the reasons mentioned in literal b) does not relieve the operator of obtaining the authorization of the owner of the information.
Regarding literal f), he makes the following points:
He states that the "necessary" character of the transfer is open-ended, in the sense that it does not establish with respect to whom such a need is deemed to exist, who defines it, or how it is set. In addition, this character contravenes the principles of legality and purpose of treatment because it is not conditional upon the prior written consent of the owner. Moreover, the "need" would have to be defined in each particular case, so the discretion left for defining it is too vague and general.
On the other hand, he contends that if the expression "safeguarding the public interest" is added to the term "necessary", the effectiveness of fundamental rights is reduced to a minimum. Indeed, the "public interest" is a concept that is, in principle, devoid of specific legal content, and therefore cannot be used as an infallible formula for limiting or restricting the fundamental rights of citizens. The eventual removal of the expressions "necessary" and "safeguarding the public interest" would not affect the meaning of the rest of the provision, since literal f) would limit the exception it establishes to transfers "legally required". Therefore, the Ombudsman requests that such expressions be declared contrary to the Constitution.

On the other hand, he considers that the expression "or for the establishment, exercise or defense of a right in judicial proceedings" is ambiguous, as it does not specify whether the proceedings involve the owner of the data directly, as a defendant or as a witness; in what capacity and under what circumstances the transmission is imperative; or whether, on the contrary, it refers to the rights of a third party. That is, the circumstances that would justify the international transfer of data fall back into a generality and vagueness that contradict the fundamental right to data protection, in particular the principles of purpose, authorization and restricted circulation.
In addition to the above, he states that if it is a matter of the establishment, exercise or defense of a right of the owner of the information, the owner will be the one most interested in enabling the international transfer of data. Where the rights of a third party are concerned, there must be authorization by the owner of the information. In any case, one always returns to the exception contemplated in literal a) of Article 26.
2.25.3. Constitutional review
2.25.3.1. The international transfer of personal data has emerged as a result of globalization and the phenomena of economic and social integration, in which both companies and government agencies need to transfer personal data for different purposes [294].
Because of the need for personal data to circulate internationally, rules have been laid down that must be observed so that each country's internal protection efforts are not rendered useless when data is exported to other countries.
Europe has been considered a pioneer in establishing legal mechanisms aimed at protecting data when it is transferred to third countries. Thus, one of the prerequisites for a transfer to be made is that the recipient country has an adequate level of protection in the light of European standards.
In this sense, Article 26 of the Bill is right to establish as a general premise the prohibition of transferring personal data of any kind to countries that do not provide adequate levels of data protection. The aim is not to impede the processing of data but to avoid harming, during that processing, constitutional rights of persons such as the right to privacy.
On this point, the question arises of what an appropriate level of protection is. The Director of the Study Group on Internet, Electronic Commerce, Telecommunications and Informatics (GECTI) of the University of the Andes, Nelson Remolina Angarita, said that an appropriate level of protection of personal data means that the importing State has a degree of protection higher than, equal to, similar to or equivalent to that of the exporting State [295], giving effect to the principle of continuity in data protection.
Similarly, the United Nations Organization (UN), the Council of Europe, the European Parliament and the Council of the European Union have noted that international data transfer is feasible if it is established that the importing country offers guarantees of protection comparable to those offered by the exporting country.
As indicated above, Europe has pioneered data management, establishing rules for transfer to third countries. Thus, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data [296], in the framework of the European Commission, adopted two documents of major importance, namely: "First guidelines on the transfer of personal data to third countries: possible ways to assess adequacy" (Brussels, 1997) and "Transfers of personal data to third countries: applying Articles 25 and 26 of the EU Data Protection Directive" (Brussels, 1998).
In short, it was determined that an appropriate level of protection depends on the fulfillment of two factors. The first is regulatory in nature, namely the existence of legislation containing rights vested in the data owner and obligations for those who process personal information or exercise control over its treatment. The second relates to the mechanisms for ensuring the effective implementation of that regulatory content, which involves a set of appropriate sanctions for offenders and a supervisory body.

Considering that countries do not have a uniform system of data protection, the Working Party, drawing on Directive 95/46/EC, Convention 108 of 1981, the 1980 guidelines of the Organisation for Economic Co-operation and Development (OECD) and the 1990 UN principles, set out a series of common principles for determining whether the rules of a particular country provide an adequate level of protection.
In this vein, the minimum principles according to the European standard are:
· Purpose limitation;
· Data quality and proportionality;
· Transparency;
· Security;
· Access, rectification and opposition;
· Restrictions on subsequent transfers to other countries;
· Sectoral or additional provisions for special types of data processing, including sensitive data, direct marketing and automated individual decisions.
In this order, a country is understood to have an adequate level of protection of personal data if it establishes a general rule on the protection of personal data that incorporates the aforementioned minimum principles, as well as the sectoral or additional provisions that should surround the treatment of such information.
2.25.3.2. In connection with the bill now under consideration, it must be said first that it differs from what is stated in Law 1266 of 2008 [297] but agrees with the European model, as it places the authority to determine which countries provide an adequate level of data protection in the control body, that is, the Superintendency of Industry and Commerce, and not in the operators who handle the data.
Consequently, and even for matters under Law 1266 of 2008, by virtue of paragraph 2 of Article 26 of the Bill under study [298], it will be the Superintendency of Industry and Commerce that is responsible for determining whether a country provides data protection guarantees.
Regarding Law 1266 of 2008, it should not be forgotten that the Constitutional Court, in Case C-1011 of 2008, declared certain provisions unconstitutional and upheld the constitutionality of others under certain conditions:
Specifically, in relation to literal f) of Article 5, which provides for the possibility of delivering information to a foreign operator after verification by the operator that the laws of the respective recipient country grant sufficient guarantees for the protection of the rights of the holder, the Court made that verification by the operators conditional on parameters determined by the Superintendencies of Industry and Commerce and of Finance, which shall analyze whether the legislation of the foreign database to which the data is sent complies with the standards of guarantee of the rights applicable to the holder of personal data. Thus, these entities may even expressly identify the foreign legal systems of which, after sufficient analysis, that sufficient degree of protection of the rights of the data subject can be predicated.
In this sense, and as indicated by the said Working Party on Data Protection of the European Union, a country shall be understood to have the elements or standards of guarantee needed to ensure an adequate level of protection of personal data if its legislation has: principles covering the rights and obligations of the parties (owner of the data, public authorities, enterprises, agencies or other organizations processing personal data) and the data (data quality, technical security); and a data protection procedure that involves authorities and effective mechanisms for protecting the information. It follows that the country to which the data is transferred cannot provide a lower level of protection than that provided for in the regulatory body under study.
2.25.3.3. However, Article 26 of the bill also creates a set of exceptions to the general rule prohibiting the transfer of personal data to a third country which does not ensure an adequate level of protection. That is, it allows the transfer of data to countries that cannot guarantee an adequate level of protection in the following cases:
a) Information regarding which the Holder has given express and unequivocal authorization for the transfer.
b) Exchange of medical data, when required by the Holder's Treatment for reasons of health or public hygiene.
c) Stock exchange or banking transfers, under the law applicable to them.
d) Transfers agreed under international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
e) Transfers necessary for the implementation of a contract between the Holder and the controller, or for the implementation of precontractual measures, provided that the consent of the Holder has been obtained.
f) Transfers necessary or legally required to safeguard the public interest or for the establishment, exercise or defense of a right in judicial proceedings.
In connection with these exceptions, the Court will make some specific points in order to determine their constitutionality. With respect to literal a), no objection is perceived, since it requires as a condition the express and unequivocal authorization of the owner of the data, thereby developing the principle of the free will of the owner in authorizing the movement of the information. Therefore, it is clear that although the transfer of data to a country that does not provide adequate standards of protection is allowed, it is carried out under the responsibility of the owner.
Accordingly, it should be noted at the outset that having the authorization of the owner of the information being transferred is the premise that allows the data to circulate under the other exceptions provided for in this article of the Bill, and that this will be the condition for the respective declaration of constitutionality.

Literal b), for its part, refers to the processing of medical data, as required for the holder for reasons of health or public hygiene. This Court finds that the exception is justified, since in this case the aim is to preserve and guarantee rights of fundamental rank. It is pertinent to point out that, in this case, the power to authorize the transfer of medical data lies not only with the holder but also with the holder's family or legal representative, since such data may be required in circumstances where the owner is not in a position to grant the authorization.
In relation to the bank or stock exchange transfers provided for in literal c), these shall be governed by the provisions of Law 1266 of 2008, which regulates the management of financial, credit and commercial information, but on the understanding that the transfer will be made with the prior express authorization of the owner of the data.
Similarly, the exception enshrined in literal d) is well founded since, as indicated, such a transfer is governed by the provisions of international treaties signed by Colombia.
For its part, literal e) refers to transfers necessary for the implementation of a contract between the Holder and the controller, or for the implementation of precontractual measures, provided that the consent of the Holder has been obtained. This exception covers transfers founded on a contractual relationship, which is governed by the provisions of the contract and by the duties and rights of the contracting parties, the data controller being, to that extent, the one who must ensure proper handling of the information. It should not be forgotten that the transfer requires the authorization of the owner, an authorization that, as repeatedly stated, must be prior and express.
So, following the same line as Case C-1011 of 2008, it is noted that in the above exceptions, except the one enshrined in b), there must necessarily be prior express authorization of the owner allowing the transmission of his or her personal data, thus ruling out any possibility of data transfer to a third country without the consent of the owner. In this regard, literals c), d) and e) will be declared enforceable, on the understanding that they apply only upon the prior express authorization of the owner of the data.
Finally, in relation to literal f), the Court finds that the terms stipulated there may be subject to imprecision and, given their broad and ambiguous nature, create problems at the time of application.
The Court agrees with the opinion of the Ombudsman in the sense that the expressions "necessary" and "or for the establishment, exercise or defense of a right in judicial proceedings" do not provide sufficient clarity about their scope of application and, on the contrary, go against the principles of purpose, authorization and restricted circulation of personal data. This consideration is based on the following observations:
On the one hand, the term "necessary" is open, ambiguous and general, in the sense that it does not establish with respect to whom such a need is deemed to exist, who defines it, or how it is set. On the other hand, the words "or for the establishment, exercise or defense of a right in judicial proceedings" do not specify whether the proceedings involve the owner of the data directly, as a defendant or as a witness; in what capacity and under what circumstances the transmission is imperative; or whether, on the contrary, they refer to the rights of a third party.
Consequently, considering that the fundamental right to habeas data is being regulated, it must be remembered that the limitations imposed on its exercise through the establishment of exceptions must be precise, without using concepts whose degree of uncertainty may compromise the exercise or enjoyment of other constitutional rights.
This is a defense of the rule of law, which aims to provide legal certainty to individuals and, to this extent, to let them know with certainty when the transfer of personal data to countries that do not grant guarantees of adequate protection would be feasible. In accordance with the above, the provisions of literal f) have a degree of uncertainty that may affect the protection of personal data, which is why their unconstitutionality is declared.
2.26. REVIEW OF ARTICLE 27: SPECIAL PROVISIONS.
2.26.1. Text of the provision
"TITLE IX
OTHER PROVISIONS
Article 27. Special Provisions. The National Government will regulate matters regarding the treatment of personal data that require special provisions. In any case, such regulations may not be contrary to the provisions of this law."
2.26.2. Citizen interventions and opinion of the Public Ministry
2.26.2.1. The Ombudsman finds that the provision is unconstitutional for its vagueness and generality, to the extent that it allows, through the regulatory power, the introduction of regulations that could affect the core of the right to data protection, matters which, according to Article 152, literal a), of the Constitution, are reserved to statutory law.
The provision is quite general, so the scope of regulation available to the Executive would be excessive and unacceptable in a matter reserved to the legislator, because it is unclear what kind of data would be subject to regulation. Ultimately, although there are matters of a technical nature that could be left to the regulatory powers or to powers of control and supervision, the "general" jurisdiction to regulate the treatment of data requiring "special measures" exceeds the technical field and presupposes attribution of a delegable power.
2.26.2.2. The Foundation for Press Freedom notes that the regulation issued must conform not only to the rules under review but also to the Constitution, the constitutional case law on habeas data and access to information, the constitutionality block and international treaties and agreements.
2.26.2.3. Professor Nelson Remolina of the University of the Andes requests that the article be declared constitutional on the understanding that: i) special laws and administrative acts on personal data issued before this law is enacted must be adjusted, reviewed and updated so that they are consistent with the general principles and rules contained in the draft under study and the jurisprudence of the Constitutional Court; and ii) special laws and administrative acts on personal data issued after the enactment of the law under review must respect and incorporate the principles and general rules contained therein and in the jurisprudence of this Court.

2.26.2.4. The Legal Secretary of the Presidency of the Republic states that the constitutional analysis of this article should be made on the basis of: i) the general nature of the law and ii) the regulation of the substance of the law. Accordingly, it should be understood that the bill under review is a general regulation of the right of habeas data, and this is the basis for the power conferred on the national government; since it is a general law in this area, it is not the role of the legislature to define particular situations, but to give a general framework on the subject.
2.26.3. Unenforceability of Article 27
This rule states that the National Government will regulate matters regarding the treatment of personal data that require special provisions and adds that, in any case, such regulations may not be contrary to the provisions of this law. It is up to the Chamber, in view of this precept, to determine its scope and whether, as pointed out by some of the interventions, the Government may exercise its regulatory power in this area.
Article 27 refers to: (i) the processing of personal data; (ii) that require special provisions; (iii) regulation by the national government; (iv) provided that the provisions of the bill under review are respected.
The processing of personal data, under the terms defined in Article 3, literal g) of the bill under study and in accordance with the latest international standards on the subject, "is any operation or set of operations, whether or not automated, which is applied to personal data, especially its collection, storage, use, disclosure or deletion" [299]. This process of processing personal data, which can be public or private, requires, under the terms of the jurisprudence of this Court, clear definitions of the "object or activity of the entities administering databases, internal regulations, technical mechanisms for the collection, processing, storage, security and disclosure of personal data and regulation of the users of the services of the database administrators" [300].
With the treatment of personal data thus understood, it is clear that its regulation is a competence that belongs to the legislator, because it touches on aspects of the right to habeas data and it is a State duty, vested in the legislature, to "prevent personal data management processes from becoming scenarios excluded from the observance of rights, which in this case means the establishment of rules of legal protection of the freedom of the individual against acts of information management" [301]. It can in no way be left to the executive to regulate it, because it falls to the organ of popular representation, as the proper setting of deliberative democracy, to establish clear and precise regulations that prevent harmful interventions, both state and private, in the rights of individuals through the possibility that these actors have, as a result of advances in new information technologies, to access and manipulate personal data.
We must insist that, with the project under review, which is a regulation of principles, the legislature did not exhaust its obligation to continue developing, through what have been called "sectoral laws", the processing of data according to their specificity, e.g. intelligence and security, health, social security, etc., as discussed in previous paragraphs.
The Chamber understands that when the article under review refers to "personal data that require special provisions", these are none other than the data which by their nature require what the doctrine on the protection of habeas data has called "sectoral laws", regulations that undoubtedly must be issued exclusively by the legislature and not by the executive. Therefore, the Government has no jurisdiction to issue regulations according to the type of data. In that sense, it is for the legislature to regulate them, as it did for the management of commercial or financial data used for credit risk calculation services, where, besides observing the general principles stated elsewhere in this ruling, any exception to them must be reasonable and proportional.

This leads to the conclusion that it is unacceptable that, through the authorization provided for in the provision under review, the statutory legislator's jurisdiction is emptied in favor of an authority that, by constitutional provision, has no power in the matter. In this regard, we cannot fail to mention that the Human Rights Committee, in General Comment No. 16, interpreting Article 17 of the International Covenant on Civil and Political Rights, expressly stated that "The collection and recording of personal information on computers, data banks and other devices, whether by public authorities or by private persons or bodies, must be regulated by law" (emphasis added).
In this regard, the Chamber must insist that there is a clear legal reserve with regard to regulating the processing of personal data, which the Government cannot ignore, nor can it be expressly delegated to the Government by the legislature, since the Constituent assigned this explicit function to the legislature in order, among other things, to ensure the full exercise of the right. On this point, Case T-396 of 1998, reiterated in C-295 of 2002, concerning an act passed to regulate an aspect of the statutory law of the administration of justice, expressly stated that "It is not acceptable ... that a regulatory act can be issued not to develop, implement or make applicable the mandates of that statutory law, but to regulate matters which it has not addressed." The situation under study is similar, because the fact that the draft law under review does not regulate essential aspects of what the same project calls "special data", an aspect that, as explained throughout this decision, requires sectoral regulations, does not empower the Government to regulate it, as this is a matter reserved exclusively to the legislature.
Finally, it should be understood that the power to which the challenged precept refers is not related to the constitutional regulatory competence of the President of the Republic referred to in Article 189, paragraph 11 of the Constitution. That power does not require legal authorization, as the jurisprudence of this Court has repeatedly stated, noting that the regulatory authority is ordinary and does not require legislative authorization: if a law needs to be regulated for its proper execution and implementation, it is for the President of the Republic to exercise that power without another authority within the State, such as the legislative branch, setting terms for its exercise, because it is a permanent competence. This cannot be interpreted as an all-embracing competence, as it has its natural limits in the law it seeks to regulate and, of course, in the Constitution, for example when the matter sought to be regulated is subject to legal reserve, as is the case under analysis.
In that vein, the Court must declare the unconstitutionality of Article 27 of the bill under review.
2.27. REVIEW OF ARTICLE 28: BINDING CORPORATE RULES (BCRs).
2.27.1. Text of the provision
"Article 28. Binding Corporate Rules. The National Government will issue the corresponding regulations on BCRs for certification of good practices in protection of personal data and their transfer to third countries."
2.27.2. Interventions of citizens and the Public Ministry
2.27.2.1. The Legal Secretary of the Presidency of the Republic requests that this provision be declared enforceable for the following reasons:
The BCRs to which the project refers are codes of good practice intended to inject dynamism into the exchange of data and speed up international relations. These rules cannot be understood either as the possibility of making regulations that belong to the statutory legislator, or as rules that may contradict those issued for the purpose of protecting personal data.
The corporate rules must be reviewed by the Superintendency of Industry and Commerce to obtain certification of good practice. Additionally, they will pass through a filter, namely the certification issued by entities duly accredited by the National Accreditation Body (ONAC), to complete the approval process.
2.27.2.2. The Public Ministry remained silent.
2.27.3. Constitutionality of Article 28

This article states that the National Government will issue the corresponding regulations on binding corporate rules for certification of good practices in protection of personal data and their transfer to third countries.
As is clear from the discussions of the bill and the intervention of the Secretariat of the Presidency of the Republic, these rules refer to principles of good governance or regulations of good practice created directly by organizations and binding on their members.
In Europe, before data protection standards were issued, self-regulation became a mechanism for the protection of personal data, to the extent that such rules are substantive and procedural codifications in search of a suitable model of data protection.
In international practice, data are also protected by these international codes of conduct. In that sense, they are a complement to State regulation for the effective protection of personal data, in particular in its flow.
The Article 29 Working Party has indicated that binding corporate rules (BCR), which are used in the context of international data transfers, are a clear manifestation of the principle of responsibility, to the extent that they are self-regulatory codes of conduct drafted and followed by multinational organizations and should contain measures to implement and make workable the principles of data protection, such as auditing, training programs, a network of privacy officers, a system for handling complaints, etc.
Consequently, the delegation that the provision makes to the national government to regulate the minimum content of these corporate rules conforms to the Constitution, since, by developing the principles governing the administration of personal data, these codes of conduct for good practice in this area become an additional tool for the effective guarantee of the right to habeas data.
In international practice, these self-regulatory standards are generally reviewed by national data protection authorities, which should monitor and ensure that they enshrine adequate safeguards for transfers or categories of transfers of personal data between companies that are part of the same corporate group. Accordingly, the Court considers that, for these rules to serve their purpose, once the national government regulates them and organizations implement them, they must be reviewed by the protection authority, a role that was not listed among the functions assigned to said entity.
In the terms set out, on the condition that the rules are reviewed by the protection authority, Article 28 shall be declared enforceable.
2.28. CONSIDERATION OF ARTICLES 32, 33 AND 34: EFFECTIVE DATE AND TRANSITION REGIME.
2.28.1. Text of the provision
"Article 32. Transitional regime. Persons who, at the date of entry into force of this law, are exercising any of the activities regulated here shall have a period of up to six (6) months to conform to the provisions of this law.
Article 33. Repeals. This law repeals all provisions that are contrary to it, except those referred to in Article 2.
Article 34. Validity. This law governs from its promulgation."
2.28.2. Interventions of citizens and the Public Ministry
No specific comments were presented on this point.
2.28.3. Constitutionality of Articles 32, 33 and 34
Regulatory bodies that create new rules on certain matters establish a transitional regime so that those to whom the rules apply can take the necessary measures to adapt to the changes. Similarly, they stipulate the entry into force and the repeals.
These articles do not contradict any constitutional provision, since they are limited to establishing the mechanisms for the entry into force of the regulatory body as well as the means of resolving disputes concerning the transition between laws.
3. DECISION
In light of the foregoing, the Constitutional Court, administering justice on behalf of the people and by mandate of the Constitution,

RESOLVES

First.- To declare enforceable, in its formal aspect, the statutory bill No. 046/10 House - 184/10 Senate "by which general provisions for the protection of personal data are issued", except Articles 29, 30 and 31, which are declared INEXEQUIBLES for procedural defects in their approval.

Second.- To declare enforceable Articles 1, 2, 3, 4, 5, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21, 22, 24, 25, 28, 32, 33 and 34 of the bill, in accordance with what is set out in the relevant part of this decision.
Third.- To declare enforceable Article 6 of the bill under review, except the term "Holder manifestly made public or" in literal d), which is declared INEXEQUIBLE.
Fourth.- To declare enforceable Article 8 of the bill under review, except the term "only" in literal e), which is declared INEXEQUIBLE. Similarly, literal e) should be understood to mean that the Holder may revoke the authorization and request the deletion of data where no legal or contractual duty requires him to remain in said database.
Fifth.- To declare enforceable Article 19 of the draft law under review, with the understanding that the Delegatura for the Protection of Personal Data, in the exercise of its functions, shall act autonomously and independently.
Sixth.- To declare enforceable Article 20 of the bill, except literal a), which is declared INEXEQUIBLE.
Seventh.- To declare enforceable Article 23 of the bill, except the expression "in favor of the Superintendency of Industry and Trade" in literal a), which is declared INEXEQUIBLE.
Eighth.- To declare enforceable Article 26 of the bill, except the term "necessary or" contained in paragraph f), which is declared INEXEQUIBLE.
Ninth.- To declare unconstitutional Article 27 of the draft law under review.
Let it be copied, notified, communicated, published and complied with, and let the record be filed.

JUAN CARLOS HENAO PÉREZ, President
MARÍA VICTORIA CALLE CORREA, Judge
With dissenting vote. With voting clarification.

MAURICIO GONZÁLEZ CUERVO, Judge
With partial dissenting vote
GABRIEL EDUARDO MENDOZA MARTELO, Judge
JORGE IVAN PALACIO PALACIO, Judge
With dissenting vote. With voting clarification.

NILSON PINILLA PINILLA, Judge
JORGE IGNACIO PRETELT CHALJUB, Judge
HUMBERTO ANTONIO SIERRA PORTO, Judge
LUIS ERNESTO VARGAS SILVA, Judge
With dissenting vote. With voting clarification.

MARTHA VICTORIA SÁCHICA MENDEZ, Secretary General

* * *
1. The Chamber considers it necessary to reiterate the note introduced in judgment C-1011 of 2008, MP Jaime Córdoba Triviño, on the use of the term habeas data: "It should be noted that the designation 'habeas data' has not been the only one used by the jurisprudence to identify the powers of the concerned subject from databases. Thus, during the development of the concept in the decisions of the Court they have used the expressions 'computer self-determination' or 'informational self-determination'. In any case, these three definitions refer to the same legal reality, so do not offer major difficulties in their alternative use. However, given the need for a uniform description and given the widespread use of the term in the context of the Colombian constitutional law, this ruling will use the term habeas data in order to appoint the right of all persons to exercise the faculties of knowledge, update and correction of personal information contained in databases." The equivalence between the terms habeas data and informational self-determination had also been announced in Case T-729 of 2002, MP Eduardo Montealegre Lynett.

2. However, the first time the right to privacy (or privacy, in Anglo-Saxon legal language) was spoken of was in 1890, when the Americans Samuel Warren and Louis Brandeis published the article 'The Right To Privacy', which advocated establishing legal limits to prevent the interference of journalism in the private lives of people. Warren, Samuel. Brandeis, Louis. "The Right To Privacy". Harvard Law Review. 1890. p. 193. See also Gregory, Carlos G. "Personal Data Protection: Europe vs. United States, a real dilemma for Latin America" to make transparent the State: the Mexican Experience Access to Information. Autonomous University of Mexico, 2004. p. 301. The original idea of the right to privacy was marked by an accentuated individualism, to the point that reference was made to the right to be alone or the right to be left alone.

3. Events like those that occurred during the Second World War in Germany, where census information and government records were used to detect Jews and other populations that were victims of genocide, led, once the war ended, to the right to privacy receiving reinforced protection at national and regional levels. This same reason inspired the introduction of Article 12 of the Universal Declaration of Human Rights.

4. It is worth noting the data protection law of the German Federal State of Hesse of 1970, the Swedish Act of 1973, Article 35 of the Portuguese Constitution of 1976, the German federal law of 1977, the French and Austrian laws of 1978 and Article 18.4 of the Spanish Constitution of 1978. These regulations set limits on the use of information against personal data from two fundamental principles: prior authorization for the establishment of databanks, and subsequent control and inspection. See Bru Cuadra, Elisenda. "Data protection in Spain and the European Union". IDP. Internet magazine, Law and Politics, No. 5, 2007. University of Catalonia. Pp 78-92. González García, Aristeo. "The protection of personal data: the fundamental right of the century. A comparative study". Mexican Comparative Law Bulletin [online], XL (September to December), 2007. Available at: ISSN 0041-8633.

In this decade the Privacy Act of 1974 was also issued in the United States, likewise inspired by the need to protect privacy against new technologies. Unlike what happened in Europe, this law has faced serious difficulties in its implementation. See Bignami, Francesca. "European versus American Liberty: A Comparative Analysis of Antiterrorism Privacy Data Mining". Boston College Law Review, 2007. P. 609.

5. See Bru Cuadra, Elisenda. "Data protection in Spain and the European Union". IDP. Internet magazine, Law and Politics, No. 5, 2007. University of Catalonia. Pp 78-92. Specifically, Article 8 provides: "Any person shall be enabled:

a) To know of the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file.

b) To obtain, at reasonable intervals and without excessive delay or expense, confirmation of whether or not the automated file contains personal data concerning that person, and communication of such data in intelligible form."

6. The Convention was preceded by the "guidelines on privacy protection and transborder flows of personal data" adopted by the Organisation for Economic Co-operation and Development (OECD) in 1980, in which basic principles of protection of personal data are defined, applicable to both the public and private sectors, such as the principle of limitation of data collection, the principle of specificity of the purpose, the use limitation principle, and the principle of security safeguards, among others. The explanatory memorandum of the guidelines recognizes the tendency to base the protection of personal data on a broader notion of privacy. In this regard, it states: "(...) there is still a tendency to broaden the traditional concept of privacy ('the right to be left alone') and to identify a more complex synthesis of interests that perhaps can more correctly be termed privacy and individual liberties."

7. Ireland in 1980 and England in 1984.

8. Cited by Gutiérrez Prieto, Juan Jose. "Data protection in the Library of the Complutense University", 2006. Available at: http://www.scribd.com/doc/42380514/Proteccion-de-Datos-en-La-Biblioteca-de-La-Universidad- Complutense de Madrid. In this ruling, the court declared certain aspects of the Law of Population Census 1982 unconstitutional.

9. See judgment 254 of July 20, 1993. Cited in: Garriaga Dominguez A. The protection of personal data in the Spanish law. Dykinson - Human Rights Institute Bartolomé de las Casas of Carlos III University of Madrid, 1999. Later, in judgment 292 of 30 November 2000, the Spanish Court stated that the fundamental right to informational self-determination is different from the right to privacy, because while the latter protects people against any invasion of the sphere of their personal or family life, the right to informational self-determination guarantees people a power of control over their personal data, as well as over their use and destination, in order to prevent traffic in them that is illicit and damaging to the dignity of the holder. See González García, Aristeo. "The protection of personal data: the fundamental right of the century. A comparative study". Mexican Comparative Law Bulletin [online], XL (September to December), 2007. Available at: ISSN 0041-8633.

10. Since 1990, the European Community sought to ensure the proper functioning of the single market, for which it was necessary to establish uniform protection of personal data, as differences between the laws protecting them could constitute an obstacle to the flow of data. To achieve this objective, Directive 95/46/EC was issued. The Directive requires of Member States fair and lawful processing of personal data, taking into account the processing of sensitive data, informing interested parties of data collection, and pursuing explicit and legitimate purposes in the collection of data. It also recognizes the right of interested parties to access data and object to their treatment, the principle of conservation only for the time necessary for the purposes for which they were collected, and the establishment of an independent supervisory authority for the protection of personal data. The Directive also includes a provision under which the transfer of data to third countries depends on the latter ensuring an adequate level of data protection.

11. The Committee states: "10. The collection and recording of personal information on computers, data banks and other devices, whether by public authorities or by private persons or bodies, must be regulated by law. States must take effective measures to ensure that information concerning the private life of a person does not fall into the hands of persons not authorized by law to receive, process and use it, and that it is never used for purposes incompatible with the Covenant. For the protection of privacy to be as effective as possible, every individual should have the right to verify whether his personal data are stored in automated data files and, if so, to obtain intelligible information on what those data are and for what purpose they have been stored. Also, everyone should be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed in contravention of the laws, every person should have the right to request rectification or elimination."

12. See Case T-414 of 1992, MP Ciro Angarita Baron; T-161 of 1993, MP Antonio Barrera Carbonell; and C-913 of 2010, MP Nilson Pinilla Pinilla.

13. Cf. Case T-340 of 1993, MP Carlos Gaviria Díaz.

14. See rulings SU-082 of 1995, MP Jorge Arango Mejía, and T-176 of 1995, MP Eduardo Cifuentes Muñoz.

15. MP Jorge Arango Mejía.

16. MP Eduardo Cifuentes Muñoz.

17. MP Eduardo Montealegre Lynett.

18. See also Case C-1147, 2001, MP Manuel José Cepeda Espinosa.


19. "In this regard, in its judgment T-414 of 1992, the Court stated: 'computer freedom, it is the right to provide information, to preserve the computer identity, that is, to permit, control or rectify data concerning the personality of the owner thereof and, as such, they identify and individualize to others.' Likewise, in ruling SU-082 of 1995, it said: 'Computer Self-determination is the right of the person to whom the data relates to authorize its conservation, use and circulation, in accordance with legal regulations.' And in judgment T-552 of 1997 it stated: '... the right to informational self-determination entails, as recognized by Article 15 of the Constitution, the power of all people "know, update and rectify information that they gathered about them in databases and files of public and private entities".'"

20. "The foundation of validity of the so-called principles of management of personal data, is in the second paragraph of Article 15 of the Constitution, which is in terms of the Court, 'the normative and axiological context within which to move, integrally computer processing' and which derive 'general rules that must be respected in order to affirm that the process of collection, use and dissemination of personal data is constitutionally legitimate' and which in turn are the result 'of direct application of constitutional norms to computer process'."

21. MP Jaime Córdoba Triviño.

22. Approval requires an absolute majority and not a simple one; in addition, the law must be approved within a single legislative term and must be subject to prior review by the Constitutional Court (Articles 153 and 441-8 of the Constitution).

23. See Case C-319 of 2006, MP Alvaro Tafur Galvis.

24. MP Alejandro Martinez Caballero.

25. Cf. Case C-319 of 2006, MP Alvaro Tafur Galvis.

26. Cf. Case C-055 of 1995, MP Alejandro Martinez Caballero. In this sense, in Case C-037 of 1996, the Court explained that corresponds to the normal statutory laws "(...) the general structure of the administration of justice and the substantial and procedural principles that should guide judges in its role in resolving the various conflicts or matters submitted to the Court "

27. Cf. Case C-580 of 2001, MP Clara Inés Vargas Hernández.

28. Cf. Case C-013 of 1993, MP Eduardo Cifuentes Muñoz.

29. Cf. Case C-226 of 1994, MP Alejandro Martinez Caballero. See also Case C-319 of 2006, MP Alvaro Tafur Galvis.

30. In Case C-313 of 1994, MP Carlos Gaviria Diaz, the Court stated: "Note, finally, that the statutory law refers, in each case, a specific law and its purpose is to develop its scope from its core essential defined in the Constitution. " Then, in Case C-408 of 1994, MP Fabio Moron Diaz, the Court stated: "(...) when the regulation of a fundamental right it is, the demand that is made by a statutory law, be understood limited to closest to the core of that right content as they would, according contrary interpretation, to the ordinary law, legislative rule, without the possibility to exist; since, it repeats, somehow, all legislation more or less far way, is linked with fundamental rights ". (Bold added) See also Case C-981 of 2005, MP Clara Inés Vargas Hernández.

31. Some judgments speak not of an essential core but of the minimum content of the right or of essential structural elements. See, for example, Case C-646 of 2001, MP Manuel José Cepeda Espinosa.

32. In this regard, in Case C-993 of 2004, MP Jaime Araujo Renteria, the Court held: "When a law regulating main and important aspects of the essential core of a fundamental right, in this case of habeas data, the training process this law should have been that of a statutory law on pain of being expelled from the law by procedural defects. "(bold added).

33. See Case C-425 of 1994, MP José Gregorio Hernández Galindo; C-247 of 1995, MP José Gregorio Hernández Galindo; C-374 of 1997, MP José Gregorio Hernández Galindo; C-251 of 1998, MP José Gregorio Hernández Galindo and MP Alejandro Martinez Caballero; C-1338 of 2000, MP (E) Cristina Pardo Schlesinger; C-981 of 2005, MP Clara Inés Vargas Hernández; and C-319 of 2006, MP Alvaro Tafur Galvis.


34. See Case C-319 of 2006, MP Alvaro Tafur Galvis.

35. This thesis can be seen in statements such as the T-227, 2003, MP Eduardo Montealegre Lynett, T-881 of 2002, MP Eduardo Montealegre Lynett, and T-760 of 2008, MP Manuel José Cepeda Espinosa. In the first the Court recalled that the concept of human dignity evolves and therefore also fundamental rights. The Court stated: "(...) the concept of human dignity that has collected the Constitutional Court only be explained within the value system of the Constitution and according to the same system. So, the constitutional status of 'freedom of choice of a concrete plan of life under social conditions in which the individual develops' and' real and effective opportunity to enjoy certain goods and certain services that enable every human being to function in society according to their special conditions and qualities, under the logic of inclusion and the possibility of developing an active role in society ', define the outlines of what is considered essential inherent and inalienable therefore for the person, why translates into subjective rights (understood as negative positive expectations (benefits) o) whose essential contents are subtracted from the transitional majorities. || In this vein, any constitutional right which functionally is aimed at achieving human dignity and is translatable into a subjective right is fundamental. That is, insofar as is necessary to achieve the freedom of choice of a concrete plan of life and ability to function in society and develop an active role in it. This need is not determined a priori way, but defined from existing consensus (dogmatic constitutional law) on the functionally necessary nature of certain provision or abstention (Translatability in subjective right) and the particular circumstances of each case (topical). 
For example, there is now consensus on the absolute need for judicial and administrative procedures set normatively (principle of legality) and provide for the possibility to challenge evidence, present themselves and rebut arguments and offer own (right of defense), so that the person can be free and active in society; while will be the specific circumstances that define whether a cosmetic surgery only pursues narcissistic interests or respond to a functional need, so that the person can be active in society (v. gr. physiological and pain that require a breast reduction). It exemplifying the discussion about the recognition of fundamental rights to legal entities, in which the only consensus is explained by the need to protect functionally essential elements for the correct legal operation of these institutions. || This, it must be stated, not in itself imply that constitutional rights are not fundamental. The existence of consensus (in dogmatic constitutional principle) about the fundamental nature of a constitutional right implies that this right is prima facie considered essential in itself. This is explained because the consensus are based on a common understanding of the fundamental values of society and the legal system. Thus, there is a consensus on the fundamental nature of the right to life, liberty and equality. The consensus about the fundamental nature of these rights clearly explained by the urgent need to protect such rights so that they can qualify for constitutional democracy and social state of law the Colombian model. Needless to indicate that in the current conception of human dignity, these rights are sine qua non to preach respect for that value."

36. This work of delimitation and updating is recognized in ruling T-227 of 2003, in which the Court explained that the definition of the claimable obligations by which a demand of human dignity translates into a subjective right is the product of constitutional, legislative and even jurisprudential decisions.

37. See judgments C-646 of 2001, MP Manuel José Cepeda Espinosa, and C-319 of 2006, MP Alvaro Tafur Galvis.

38. The general limitations are different from those that arise in specific cases from balancing exercises, when rights collide with each other or with other constitutional principles, and which are therefore applicable only to the specific case.

39. See Case C-372 of 2011, MP Jorge Ignacio Pretelt Chaljub.


40. See Case C-981 of 2005, MP Clara Inés Vargas Hernández.

41. MP Jorge Ignacio Pretelt Chaljub.

42. See Bignami, Francesca. "European versus American Liberty: A Comparative Analysis of Antiterrorism Privacy Data Mining". Boston College Law Review, 2007. P. 609.

The European Union's current implementation of a centralized model with common standards of protection aims to facilitate cross-border data flows, essential in areas such as banking and insurance, by setting appropriate standards of data protection.

43. In circumstances where there is no similar protection law, one can resort to other tools such as private safe harbor schemes (Safe Harbor Privacy Principles).

44. See Bignami, Francesca. "European versus American Liberty: A Comparative Analysis of Antiterrorism Privacy Data Mining". Boston College Law Review, 2007. P. 609.

45. See Bignami, Francesca. "European versus American Liberty: A Comparative Analysis of Antiterrorism Privacy Data Mining". Boston College Law Review, 2007. P. 609.

46. According to the Latin American Network of Data Protection, in the context of the protection of personal data, self-regulation refers to "(...) the rules adopted by the entities to define their policies and commitments relating to the processing of personal data." See Red Iberoamericana Data Protection. Self-regulation and Personal Data Protection. Document prepared by the Working Group meeting in Santa Cruz de la Sierra - Bolivia, from 3 to 5 May 2006. In a similar vein, the European Commission has referred to self-regulation as "the set of rules applying to a plurality of controllers belonging to the same professional activity or the same industrial sector, whose content has been determined primarily by members of the industry or profession concerned." See European Commission. Working Group on the protection of individuals with regard to the processing of personal data. Working Paper DG XV D/5057/97: Judging industry self-regulation: In what cases does it make a significant contribution to the level of data protection in a third country? Adopted on 14 January 1998.

47. The implementation of this law has been limited by its federal nature and the lack of enforcement mechanisms. For example, the violation of any term of this law can only be argued before the courts in a liability process with a compensatory purpose. These processes also rarely result in decisions in favor of the owner of the data, because the collection of evidence is very difficult, especially in areas such as defense and intelligence. Another difficulty is related to the scope of the law, because its articles mention only "file systems", which has led to debates on whether it also applies to "databases". Finally, it is noteworthy that this law is binding only on federal authorities, not on individuals, that carry out processing of personal data, and that for an authority to be held liable, its intent or desire to infringe the law must be proven. See Bignami, Francesca. "European versus American Liberty: A Comparative Analysis of Antiterrorism Privacy Data Mining". Boston College Law Review, 2007. P. 609.

48. See Gregory, Carlos G. "Personal Data Protection: Europe vs. United States, a real dilemma for Latin America" to make transparent the State: the Mexican Experience Access to Information. Autonomous University of Mexico, 2004.

49. MP Jaime Córdoba Triviño.

50. The Court stated: "(...) attend several arguments to conclude that the bill statute under review is a partial regulation of the fundamental right to habeas data, focusing on the rules for managing personal information of a financial nature intended calculation of credit risk, why not be regarded as a legal regime governing, in its integrity, the right to habeas data, understood as the power of all people to know, update and rectify information has been collected about them in files and databases of public or private nature. To support this conclusion there are arguments systematic, teleological and historical ".

51. MP Jaime Córdoba Triviño.

52. Cf. Constitutional Court. Judgment C-425 of 29 September 1994


53. See, inter alia, Case C-371 of 2000, MP Carlos Gaviria Díaz; and C-292 of 2003, MP Eduardo Montealegre Lynett.

54. See, among many others, Cases C-011 of 1994, C-179 of 1994, C-180 of 1994, C-037 of 1996 and C-371 of 2000.

55. MP Jorge Ignacio Pretelt Chaljub.

56. MP Rodrigo Escobar Gil.

57. See pages 492-501 of evidence notebook No. 2 (pages 3 to 12 of the Gazette).

58. See pages 424-443 of evidence notebook No. 2.

59. See pages 437 and 438 of evidence notebook No. 2 (pages 14 and 14 of the Official Gazette No. 625 of 2010).

60. See pages 542-546 of evidence notebook No. 2.

61. See folio 580 of evidence notebook No. 2 (page 24 of the Official Gazette No. 957 of 2010).

62. See pages 586-588 of evidence notebook No. 2 (pages 12 to 14 of Gazette No. 958 of 2010).

63. Cfr. Folios 557-568 of evidence notebook No. 2.

64. See folio 561 of evidence notebook No. 2 (p. 10 of the Official Gazette No. 706 of 2010).

65. There is no copy of the Gazette in the record, but the Magistrate's office managed to locate it on the website of the Secretariat of the Senate: http://servoaspr.imprenta.gov.co:7778/gacetap/gaceta.nivel_3

66. See folio 274 of evidence notebook No. 3 (page 54 et seq. of Gazette No. 849 of 2010).

67. It can also be verified in the certificate signed by the Secretary General of the House of Representatives on March 15, 2011, at page 2 of evidence notebook No. 3.

68. See folio 279 of evidence notebook No. 3 (page 59 of the Official Gazette No. 849 of 2010).

69. See pages 158-169 of evidence notebook No. 3 (pages 24 to 35 of the Gazette).

70. See sheet 3 of evidence notebook No. 3.

71. See pages 57 to 64 of evidence notebook No. 2.

72. See folio 57 of evidence notebook No. 2 (page 9 of the Official Gazette No. 833 of 2010) and sheet 162 of evidence notebook No. 3 (page 28 of the Official Gazette No. 868 of 2010).

73. See folio 57 of evidence notebook No. 2 (page 9 of the Official Gazette No. 833 of 2010) and sheet 163 of evidence notebook No. 3 (page 29 of the Official Gazette No. 868 of 2010).

74. See folio 59 of evidence notebook No. 2 (page 11 of the Official Gazette No. 833 of 2010) and sheet 163 of evidence notebook No. 3 (page 29 of the Official Gazette No. 868 of 2010).

75. See folio 61 of evidence notebook No. 2 (page 13 of the Official Gazette No. 833 of 2010) and sheet 163 of evidence notebook No. 3 (page 29 of the Official Gazette No. 868 of 2010).

76. See folio 62 of evidence notebook No. 2 (page 14 of the Official Gazette No. 833 of 2010) and sheet 163 of evidence notebook No. 3 (page 29 of the Official Gazette No. 868 of 2010).

77. See folio 62 of evidence notebook No. 2 (page 14 of the Official Gazette No. 833 of 2010) and sheet 164 of evidence notebook No. 3 (page 30 of the Official Gazette No. 868 of 2010).

78. See folio 63 of evidence notebook No. 2 (page 15 of the Official Gazette No. 833 of 2010) and sheet 164 of evidence notebook No. 3 (page 30 of the Official Gazette No. 868 of 2010).

79. See folio 63 of evidence notebook No. 2 (page 15 of the Official Gazette No. 833 of 2010) and sheet 164 of evidence notebook No. 3 (page 30 of the Official Gazette No. 868 of 2010).

80. See folio 63 of evidence notebook No. 2 (page 15 of the Official Gazette No. 833 of 2010) and sheet 164 of evidence notebook No. 3 (page 30 of the Official Gazette No. 868 of 2010).

81. See folio 63 of evidence notebook No. 2 (page 15 of the Official Gazette No. 833 of 2010) and sheet 164 of evidence notebook No. 3 (page 30 of the Official Gazette No. 868 of 2010).

82. See folio 63 of evidence notebook No. 2 (page 15 of the Official Gazette No. 833 of 2010) and sheet 164 of evidence notebook No. 3 (page 30 of the Official Gazette No. 868 of 2010).

83. See pages 88 and following of evidence notebook No. 4.

84. See pages 13 to 36 of evidence notebook No. 4.

85. Judgment T-1037/08. Reference: Docket T-1829618. Rapporteur: Dr. Jaime Córdoba Triviño. Bogotá DC, twenty-three (23) October two thousand and eight (2008).

86. See folio 59 of evidence notebook No. 4.

87. See pages 1 and 2 of evidence notebook No. 4.

88. See the certification at pages 3 and 4 of evidence notebook No. 4.

89. See folio 64 of evidence notebook No. 4 (page 5 of the Gazette No. 39 of 2010).

90. See pages 37 to 55 of evidence notebook No. 4.

91. See sheet 1 of evidence notebook No. 5.

92. See pages 254 and 462 of evidence notebook No. 5.

93. See the certification at sheet 1 of evidence notebook No. 5. Also, see pages 78 to 83 of Gazette No. 80 of 2011, at pages 179-182 of the same evidence notebook.

94. See 183 and 184 of evidence notebook No. 5 (pages 82 and 83 of the Official Gazette No. 80 of 2011).

95. See sheet 158 of evidence notebook No. 7.

96. See sheet 1 of evidence notebook No. 6.

97. See pages 21 and 22 of evidence notebook No. 6.

98. See pages 31 and 32 of evidence notebook No. 5.

99. See sheet 1 of evidence notebook No. 5.

100. See paragraph 2.1.2. (b), page 6, supra.

101. See paragraph 2.1.4. (b), pages 9 and 10, supra.

102. See paragraph 2.2.3. (b), page 14, supra.

103. See paragraph 2.2.5. (b), page 20, supra.

104. See paragraph 2.3.2. (b), pages 21 and 22, supra.

105. See paragraph 2.3.3. (b), pages 22 and 23, supra.

106. This is stated in the minutes No. 12 of the same date, published in the Congress Gazette No. 958 of November 24, 2010.

107. See Act No. 23 of the same date, published in the Congress Gazette 849 of November 2, 2010.

108. As stated in the Act No. 33 of the same date, published in the Congress Gazette 39 of 11 February 2011.

109. Plenary Session contained in the Act No. 34 of the same date, published in the Congress Gazette No. 80 of 11 March 2010.

110. This can be seen in Act No. 43 of the plenary session of the House of Representatives of that date, contained in the Congress Gazette No. 237 of May 6, 2011, and also in Act No. 35 of the plenary session of the Senate of the same date, contained in the Congress Gazette No. 81 of 14 March 2011.

111. Cfr. Judgment C-644 of 2004, MP Rodrigo Escobar Gil; Auto 038 of 2004, MP Manuel José Cepeda Espinosa; and Judgment C-533 of 2004, MP Alvaro Tafur Galvis.

112. Auto A-089 MP: Manuel José Cepeda Espinosa; SV: Jaime Araujo, Alfredo Beltran, Jaime Cordoba and Clara Inés Vargas.

113. Judgment C-576 of 2006

114. This is stated in the Act No. 11 of this date, published in the Congress Gazette No. 957 of 24 November 2010.

115. As stated in the Act No. 12 of that same date, published in the Congress Gazette No. 958 of 24 November 2010.

116. As stated in the Act No. 22 of the same date, published in the Congress Gazette 925 of 18 November 2010.

117. This can be seen in Act No. 23 of the same date, published in the Congress Gazette 849 of November 2, 2010.

118. Session contained in the Act No. 32 of this date, published in the Congress Gazette No. 38 of 11 February 2011.

119. As stated in the Act No. 42 of this date, published in the Congress Gazette No. 287 of 20 May 2011.

120. See Case C-486 of 2009, MP María Victoria Calle Correa. The Court has clearly stated that a defect consisting of disregard for the principle of unity of matter is substantial in nature and therefore "can not be remedied" (Judgment C-025 of 1993, MP Eduardo Cifuentes Muñoz); and "therefore action against a law for violating Article 158 of the Charter does not expire" (Judgment C-531 of 1995, MP Alejandro Martinez Caballero). See also judgments C-256 of 1998, MP Fabio Moron Diaz; C-006 of 2001, MP Eduardo Montealegre Lynett; C-501 of 2001, MP Jaime Córdoba Triviño; C-120 of 2006, MP Alfredo Beltran Sierra; C-506 of 2006, MP Clara Inés Vargas Hernández; C-211 of 2007, MP Alvaro Tafur Galvis; C-214 of 2007, MP Alvaro Tafur Galvis; and C-230 of 2008, MP Rodrigo Escobar Gil.

121. The Court, inter alia in judgment C-501 of 2001 (MP Jaime Córdoba Triviño), in relation to the process of drafting the law, has recognized as manifestations of the principle of unity of matter: i) the power granted to the presidents of the legislative committees to reject bills that do not relate to a single subject, and ii) the realization of the democratic principle in the legislative process, by seeking to ensure that the initiative, discussion and approval of laws adhere to a subject matter predefined from the emergence of the proposal itself, and that the discussions and contributions prior to the enactment of the law are channeled in that direction.

122. MP Jorge Ignacio Pretelt Chaljub

123. Cfr. Judgment C-025 of 1993, MP Eduardo Cifuentes Muñoz. In the same vein, see also Judgment C-1067, 2008, MP Marco Gerardo Monroy Cabra.

124. See íbidem

125. Cfr. Ibid

126. Judgment C-714 of 2008, MP Nilson Pinilla Pinilla.

127. Cfr. Judgment C-786 of 2004, MP Marco Gerardo Monroy Cabra.

128. Ibídem

129. Cfr. Judgments C-025 of 1993, MP Eduardo Cifuentes Muñoz, reiterated in the judgment C-992 of 2001, MP Rodrigo Escobar Gil.


130. See Judgment C-1025 of 2001, MP Manuel José Cepeda Espinosa.

131. The second paragraph of Article 160 of the Constitution states: "During the second debate each chamber may introduce into the bill the amendments, additions and deletions it deems necessary".

132. Paragraphs 2 and 3 of Article 157 of the Charter point:

"No bill shall become law without meeting the following requirements:

(...)

2nd) have been approved in the first debate on the relevant standing committee in each chamber (...).

3rd) have been approved in each chamber in second debate

(...) "

133. On the characterization of the identity principle, see Judgments C-141 of 2010, MP Humberto Antonio Sierra Porto; C-539 of 2008, MP Humberto Antonio Sierra Porto; C-178 of 2007, MP Manuel José Cepeda Espinosa; C-305 of 2004, MP Marco Gerardo Monroy Cabra; C-312 of 2004, MP Alfredo Beltrán Sierra; C-1056 of 2003, MP Alfredo Beltrán Sierra; C-1147 of 2003, MP Rodrigo Escobar Gil; C-801 of 2003, MP Jaime Córdoba Triviño; C-839 of 2003, MP Jaime Córdoba Triviño; C-922 of 2001, MP Marco Gerardo Monroy Cabra; C-950 of 2001, MP Jaime Córdoba Triviño; and C-1488 of 2000, MP Martha Victoria Sáchica Méndez.

134. MP Humberto Antonio Sierra Porto

135. Judgment C-208 of 2005: "it is contrary to the principle of consecutiveness in the adoption of laws for a text proposed within the committees not to be subjected to the appropriate procedure, and instead for its study simply to be delegated to the plenary of each chamber, since such a situation, in which the corresponding committee waives its constitutional jurisdiction in favor of the plenary, prevents the first debate of the bill from being properly conducted, thereby disregarding the provisions of paragraph 2 of Article 157 CP."

136. Judgments C-801 2003, C-839 2003, C-1113, 2003, C-1056, 2003, C-1147 2003 and C-1152, 2003, 1092, 2003, C-312 2004, C-313 2004, 2004 C-370, C-372, 2004.

137. MP Jorge Ignacio Pretelt Chaljub

138. It is clarified that the changes to be discussed are those affecting the content of the provisions; modifications related to drafting, grammar and terminology are therefore not relevant and will not be studied.

139. See Gazette No. 488 of 2010. Folio 493 of evidence notebook No. 2.

140. See Gazette No. 625 of 2010. Folio 425 of evidence notebook No. 2.

141. Folio 493 of evidence notebook No. 2.

142. Pages 11 and 12 of Official Gazette No. 488 of 2010, where the bill and its explanatory statement were published (pages 494 and 495 of evidence notebook No. 2).

143. Page 10 of Congress Gazette No. 1023 of 2010, folio 22 of evidence notebook No. 4.

144. See: 1. Gazette No. 488 of 2010, where the bill is published.

2. Gazette No. 625 of 2010, in which the report for first debate in the House of Representatives was published.

3. Gazette No. 958 of 2010, with Minutes No. 12 of September 14, 2010, when the project was approved in first debate.

4. Gazette No. 706 of 2010, publication of the report for second debate.

5. Gazettes 849 and 868 of 2010, containing Minutes No. 23 and 24 of 13 and 19 October 2010 respectively, which record the discussions and approval of the project in second debate.

145. See Congress Gazette No. 60 of February 28, 2011, at pages 90 to 94 of evidence notebook No. 4.

146. Page 10 of Congress Gazette No. 1023 of 2010, folio 22 of evidence notebook No. 4.

147. See Gazettes No. 1101 and 1102 of 2010, in which the report of the Accidental Conciliation Commission is published.

148. MP Manuel José Cepeda Espinosa

149. Judgment C-013 of 1993, MP Eduardo Cifuentes Muñoz.

150. C-222, 1997, MP José Gregorio Hernández Galindo, where the Court examines the constitutionality of an amendment to a legislative act during the second period and precise rules on procedure laws that apply to legislative acts.

151. This was recognized by the Court in Case C-013 of 1993, MP Eduardo Cifuentes Muñoz, in which the Court examines a complaint against the law 1st 1991 (Statute Seaports), demanded, among other things, because as in the discussion of law in the sessions of Commission III of the House of Representatives and in the plenary sessions of the House and Senate, there had been controversy and opposing positions, there had not been so debate. The Court rejects this colloquial view of "debate" and states that should be made to the legal definition.


152. In this regard, the Judgment C-222 of 1997, MP Jose Gregorio Hernandez Galindo states that the debate is a prerequisite for the decision and that under its constitutional importance the need for a deliberative quorum was established.

154. See, among others, Judgments C-141 of 2010, MP Humberto Antonio Sierra Porto; C-033 of 2009, MP Manuel José Cepeda Espinosa; C-1488 of 2000, MP Martha Victoria Sáchica Méndez; C-702 of 1999, MP Fabio Morón Díaz.

154. See Judgment C-141 of 2010, MP Humberto Antonio Sierra Porto

155. As long as they occurred after completion of the structural stages of the legislative process, that is, discussion and approval of the bill both in committee and in the plenary of one of the chambers. See, among others, Orders (Autos) 309 of 2009, MP Juan Carlos Henao Pérez, and 081 of 2008, MP Jaime Córdoba Triviño; Judgments C-241 of 2006, MP Marco Gerardo Monroy Cabra, and C-576 of 2006, MP Manuel José Cepeda Espinosa.

156. See Case T-729 2002 MP Eduardo Montealegre Lynett.

157. The intervener specifically raises the following points: "(...) in Colombia there are many records of public and private entities that contain personal data. For example, traders have personal data about their customers, and although legislation on the regulation of files exists in Colombia, it is scattered and refers to the correct treatment of the files but not to the processing of personal data. This is a reason not to exclude from the scope of the bill under study personal information that rests in files." He adds that "it is extremely important that the personal information on file in public or private entities be treated in observance of the content of Article 15 Superior as well as the jurisprudential rules developed by this Corporation, in the sense of recognizing that databases and files are different figures."

158. Cf. Case T-443 of 1994, MP Eduardo Cifuentes Muñoz.

159. MP Jaime Córdoba Triviño.

160. The Court stated the following in Case C-1011, 2008, MP Jaime Córdoba Triviño: "However this test, the Court notes necessary to stipulate that the constitutional legitimacy of the consecration of areas of exclusion to the rules contained in the Bill It does not mean, in any way, that both these areas, such as those in which they carry out tasks of collecting, processing and movement of personal data, are excluded from the protection that incorporates the fundamental right to habeas data and generally , freedom and other guarantees in the Constitution, according to the formula set out in Article 15 CP and in accordance with the principles identified by the constitutional jurisprudence and described in paragraph 2 of this materials analysis. Therefore, in each of the activities of management of personal data must be complied with plexus of rights, freedoms and own the fundamental right to habeas data guarantees, according to the considerations throughout this sentence. Even, the Chamber notes that the same rules of statutory law, as envisaged by the management principles of personal data, as well as the rights and duties of holders, sources and users; can serve as a parameter for assessing the legitimacy of other treatment modalities personal information, as those provisions are relevant and applicable.

This conclusion is supported by the fact that the enactment of a statutory provision does not detract from the normative value of the constitutional text and the immediate application of the provisions enshrining fundamental rights (Art. 85 CP). "

161. While this observation refers to the right to privacy, as explained in previous asides, the right to habeas data in the universal system of human rights protection is still guaranteed through the right to privacy, for autonomy first it has not yet been recognized, at least at the level of international treaties.

162. For example, the T-396 1998 judgment, MP Antonio Barrera Carbonell, the Court held that entities that fulfill administrative functions can not derogate from the rules of statutory law, because that is a matter of exclusive competence of the statutory legislator.


163. The Committee said the following about it in the General Comment 16: "With the introduction of the concept of arbitrariness is intended to guarantee that even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the particular circumstances of the case. "

164. Article 2 of Law 1266 provides in that regard: "(...) are excluded from the application of this law those data maintained in an exclusively personal or domestic sphere and those circulating internally, that is, not supplied to other legal or natural persons." They were also treated as two different hypotheses in Judgment C-1011 of 2008, MP Jaime Córdoba Triviño, in which the Court said about the content of the fifth paragraph of Article 2: "(...) the Board considers it appropriate to identify two different contents that the fifth paragraph lays down. The first, which prescribes the inapplicability of statutory regulations to any information held in a personal or domestic sphere. The second, related to the exclusion of the application of the statutory standard for data circulating internally, that is, not supplied to other legal individuals."

165. In the 1266 Act the legislature decided to give them the same treatment, ie, resolved to exclude the two hypotheses of the application of its provisions; however, as explained by this Court in Case C-1011 of 2008, this was due to the Act 1266 refers only to financial and commercial personal data for calculating the credit risk of individuals, area to where itself is reasonable to exclude the data flowing internally, since precisely can not be used to calculate credit risk.

166. MP Eduardo Montealegre Lynett and Clara Inés Vargas Hernández.

167. In Case C-251 of 2002, MP Eduardo Montealegre Lynett and Clara Ines Vargas Hernandez, the Court explained: "The possibility of imposing duties on public order and defense is also defined by the Charter itself, which attributes this paper primarily the security forces. Thus, the Armed Forces corresponds to the defense of the sovereignty, independence, national territorial integrity and constitutional order, while the police must maintain the conditions necessary for the exercise of public rights and freedoms conditions and ensure that the inhabitants of Colombia live together in peace (CP Articles 217 and 218). This means that the security forces is the guarantor of civic life, and can not move to the citizens themselves this role, without distorting the constitutional structure of the Colombian State, as will be explained later. "

168. Cf. Judgement C-1011, 2008, MP Jaime Córdoba Triviño.

169. In Case C-251 of 2002, MP Eduardo Montealegre Lynett and Clara Ines Vargas Hernandez, the Court stated: "Thus, the constitutional formula implies a proscription of any totalitarian long shot. Indeed, as we know, totalitarian states like Nazism and fascism that developed in Europe between the two world wars, had some distinctive features: regimes were not only terror but nations where there were no boundaries between the State and society, so that society was absorbed by the state. Moreover, in such societies people they were paid by the State, which was considered an end in itself. In radical opposition to such political philosophies, the 1991, which is essentially personalistic and not statist, makes the dignity and rights of the person the basis of the state, and therefore, instead of putting the individual at the service State, puts authorities serving the community and individuals (CP arts 1st, 2nd and 5th). "The subject, reason and purpose of the 1991 Constitution is the human person," he reiterated the Court since its first decisions. And therefore, it is clear that they are banned from our constitutional policies that allow absorption of society by the State or the instrumentation of people benefit simple aggrandizement and glorification of the state.


9- These defining features of the Colombian state, have obvious implications on security and defense policies. If the state is based on the dignity and rights of the person, then the preservation of public order is not an end in itself but is, as this Court has said, 'a subordinate value to respect for human dignity' so, 'the preservation of public order achieved by the suppression of civil liberties is therefore not compatible with the democratic ideal'. And on the other hand, if the State is at the service of the community and people, then obviously up to the authorities to protect and be guarantors of security of persons State and not people protect and be guarantors of security State. "

170. MP Jaime Córdoba Triviño.

171. Similarly, in Judgment C-127 of 1993, MP Alejandro Martínez Caballero, the Court concluded "that the international community has recognized unanimously and repeatedly that terrorism is a crime to be heinous has a different deal." Then in Judgment C-762 of 2002, MP Rodrigo Escobar Gil, the Court recognized that terrorism seriously affects various fundamental rights and is therefore conduct whose investigation and punishment are required by the rules of international law, including those that have the character of ius cogens. See also Judgments C-1055 of 2003, MP Marco Gerardo Monroy Cabra, and C-037 of 2004, MP Jaime Córdoba Triviño.

172. See Case C-931 of 2007, MP Marco Gerardo Monroy Cabra. The Court stated the following on that occasion: "Indeed, in recent times, criminal organizations have joined the globalized world to leverage their technology and business benefits. The development of the media, electronic commerce, transportation has allowed the sophistication of criminal mechanisms, making it increasingly difficult to detect those responsible and more difficult the apprehension of their profits."

173. The need to give effect to the principles of habeas data in the work of detecting terrorist financing had already been announced by the Court in Case C-537 of 2008, MP Jaime Córdoba Triviño, in which the Corporation explained: "(...) the exchange of financial information which provide for the provisions analyzed shall, in any case, be preceded by the guarantee of the right to informational self-determination of those affected by the measures, under the terms of Article 15 CP therefore, actions running the State in order to fulfill their commitments interdiction resources for the financing of terrorism, must ensure that information holders retain the right to know, update and rectify the data concerned. Similarly, treatment of that information is subject to the effectiveness of the principles of freedom, necessity, truthfulness, integrity, inclusion, purpose, usefulness, restricted circulation, expiry and individuality, as it has stated the constitutional jurisprudence".
174. Report published in the Gazette No. 1080 of 13 December 2010.

175. MP Alejandro Martinez Caballero and Jorge Arango Mejía.

176. MP Nilson Pinilla Pinilla.

177. In its judgment T-066 of 1998, MP Eduardo Cifuentes Muñoz, the Court stressed the importance of intelligence work in a constitutional and state: "(...) the Court asks whether the security agencies are authorized to collect information on the people. This question has already been answered in the affirmative by the Corporation. This on the basis of the State's obligation to ensure the constitutional order and provide partners both necessary conditions for the exercise of the rights and freedoms as an environment of peace, duties they whose fulfillment lies in a very important degree the military and the national police (CP, arts. 217 and 218) ".


178. In its judgment T-066 of 1998, MP Eduardo Cifuentes Muñoz, the Court had already stated that while the collection of personal data for intelligence and counterintelligence is authorized by the Constitution, it must in any case respect fundamental rights, due process and the principles of reserve, necessity and purpose proper to habeas data. The Court stated: "But this power is not unlimited. Note that in the same transcript separate states that in the process of gathering information must respect human rights and due process. In addition, in the same judgment it was established that the aforementioned security agencies must maintain the strictest secrecy on data obtained, ie that "can not diffuse outside the information about a person, except in the only event of a 'history' criminal or misdemeanor, which allows third parties to disclose official information on a person

(...)

On the other hand, it should be noted that the information must be collected strictly necessary, so that not the right partners to privacy is affected. In addition, for an investigation of certain individuals is undertaken should be grounds to reasonably presume that they may have committed an offense. In the absence of this condition the doors to a state controller would be opened at the expense of the freedom of citizens. "

179. See Case T-444 of 1992, MP Alejandro Martinez Caballero; T-525 of 1992, MP Ciro Angarita Baron; and T-066 of 1998, MP Eduardo Cifuentes Muñoz. According to these statements, the intelligence and counterintelligence is reserved and therefore can not be disclosed to the media or "press conferences". In addition, in the first judgment, the Court stated: "(...) so that it may even collect and store information about a person, within the framework of its legitimate and democratic functions, provided they do not disclose or advertising for any means information about that person, unless the event that she has a criminal or misdemeanors history, that is, having a conviction handed down in final court judgment, as provided in Article 248 of the Constitution, reproduced in Article 12 of the code of procedure criminal, as a guiding principle of the new procedural system. "

180. See Judgment T-634 of 2001, MP Jaime Araujo Rentería.

181. See Bignami, Francesca. "European versus American Liberty: A Comparative Analysis of Antiterrorism Privacy Data Mining". Boston College Law Review, 2007. P. 609.

182. MP Manuel José Cepeda Espinosa

183. MP Jaime Córdoba Triviño.

184. See Judgment T-729 of 2002, MP Eduardo Montealegre Lynett.

185. Cfr. Judgment T-414 of 1992, MP Ciro Angarita Baron.

186. See Case T-729 of 2002, MP Eduardo Montealegre Lynett; C-491, 2007, MP Jaime Córdoba Triviño; and C-1011, 2008, MP Jaime Córdoba Triviño and Article 3 of the 1266 Act

187. MP Vladimiro Naranjo Mesa.

188. MP Jaime Córdoba Triviño. The Court stated: "Although the cited precedent contemplated that the information on this condition is characteristic of natural persons, with the Board's nothing precludes category extends to legal persons. This because, in line with the provisions with regard to the analysis of constitutionality of paragraph a) of article under review, the application of the right to habeas data financial and, in general, management principles of personal data, it preaches for any legal subject that is able to produce information likely to be the subject of acts of collection, processing and circulation referred to in Article 15 CP accordingly, is compatible with the Constitution that within the definition of personal data , included the one produced by legal persons, as they are entitled to the right to habeas data. "(bold added).


189. These concepts seem to be taken from Article 2 of Directive 95/46/EC, which defines them as follows: 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

190. ARTICLE 29 DATA PROTECTION WORKING PARTY. This Group was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy.

191. On the importance of this distinction, the Opinion 1/2010 of 16 February 2010 states: "(...) the practical application of the concepts of data controller and data processor is being increasingly complex. This is due primarily to the increasing complexity of the environment in which these concepts are used and, in particular, a growing trend in both the private sector and the public, towards organizational differentiation, combined with the development of ICT and globalization, which can lead to new and difficult issues arise because sometimes it is diminished the level of protection of stakeholders ".

192. In Directive 1/2010 on the concept of data processor, states: "(...) to act as a processor must be two basic conditions: first, be an independent legal entity responsible for treatment and, on the other, make the processing of personal data on his behalf "

193. Article 2 of Law 25,326 of 2000, the Argentine legislator referred to responsible file, register, base or database as the owner of the respective file, register, base or database. In Uruguay, Law 18.331 of 2008, defined in Article 7 responsible as the "owner of the database or that determines the purpose, content and use of treatment." The Organic Law on Personal Data Protection Spanish 1999 defines the controller's "natural or legal person, public or private, or administrative body which determines the purpose, content and use of treatment." Law 19.628 of 1999 in Chile and the Law 8969 of 2011 in Costa Rica, define responsible as the person who "administer, Gerencie or be responsible for the database, (...) under the law, to decide the purpose of the database, which categories of personal data must register and what type of treatment will apply ".

194. The source is defined by Article 3 of the 1266 Act as follows: "b) Source of information. Is the person, entity or organization that receives or know personal details of the holders of information, under a business relationship or service or any other and that due legal authorization or the holder, provided such data an operator of information, which in turn deliver to the end user. If the source delivers information directly to users rather than through an operator, that will have the dual role of source and operator and assume the duties and responsibilities of both. The source of information is responsible for the quality of the data supplied to the operator which, in terms of access and provide personal information to third parties, is subject to compliance with the duties and responsibilities envisaged to ensure the protection of the rights of the holder of the data; "


195. The user is defined by Article 3 of Law 1266 as follows: "d) User. The user is the natural or legal person who, under the terms and conditions provided in this law, can access personal information from one or more holders of the information provided by the operator or by the source, or directly by the holder information. The user, as has access to personal information to third parties, is subject to compliance with the duties and intended to ensure the protection of the rights of the data subject responsibilities. In the case where the user in turn deliver information directly to an operator, that will have the dual status of user and source, and assume the duties and responsibilities of both; "

196. Directive states: "The determination of the" end "of treatment is the responsibility of 'controller'. Therefore, whoever takes this decision is (de facto) the controller. This may delegate the determination of the "means" of processing to the extent that the case of technical and organizational issues. The substantive issues that are essential for the purposes of the legitimacy of treatment are the responsibility of the controller. A person or an entity to decide, for example, how long the data is stored or who has access to data processed acts as controller on this part of the use of data and therefore must comply with all obligations incumbent on a controller. "

197. Opinion on the particular 2010 said "... there is joint control when different parties determine, with respect to a specific treatment operations or the purpose or those essential elements of the media that characterize the controller.

"However, in the context of joint control the participation of the parties to the joint determination may take different forms and the distribution does not have to be necessarily equally. In fact, when several agents, they may have a very close relationship with each other (and sharing, for example, all purposes and means of treatment) or laxer (relationship and, for example, sharing only purposes or means, or a portion thereof). Therefore, consideration must be given a wide variety of types of joint control and analyzed its legal consequences, proceeding with some flexibility to take into account the growing complexity of the current reality of data processing. Given these circumstances, it is necessary to examine the different degrees of interaction or relationship that may exist between the many parties involved in the processing of personal data. First, the mere fact that different parties cooperate in the processing of personal data, eg chain, does not imply that they are jointly responsible for the treatment in all cases, since data exchange between two parties who do not share purposes and means for a common set of operations could only be considered as a transfer of data between controllers acting separately. "

198. Ibid p. 194

199. In this connection Directive 10 is emphatic in pointing out that: "Given these circumstances, it can be argued that joint and several liability of all parties involved should be considered a means of eliminating uncertainties and therefore should only be presumed that there such joint and several liability where the parties involved have not established an alternative, clear and equally effective allocation of obligations and responsibilities or when it is not clearly emanating from the factual circumstances "p. 27.

200. Cfr. Ruling SU-1193 2000

201. International standards on data protection and privacy, adopted on November 5, 2009 in Madrid within the framework of the 31st International Conference of Data Protection and Privacy. The definition largely coincides with that contained in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.

202. For example, the Spanish Constitution in Article 18.4 which states that the law will limit the use of information technology, where some authors conclude that the regulations for data processing applies only to automated processes.

203. González García, Aristeo. The protection of personal data: the fundamental right of the century. A comparative study Mexican Comparative Law Bulletin [online] 2007, XL (September to December): Available in: ISSN 0041-8633

204. Op. cit.

205. Lusky, L., "Invasion of Privacy: a Clarification of Concepts". Quoted by Aristeo García González. Op. cit.

206. MP Juan Carlos Henao Pérez

207. MP Eduardo Montealegre Lynett

208. On this qualification of consent as free, prior and express, see ruling SU-082 of 1995 (sixth and tenth considerations). Also Judgments T-097 of 1995, T-552 of 1997, T-527 of 2000 and T-578 of 2001.

209. MP Eduardo Montealegre Lynett

210. In its judgment T-022 of 1993, the Court recognizes the existence of a true "general interest" in the activity of management of personal data credit content when the same in terms of the Court it "meets the requirement of the interest ", ie, when disclosure of information is adjusted solely for the purpose for which is given: that financial institutions can measure credit risk and the level of their future customers.

211. Cf. Case T-729 of 2002

212. On the principle of truthfulness, in judgments SU-082 of 1995 and SU-089 of 1995, the Court stated that the content of the right to habeas data includes the right to request correction of information that does not correspond to the truth (fifth consideration); it also stated that there is no right to "disclose information that is not true" (sixth consideration). Settled in Judgment T-097 of 1995. See also Judgments T-527 of 2000 and T-578 of 2001, among others. In its judgment T-1085 of 2001, the Court protected the right to habeas data when considering the administering entity vitiate information bias, by providing negative data without having complied with the request for payment in kind to present the actor.

213. Judgment T-729 of 2002

214. The scope of the obligation to remove the negative information, the Court, in its judgment T-022 of 1993, said that once the budgets pleased to request cancellation of the data, "it must be full and final. That is, the financial institution can not move them or store them in an archive file. nor just doing a simple update of the database when coming is the total and definitive exclusion of the name of the petitioner favored with guardianship. Because it not only would undermine the right oblivion but would become suitable instrument control to prolong abusive or undue freedom and privacy of its owner interference. "

215. On the description of this risk, the Court, in its judgment T-414 of 1992, said: "It is necessary, on the other hand, remember that from the fifties such machines as computers have made it possible not only to create and interconnect huge "databases" that can provide immediately a vast amount of personal information over long distances and in a more comprehensive way, but also to establish correlations between data that are individually harmless most of the time but gathered can discover aspects whose attentive revelation against freedom and privacy of the citizen. "

216. The "Madrid Resolution" is a document product of the "Joint Proposal for a Draft of International Standards on the Protection of Privacy in relation to the Treatment of Personal Data", welcomed by the 31st International Conference of data protection and Privacy, held on November 5, 2009 in Madrid.

217. The limit on data processing means that the processing should be adequate, relevant and not excessive in relation to the purposes for which the data were collected. The principle of necessity indicates that efforts must be made to limit data processing to what is necessary.

218. This refers to the requirement that the data controller give the person enough information so that the person has the option of establishing a relationship of transparency with the controller.

219. It states that the data controller is responsible for taking all necessary measures to follow the guidelines on the processing of personal data imposed by national legislation or another competent authority.

220. It notes that international data transfers shall take place only if the recipient country provides at least the same level of protection of personal data as that afforded by the principles outlined here.


In addition, this principle develops the factors to determine whether a host country provides minimum standards for data protection: 1) the nature of the data; 2) the country of origin; 3) the host country; 4) the purpose for which the data are processed, and 5) the security measures in place for the transfer and processing of personal data.

221. The right of access is the right of the individual to request and obtain from the data controller information on their personal data.

222. The person has the right to request that the data controller correct or delete personal data that may be incomplete, inaccurate, unnecessary or excessive.

223. The person may object to the processing of their personal data in cases where there is a legitimate reason, such as unwarranted and substantial damage or distress to the person.

224. Which it is recognized on the principle of legitimacy of personal data.

225. It states that the data controller and the data processor must have reasonable technical and organizational measures in place to ensure the integrity, confidentiality and availability of personal data.

226. Data controllers and data processors have the duty to maintain the confidentiality of all personal data, even after the relationship between the person and the data controller has ended.

227. In order to ensure compliance with and implementation of the principles of data protection, the OAS states that a supervisory authority and a judicial remedy for individuals should be available. Regarding the authority, it says that it must be impartial and independent. It must have technical capacity, powers and adequate resources to conduct investigations and audits to ensure compliance with the relevant standards.

228. MP Jaime Córdoba Triviño

229. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:ES:NOT

230. MP Ciro Angarita Baron

231. MP Eduardo Cifuentes Muñoz

232. MP Jorge Arango Mejía

233. MP Ciro Angarita Baron

234. MP. Alvaro Tafur Galvis

235. MP Eduardo Cifuentes Muñoz

236. MP Clara Inés Vargas

237. MP. Eduardo Montealegre Lynett

238. MP Alvaro Tafur Galvis

239. MP Alvaro Tafur Galvis

240. The term is used by the Opinion 3/2010 on the principle of responsibility, issued by the Data Protection Group of the European Union.

241. Security is one of the elements that the necessary guarantees of protection of personal data in social networking services (SNS) must include. Consequently, the Working Group designed certain parameters under which access to personal information on social networks should be protected, because otherwise it would generate distrust in users, who would have no certainty that their information will be treated properly. In this regard it stated: "SNS should therefore establish privacy-friendly default settings, which allow users to freely and specifically accept that people other than their chosen contacts access their profile, in order to reduce the risk of unlawful processing by third parties. Unlimited access profiles should not be reachable by internal search engines, including the function of searching by parameters such as age or place (...)".

242. MP Jaime Córdoba Triviño.

243. "Cf. Constitutional Court judgment C-517/98 concept reiterated in Case C-692/03. "

244. MP Jaime Córdoba Triviño.

245. Constitutional Court judgment C-853 of 25 November 2009. MP Jorge Iván Palacio Palacio.

246. "MP Manuel José Cepeda Espinosa"

247. "MP Humberto Antonio Sierra Porto"

248. "Article 6:" (...) 2. States Parties shall ensure to the maximum extent possible the survival and development of the child ".

Article 27: '1. States Parties recognize the right of every child to a standard of living adequate for their physical, mental, spiritual, moral and social development. 2. Parents or others responsible for the child have the primary responsibility to secure, within their abilities and financial capacities, the conditions of living necessary for the child's development (...) .' "

249. "According to the Dictionary of the Royal Academy of the Spanish Language, "prevail" means, in its first sense, "to stand out (of a person or thing); to have some superiority or advantage among others"."

250. "Likewise, Article 5 of the Convention on the Rights of the Child provides that "States Parties shall respect the responsibilities, rights and duties of parents or, where appropriate, members of the extended family or community as provided for by local custom, legal guardians or other persons legally responsible for the child, to provide, in line with the child's evolving capacities, appropriate direction and guidance for the child to exercise the rights recognized in the present Convention"."

251. "Judgment T-510 of 2003, MP. Manuel José Cepeda Espinosa) "

252. Cfr. Judgment T-502 of 2011. MP Jorge Ignacio Pretelt Chaljub.

253. See Case C-318 of 2003. MP Jaime Araújo Rentería.

254. See Case T-466 of 2006. MP Manuel José Cepeda Espinosa.

255. See Case C-318 of 2003. MP Jaime Araújo Rentería.

256. The Memorandum of Montevideo contains a series of recommendations resulting from the working seminar "Rights, adolescents and social networks on the Internet", held in Montevideo on 27 and 28 July 2009 with the participation of several academics and experts from many Latin American countries, Canada and Spain. http://www.iijusticia.org/Memo.htm

257. This memorandum seeks to balance the exercise of the right of access to information and knowledge, and also to mitigate the risks that misuse may pose to the exercise of other fundamental rights of those under 18 years, because they could be victims of discrimination, sexual exploitation and pornography, among others, negatively impacting their harmonious and comprehensive development.

In developing its contents, the Memorandum of Montevideo presents a series of recommendations to all stakeholders involved in the protection of personal data of children and adolescents, in order to (i) extend the positive aspects of the Information and Knowledge Society, including the Internet and online social networks, (ii) warn about harmful practices that will be very difficult to reverse, and (iii) prevent the negative impacts these practices entail.

On the other hand, it specifies that the actors involved in the protection and processing of personal data are, first, the State, educational institutions, parents or others who are in charge of their care, and educators. In particular, the State and educational institutions should sensitize parents and responsible persons to the risks that children and adolescents face in digital environments. In general, it should be conveyed to those under 18 years that the Internet is not a place without rules, without responsibilities or of impunity, and that every action has its consequences. To that end, it establishes a series of guidelines for educating children and adolescents in the safe and responsible use of the Internet and online social networks, since their rights and those of others may be affected (paragraphs 1 to 5 of the section called "Recommendations for states and educational institutions for prevention and education of children and adolescents").

Second, regarding the role of the legislature in each country, the memorandum states that the creation, reform or harmonization of regulations must be carried out with primary consideration for the best interests of children and adolescents, containing as a minimum the basic rights and internationally recognized principles and mechanisms for the effective protection of personal data (paragraphs 6 to 9 of the chapter "Recommendations to States on the Legal Framework").

Third, it highlights that judicial systems have a very important role in ensuring good use of the Internet and online social networks. It notes that civil and criminal penalties should apply not only to remedy the violated rights but also to send citizens and businesses clear rules on the interpretation of laws and fundamental principles (paragraphs 10 to 13 of the section "Recommendations for enforcement by States").

Fourth, the Memorandum of Montevideo states that companies that provide Internet access services or develop digital applications or social networks must engage decisively in the protection of personal data and private life, particularly of children and adolescents. For this purpose it includes a series of recommendations (paragraphs 19 to 30 of the chapter "Recommendations for Industry").


258. First (...) after the day of general discussion on implementing child rights in early childhood in 2004, the Committee emphasized that (...) Studies show that the child is able to form opinions from a very early age, even when they cannot yet express them verbally. Therefore, the full implementation of article 12 requires recognition of and respect for non-verbal forms of communication, including play, body language, facial expression, and drawing and painting, through which very young children demonstrate the ability to understand, choose and have preferences. Second, the child need not have a thorough understanding of all aspects of the matter affecting them, but enough understanding to be able to properly form their own judgment on the matter. Third, States parties are also obliged to ensure the observance of this right for children experiencing difficulties in making their voices heard. For example, children with disabilities (...) minorities (...) Indigenous (...) migrants and other (...) in General Comment No. 12 of 2009 of the Committee on the Rights of the Child.

259. Applying the principle of conservation law, Case C-078 of 2007, said: "The Court has understood that under the principle of conservation law, declaratory simple unenforceability can only thrive when the legislative expression is absolutely incompatible with the Charter and no interpretation of it that can conform to the Constitution. Additionally, as discussed below, the Court found that for the purposes of adopting the relevant decision is essential to weigh the effect of the declaration of unconstitutionality on the rights of subjects of special protection to modulate the sense of failure for not check constitutionally protected. "

260. It stresses the importance of the State carrying out a serious campaign to raise awareness among children and adolescents about the importance of the proper use they should make of their personal data.

261. For example, new rights are beginning to take shape in social networks. Thus, the Working Group on Data Protection of the European Union argues that these systems should adopt the following measures: "Obligations of SNS. 1. SNS should inform users of their identity and provide them with clear and comprehensive information about the purposes and different ways in which they will treat personal data. 2. The SNS should set default parameters respectful of privacy. 3. The SNS should inform and warn their users against the risk of attacks on privacy when transferring data to the SNS. 4. The SNS should recommend to their users put online images or information about others without their consent. 5. At least on the home page of the SNS there should be a link to a claims office, for both members and non-members, covering data protection issues. 6. Commercial activity must conform to the standards set by the directive on data protection and the Directive on the protection of privacy in the electronic communications sector. 7. The SNS should set maximum limits for storing the data of inactive users. Abandoned accounts must be deleted. 8. With regard to minors, SNS should take appropriate measures to limit the risks."

262. Remolina, Nelson. Does Colombia have an adequate level of protection of personal data in light of the European standard?

263. Cf. Judgement C-1011, 2008 MP Jaime Córdoba Triviño

264. Cf. Case C-1011, 2008 MP Jaime Córdoba Triviño

265. Cf. Ibid.

266. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:ES:NOT

267. Cf. Case C-265 of 2002, MP Manuel José Cepeda Espinosa. On this occasion the Court declared unconstitutional the third paragraph of Article 64 of Law 675 of 2001, deeming that "(...) condition the possibility of closing an administrative authorization, without indicating criteria that prevent such appropriation and exclusion, is insufficient to protect the constitutionally guaranteed goods".

268. Auto 049 2008 MP Jaime Córdoba Triviño

269. Cf. Constitutional Court, Case C-734/03 and C-852/05.

270. Cf. Constitutional Court, Case C-028/97 and C-290/02.

271. Auto 049 2008 MP Jaime Córdoba Triviño


272. Cf. Case T-220 of 1994, T-158 of 2005 and T-1160A/01, among others.

273. TRONCOSO REIGADA, Antonio. "The Protection of Personal Data. In search of balance". Editorial Tirant lo Blanch Tratados, Valencia 2010. Pp. 1727 et seq. According to him, this cooperation agreement forced some European states to regulate the issue of data protection in their domestic legislation. Regarding Spain specifically, he states that this was an engine for the approval of the organic law governing the subject, LORTAD.

274. This policy is recounted in TRONCOSO REIGADA, pp. 1737-1739

275. www.ec.europa.eu

276. Law 67 of 1998. Law on Personal Data Protection, Article 25.

277. Law 25,326 of 2000. Article 29. "1) Create the NATIONAL DIRECTORATE FOR PERSONAL DATA PROTECTION, within the Secretariat of Justice and Legislative Affairs of the Ministry of Justice and Human Rights, as the supervisory body of Law No. 25,326. The Director shall be dedicated exclusively to the function, shall exercise its duties independently and shall not be subject to instructions. 2) The NATIONAL DIRECTORATE FOR PERSONAL DATA PROTECTION will be headed by a National Director, Level "A" with Executive Function I, appointed by the Executive Branch for a period of four (4) years, who shall be selected from among persons with a background in the matter." (Bold not in the original text). www.jus.gov.ar/datospersonales.aspx

278. BRUNO J. GAIRO and IGNACIO M. SOBA. "The procedural rules of Habeas Data". Editorial IB F. Montevideo-Buenos Aires, citing Ibanez, Perfecto Andrés, p. 28

279. According to TRONCOSO REIGADA, one of the biggest drawbacks of data protection agencies in Europe is their lack of enforceability. Meanwhile, in the American model, characterized by sectoral laws, what is missing is a central body responsible for monitoring, control and protection of personal data.

280. Free translation from English to Spanish.

281. In this regard, Article 2 of Decree 4327/05 provides that the Financial Superintendence of Colombia is a technical body attached to the Ministry of Finance and Public Credit, with legal, administrative and financial autonomy and its own patrimony. Similarly, Article 1 of Decree 2153/92 defines the Superintendency of Industry and Commerce as a technical agency under the Ministry of Economic Development, which enjoys administrative, financial and budgetary autonomy.

282. Article 2 of Decree 4327/05 provides that the Financial Superintendence of Colombia is a technical body attached to the Ministry of Finance and Public Credit, with legal, administrative and financial autonomy and its own patrimony. Similarly, Article 1 of Decree 2153/92 defines the Superintendency of Industry and Commerce as a technical agency under the Ministry of Economic Development, which enjoys administrative, financial and budgetary autonomy.

283. Cf. Judgement C-1011, 2008. Pp 233 and 234

284. P. 236

285. Cf. Judgement SU-1010 2008

286. Cf. Case C-401 2010. MP Luis Ernesto Vargas Silva.

287. Cf. Ruling C-1011 of 2008. Considering 3.6.2.

288. Judgment C-406 of 2004, MP Clara Inés Vargas Hernández.

289. Judgment C-406 of 2004, MP Clara Inés Vargas Hernández.

290. Article 18 of the Draft Statutory Law number 221 of 2007 House, Senate accumulated 027 2006 with the number 05 2006 Senate: "Sanctions. The Superintendency of Industry and Commerce and the Financial Supervisory Authority may impose on operators, sources and users of financial, credit, commercial, services and third-country information, after prior explanations in accordance with the applicable procedure, the following sanctions:

Fines of a personal and institutional nature up to the equivalent of one thousand five hundred (1,500) minimum monthly wages in force at the time the penalty is imposed, for violation of this law and the rules that regulate it, as well as for non-compliance with orders and instructions issued by the Superintendency. The fines provided herein may be successive for as long as the breach that gave rise to them persists.

Suspension of the activities of the Data Bank for a term of six (6) months, when it has been carrying out information management in serious violation of the conditions and requirements of this law, as well as for not complying with orders and instructions issued by the aforementioned Superintendencies to correct such violations.

Closure or shutdown of the operations of the Data Bank when, after expiry of the term of suspension, it has not adapted its technical and logistical operation, and its rules and procedures, to the requirements of the law, in accordance with the provisions of the resolution that ordered the suspension.

Immediate and definitive closure of the operation of databases that manage prohibited data".

291. Judgment C-1011, 2008, MP Jaime Córdoba Triviño.

292. Judgment C-1011, 2008, MP Jaime Córdoba Triviño.

293. Argentina, for example, was certified by decision of 30 June 2003 as ensuring an adequate level of protection with respect to personal data transferred from the Community under Directive 95/46/EC of the European Parliament and of the Council, among other things by having a public database register.

294. States recurrently justify the international transfer of data on grounds of public safety, national security, terrorism investigations, military or police intelligence work, judicial cooperation, immigration controls, etc. On the corporate front, multinationals need to circulate information between the different branches they have in several countries, or require information to provide telephone service to customers through international call centers.

295. Nelson Remolina-Angarita, Does Colombia have an adequate level of protection of personal data in the light of the European standard? 16 International Law, International Journal of International Law, 489-524 (2010).

296. The Working Group was established by Article 29 of Directive 95/46/EC. It is an independent EU advisory body on data protection and privacy. Its functions are defined in Article 30 of that Directive and Article 14 of Directive 97/66/EC.

297. Law 1266 of 2008, whereby general provisions on habeas data are issued and the handling of information contained in personal databases, particularly financial, credit, commercial, services and third-country information, is regulated, and other provisions are issued.

298. Article 26 Paragraph 2: the provisions of this Article shall apply to all personal data, including those covered by the 1266 Act of 2008.

299. International standards on data protection and privacy, adopted on November 5, 2009 in Madrid within the framework of the 31st International Conference of Data Protection and Privacy. The definition largely coincides with that contained in Directive 95/46 of the European Parliament and of the Council of 24 October 1995.

300. Cf. Case T-729 of 2002

301. Judgment C-1011, 2008. P. 106