Colombia: The Superintendence of Industry and Commerce published a draft External Circular on the processing of personal data in the Fintech ecosystem

In brief

On 6 May 2025 the Superintendence of Industry and Commerce (SIC), in its role as national authority for the protection of personal data, published a draft External Circular establishing specific guidelines for the processing of personal data in the Fintech ecosystem ("Draft Circular"). The draft seeks to guide data controllers that offer financial services through technological means on their legal obligations regarding the protection of personal data, in accordance with the provisions of Law 1266 of 2008 and Law 1581 of 2012.


Key takeaways

The most important points addressed in the Draft Circular are the following:

  • Legitimate purpose and proportionality: The processing of personal data must have a legitimate purpose, be necessary, and be carried out for a period proportionate to the financial service offered.
  • Data minimization: Only the information strictly necessary to fulfill the purpose of the processing should be collected.
  • Prior, express and informed consent: It is mandatory to obtain clear and differentiated consent from the data subject before or at the time of processing his/her personal data, whenever consent is requested for purposes additional to those strictly necessary for the provision of the service.
  • Consent: Consent for the processing of personal data may be expressed by the data subject in writing, by a data message, orally or through unequivocal conduct that makes it reasonably possible to determine that consent was granted by the data subject and that it may be consulted later.
  • Transparency in automated decisions: Data subjects should be informed if their data will be used in automated decisions and have the possibility to challenge them through the channels provided for the submission of petitions or complaints.
  • Protection of sensitive data: It is prohibited to condition access to financial services on the provision of sensitive data, such as biometric data, unless differentiated and express consent has been obtained and strict security measures are implemented.
  • Mechanisms for the exercise of rights: Companies should establish visible and effective channels for data subjects to exercise their rights of access, rectification, updating and removal, among other rights granted by the regulation.
  • Transmissions and transfers: Specific parameters are established for the transmission or transfer of data.
  • Privacy Impact Assessments: It is recommended that privacy impact assessments be conducted to identify and mitigate risks associated with the processing of personal data.

Recommendations for Fintech ecosystem data controllers

The Draft Circular includes, among others, the following recommendations for data controllers in the Fintech ecosystem:

  • Policy review and adjustment: Update privacy policies and internal procedures to align with the proposed new guidelines.
  • Implementation of consent and preference mechanisms: Establish clear processes for obtaining informed consent from users. Additionally, enable mechanisms that are visible and intuitive, allowing data subjects to manage their privacy preferences and decide on the sharing of their personal data with third parties.
  • Evaluation of technologies used: Analyze and adjust technologies involving automated decisions to ensure transparency and the right to challenge.
  • Strengthening security measures: Reinforce technical and organizational measures to protect personal data, especially sensitive data. Similarly, the security measures implemented must be recorded and reviewed periodically, adapting to the evolution of risks.
  • Access to personal data: Establish simple and agile mechanisms, permanently available to data subjects, so that they can access their personal data and exercise their rights. Likewise, agents in the Fintech ecosystem must implement procedures that guarantee the keeping of detailed records of requests for access to personal data by authorized third parties.
  • Improve the collection and processing of sensitive data: When collecting this kind of data, which in any case must be exceptional, the data controller must inform the data subject of the following:
    1. That, since the data is sensitive, he/she is not obliged to authorize its processing.
    2. Which of the data to be processed are sensitive and what the specific purposes of such processing are, for each type of sensitive personal data.
  • Signing of clauses: Sign the Model Contractual Clauses included in the "Implementation Guide Model Contractual Clauses for the International Transfer of Personal Data (TIDP)" of the Ibero-American Data Protection Network and its annex "Model Contractual Clauses".

Additional information

The SIC encouraged data controllers in the Fintech ecosystem to heed the above guidelines in order to ensure regulatory compliance and guarantee the protection of data subjects' rights.

For more information, the SIC's Draft Circular can be consulted at the following link. Interested parties may submit comments and observations on the Draft Circular until 21 May 2025.

Please do not hesitate to contact us in case you have any questions or require our advice.

Copyright © 2025 Baker & McKenzie. All rights reserved.