20 Aug Collection and processing of personal data in business premises due to COVID-19’s government measures
On August 18, 2020, the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio – “SIC”) issued External Notice 008 of 2020, to instruct the people and companies who collect personal data to comply with the biosafety protocols and other measures adopted by the National Government in the context of COVID-19. Although the Notice is addressed to all persons who are controllers or processors of personal data, it should be noted that in official communications the SIC has stressed that these measures are mandatory “for all business premises that, because of the COVID-19 State of Emergency, have collected personal data from citizens”.
The Notice begins by recognizing that authorities from different sectors of the economy have adopted measures and protocols in order to counter the effects of the pandemic. These measures were enacted under the State of Health and Sanitary Emergency that was decreed by the National Government in response to the COVID-19 emergency. For example, the Health and Social Protection Ministry issued biosafety protocols that seek to mitigate, control and manage the risks that may arise from COVID-19. In this post, we will explain six main implications of the SIC's External Notice 008 of 2020 regarding the collection and processing of personal data due to COVID-19’s government measures.
- Personal data protection laws are fully applicable in the COVID-19 context.
The main purpose of Statutory Law 1581 of 2012 is to develop the fundamental rights to privacy and personal data protection. The law aims at guaranteeing the right of everyone to know, update and rectify the existing data about them in databases or archives. In the External Notice 008 of 2020, the SIC highlighted that the Resolutions adopted by the Health and Social Protection Ministry do not suspend the fundamental right of personal data protection or affect the validity of the regulations on this matter.
- Duties and special care in the collection of personal data.
Regarding the collection of data, there are two relevant points established in the External Notice 008 of 2020. The first point refers to the fact that “no deceptive or fraudulent means may be used to collect” personal data, and controllers or processors have to adhere to the rules regarding the prior authorization to be granted by the data subject. The second point is that only data “relevant and appropriate to the purpose for which they were collected” should be collected. In addition, to comply with the biosafety protocols, only data explicitly required by the Health and Social Protection Ministry should be collected.
- Duty to inform the purposes of the processing and to justify the need to collect personal data.
In addition to reiterating the duty of controllers and processors to inform the purposes of the specific collection of data through appropriate means, the External Notice also warns that they should be able to justify the need to collect the data from the data subjects.
- Limitations on the use of personal data.
Data that is collected in order to comply with the biosafety protocols cannot be used for purposes other than the ones established by the said protocols. Such data can be “stored for a reasonable period of time necessary to comply with such protocols”. Additionally, once the purpose has been achieved, the controller of the data must automatically delete the information.
- Registration of new databases in the RNBD.
The creation of new databases may be required to comply with the biosafety protocols. In this case, the controllers will have to register them in the National Database Registry (Registro Nacional de Bases de Datos – RNBD) administered by the SIC.
- Reinforced protection for the processing of sensitive data.
The processing of sensitive data implies reinforced duties to ensure its security through technical, human and administrative measures. Furthermore, the External Notice recalls that no activity can be conditioned on the provision of sensitive information by the subject.
Finally, the External Notice also reiterates some of the duties that controllers have, such as: i) making the Data Processing Policy known to the subjects, ii) obtaining a prior, express, free and informed authorization from the data subject for the collection and processing of its data, except in cases expressly excluded by the law, and iii) ensuring the principles of security, confidentiality, access and restricted movement.