May consent be used as a legal basis for processing worker information? (Y/N – if N, please explain)
Are there any specific worker data collections or processing operations that require prior consent? (Y/N – if Y, when is consent required)
Yes. Pursuant to Law 1,581 of 2012 and Decree 1377 of 2013, any operation or set of operations performed on Personal Data must be authorized by the owner of said information.
Are there exceptions that will allow employers to collect and treat workers' data without consent? (Y/N – if Y, list the exceptions)
Yes. Employers may treat employees’ data without employees’ consent if the workers' data is public information.
Is the company required to provide a privacy notice to workers? (Y/N)
Does the worker privacy notice need to address security measures?
Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?
Yes. Employees shall be informed about the employer's name and address; the purpose/s for which their data will be used; and their rights regarding such data (i.e., access, rectification and deletion).
Data Subject Rights
Are there data subject rights for workers? (Y/N – if Y, please list)
Yes. Workers have the same rights as any Data Subject (i.e., to know, update and rectify their Personal Data with the Data Controller or Data Processor; request proof of authorization granted to the Data Controller; etc.).
What is the timeframe to respond to data subject requests from workers?
In case of a worker’s query or claim related to the processing of the Personal Data, the timeframe is 10 business days.
Are there exceptions to responding to data subject requests from workers?
Special Rules for Worker Information
Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?
Yes. According to Sensitive Data Processing, it is prohibited, except for cases expressly indicated in article 6 of Law 1581 of 2012.
Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?
Yes. Employees must sign a special authorization for the processing of personal data that is included in their labor contract or in an amendment (in accordance with Law 1,582 of 2012 and Decree 1377 of 2013).
Are there rules about automated decision making involving workers (e.g., hiring decisions)?
Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?
Yes. Sensitive Data Processing is prohibited, except in cases expressly indicated in article 6 of the Law 1,581 of 2012.
Are there specific security requirements for storing and processing worker information?
Yes. The Data Processor and the Data Controller must implement the necessary technical, human, and administrative security measures at their disposal to ensure confidentiality and prevent adulteration, loss, consultation, and unauthorized or fraudulent use or access of the collected data.
Are there rules about using worker information for marketing?
Yes. The generic rules on the use of personal data for marketing also apply to worker information used for marketing. Therefore, a specific authorization for marketing use must be given.
Are there rules about surveillance of workers?
Yes. The worker’s consent is required and the employer may not engage in any activity that violates the employee’s constitutional and legal rights and human dignity.
Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?
Yes. The general principle is that any activity involving the employee’s right to privacy must respect his or her human dignity, and his or her consent is required.
Government and Recourse
Is there a legislative body or government entity that regulates employment-related privacy matters?
Yes. The Superintendency of Industry and Commerce.
In the event of a violation, is the recourse regulatory, a private right of action, or other?
Expected Changes to Worker Privacy Laws:
Yes. Through work at home (Law 2,088 of 2021) and remote work (Law 2121 of 2021), the right of the worker to disconnect from work and to privacy in times of rest is pursued.
Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).