Skip to content


New Decree to Guarantee the Protection of Personal Data Processed by Business Groups

The Colombian Ministry of Commerce, Industry and Tourism issued Decree 255 of 2022 which establishes the minimum conditions and requirements that the Binding Corporate Rules implemented in a business group must comply with. These rules consist of principles, policies and codes that impose duties and obligations to the members of a business group in charge of processing personal data, in order to guarantee the protection and respect of the data holders’ rights and compliance with all regulations. All companies that are part of the same business group and that transfer personal data to a member of the group located outside Colombian territory, who will be responsible for the processing of these data, must comply with these provisions. In this regard, according to Law 222 of 1995, a business group exists when there are several related companies with relation of subordination between them and have unity of purpose and direction. As such, there is a parent company that sets an objective and controls the other subordinate companies so that together they all pursue said objective.

This new decree establishes that Binding Corporate Rules must be aligned with the general obligations imposed on individuals in charge of the processing of personal data, and must implement mechanisms that guarantee the data holders’ rights and ensure fulfillment of their duties. In case of non-compliance with these rules, all companies that are part of the business group will be jointly and severally liable, in other words, the Colombian Superintendence of Industry and Commerce (SIC) may investigate and penalize any of the members for the actions of any other member.

Business groups must submit these rules for the approval of the corresponding corporate body as established in the by-laws or the business group’s agreements in order to formally submit them to the SIC who will verify compliance with all the requirements and issue a certification so that they may be applied. However, the SIC must first publish on its website the date from which it will begin to receive requests for this review and certification.

Remember that, in case your company is part of a business group and transfers personal data to a member located outside of Colombia, you must implement these Binding Corporate Rules; contact us to help you in this process and solve any doubts you may have.