Colombia: SIC upholds decision to fine CONDIVAL for security failures relating to sensitive data

The Colombian data protection authority ('SIC') published, on 14 March 2022, its Resolution No. 14679 of 2022 ('Resolution No. 14679'), in which it upheld its Resolution No. 61479 of 2019 ('Resolution No. 61479') to impose a fine of COP 3,195,104 (approx. €774) on CONDIVAL S.A.S., following an appeal from CONDIVAL against the same.

Background to the case

In particular, the SIC noted that, in its original decision in Resolution No. 61479, it had imposed a fine on CONDIVAL for failing to adopt the security controls for sensitive health data necessary to meet the protection standards provided in Article 17(d) of Statutory Law 1581 of 17 October 2012 Which Issues General Provisions for the Protection of Personal Data ('the Data Protection Law'). However, the SIC recalled that, in its appeal, CONDIVAL submitted that the reports to the SIC in the proceedings of Resolution No. 61479, which cited the processing of sensitive health data, were an involuntary error, and claimed that CONDIVAL does not process sensitive data.

Findings of the SIC

In determining CONDIVAL's appeal, the SIC concluded that, in the evidence provided for its original decision, CONDIVAL had reported information in the National Registry of Databases ('RNDB') which contained sensitive personal data, thereby acknowledging that it deals with sensitive data, namely data related to the health of persons. Accordingly, the SIC found that CONDIVAL failed to introduce the information security provisions necessary to prevent unauthorised or fraudulent tampering with, loss of, consultation of, use of, or access to the sensitive health data, thus violating Article 17(d) of the Data Protection Law.

Outcomes

In light of the above, the SIC upheld Resolution No. 61479 in its entirety.

You can read the decision, only available in Spanish, here.
