Will this be a game-changer for Privacy Compliance in Latin America? We expected LGPD to have a similar effect as GDPR did in Europe, but it’s been much more nuanced. Now we’re seeing changes from other LatAm countries that will only ramp up from here.
In a significant boost for cross-border data governance in Latin America, Colombia’s Superintendence of Industry and Commerce (SIC) has officially introduced standardized model contractual clauses to help organizations manage international flows of personal data more securely and consistently.
Issued on December 19, 2025, and published in the Official Gazette in early January 2026, Circular Externa No. 003 of 2025 provides clear, ready-to-use contractual templates for both international transfers and transmissions. The move strengthens Colombia’s already sophisticated data protection regime under Law 1581 of 2012 and aligns it more closely with emerging regional standards.
For global companies, privacy officers, and legal teams handling data from Colombian residents, this development offers practical guidance while underscoring the need for thoughtful implementation in an increasingly interconnected digital economy.
Why This Matters for International Data Flows
Colombia has long maintained strict rules on sending personal data abroad. Under Article 26 of Law 1581, transfers to countries without an officially recognized “adequate” level of protection are generally restricted unless specific exceptions apply or sufficient safeguards are in place.
The new circular addresses a longstanding gap by endorsing model clauses developed through the Ibero-American Data Protection Network (RIPD). These standardized templates give companies a reliable, regulator-endorsed tool to demonstrate compliance and reduce legal uncertainty when moving data across borders.
A Hybrid Approach: Voluntary to Adopt, Mandatory to Follow
One of the most interesting features of the Colombian model is its balanced legal design. The SIC explicitly states that use of the clauses is completely voluntary – no organization is required to adopt them to carry out lawful international data operations.
However, once a company chooses to include the model clauses in its contracts, they become fully enforceable. The circular warns that any failure to comply with the adopted clauses can be treated by the SIC as a breach of its official instructions under Law 1581, potentially leading to administrative investigations, sanctions, or fines.
This “opt-in with real teeth” structure encourages organizations to think twice before signing on, turning the clauses into a meaningful commitment rather than a simple formality.
Separate Clauses for Transfers and Transmissions
Colombian law draws a precise line between two types of cross-border data movements:
– International transfers: when personal data moves from a Colombian controller to another controller located outside the country.
– International transmissions: when data is disclosed from a Colombian controller to a processor (service provider) abroad.
The circular supplies two distinct sets of model clauses tailored to each scenario. These templates do not change the legal classification of the operation – they simply add an extra layer of contractual protection while preserving all existing statutory duties of controllers and processors.
Core Protections Built Into the Clauses
The model clauses reflect widely accepted privacy principles, including:
– Purpose limitation and data minimization
– Transparency and accountability
– Robust data security measures (administrative, physical, and technical safeguards)
– Strict confidentiality obligations
– Timely breach notification (with specific timelines referenced in supporting materials)
– Rights for data subjects, who are explicitly named as third-party beneficiaries with direct enforcement rights
Organizations may add extra protective provisions, but they are strictly prohibited from modifying the core clauses in any way that reduces or weakens the safeguards for individuals. In any conflict, Colombian law and SIC guidance always prevail.
Important Clarification: These Are Safeguards, Not a Free Pass
The SIC is very clear on one critical point – the model clauses do not replace or satisfy the requirements of Article 26 of Law 1581 on their own. They serve only as complementary safeguards.
Companies must still perform the required prior legal analysis, confirm that the transfer falls under a valid exception, and ensure overall compliance with adequacy or authorization rules. This is especially relevant for multinational groups used to relying on EU-style standard contractual clauses as a complete legal basis for transfers.
How Colombia’s Model Differs from the EU Approach
While sharing many similarities with the European Union’s Standard Contractual Clauses – such as third-party beneficiary rights and strong accountability mechanisms – Colombia’s framework takes a more supplementary role.
In the EU, approved clauses can often stand alone as a valid transfer tool. In Colombia, they function as an additional layer of protection within the existing statutory framework. This creates a pragmatic, regionally harmonized approach that respects national sovereignty while promoting consistency across Latin America through the RIPD framework.
Strategic Takeaways for Privacy and Compliance Teams
This circular should be on the radar of every organization that moves personal data involving Colombia. Here are the key actions to consider right now:
1. Map all international data flows that include personal data of Colombian individuals.
2. Review current transfer and transmission agreements to identify opportunities for standardization.
3. Decide whether adopting the SIC model clauses would strengthen your compliance position, demonstrate due diligence, and potentially reduce regulatory scrutiny during any future investigations.
4. If implementing the clauses, integrate them carefully with vendor contracts, data processing agreements, internal policies, and incident response plans.
5. Monitor SIC enforcement trends and any future guidance as the authority begins applying the new framework in practice.
Looking Forward
Colombia’s introduction of these model contractual clauses marks another step in the country’s evolution toward a modern, globally compatible privacy regime. It reflects a broader regional push for greater harmonization while maintaining strong protections for individuals.
As digital commerce, cloud services, and AI-driven operations continue to expand across Latin America, tools like these will help companies operate with greater confidence and lower risk.
The full text of Circular Externa No. 003 of 2025, including the complete model clauses and annexes, is available on the SIC’s official website.