On March 11 of this year, the Financial Superintendence (SFC for its initials in Spanish) published the Circular Externa 005 of 2019 (Circular), titled "Rules relative to the use of cloud-based computing services". The reach of this document extends to the accounting, financial and corporate fulfilment processes that entities monitored by the SFC want to support with cloud-based computing services.
A highlight of the document is its transition period, established as six months after publication (meaning it ends on September 11 of 2019). This span of time is meant to let the corporations subject to this regulation adjust to the new guidelines. Additionally, fifteen days prior to the start of processing of information stored on the cloud, they will have to gather a set of documents required by the sixth disposition of the Circular.
As for the material content of the Circular, it establishes clear requirements about how these types of contractual relationships will have to be organized in the future. Some of the most important of these are listed below.
There are minimum requirements about provider certifications, such as being certified under ISO 27001, 27017 and 27018.
The places where information will be processed must be verified, and those countries must have data protection laws equal or superior to the ones in place in Colombia. This extends to all legislation on the subject, including crimes against the confidentiality, integrity and availability of personal data and information systems.
In terms of referral to past legal documents, a disposition establishes that, on the subject of Data Privacy, there needs to be an analysis of which countries are allowed to gather information from Colombian entities covered by this Circular. Given the international character of data treatment, it is imperative for these entities to consult not only Statutory Laws 1266 of 2008 and 1581 of 2012, but also to pay close attention to the countries that continue to be added to the list of those qualified to treat the data subject to this Circular. There is a strict list, whose latest development can be consulted in the Circular Externa 008...