Superintendencia de Industria y Comercio

Colombia’s Superintendence of Industry and Commerce (SIC), as the National Data Protection Authority, has instructed WhatsApp LLC to comply with data protection regulation for Habeas Data and data processing for its 39 million Colombian users.

The decision was announced in Resolution 29826 of May 2021, after finding out that WhatsApp LLC’s existing Information Handling Policy failed to comply with 57.89% of Colombian data protection regulations.

During its investigation, the SIC established that WhatsApp LLC collects and processes the data of at least 39 million active monthly users in Colombia, and that the company uses ‘cookies’ to collect and process personal data within the national territory.

This means that Law 1581 of 2012 is applicable as WhatsApp LLC is capturing personal data via a tool that is installed on mobile devices and computers located in Colombia.

The SIC instructed WhatsApp LLC to:

• Create an Information Handling Policy that complies with all Colombian regulation and that this new policy be made known to the owners of the personal data who are resident in Colombian territory.
• Implement an appropriate mechanism whereby at the point of requesting authorization from users, they are informed in clear, simple Spanish.
• Register their databases in the National Database Registry, managed by the SIC, ensuring the inclusion of all data that is collected or processed in Colombian territory.

The SIC also urged WhatsApp LLC to share a contact email with the SIC so that they can receive communications and notifications about administrative procedures and other decisions.