Our Office

Calle 10 A # 34 11 Hotel Diez Categoría, office 4014


+57 318 5324130


Nowadays, companies are increasingly relying on technological solutions, which generally provide greater efficiency and effectiveness than traditional ones. This is the case of cloud computing services.

Three requirements when using Cloud Computing Services

This is the case of cloud computing services, through which a businessman can share hardware and software, as well as its licenses, platforms, storage capacity and others, with other users, in order to obtain data processing over the Internet, which provides great accessibility, as it can be consulted from anywhere, and optimization of business processes.
The above, as we can see, are the considerations that every businessman takes into account to hire the services of a cloud server that has the necessary means to treat all the information of his company. However, it should be noted that if the information to be provided to the cloud computing service provider is personal information, such contractual relationship should be regulated by the existing rules on Habeas Data in the country.
In order to understand under what conditions the contractual relationship takes place and what guarantees must be provided for the information that is transferred or entrusted, it is necessary to clarify which parties or actors are involved:
First, we find as an actor the Data Controller, who is a natural or legal person who has the ability to decide on the databases that are delivered to the Cloud Computing Service Provider; this situation must be approved and known by the owner of the personal information. When such delivery of the databases is made for their deposit, consultation and in general for the processing of the data, the figure of the Personal Information Processor is perfected, a situation that turns the provider of the Cloud Computing Services into the person in charge of the processing of the personal data.
It is really important that, when using this type of Cloud Computing services, in order to comply with the Colombian regulation on Habeas Data, the following requirements must be met:

  1. To have the authorization of the owner of the personal data.

When personal information is captured in organizations, which is almost inexorable, it is necessary to follow the regulations on the subject, namely, the personal data law 1581 of 2012 and the decrees that regulate it, roughly speaking, this rule seeks that each private data obtained, follow the provisions of the policies of treatment of personal data of the company, which must be known by the owner, as well as the purpose and use that will be given to the data, specifically, that these will be delivered to third parties to execute their treatment, for the case in question.
Having personal data processing policies will generate other business needs, such as the registration of databases before the SIC 1, having privacy notices, authorizations, physical, logical and administrative security controls of the information and in general a comprehensive system that regulates the entire life cycle of the data that enters the company; for which we recommend the accompaniment of a lawyer in Medellin.

  1. Verify the security levels provided by the data processor.

When a holder of personal information authorizes the Controller to process his/her data, he/she does so because he/she trusts that these will be safeguarded in the best way, as shall be indicated in the Controller’s personal data processing policies; for this reason, when ordering a third party Cloud Computing Service Provider, the latter shall identify which security levels it has and they shall correspond to those provided by the Controller for the processing of personal information.

  1. Enter into a contract for the assignment of personal information.

Once the security guidelines to be provided to the personal information by the person in charge have been validated, a contract for the processing of personal data must be signed, which must specifically stipulate the procedure to be carried out with the data, the type of data to be processed, the databases to be processed, the duration of the processing and the commitments made by the person in charge with respect to the data to be entrusted to him/her. Additionally, the Data Controller shall report to the Superintendence of Industry and Commerce the situation of information entrusted.
The above could be a little more complex when the providers of cloud computing services happen to be companies from abroad, in which case they must sign an International Transmission of Personal Data Agreement, where the Data Controller shall be bound to the following:

  • Safeguarding the security of the database.
  • Comply with the principles of personal data processing.
  • To keep the confidentiality of the personal data to which it has access.

In the event that this is not possible to achieve, it will be necessary to advance a procedure before the Superintendence of Industry and Commerce to issue a Declaration of Conformity with the commercial relationship recently established with the Cloud Computing Services provider.
To conclude, we wish to emphasize the obligation that rests on the companies responsible for the processing of personal data, their commitment to the security and integrity of the good name and privacy of the people who entrust their information to the care and custody of Colombian companies; an obligation that more than a legal duty becomes a social purpose, to venture into new technologies in an ethical and integrated manner.
Written by: Katherine Alvarez Gil.
Publisher: Néstor Bedoya
1 Superintendency of Industry and Commerce.

Scroll to Top