Latest Posts:
Search for:

Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

In Data

Colombia: New SIC guidelines for the registration of technology transfer contracts

by , , and 2 Mins Read

On 7 October 2025, the Superintendence of Industry and Commerce (SIC) issued the External Circular No. 002 of 2025 (“Circular”), establishing new guidelines and requirements for the registration of technology transfer contracts in Colombia in which personal data is transferred.

This Circular updates and clarifies the procedures for the registration, modification and cancellation of contracts involving technology transfer, technical assistance and trademark licenses, among others, in which personal data is transferred or the object is the processing of personal data.

Key points

The SIC instructs data controllers and data processors that process personal data of data subjects located in Colombia, in the context of technology transfer processes in which personal data are transferred or in which technologies that allow or have as object the processing of personal data are transferred, in the following obligations:

  • Preliminary verification of regulatory compliance
    • Technology providers and recipients must identify whether the transferred technology involves the processing of personal data and, if so, describe and characterize such functionalities.
    • To assess that the technology complies with personal data protection regulations.
    • If personal data are transferred as part of the process, compliance with the rules for international data transfers should be ensured, where applicable.
  • Accountability
    • Effective mechanisms in place to demonstrate compliance, such as:
      • Identifying, measuring and controlling risks at all stages of personal data processing.
      • Establish risk management systems proportionate to the impact on the right to data protection.
      • Document decisions and mitigation measures taken.
      • Define and execute corrective actions before implementing the transferred technology.
  • Include data protection by design and by default: In technology transfer processes, it is recommended to incorporate personal data protection measures by design and by default, as part of the principle of accountability. The technological architecture should integrate principles such as freedom, necessity, and confidentiality. Security measures must be adapted to the type of technology, context, and associated risks. Additionally, data collection should be limited to what is strictly necessary, promoting data minimization and anonymization or pseudonymization whenever possible.
  • In contracts related to technology transfer, it is recommended to include clauses regarding the processing of personal data. These should define the responsibilities of the parties, technical and administrative measures to ensure data security, guarantees for international data transmissions, and mechanisms for supervision and auditing.

Click here to read the Spanish version

Categories:
Tags:
Author

Carolina Pardo is a lawyer and specialist in International Contract Law graduated from Universidad de los Andes. She obtained a LL.M. with specialization in International Private Law and Competition Law from the London School of Economics and Political Science. Over 20 years, she has advised major national and international clients on matters related to compliance with data protection, competition and consumer law rules. She has also successfully coordinated and prepared proposals for submission to national authorities on behalf of major industrial groups in Colombia.

Author

Angelica Navarro is a partner in Baker McKenzie’s Bogotá office. She is a lawyer from Pontificia Universidad Javeriana in Bogotá, where she also completed a specialization in Administrative Law. She holds an LL.M. from the University of California, Berkeley, awarded through the Colfuturo Scholarship. She served as an advisor to the Superintendent of Industry and Commerce on antitrust and merger control. Prior to that, she was an adviser to the director of the National Protection Unit, where she was in charge of the formulation and execution on protection and human rights programs.

Author

Carlos Ignacio Arboleda is a Lawyer graduated from Pontificia Universidad Javeriana in Bogota. He holds a post-graduate course in Competition Law and Free Trade from the same University and earned an LL.M. degree from the University of Chicago.

Author

Julieth Sanclemente is a senior associate within the competition law, consumer protection and protection of personal data practices; and has 9 years of experience in these areas. Julieth is a lawyer from the University of Los Andes (Bogotá) and has a master's degree (LL.M) by the London School of Economics and Political Sciences, specialized in competition, innovation and commercial law (London).Julieth has 9 years of experience in the competition law, consumer protection, protection of personal data and intellectual property practices.

Related Posts