Colombia Issues Guidelines on Personal Data in the Fintech Sector

By Castillo Grau Abogados

The Superintendence of Industry and Commerce (SIC), Colombia’s national authority for personal data protection, has issued External Circular No. 01 of 2025 to provide guidance on the processing of personal data in the offering of products and the provision of financing services, small-amount deposits, and other related services that facilitate financial inclusion through the use of digital technologies.

The purpose of the circular is to ensure that personal data processing activities in this sector are carried out in accordance with the Political Constitution, Law 1266 of 2008, Law 1581 of 2012, and other applicable regulations. These instructions are particularly relevant in a context of increasing dynamism in business models and applications that offer credit operations, financing, small-amount deposits, and digital wallets through technological means.

Main instructions of Circular 01 of 2025:

The circular establishes instructions that must be observed by the actors within the fintech ecosystem. Among them, the following stand out:

Legitimate purpose and duration: The processing of personal data must respond to constitutionally legitimate purposes and be carried out only for the time strictly necessary.

Principle of minimization: Only appropriate and necessary data should be collected for the established purposes. For example, applications should not access the image gallery or contact list of a device for collection purposes.

Informed and differentiated consent: When requesting the authorization of the data subject, there must be a clear distinction between necessary purposes (such as the provision of the service) and ancillary purposes (such as sending advertisements or offering other services).

Protection of biometric data: The processing of biometric data for the provision of financing services, credit operations, and other related services must comply with strict rules given the sensitive nature of such information. When processing such data, the following must be observed:

a. Inform the data subject of the precise purposes for which their biometric data will be processed and explain why the collection of such data is necessary.
b. Obtain the explicit authorization of the data subject for the processing of their biometric data.
c. Refrain from using these data for purposes not authorized by the data subject.
d. Implement additional security measures to ensure the protection of biometric data.
e. Take reasonable steps to ensure that the processing of biometric data is proportionate to the level of risk of the activity in question.
f. Refrain from sharing the collected biometric data with third parties or feeding centralized or integrated biometric databases.
g. Proceed with the deletion of such data within a reasonable period once the contractual relationship with the data subject has ended and the purposes for which the processing was authorized no longer exist.

Transparency in automated decisions: The data subject has the right to receive a clear and understandable explanation regarding any automated decision that may be unfavorable to them.

It is important to emphasize that the fintech ecosystem has a strong democratizing impact; it promotes social, economic, and financial inclusion and drives economic activity. It also adds value and fosters competition. However, it is essential that the processing of personal data inherent to these activities respects fundamental rights. With this circular, the Superintendence of Industry and Commerce fulfills its mission of “ensuring compliance with legislation on personal data protection,” promoting a culture of responsibility and transparency in the digital environment.

Castillo Grau Abogados

Castillo Grau Abogados is a law firm with over 40 years of experience, highly specialized in Intellectual Property, while also maintaining a strong focus on other areas of law — particularly Commercial Law. This dual expertise has enabled us, for more than 35 years, to provide our clients with top-quality legal services and the strategic guidance they need to successfully establish and grow their businesses in Colombia.

We aim to be recognized nationally and internationally as a law firm with extensive experience in Commercial Law, offering effective and efficient solutions to meet our clients’ needs.

Our goal is to ensure the firm’s continuity and growth in the markets where it plays a significant role, consolidating our services around commercial and corporate law.

Our core corporate values are knowledge, commitment to our clients and global strategic partners, international operations, teamwork, our proven track record and experience, and client service excellence.
