Colombia’s new tech transfer circular - what to look out for when dealing with data‑driven tech transfers

Tuesday 10 March 2026

Andrés Fernández de Castro 
Brigard Urrutia, Bogotá
afernandezdecastro@bu.com.co 


Colombia’s Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio or SIC) issued External Circular 002 of 2025 to guide how data protection must be addressed in regard to technology transfer processes. The measure sits at the intersection between innovation policy and fundamental rights. On the policy side, it aligns with the National Science, Technology and Innovation Policy (CONPES 4069) by promoting responsible, scalable technology transfers across public and private sectors. On the rights side, it reiterates the statutory role of the SIC to ensure compliance by businesses with Colombia’s data protection regime and to issue instructions that facilitate adherence. The stated motivation is preventive: to embed data protection into the lifecycle of technology transfers, so the benefits of innovation do not come at the expense of data subjects’ rights. 

Who is covered and when? 

The Circular applies in two circumstances: when a technology transfer includes a dataset that contains personal data and when the technology being transferred enables, or is intended for, the processing of personal data. It is addressed to entities that are subject to SIC oversight in its role as a data protection authority, as well as technology providers and recipients who are participants in such transfers. It expressly interfaces with the existing laws governing international data flows, including adequacy validations and exceptions for international transfers (controller to controller) and transmissions (controller to processor). In short, it does not regulate technology as such, but the processing of personal data that may occur during the course of a transfer.

A preventive, accountability‑driven rulebook

The Circular operationalises Colombia’s principles of legality and accountability by emphasising the need for ex ante verification and proportional risk management. It calls for a preliminary verification process that identifies the processing functionalities, assesses their compliance with data protection law and, where applicable, confirms that the relevant international data transfer rules have been met. It emphasises the need for demonstrable accountability through documented risk identification, mitigation and the pre‑implementation of corrective actions. It further promotes privacy by design and by default, including data minimisation, the adoption of security measures tailored to the nature and context of the processing and the use of techniques such as anonymisation and pseudonymisation. Finally, it recommends incorporating contractual safeguards that delineate the relevant roles, security measures, international transfer guarantees and supervision or audit mechanisms.

Industry reactions and key takeaways

During the public consultation for the development of the Circular, interested parties welcomed the clarifications provided, but raised several concerns. Commenters requested a clearer definition of technology transfer and the recognition of the intellectual property dimensions; a differentiated, risk‑based approach reflecting sectoral and operational realities; and flexibility in regard to the relevant contractual clauses to avoid rigidities. They also queried whether pre‑transfer diligence had a statutory basis and warned against duplicative burdens where other regulators already impose technology and security standards. In response, the SIC underscored that Colombia’s privacy regime is technology neutral, that the Circular reiterates existing obligations rather than creating new ones, refined its scope to instances of effective processing, reframed certain items as recommendations and clarified that the initial step in the process involves a compliance verification rather than the requirement to adhere to a formal ‘due diligence’ regime. 

Why it matters and what’s missing 

Guidance that clarifies the respective duties of data controllers and processors is a positive step, particularly in regard to complex cross‑border transfer ecosystems. However, most of the Circular’s instructions restate existing obligations already embedded in Colombian privacy law or previous guidance issued by the SIC, particularly concerning legality, accountability, safeguards that are proportionate to the risks, privacy by design/default and international transfer conditions, rather than charting new ground. This fidelity to the existing framework may aid legal certainty, but it also leaves some practical questions unanswered. Chief among them is the question of enforcement: the Circular does not yet illuminate how the SIC will prioritise cases, measure the sufficiency of risk programmes or interpret ‘proportionality’ across diverse technological contexts. Companies may, therefore, face uncertainty about how their documentation, design choices and contractual terms will be judged from a practical supervisory perspective.

The operational implications for technology providers 

The Circular could present operational challenges, especially for providers, domestic and foreign, whose solutions embed data processing capabilities or are bundled with datasets. That said, many organisations, including multinational vendors, already implement privacy by design, undertake accountability documentation processes and adopt international data transfer controls equal to or above the Circular’s expectations. For such organisations, alignment with the new rules may be incremental. For others, the key will be to baseline the firm’s current practices against the Circular’s verification, risk, design and contractual expectations. In all cases, it is important to assess the actual conditions of each technology transfer that involves personal data, to map the roles and data flows, confirm the lawful bases and cross‑border mechanisms and ensure that the contracts and technical safeguards reflect the processing realities of the transfer.

The bottom line

The SIC’s Circular is best read as a preventive guide that integrates Colombia’s existing privacy principles into technology transfer transactions. It clarifies the ‘when’ and ‘how’ of compliance without purporting to regulate the technology itself. Organisations should treat it as a compliance checklist rooted in known standards. They should also monitor how the SIC interprets proportionality and demonstrable accountability in the context of its supervision and enforcement activities.