Allende & Brea – Estudio Jurídico

This report cannot be considered as legal or any other kind of advice by Allende & Brea. For any questions, do not hesitate to contact us.

Colombia’s Data Protection Authority imposes data protection obligations on Fintech services

On September 18, 2025, the Colombian Superintendence of Industry and Commerce issued Rule Nº 001 of 2025, which provides guidance on the processing of personal data when offering and providing fintech services.

Rule Nº 001 applies to all entities that offer products or provide financing services, low-value deposits, or other instruments that promote financial inclusion through digital technologies. Within this framework, the regulation reinforces the application of the data processing principles set forth in Statutory Law Nº 1581 of 2012, which governs the processing of personal data in Colombia. Accordingly, it reiterates that processing must serve lawful purposes and be limited to data that is relevant, adequate, and strictly necessary to achieve those purposes.

However, certain innovative obligations introduced by Rule Nº 001 are worth highlighting. First, it establishes that, subject to the exceptions provided in Statutory Law Nº 1581, data controllers must obtain the data subject’s explicit and informed consent, distinguishing between purposes necessary for the performance of the contract or provision of the service and ancillary purposes, such as sending promotions or offers of other products. Likewise, the regulation provides that data subjects retain the right to object to their data being processed for ancillary purposes.

With respect to biometric data, Rule Nº 001 requires data controllers and processors to implement enhanced security measures to ensure their protection.

It also recognizes the data subject’s right to obtain an explanation of any automated decision that adversely affects them, including the logic and criteria used by the system, unless their disclosure would compromise trade secrets, intellectual property rights, or legal obligations. In such cases, the information must be provided in a general manner or grouped by types of factors.

Finally, Rule Nº 001 provides that entities engaged in debt collection must refrain from contacting the data subject’s personal references or third parties related to the data subject, unless the latter has granted express authorization.

To access the full text of Rule Nº 001, click here.
