Retain, for a period of at least five years, the records of local and international transactions and the information of points (1) and (2) above and ensure that they are available to the competent authorities with the appropriate authorization.

In the event of noticing a suspicious operation or attempted operation, any member of the ESAL, may voluntarily inform the Financial Information and Analysis Unit (UlAF its Spanish acronym) and must guarantee the confidentiality of the report.

In accordance with Circular 058 of 2022 issued by the District Legal Secretariat, ESAL under the inspection, surveillance and control of the Mayor’s Office of Bogotá D.C. must implement one of the following PTEE:

7.1 Programa de Transparencia y Ética Empresarial Integra (PTEE-I).

a. Scope of application:

ESAL that comply with one or more of the following conditions:

– The total assets as of December 31, 2022, must be equal to or greater than 1,000 SMLMV (COP $1,000,000,000,000).
– That have implemented a risk management system.

7.2 Simplified Business Ethics and Transparency Program (PTEE-S).

a. Scope of application:

ESAL that comply with one or more of the following conditions:

– The total assets as of December 31, 2022, are less than 1,000 SMLMV (COP $1,000,000,000,000) and;
– They do not have a risk management system implemented.

7.3 Deadlines for submission of PTEE-S and PTEE-I:

For the year 2023, the two programs must be submitted within the deadlines defined in numeral 5 of Circular 016 of 2022 of the District Legal Secretariat

Click here to see the deadlines.

Section 2.3 from Circular 002 of 2015 issued by the Superintendence of Industry and Commerce, establishes that every year between January 2^nd and March 31^st updates to the National Data Base Registry must be performed.

The mentioned updates must include any change that the data base has suffered within the previous year, i.e. if the number of data subjects included in the data base changed, if there was any change on the corporate name of the data controller, among others.

Please note that substantial changes, such as those related with the purposes to handle data, the data processor, the attention lines, classification and types of personal data, and international data transfers and transmissions, must be reported within the first 10 business days of the month in which the changes took place.

If by the time of the annual update there are any substantial changes that have not been registered those should be registered at the annual update.

Please note that when a new data base is created, it must be registered within the NDBR within the following two (2) months in which it was created.

Also, it is necessary to perform the corresponding report of claims presented by data subjects in the previous semester; such report must be performed at the NDBR and shall be complemented every semester during the first fifteen (15) business days of February and August; therefore for year 2023 the first report on claims (positive or negative) presented by data subjects must be filed no later than on February 21^st  2023 in which the claims performed by data subjects during the previous semester (July to December 2022) must be reported. Also, note that the second report of claims performed by data subject, must be filed on the first fifteen (15) business days of August and therefore this year it must be performed no later than on August 23^rd, 2022 (in this case it is necessary to report the claims received from January to June 2023).

At last, it is important to remind you that the companies that must comply with the registry obligation are those with assets of more than 100.000 UVT (for 2023 COP $4.241.200.000), approx. USD$866.589). However, all the entities that perform any data handling activity (i.e. collect, use, storage) must comply with all of the other obligations established in the data protection regulation.