Section 2.3 from Circular 002 of 2015 issued by the Superintendence of Industry and Commerce, establishes that every year between January 2^nd and March 31^st updates to the National Data Base Registry must be performed.

The mentioned updates must include any change that the data base has suffered within the previous year, i.e. if the number of data subjects included in the data base changed, if there was any change on the corporate name of the data controller, among others.

Please note that substantial changes, such as those related with the purposes to handle data, the data processor, the attention lines, classification and types of personal data, and international data transfers and transmissions, must be reported within the first 10 business days of the month in which the changes took place.

If by the time of the annual update there are any substantial changes that have not been registered those should be registered at the annual update.

Please note that when a new data base is created, it must be registered within the NDBR within the following two (2) months in which it was created. Also, it is necessary to perform the corresponding report of claims presented by data subjects in the previous semester; such report must be performed at the NDBR and shall be complemented every semester during the first fifteen (15) business days of February and August; therefore for year 2023 the first report on claims (positive or negative) presented by data subjects must be filed no later than on February 21^st  2023 in which the claims performed by data subjects during the previous semester (July to December 2022) must be reported. Also, note that the second report of claims performed by data subject, must be filed on the first fifteen (15) business days of August and therefore this year it must be performed no later than on August 23^rd, 2023 (in this case it is necessary to report the claims received from January to June 2023).

At last, it is important to remind you that the companies that must comply with the registry obligation are those with assets of more than 100.000 UVT (for 2023 COP $4.241.200.000), approx. USD$866.589). However, all the entities that perform any data handling activity (i.e. collect, use, storage) must comply with all of the other obligations established in the data protection regulation.