Global Data Privacy Guide
Ecuador (Latin America)
Firm: Pérez Bustamante & Ponce
Contributors: Francisco Pérez-Gangotena
Updated 22 Jul 2025

1. What is the key legislation?
The key legislation is the Organic Law on Personal Data Protection (“LOPDP”) and its Regulation. These constitute the fundamental legal framework governing the processing of personal data in Ecuador. The Law establishes fundamental principles such as transparency, legitimate purpose, proportionality, confidentiality, security, and the proactive accountability of data controllers and processors, applicable to both the public and private sectors.

2. What are the key decisions applying that legislation?
Among the important rulings and regulatory decisions applying this legislation are restrictions on invalid contractual clauses, supervision and enforcement by the Superintendence of Personal Data Protection (“SPDP”), which serves as the supervisory authority, and the continuous technical and legal updates required to maintain effective data protection.

1. How are “personal data” and “sensitive data” defined?
Personal data is defined as any information that directly or indirectly identifies or makes a natural person identifiable. It encompasses any data that enables the identification of the individual concerned.
Sensitive data constitutes a special category of personal data revealing critical information whose protection is subject to stricter requirements. This category includes data relating to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, immigration status, sexual orientation, health, biometric data, genetic data, and any data whose improper processing might lead to discrimination, or threaten or violate fundamental rights and freedoms.

2. How is the defined data protected?
Under the Organic Law on Personal Data Protection and its Regulation in Ecuador, personal data are safeguarded through a set of principles, obligations, and specific measures designed to guarantee the security, confidentiality, and rights of data subjects. The principal protective mechanisms include:
• The rights of data subjects
• Clear and explicit consent
• Technical and organizational measures
• Appointment of a data protection officer
• Supervision and control by the relevant authority

3. Who is subject to privacy obligations?
All natural and legal persons, whether public or private entities, that process personal data in Ecuador are subject to the data protection obligations established by law. This applies irrespective of whether their activities occur within or outside national territory, provided such activities have an impact in Ecuador.

4. How is “data processing” defined?
“Data processing” is understood as any operation or set of operations performed on personal data of data subjects, including collection, storage, organization, adaptation, modification, extraction, consultation, use, blocking, deletion, or destruction of such data, whether carried out by automated means or otherwise, as defined by the Law and its Regulation in Ecuador.

5. What are the principles applicable to personal data processing?
Without prejudice to other principles established in the Constitution of the Republic, international instruments ratified by the State, or other legal norms, the Law is governed by the following principles:
a) Legality
b) Loyalty
c) Transparency
d) Purpose limitation
e) Relevance and data minimization
f) Proportionality of processing
g) Confidentiality
h) Quality and accuracy
i) Preservation
j) Security of personal data
k) Proactive and demonstrable accountability

6. How is the processing of personal data regulated?
The processing of personal data is specifically regulated by establishing clear rules and protocols concerning the collection, use, storage, updating, retention, blocking, or deletion of personal data, in strict compliance with the principles and rights of the data subjects. Adequate mechanisms must ensure that personal data are used solely for lawful purposes authorized by the data subject.

7. How are storage, security and retention of personal data regulated?
The Law and its Regulation require that personal data be retained only for as long as necessary to fulfill the purpose for which they were collected. Data controllers and processors must implement technical and organizational measures to ensure the integrity, confidentiality, and availability of personal data. Upon the cessation of their use, data must be either deleted, blocked, or anonymized accordingly.

8. What are the data subjects' rights under the data legislation?
Data subjects are granted the rights of access, deletion, rectification, and updating of their personal data; the right to object, annul, or limit data processing; and the right not to be subject to decisions based solely on automated evaluations. Accessible and efficient channels must be provided to exercise these rights.

9. What are the consent requirements for data subjects?
Consent must be freely given, informed, specific, unambiguous, and revocable. It must be obtained prior to the processing of personal data and provided with clear information regarding the purpose and use of the data.

10. How is authorization for use of data handled?
Authorization for data processing primarily relies on the explicit consent of the data subject, except in legally established exceptions. Without valid consent, the processing, use, or disclosure of personal data is unlawful unless justified by public interest, judicial order, or other statutory provisions.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
Yes, international transfers of personal data are regulated. Such transfers may only occur to countries that guarantee an adequate level of data protection in accordance with the LOPDP, or when specific safeguards, contractual agreements, or explicit consent from the data subject exist. Furthermore, measures must be enforced to maintain the security and confidentiality of the transferred data.

12. How are data "incidents" and "breaches" defined?
A data incident is any event that may compromise the security, confidentiality, integrity, or availability of personal data, including unauthorized access, loss, theft, human error, or cyberattacks.
A data breach is a security incident resulting in unauthorized disclosure, exposure, or access to personal data, adversely affecting the privacy rights of the data subject.

13. Are there any notification requirements for incidents and/or data breaches?
Yes. Data controllers must immediately notify the Data Protection Authority of any personal data security incidents. If a breach affects fundamental rights and freedoms, the affected data subjects must also be informed without undue delay.

14. Who is/are the privacy regulator(s)?
The Superintendence of Personal Data Protection (Superintendencia de Protección de Datos Personales – SPDP) is the regulatory authority responsible for supervising and ensuring compliance with the LOPDP in Ecuador.

15. What are the consequences of a data breach?
The consequences of a data breach may include administrative and financial sanctions imposed by the Personal Data Protection Authority. Additionally, breaches can result in reputational damage, loss of trust, and civil or criminal liability in cases of serious or intentional non-compliance.
Furthermore, data controllers and processors are required to implement immediate corrective measures to contain and mitigate the effects of the breach, ensure data protection, and prevent future incidents.

16. How is electronic marketing regulated?
Prior, informed, and explicit consent from the data subject is mandatory before sending any commercial communications. The unauthorized use or collection of personal data for marketing or commercial purposes is strictly prohibited under the Law.

17. Are there sector-specific or industry-specific privacy requirements?
The LOPDP establishes special protection for categories of data and sectors handling such information. This includes sensitive data, health-related data, data concerning children and adolescents, and data relating to people with disabilities, which are subject to enhanced protection measures.

18. What are the requirements for appointing Data Protection Officers or similar roles?
A Data Protection Officer (“DPO”) must be designated in the following cases:
1. When the processing is carried out by entities within the public sector.
2. When the activities of the controller or processor require continuous and systematic monitoring due to the volume, nature, scope, or purposes of the processing, as established by the Law, its Regulation, or regulations issued by the Personal Data Protection Authority.
3. When the processing involves large-scale handling of special categories of data, in accordance with the provisions set forth in the Regulation of this Law.
4. When the processing does not pertain to data related to national security and State defense that are confidential or classified, pursuant to the applicable specialized regulations.

19. What are the record-keeping and documentation obligations?
Data controllers are obligated to maintain records of processing activities, procedures, consents, and the technical and organizational measures implemented. Such records must be made available to the Personal Data Protection Authority upon request.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
Conducting a Data Protection Impact Assessment is mandatory when processing poses a high risk to the rights and freedoms of data subjects. The DPIA must identify, evaluate, and mitigate such risks prior to commencing the processing activities.

21. What are the requirements for third-party vendor management and data sharing?
Contracts or agreements must be established to regulate the processing conducted by third parties. These must guarantee compliance with the LOPDP, specify responsibilities, implement security measures, and set restrictions on the use and transfer of personal data.

22. What are the penalties and enforcement mechanisms for non-compliance?
The Superintendence of Personal Data Protection (“SPDP”) may impose fines of up to 1% of the responsible party’s annual revenue, in addition to corrective measures aimed at ensuring compliance.

23. What are the ongoing compliance and audit requirements?
Permanent internal evaluation programs, periodic audits, and reporting mechanisms must be implemented to ensure regulatory compliance and continuous improvement of data protection systems.

24. Are there any recent developments or expected reforms?
The regulatory framework is in a state of continuous evolution, with clarifications regarding the roles and the scope of data processing, accompanied by new guidelines issued by the Superintendence of Personal Data Protection (SPDP) and adjustments made to align with international standards. Consequently, it is essential to closely monitor the resolutions promulgated by the Authority.