Global Data Privacy Guide

Ecuador

(Latin America/Caribbean) Firm Pérez Bustamante & Ponce

Contributors Francisco Pérez-Gangotena

Updated 01 Mar 2022
What is the key legislation?

The Ecuadorian Constitution remains a source of law on personal data protection and privacy. It protects only the personal data of natural persons; Ecuador does not protect companies' or entities' "personal" information.

The Organic Law on Personal Data Protection ("Ley Orgánica de Protección de Datos Personales" in Spanish) was approved by Congress on May 10, 2021, and by President Lenín Moreno on May 21, 2021. Upon publication in the Official Registry, the Law came into force on May 26, 2021. The sanctions and corrective measures are expected to enter into force on May 26, 2023.

What data is protected?

The Law applies to all personal data, in any format, whether processed by automated means or not.

Exceptions include: data used in the performance of family or household activities, data of deceased persons, anonymized data, data used for journalistic activities, among others. Also excluded are: personal data whose processing is regulated by specialized rules of equal or higher hierarchy in matters of natural disaster risk management and State defense and security; data or databases established for the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal penalties, carried out by the competent state organizations in the fulfillment of their legal functions; and data that identify or make identifiable a legal entity.

Who is subject to privacy obligations?

The following are part of the personal data protection system:

  • Data subject
  • Controller
  • Processor
  • Data Protection Officer

What are the principles applicable to personal data processing?

Without prejudice to the other principles established in the Constitution of the Republic, the international instruments ratified by the state or other legal regulations, this law will be governed by the principles of:

  • Lawfulness
  • Fairness
  • Transparency
  • Purpose
  • Relevance and minimization of personal data
  • Proportionality of processing
  • Confidentiality
  • Quality and Accuracy
  • Storage
  • Personal Data Security
  • Demonstrated and Proactive Responsibility
  • Application in favor of the Data Subject
  • Independence of Control

How is the processing of personal data regulated?

The Constitution establishes that the owner of personal data can access his or her data without restriction, and can know how the data are being used, their purpose, where they were collected and how long they will be kept.

The objective and purpose of the Organic Law on Personal Data Protection is to guarantee the exercise of the right to the protection of personal data, which includes access and decision-making about this kind of information and data, as well as the corresponding protection. To this end, it regulates, provides for and develops principles, rights, obligations and mechanisms of protection.

How are storage, security and retention of personal data regulated?

The personal data will be stored for no longer than is necessary to achieve the purpose for which the data are processed. Extended storage of personal data processing will only be carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that timely and necessary personal data security and protection guarantees are established to safeguard the rights set forth in this law.

The government mechanism for information security must include the measures that should be implemented in the case of processing personal data to address any risk, threat, vulnerability, unauthorized access, losses, alterations, destruction, or accidental or unlawful communication in the processing of data pursuant to the principle of personal data security. The government mechanism for information security will cover and apply to all public sector institutions contained in Article 225 of the Constitution of the Republic of Ecuador ("Constitution"), as well as to third parties who provide public services by means of concession or other legally recognized concepts. These may incorporate additional measures to the government mechanism for information security.

Public and private entities, authorities, public servants and anyone in charge of storing the data have the obligation to "take the necessary security measures" to protect and guarantee the confidentiality of the personal information that is under their custody.

What are the data subjects' rights?

The Constitution guarantees the right of every citizen to know of the existence of, and to access, all personal information held in private or public data banks or archives, as well as the use, origin and purpose of such information.

The Organic Law on Personal Data Protection establishes the following rights:

  • Right to information
  • Right of access
  • Right to rectification and updating
  • Right to erasure
  • Right to object
  • Right to portability
  • Right to suspension of processing
  • Right not to be the object of automatic or partly automated decisions
  • Right to consult
  • Right to digital education

Are there restrictions on cross-border data transfers?

In the case of making an international transfer of data to a country, organization or international economic territory which has not been assessed by the Personal Data Protection Authority as having an adequate level of protection, this international transfer may be made provided the controller or processor of personal data offers appropriate safeguards to the data subject, for which the following must be observed:

  1. Guarantee compliance with the principles, rights and obligations in the processing of personal data to a standard equal to, or greater than, the existing Ecuadorian regulations.
  2. Effective protection of the right to the protection of personal data, by the permanent availability of administrative or judicial actions; and
  3. The right to seek full redress, where necessary.

For the international transfer of personal data to occur, it will be supported by a legal instrument that meets the standards already mentioned, as well as those which the Personal Data Protection Authority establishes, and which must be binding.

Are there any notification requirements for data breaches?

The controller must notify the Personal Data Protection Authority and the Telecommunications Regulatory Agency of a personal data security breach as soon as possible, and not later than five days after having become aware of it unless the security breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the Personal Data Protection Authority is not made within five days, it must be accompanied by reasons for the delay. The processor must notify the controller of any personal data security breach as soon as possible, and no later than two days after the date on which it becomes aware of it.

Who is the privacy regulator?

The Regulatory Authority will encourage the drawing up of codes of conduct by sectors, industries, companies [and] organizations, aimed at compliance with the existing data protection regulations.

What are the consequences of a privacy breach?

The Personal Data Protection Authority will impose the following administrative penalties:

Penalties for Minor Infringements

  1. Public sector employees or officials who by act or omission have committed any of the minor infringements established in this Law will be penalized with a fine of one to ten consolidated basic salaries of the average worker.
  2. If the controller or processor of personal data or, where applicable, a third party is a private law entity or a state-owned company, a fine will apply of between 0.1% and 0.7% of its turnover for the fiscal year prior to the year in which the fine is imposed. The Personal Data Protection Authority will establish the applicable fine based on the principle of proportionality.

Penalties for Serious Infringements

  1. Public sector employees or officials who by act or omission have committed any of the serious infringements established in this Law will be penalized with a fine of 10 to 20 consolidated basic salaries of the average worker.
  2. If the controller or processor of personal data or, where applicable, a third party is a private law entity or a state-owned company, a fine will apply of between 0.7% and 1% of its turnover for the fiscal year prior to the year in which the fine is imposed. The Personal Data Protection Authority will establish the applicable fine based on the principle of proportionality.

Under Ecuadorian criminal law, a person who, without the consent of the data owner, accesses, intercepts, keeps, records, reproduces, disseminates or publishes personal data may be sanctioned with one to three years in prison.

How is electronic marketing regulated?

Electronic marketing is subject to the Electronic Commerce, Signature and Data Messages Law.

According to the Electronic Commerce, Signature and Data Messages Law, in the case of electronic marketing or promotion, the sender must ensure that the recipient can access all available information about the promoted good or service without restriction. In the case of regular data messages sent by email, the sender must ensure that the recipient can unsubscribe from the sender's list.

Are there any recent developments or expected reforms?

Yes. The General Regulation is being reviewed by the National Secretariat for approval. In addition, the competent authority has not yet been created. The sanctions and corrective measures are expected to enter into force on May 26, 2023.
