Expertise, Abogados & Consultores

Organic Law on Data Protection


When was it issued and what is its purpose?

The data protection law was enacted in the Fifth Supplement of the Official Gazette 4569 on May 26, 2021. Its purpose is to guarantee the right to the protection of personal data, including the ability to freely access such information and to make decisions about it. To that end, the law “regulates, provides for, and develops principles, rights, obligations, and protection mechanisms.”

What is the scope of application of the law?

According to Article 3, the law shall apply in the following cases:

  • When the processing of personal data is carried out anywhere within the national territory.
  • When the data controller or processor is domiciled anywhere within the national territory.
  • When the processing of personal data of data subjects residing in Ecuador is carried out by a controller or processor not established in Ecuador, provided that the processing activities are related to:
      i) The offering of goods or services to such data subjects, regardless of whether payment is required.
      ii) The monitoring of their behavior, to the extent that such behavior takes place within Ecuador.
  • Additionally, when the data controller or processor, not domiciled in the national territory, is subject to the national legislation under a contract or the applicable regulations of public international law.

What rights does the law provide for regarding personal data?

The law recognizes a series of rights and various mechanisms for their protection. These rights are:

  • Right to information
  • Right of access
  • Right of rectification and updating
  • Right of erasure
  • Right of objection
  • Right of portability
  • Right to restriction of processing
  • Right not to be subject to automated decision-making
  • Right to consultation

What is the Data Protection Officer (DPO)?

According to the Organic Law on Personal Data Protection (LOPDP), the Data Protection Officer (DPO) is the “natural person responsible for informing the data controller or processor about their legal obligations regarding data protection, as well as ensuring or overseeing compliance with the relevant regulations, and cooperating with the Personal Data Protection Authority, serving as the point of contact between the authority and the entity responsible for data processing.”

The DPO is obligated to ensure that natural and legal persons acting as data controllers or processors comply with the applicable regulations. It is the responsibility of those in charge of data processing to designate a DPO.

According to the LOPDP, it is mandatory to designate a DPO in the following cases:

  • When the processing of personal data is carried out in public sector institutions.
  • When the activities of the data controller or processor require continuous and systematic monitoring due to the quantity, nature, scope, or purpose of the data.
  • When special categories of data are processed on a large scale, such as information about minors or medical information. The parameters for what counts as large-scale processing will be defined by the Personal Data Protection Authority and the Regulation.
  • When data related to national security and defense of the State are processed, which are not subject to reservations or secrecy.

Organizations that do not have a legal obligation to designate a DPO must ensure that they implement all the measures required to comply with data protection regulations. Not having a DPO does not exempt them from their responsibility in this regard.

What about the creation of the National Data Protection Registry?

The LOPDP also contemplates the creation of a National Data Protection Registry, which data controllers must keep permanently updated by reporting to the Personal Data Protection Authority. Natural or legal persons whose activities include the processing of personal data must provide information about the type of database used, the nature of the processed data, the retention period of the data, and the existence of international transfers, among other things.

What sanctions does the law provide for?

In the case of a minor infringement, fines can reach up to 0.7% of a company’s revenue. For serious infringements, fines range between 0.7% and 1% of the revenue.

When does the punitive regime come into effect?

The regulation established a grace period of two years before the punitive regime comes into effect, which was fulfilled on May 26th. Under this regime, the Personal Data Protection Authority can identify non-compliance with the regulations and apply corrective measures or fines.

It should be noted that, although the Personal Data Protection Authority has not been designated as of today, this does not exempt compliance with the obligations set forth in the law.
