Ecuador - Data Protection Overview

February 2022

1. Governing Texts

On 26 May 2021, the National Assembly of Ecuador enacted the Personal Data Protection Law (only available in Spanish here) ('the Law'). This is the first specific legal regulation about personal data protection.

The Law is currently in force; however, some provisions will enter into force within the next two years (until May 2023), such as:

  • any processing of personal data carried out prior to the entry into force of the Law must be brought into compliance with the provisions of the Law within two years of its publication;
  • provisions related to corrective measures and sanctioning regime; and
  • all personal data controllers must adapt the international transfer of personal data to the new legislation.

It is also important to mention that until the publication of the Law, there were only general principles related to the protection of personal data, which were scattered in several legal bodies. Therefore, there was no real data protection system as such. In this sense, it is necessary to adjust the company's internal procedures to the new procedures and provisions.

In general terms, the Law reflects the principles and procedures set forth in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') enacted by the European Union. Therefore, if the company has experience in the regulatory and day-to-day aspects of the GDPR, complying with the requirements of the local law should not be difficult.

The appointment of the person who will head the Personal Data Protection Authority, known as the Data Protection Superintendency ('the Superintendency'), is still pending; the Superintendency must in turn issue the secondary regulations governing different aspects of the Law.

The issuance of the General Regulation ('Draft Regulation') by the President of Ecuador is also still pending.

1.1. Key acts, regulations, directives, bills

The fundamental rights established in the Constitution of the Republic of Ecuador 2008 (only available in Spanish here) ('the Constitution') include the right to privacy concerning an individual's personal data. This protection includes the inviolability of correspondence, whether physical or virtual. Correspondence cannot be withheld, opened, or examined except by a court order and with the obligation to keep confidential any matter unrelated to the event prompting the examination of the correspondence.

Although the Constitution mentions written and virtual communications, all kinds of communications are protected. Based on the Constitution, the compilation, filing, processing, distribution, or dissemination of personal data requires the consent of the data subject or the data subject's representative.

Additionally, the Constitution establishes a fundamental right for nationals and foreigners to freely access their personal information or data concerning assets, bank accounts, personal files, and genetic data produced or held on file by public or private entities, whether in material or electronic format. This data may be disclosed only when the data subjects consent to it or the law so requires. It also contains the legal recourse of Habeas Data, which allows the individual to obtain a ruling before a judge to access their personal information contained in public and private records.

The Constitution also guarantees that individuals or legal entities may request such information free of charge and have access to update or correct their personal data. If the information on file is regarded as sensitive, safety measures must be adopted. This guarantee may also be requested through a judge and the individual who believes they have been affected may claim compensation for any damage or loss experienced.

With the enactment of the Law, all the personal data protection provisions that were contained in several laws were compiled.

There are data protection provisions contained within the following laws:

  • The Organic Law on Transparency and Access to Public Information 2004 (only available in Spanish here) ('the Transparency and Access Law'), which regulates publicly available data and the management of credit information;
  • The Organic Law on Telecommunications 2015 (only available in Spanish here) ('the Telecommunications Law'), which regulates telecommunications operators;
  • The Labour Code 2005 (only available in Spanish here), which contains the duty of employers to protect the personal information of their employees;
  • The Health Law 2006 (only available in Spanish here) ('the Health Law'), which establishes the duty of people involved in the health care industry to protect confidential health information;
  • The Monetary and Financial Code (only available in Spanish here) ('the Financial Code'), which includes provisions regarding data protection in all financial transactions; and
  • The Law of the National System of Registration of Public Data (only available in Spanish here) ('Public Data Law'), which includes general provisions related to public data protection.

1.2. Guidelines

The Superintendency is the competent authority to issue data protection guidance. However, its incorporation is still pending.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies only to natural persons. It does not apply to the following:

  • data of deceased persons;
  • data that have been anonymised (i.e., it is not possible to identify the owner);
  • data collected during journalistic activities; and
  • data of legal entities.

2.2. Territorial scope

The Law has coverage throughout the national territory, as well as extraterritorial scope with respect to international data transfers. Regarding territorial aspects, the Law establishes the following conditions:

  • the processing of personal data is carried out in any part of the national territory;
  • the person responsible or in charge of the processing of personal data is domiciled in any part of the national territory;
  • the processing of personal data of data subjects residing in Ecuador is carried out by a controller or processor not established in Ecuador, when the processing activities are related to:
    • the offering of goods or services to such data subjects, regardless of whether they are required to pay for them; or
    • the control of their behaviour, insofar as it takes place in Ecuador; and,
  • the controller or processor of personal data, not domiciled in the national territory, is subject to national legislation by virtue of a contract or the regulations in force of public international law.

2.3. Material scope

The scope of application of the Law is broad, since it applies to the processing of personal data contained in any type of medium, automated or not, as well as to any form of subsequent use.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Superintendency is the control and oversight body responsible for guaranteeing all citizens the protection of their personal data, and for taking all necessary actions to ensure that the principles, rights, guarantees, and procedures set forth in the Law and its implementing regulations are respected.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities are detailed in Article 76 of the Law. The most relevant aspects are:

  • exercise the supervision, control, and evaluation of the activities carried out by the person responsible and in charge of the processing of personal data;
  • exercise the sanctioning power with respect to data controllers, delegates, persons in charge, and third parties, in accordance with the provisions of this Law;
  • hear, substantiate, and resolve the claims filed by the owner or those initiated ex officio, as well as apply the corresponding sanctions;
  • administer the National Registry of Personal Data Protection, as well as coordinate the necessary actions with public and private sector entities for its effective operation;
  • dictate the standard data protection clauses, as well as verify the content of additional or specific clauses or guarantees; and
  • exercise international representation in matters of personal data protection.

4. Key Definitions

Article 4 of the Law contains the definitions applicable to data protection matters. The following are the literal definitions provided by the Law:

Data controller: Natural or legal person, public or private, public authority, or other body, which alone or jointly with others decides on the purpose and processing of personal data.

Data processor: Natural or legal person, public or private, public authority, or other body that alone or jointly with others processes personal data on behalf of and for the account of a data controller.

Personal data: Data that identifies or makes identifiable a natural person, directly or indirectly.

Sensitive data: Data related to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial background, immigration status, sexual orientation, health, biometric data, genetic data, and those whose improper processing may give.

Health data: Personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about their health status.

Biometric data: Unique personal data, related to the physical or physiological characteristics, or behaviours of a natural person that allows or confirms the unique identification of such person, such as facial images or fingerprint data, among others.

Pseudonymisation: The application of measures aimed at preventing the identification or re-identification of a natural person, without disproportionate efforts.

Data subject: Natural person whose data is processed.

Data protection officer: A natural person responsible for informing the controller or processor of his or her legal data protection obligations, for ensuring or supervising compliance with data protection laws, and for cooperating with the DPA, serving as a point of contact between the DPA and the entity responsible for the processing of personal data (Article 4 of the Law).

5. Legal Bases

5.1. Consent

The Law defines consent as the manifestation of free, specific, informed, and unequivocal will, by which the owner of the personal data authorises the data controller to process the personal data.

Consent must contain at least the following elements:

  • free, when it is free from vices of consent;
  • specific, in terms of the concrete determination of the means and purposes of the processing;
  • informed, so that it complies with the principle of transparency and gives effect to the right to transparency;
  • unambiguous, so that there are no doubts as to the scope of the authorisation granted by the data subject; 
  • clear and unambiguous, so that there are no doubts as to the scope of the authorisation granted by the data subject; and 
  • it can be revoked at any time without the need of any justification.

5.2. Contract with the data subject

It is possible for a data controller to process personal information on the basis of the performance of a contract with the data subject.

5.3. Legal obligations

The data subject cannot oppose the processing of data when the data is necessary to comply with a court order, resolution, or reasoned mandate from a competent public authority (Article 18(3) of the Law).

5.4. Interests of the data subject

Article 9 of the Law establishes the following where the processing of personal data is based on legitimate interest:

  • only data that are strictly necessary for the realisation of the purpose may be processed;
  • the data controller must ensure that the processing is transparent to the data subject; and
  • the Superintendency may require from the controller a data protection risk report in which it shall verify that there are no concrete threats to the legitimate expectations of the data subjects and to their fundamental rights.

5.5. Public interest

The concept of public interest is developed in different aspects of the Law. For example, it is an exception foreseen for the processing of sensitive data, when the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, which must be proportionate to the objective pursued. In this sense, it is also considered as an exceptional case of international transfer of personal data when the transfer is necessary for reasons of public interest.

Also, the consent of the data subject shall not be required for the processing of health data when it is necessary for reasons of essential public interest in the field of health.

5.6. Legitimate interests of the data controller

The processing of personal data will be legitimate and lawful if any of the following conditions are met (Article 7 of the Law):

  • by consent of the data subject for the processing of their personal data, for one or more specific purposes;
  • that it is carried out by the data controller in compliance with a legal obligation;
  • that it is carried out by the data controller, by court order, in compliance with the principles of this law; and
  • for the execution of pre-contractual measures at the request of the owner or for the fulfilment of contractual obligations pursued by the data controller, data processor or by a legally authorised third party.

5.7. Legal bases in other instances

There are other laws that also regulate, within the scope of their competencies, aspects related to the handling of personal data, such as, for example:

Financial sector

In the financial sector, the Financial Code (only available in Spanish here) allows the processing of data intended to provide information on solvency or creditworthiness, including data relating to the fulfilment or non-fulfilment of obligations of a commercial or credit nature that allow the evaluation of the conclusion of business in general, the commercial conduct, or the payment capacity of the data subject.

The personal data protection regime established by Ecuadorian legislation also applies to the protection of information held by institutions that are part of the financial system. There was a section established in the Public Data Law that was transferred to the Financial Code which regulates the management of credit information (Section 17 of the Financial Code):

  • persons that, for any reason, have access to the reports issued by the Superintendency of Banks (including civil servants, employees, agents, among others), shall keep the information contained in such reports confidential;
  • use for other purposes than credit analysis is prohibited; and
  • whoever unduly uses or discloses any information contained in a credit report or modifies the information provided by the source will be subject to the sanctions contained in the criminal legislation, without prejudice to the applicable actions and civil or administrative liabilities.

The personal data of users of the financial system must be protected and will only be disclosed to the data subject or to third parties when authorised (Article 352 of the Financial Code). Furthermore, the content of reports issued by the Superintendency of Banks should be treated as confidential and only used for credit analysis (Article 360 of the Financial Code).

Data subjects may access their personal financial data with no restrictions.

Health sector

Personal data protection rules for the health and pharmaceuticals sector are contained in the Health Organic Law (only available in Spanish here), which provides a right of confidentiality for health service users regarding their medical records (Article 7 of the Health Organic Law).

Also, the Health Ministry issued a regulation regarding data protection, named the Regulation of Confidential Information in the National Health System (only available in Spanish here). According to this regulation, confidential health information in all documents or systems must be treated as confidential by health care members, and by private and public employees working in health service providers.

In addition, the Law allows the institutions that are part of the National Health System and health professionals to collect and process data related to the health of their patients who are or have been under treatment.

Telecommunications sector

The Telecommunications Law (only available in Spanish here) contains a complete chapter with rules applicable to the telecommunications sector in terms of personal data protection. Furthermore, telecommunications users have the right to their data privacy and protection, and to the inviolability of their communications (Article 22 of the Telecommunications Law). One important aspect is the obligation of operators to take measures to protect the personal data of customers and users in compliance with security policies, requiring them to take measures to keep their network and the information they transmit secure. The Telecommunications Law prohibits operators from using personal data, information about service use, traffic, and consumer patterns to commercially promote services and products without the customer's consent.

Executive Decree No. 864 for the Regulation of the Telecommunications Law (only available in Spanish here) ('the Regulation') was enacted in January 2016. Article 120 of the Regulation states that service providers within the general telecommunications regime are prohibited from performing or omitting actions that violate the guarantee of personal data protection, that is, causing the destruction, loss, alteration, disclosure, or non-authorised access of personal data transmitted, stored, or used in the provision of telecommunications services in accordance with the procedures or protocols established in the Telecommunications Law, the Regulation and the resolutions issued by the Agency for the Regulation and Control of Telecommunications ('ARCOTEL') to that effect. A violation of this guarantee will lead to the imposition of penalties.

6. Principles

The following principles apply to the data protection regime in Ecuador (Article 10 of the Law):

  • Lawfulness: Personal data must be processed in strict compliance with the principles, rights, and obligations established in the Constitution, international instruments, the Law, its Regulations and other applicable rules, and jurisprudence.
  • Fairness: The processing of personal data must be fair, so it must be clear to the owners that personal data concerning them are being collected, used, consulted, or otherwise processed, as well as the ways in which such data are or will be processed. In no case may personal data be processed by unlawful or unfair means or for unlawful or unfair purposes.
  • Transparency: The processing of personal data shall be transparent, so that any information or communication relating to this processing shall be easily accessible and easy to understand and shall use simple and clear language.
  • Purpose: The purposes of the processing must be determined, explicit, legitimate, and communicated to the owner: personal data may not be processed for purposes other than those for which they were collected, unless one of the grounds that enable a new processing in accordance with the assumptions of legitimate processing indicated in the law occurs.
  • Relevance and minimisation of personal data: Personal data must be relevant and limited to what is strictly necessary for the fulfilment of the purpose of the processing.
  • Proportionality of the processing: The processing must be adequate, necessary, timely, relevant, and not excessive in relation to the purposes for which they have been collected or to the nature of the special categories of data.
  • Confidentiality: The processing of personal data must be conceived based on due confidentiality and secrecy, i.e., it must not be processed or communicated for a purpose other than that for which it was collected, unless one of the grounds that enable a new processing in accordance with the assumptions of legitimate processing set forth in the Law is met.
  • Quality and accuracy: The personal data to be processed must be accurate, complete, precise, complete, verifiable, clear, and if applicable, duly updated, in such a way that their veracity is not altered. All reasonable measures shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.
  • Retention: Personal data will be kept for no longer than is necessary to fulfil the purpose for which they are processed. In order to ensure that personal data are not kept longer than necessary, the controller shall establish deadlines for their deletion or periodic review.
  • Security of personal data: Those responsible for and in charge of the processing of personal data shall implement all appropriate and necessary security measures, understood as those accepted by the state of the art, be they organisational, technical, or of any other nature, to protect personal data against any risk, threat, or vulnerability, considering the nature of the personal data, the scope and context.
  • Proactive and proven responsibility: The person responsible for the processing of personal data must prove that they have implemented mechanisms for the protection of personal data; that is, compliance with the principles, rights, and obligations set forth in this Law, for which purpose, in addition to the provisions of the applicable regulations, they may use standards, best practices, self- and co-regulation schemes, protection codes, certification systems, personal data protection seals, or any other mechanism determined appropriate to the purposes, the nature of the personal data or the risk of the processing.
  • Application favourable to the owner: In case of doubt as to the scope of the provisions of the legal system or contractual provisions applicable to the protection of personal data, judicial and administrative officials shall interpret and apply them in the sense most favourable to the owner of such data.
  • Independence of control: For the effective exercise of the right to the protection of personal data, and in compliance with the State's obligations to protect its rights, the Superintendency shall exercise an independent, impartial and autonomous control, as well as carry out the respective actions of prevention, investigation and sanction.

7. Controller and Processor Obligations

7.1. Data processing notification

The data controller shall register and keep the National Personal Data Protection Register up to date, in accordance with the provisions of the Law, its regulations, guidelines, directives, and regulations issued by the Superintendency (Article 47(12) of the Law).

The processor of personal data shall have the same obligations as the data controller, as far as applicable, in accordance with the Law and its regulations (Article 47 of the Law).

The data controller shall report and keep up to date the following information before the Superintendency (Article 51 of the Law):

  • identification of the database or processing;
  • the name, legal address, and contact details of the data controller and data processor of the personal data;
  • characteristics and purpose of the processing of personal data;
  • nature of the personal data processed;
  • identification, name, legal address, and contact details of the recipients of the personal data, including processors and third parties;
  • how the recorded information is interlinked;
  • the means used to implement the principles, rights, and obligations contained in the Law and specialised regulations;
  • the technical and physical, organisational, and legal requirements and administrative tools implemented to guarantee the security and protection of personal data; and
  • the retention periods of the relevant data.

In addition to the above requirements, Resolution No. 009-NG-DINARDAP-2021 (only available in Spanish here) ('the Resolution') was published in the Official Registry on 5 June 2021 and establishes the criteria for the processing of personal data in the Register. These criteria are mandatory for all entities that make up the system.

Further to the above, the Resolution details the services that are part of the DINARP and that will be subject to the regulations on the protection of personal data, which include, among other things (Article 4 of the Resolution):

  • the Electronic Notification System;
  • exceptional authorisations; and
  • others as determined by the DINARP.

Additionally, those responsible and in charge of the processing of personal data must provide evidence of compliance with the Resolution and allow the DINARP to verify it (Article 9 of the Resolution).

7.2. Data transfers

Personal data may be transferred or communicated to third parties when it is carried out for the fulfilment of purposes directly related to the legitimate functions of the controller and the recipient, when the transfer is configured within one of the grounds of legitimacy established in this Law, and with the consent of the owner (Article 33 of the Law).

It shall be understood that the consent is informed when for the transfer or communication of personal data the data controller has provided sufficient information to the data subject to enable them to know the purpose for which their data will be used and the type of activity of the third party to whom the data will be transferred or communicated.

However, there are some exceptions in which the consent of the data subject is not necessary to carry out a data transfer (Article 36 of the Law):

  • when the data have been collected from sources accessible to the public;
  • when the processing responds to the free and legitimate acceptance of a legal relationship between the data controller and the owner, whose development, compliance and control necessarily involves the connection of such processing with a database;
  • when the personal data must be provided to administrative or judicial authorities by virtue of requests and orders under the powers attributed to them by the law in force;
  • when the communication takes place between public administrations and its purpose is the further processing of data for historical, statistical, or scientific purposes, provided that such data is duly dissociated or at least anonymised;
  • when the communication of personal data relating to health is necessary to solve an emergency involving the vital interests of the owner and the latter is unable to give his consent; and
  • when the communication of personal data related to health is necessary to carry out epidemiological studies of public interest, in compliance with international standards on human rights.

In the event of an international transfer of data to a country, organisation, or international economic territory that has not been qualified by the Superintendency as having an adequate level of protection, the data controller or processor of personal data must consider the following:

  • guarantee compliance with principles, rights, and obligations in the processing of personal data at a standard equal to or higher than the Ecuadorian regulations in force;
  • effective protection of the right to the protection of personal data, through the permanent availability of administrative or judicial actions; and
  • the right to request full reparation, if applicable.

7.3. Data processing records

Please see section on data processing notification above.

7.4. Data protection impact assessment

The controller shall carry out an impact assessment of the processing of personal data where it has been identified that such processing, by its nature, context, or purposes, is likely to result in a high risk to the rights and freedoms of the data subject or where the Superintendency so requires (Article 42 of the Law).

The Data Protection Impact Assessment ('DPIA') shall be mandatory in case of:

  • systematic and comprehensive evaluation of personal aspects of natural persons that is based on automated processing, such as profiling, and based on which decisions are made that produce legal effects for natural persons;
  • large-scale processing of special categories of data, or of personal data relating to criminal convictions and offences; or
  • large-scale systematic observation of a publicly accessible area.

The Superintendency shall establish other types of processing operations requiring a DPIA.

The DPIA must be carried out prior to the start of the processing of personal data.

7.5. Data protection officer appointment

The personal data protection delegate must be appointed in the following cases (Article 48 of the Law):

  • when the processing is carried out by those who make up the public sector in accordance with the provisions of Article 225 of the Constitution;
  • when the activities of the person responsible or in charge of the processing of personal data require a permanent and systematised control due to the volume, nature, scope, or purposes of the processing, as established in this law, the regulations thereof, or in the regulations issued in this regard by the Superintendency;
  • when it refers to the large-scale processing of special categories of data, in accordance with the provisions of the regulations of this law; and
  • when the processing does not refer to data related to national security and defence of the State that are confidential or secret, in accordance with the provisions of the specialised regulations on the matter.

The Superintendency may define new conditions under which a personal data protection officer must be appointed and shall issue, for such purpose, sufficient guidelines for the appointment thereof.

Role

The DPO will have the following functions and powers (Article 49 of the Law):

  • advise the controller, the controller's staff and the processor of personal data on the provisions contained in the Law, the regulations, guidelines, directives and other regulations issued by the DPA;
  • supervise compliance with the provisions contained in the Law, the regulations, directives, guidelines, and other regulations issued by the DPA;
  • advise on risk analysis, impact assessment, and evaluation of security measures and supervise their implementation;
  • cooperate with the DPA and act as a point of contact with the DPA in relation to issues concerning the processing of personal data; and
  • such other tasks as may be established by the DPA in connection with special categories of personal data.

In the event of a breach of his/her duties, the DPO will be administratively, civilly, and criminally liable in accordance with the Law.

The DPA can define additional functions, attributes, and responsibilities for the DPO.

Furthermore, Article 50 of the Law outlines special considerations for a DPO, including that:

  • it is the responsibility of the data controller to ensure that the participation of the DPO, in all matters related to the protection of personal data, is done in an appropriate and timely manner;
  • it is the responsibility of the data controller to facilitate the access to the personal data and to the processing operations, as well as all the resources and elements necessary to guarantee the correct and free performance of the DPO's functions;
  • it is the responsibility of the data controller and data processor to train the DPO, in accordance with the technical regulations issued by the DPA;
  • the data controller may not dismiss or sanction the DPO for the performance of their duties;
  • the DPO will maintain a direct relationship with board level management of the data controller;
  • the data controller may contact the DPO in relation to the processing of their personal data and the exercise of their rights;
  • the DPO will be obliged to maintain the strictest confidentiality regarding the execution of their functions; and
  • provided that there is no conflict with their responsibilities established in this Law, its regulations, and guidelines issued by the DPA and other regulations on the subject, the DPO may perform other functions provided by the data controller.

7.6. Data breach notification

The data controller must notify the personal data security breach to the Superintendency and the ARCOTEL as soon as possible, and at the latest within five days after becoming aware of it, unless such security breach is unlikely to constitute a risk to the rights and freedoms of natural persons (Article 43 of the Law). If the notification to the Superintendency does not take place within five days, it must be accompanied by an indication of the reasons for the delay.

The processor must notify the controller of any breach of security of personal data as soon as possible, and at the latest within two days from the date on which they become aware of it.

In addition, the data controller must promptly notify the data subject of a personal data security breach when it entails a risk to his fundamental rights and individual liberties, within three days from the date on which they became aware of the risk.

However, depending on the specific applicable law, the procedure and timeframe may vary. For example, in no case may credit data relating to obligations of an economic, financial, banking, or commercial nature be communicated more than five years after the obligation to which it relates has become due.

The Telecommunications Law defines data breach as the situation in which personal data security is violated and it provokes the destruction, accidental or illegal, loss, modification, disclosure, or access, of personal data transmitted, stored or treated during the execution of telecommunication services.

With regard to data breach notification, in the event of a particular risk of a breach of security of the public network or telecommunications service, the telecommunications service provider must inform its subscribers, customers and users of such risk and of the measures to be taken (Article 79 of the Telecommunications Law).

7.7. Data retention

According to Article 31 of the Law:

  • health-related data generated in public or private health establishments will be treated in compliance with the principles of confidentiality and professional secrecy; and
  • the health-related data processed should, whenever possible, be previously anonymised or pseudonymised, avoiding the possibility of identifying the data subjects.

Any processing of anonymised health data must be previously authorised by the Superintendency. To obtain the authorisation, the interested party must submit a technical protocol containing the necessary parameters that guarantee the protection of such data and the prior favourable report issued by the Health Ministry.

7.8. Children's data

The right not to be subject to a decision based solely or partially on automated assessments, sensitive data, or data of children and adolescents may not be processed unless expressly authorised by the owner or their legal representative (Article 21 of the Law).

However, adolescents, in progressive exercise of their rights, from the age of 15, may grant, as owners, their explicit consent for the processing of their personal data, provided that the purposes are clearly specified.

7.9. Special categories of personal data

The following must be considered special categories of personal data (Article 25 of the Law):

  • sensitive data;
  • data of children and adolescents;
  • health data; and
  • data of persons with disabilities and their substitutes, related to disability.

The Law does not apply to the processing of data or databases established for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal sanctions, carried out by the competent state agencies in compliance with their legal functions.

7.10. Controller and processor contracts

The Law establishes that the relationship between the controller and the processor must be contained in a contract. However, the issuance of the secondary regulations applicable to this matter is still pending, so there are no specific provisions to be established in such contracts as of today.

8. Data Subject Rights

8.1. Right to be informed

The data subject has the right to be informed, in accordance with the principles of fairness and transparency and by any means, about (Article 12 of the Law):

  • the purposes of the processing;
  • the legal basis for the processing;
  • types of processing;
  • the storage period;
  • the existence of a database containing their personal data;
  • the origin of the personal data when they have not been obtained directly from the owner;
  • other purposes and further processing;
  • identity and contact details of the person responsible for the processing of personal data, including: address of the legal domicile, telephone number, and e-mail address;
  • where applicable, identity and contact details of the personal data protection officer, including: home address, telephone number, and e-mail address;
  • the transfers or communications, national or international, of personal data that it intends to carry out, including the recipients and their types, as well as the purposes that motivate the realisation of these and the protection guarantees established;
  • the consequences for the owner of the personal data of its delivery or refusal to do so;
  • the effect of supplying erroneous or inaccurate personal data;
  • the possibility of revoking consent;
  • the existence and manner in which their rights of access, deletion, rectification and updating, opposition, cancellation, limitation of processing, and not to be subject to a decision based solely on automated evaluations can be made effective;
  • the mechanisms to enforce their rights of access, deletion, rectification and updating, opposition, cancellation, limitation of processing, and not to be subject to a decision based solely on automated evaluations;
  • the mechanisms to make effective their right to portability, when requested by the data subject;
  • where and how to make claims before the data controller and the Superintendency; and
  • the existence of automated assessments and decisions, including profiling.

8.2. Right to access

The data subject has the right to know and obtain, free of charge, from the data controller access to all their personal data and to the information detailed in the preceding article, without the need to provide any justification whatsoever. The data controller must establish reasonable methods to allow the exercise of this right, which must be complied with within 15 days (Article 13 of the Law).

The right of access may not be exercised in such a way as to constitute an abuse of the right.

8.3. Right to rectification

The data subject has the right to obtain from the data controller the rectification and updating of his or her inaccurate or incomplete personal data (Article 14 of the Law).

For this purpose, the data subject must submit the relevant justifications, where appropriate. The data controller must respond to the request within 15 days and, within the same period, must inform the recipient of the data, if applicable, about the rectification, in order to update it.

8.4. Right to erasure

The data subject has the right to have their personal data deleted by the data controller when (Article 15 of the Law):

  • the processing does not comply with the principles set forth in this law;
  • the processing is not necessary or relevant for the fulfilment of the purpose;
  • the personal data have fulfilled the purpose for which they were collected or processed;
  • the term of conservation of the personal data has expired;
  • the processing affects fundamental rights or individual freedoms;
  • the consent given has been revoked or the consent has not been given for one or more specific purposes, without the need for any justification; or
  • there is a legal obligation.

The person responsible for the processing of personal data must implement methods and techniques aimed at eliminating, rendering unreadable, or rendering unrecognisable in a definitive and secure manner the personal data. This obligation must be fulfilled within 15 days of receipt of the request by the owner and must be free of charge.

8.5. Right to object/opt-out

The data subject has the right to oppose or refuse the processing of their personal data in the following cases (Article 16 of the Law):

  • fundamental rights and freedoms of third parties are not affected, the law permits it and it does not concern public information, of public interest or whose processing is ordered by law;
  • the processing of personal data is for direct marketing purposes;
  • at any time to the processing of personal data concerning them, including profiling; in which case the personal data must no longer be processed for such purposes; and
  • where their consent to the processing is not required as a result of the concurrence of a legitimate interest, as provided for in Article 7 of the Law, and is justified by a specific personal situation of the data subject, unless otherwise provided by law.

8.6. Right to data portability

The data subject has the right to receive from the data controller his personal data in a compatible, updated, structured, common, interoperable, and machine-readable format, preserving its characteristics; or to transmit it to other data controllers. The Superintendency must issue the regulations for the exercise of the right to portability (Article 17 of the Law).

The data subject may request that the data controller transfers or communicates their personal data to another data controller as soon as technically possible and without the data controller being able to claim any impediment of any kind in order to slow down the access, transmission, or reuse of data by the data subject or another data controller. Once the transfer of data has been completed, the data controller must proceed to its deletion, unless the data owner orders its preservation. The data controller who has received the information must assume the responsibilities contemplated in this Law.

8.7. Right not to be subject to automated decision-making

The data subject has the right not to be subjected to a decision based solely or partially on assessments that are the product of automated processes, including profiling, that produce legal effects on them or that violate their fundamental rights and freedoms, for which they may (Article 20 of the Law):

  • request from the data controller a reasoned explanation of the decision taken by the controller or processor of personal data;
  • submit observations;
  • request the assessment criteria on the automated program;
  • request from the responsible party information about the types of data used and the source from which the data was obtained; or
  • challenge the decision before the data controller or data processor.

8.8. Other rights

The Law also recognises other rights of the data subject, such as:

  • the right of consultation: individuals have the right to public and free consultation before the national registry for the protection of personal data, in accordance with the present law (Article 22 of the Law); and
  • the right to digital education: people have the right to access and availability of knowledge, learning, preparation, study, training, teaching, and instruction related to the proper, healthy, constructive, safe, and responsible use and management of information and communication technologies, in strict compliance with human dignity and integrity; fundamental rights and individual freedoms with special emphasis on privacy, private life, informational self-determination, online identity and reputation, digital citizenship and the right to protection of personal data, as well as to promote a culture sensitised to the right to protection of personal data (Article 23 of the Law).

9. Penalties

The sanctioning regime is divided into minor and major infringements.

Penalties for minor infractions:

  • fine of 1 to 10 Ecuadorian minimum legal wages (approx. $400 to $4000) for civil servants or public officials; or
  • fine of between 0.1% and 0.7% calculated on its turnover corresponding to the fiscal year immediately prior to the imposition of the fine, for members of private or public company entities.

Penalties for major infringements:

  • economic fine of 10 to 20 Ecuadorian minimum legal wages (approx. $4000 to $8000) for public servants or civil servants; or
  • fine of between 0.7% and 1% calculated on their turnover corresponding to the fiscal year immediately prior to the imposition of the fine, for members of private law entities or public companies.

9.1. Enforcement decisions

The provisions related to the corrective measures and the sanctioning regime will enter into force on 26 May 2023, two years after their publication. Therefore, up to now there have been no administrative sanctioning processes that can be commented on.