Ecuador - Data Protection Overview

January 2024

1. Governing Texts

The National Assembly of Ecuador enacted the Personal Data Protection Law (only available in Spanish here) ('the Law') on May 26, 2021. It is the first specific legal regulation on personal data protection in Ecuador and has been in force since May 2023. Until the publication of the Law, there were only general principles related to the protection of personal data, scattered across several legal instruments, so there was no real data protection system as such. Companies therefore need to align their internal procedures with the new provisions. In general terms, the Law reflects the principles and procedures set forth in the General Data Protection Regulation (Regulation (EU) 2016/679) ('the GDPR') enacted by the European Union. A company with experience in the regulatory and day-to-day aspects of the GDPR should therefore find it straightforward to comply with the requirements of the local law.

The appointment of the person who will head the Personal Data Protection Authority, known as the Data Protection Superintendency ('the Superintendency'), is still pending. The Superintendency will issue the secondary regulations to regulate different aspects of the Law.

The General Regulation to the Law ('the General Regulation') was issued through Executive Decree 904, published in Official Gazette Supplement 435 of November 13, 2023 (only available in Spanish here).

1.1. Key acts, regulations, directives, bills

The fundamental rights established in the Constitution of the Republic of Ecuador 2008 (only available in Spanish here) ('the Constitution') include the right to privacy concerning an individual's personal data. This protection includes the inviolability of correspondence, whether physical or virtual. Correspondence cannot be withheld, opened, or examined except by court order and with the obligation to keep confidential any matter unrelated to the event prompting the examination of the correspondence.

Although the Constitution mentions written and virtual communications, all kinds of communications are protected. Based on the Constitution, the compilation, filing, processing, distribution, or dissemination of personal data requires the consent of the data subject or the data subject's representative. Additionally, the Constitution also establishes a fundamental right for nationals and foreigners to freely access their personal information or data concerning assets, bank accounts, personal files, and genetic data produced or held on file by public or private entities, whether in material or electronic format. This data may be disclosed only when the data subjects consent to it or the law so requires. It also contains the legal recourse of Habeas Data, which allows the individual to obtain a ruling before a judge to access their personal information contained in public and private records.

The Constitution also guarantees that individuals or legal entities may request such information free of charge and have access to update or correct their personal data. If the information on file is regarded as sensitive, safety measures must be adopted. This guarantee may also be requested through a judge and the individual who believes they have been affected may claim compensation for any damage or loss experienced. With the enactment of the Law, all the personal data protection provisions that were contained in several laws were compiled.

There are data protection provisions contained within the following laws:

  • Organic Law on Transparency and Access to Public Information 2004 (only available in Spanish here) ('the Transparency and Access Law') regulates publicly available data and the management of credit information;

  • Organic Law on Telecommunications 2015 (only available in Spanish here) ('the Telecommunications Law') which regulates telecommunications operators;

  • Labour Code 2005 (only available in Spanish here) ('the Labour Code'), which contains the duty of employers to protect the personal information of their employees;

  • Health Law 2006 (only available in Spanish here) ('the Health Law') which establishes the duty of people involved in the healthcare industry to protect confidential health information;

  • Monetary and Financial Code (only available in Spanish here) ('the Financial Code'), which includes provisions regarding data protection in all financial transactions; and

  • Law of the National System of Registration of Public Data (only available in Spanish here) ('the Public Data Law'), which includes general provisions related to public data protection.

1.2. Guidelines

The Superintendency is the competent authority to issue data protection guidance. However, it has not yet been established.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies only to the data of natural persons. It does not apply to the following:

  • data of deceased persons;

  • data that have been anonymized (i.e., it is not possible to identify the owner);

  • data collected during journalistic activities; and

  • data of legal entities.

2.2. Territorial scope

The Law applies throughout the national territory and also has extraterritorial scope with respect to international data transfers. Regarding territorial aspects, the Law establishes the following conditions:

  • the processing of personal data is carried out in any part of the national territory;

  • the person responsible or in charge of the processing of personal data is domiciled in any part of the national territory;

  • the processing of personal data of data subjects residing in Ecuador is carried out by a data controller or data processor not established in Ecuador when the processing activities are related to:

    • the offering of goods or services to such data subjects, regardless of whether they are required to pay for them; or

    • the control of their behavior, insofar as it takes place in Ecuador; and

  • the data controller or data processor of personal data, not domiciled in the national territory, is subject to national legislation by virtue of a contract or the regulations in force of public international law.

2.3. Material scope

The scope of application of the Law is broad since it will apply to the processing of personal data contained in any type of support, automated or not, as well as to any form of subsequent use.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Superintendency is the control and oversight body responsible for guaranteeing all citizens the protection of their personal data, and for taking all necessary actions to ensure that the principles, rights, guarantees, and procedures set forth in the Law and its implementing regulations are respected. It is an autonomous and independent public entity and will be based in Quito, Ecuador. It will be managed and represented by the Superintendent who will be appointed for a five-year term.

The Superintendent must fulfill the following minimum requirements for their appointment:

  • be a professional in law, information systems, communication, or technology;

  • hold a fourth-level degree; and

  • have at least 10 years of experience in related areas.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities are detailed in Article 76 of the Law. The most relevant aspects are:

  • exercise the supervision, control, and evaluation of the activities carried out by the person responsible and in charge of the processing of personal data;

  • exercise the sanctioning power with respect to data controllers, delegates, persons in charge, and third parties, in accordance with the provisions of this Law;

  • to hear, substantiate, and resolve the claims filed by the owner or those initiated ex officio, as well as to apply the corresponding sanctions;

  • administer the National Registry of Personal Data Protection ('the National Register'), as well as coordinate the necessary actions with public and private sector entities for its effective operation;

  • to dictate the standard data protection clauses, as well as to verify the content of additional or specific clauses or guarantees; and

  • to exercise international representation in matters of personal data protection.

In addition, Article 80 of the General Regulation grants the Superintendent the power to:

  • enforce the regulations in the framework of the protection of personal data;

  • register databases containing personal data in the National Register;

  • to manage and administer the Single Register of Non-Compliant Controllers and Processors (responsible parties and parties in charge that have failed to comply);

  • issue regulations for the protection of personal data;

  • to issue technical reports within the control and supervision mechanisms provided for;

  • propose reforms to the Law and its regulations;

  • issue reference guides to assist data controllers and data processors in the process of adapting to and complying with the personal data protection regulations; and

  • to hear and resolve petitions, complaints, claims, and appeals that are proposed within the scope of its competence and in accordance with the Law.

The main attributions of the Superintendent are contained in Article 83 of the General Regulation and include:

  • to exercise the legal and judicial representation of the Superintendency in all acts, contracts, and legal relations subject to its competence;

  • to prepare and publish, on an annual basis, statistical information on the organizations subject to its control and on the processing of personal data;

  • to formulate, approve, and execute the budget of the Superintendency;

  • to prepare studies and proposals on legal and regulatory reforms required for the correct exercise of the right to the protection of personal data, and to submit the same for consideration to the bodies responsible for approving them; and

  • approve and issue internal rules, resolutions, and manuals that are necessary for the proper functioning of the Authority under their charge.

4. Key Definitions

Article 4 of the Law contains the definitions applicable to data protection matters. The following are the definitions as provided by the Law:

Data controller: Natural or legal person, public or private, public authority, or other body, which alone or jointly with others decides on the purpose and processing of personal data.

Data processor: Natural or legal person, public or private, public authority, or other body that alone or jointly with others processes personal data on behalf of and for the account of a data controller.

Personal data: Data that identifies or makes identifiable a natural person, directly or indirectly.

Sensitive data: Data related to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial background, immigration status, sexual orientation, health, biometric data, genetic data, and those whose improper processing may give.

Health data: Personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about their health status.

Biometric data: Unique personal data, related to the physical or physiological characteristics, or behaviors of a natural person that allows or confirms the unique identification of such person, such as facial images or fingerprint data, among others.

Pseudonymization: The application of measures aimed at preventing the identification or re-identification of a natural person, without disproportionate efforts.

Data subject: Natural person whose data is processed.

Data protection officer (DPO): A natural person responsible for informing the data controller or data processor of their legal data protection obligations, for ensuring or supervising compliance with data protection laws, and for cooperating with the Data Protection Authority ('DPA') serving as a point of contact between the DPA and the entity responsible for the processing of personal data (Article 4 of the Law).

5. Legal Bases

5.1. Consent

The processing of personal data will be legitimate and lawful where the consent of the data subject is obtained for the processing of their personal data, for one or more specific purposes. The Law defines it as the manifestation of free, specific, informed, and unequivocal will, by which the owner of the personal data authorizes the data controller to process the personal data.

Consent must contain at least the following elements:

  • free, meaning it is not affected by any vice of consent;

  • specific, in terms of the concrete determination of the means and purposes of the processing;

  • informed, so that it complies with the principle of transparency and gives effect to the right to transparency;

  • clear and unambiguous, so that there are no doubts as to the scope of the authorization granted by the data subject; and

  • revocable at any time without the need for any justification.

In cases where the consent has been revoked, this revocation will not affect the validity of the data processing that has been performed up to the date of revocation. The data controller shall have a simple procedure for the person to withdraw their consent.

5.2. Contract with the data subject

It is possible for a data controller to process personal information on the basis of the performance of the contract with the data subject. In addition, the processing of personal data will be legitimate and lawful where it is for the execution of pre-contractual measures at the request of the owner or for the fulfillment of contractual obligations pursued by the data controller, data processor, or by a legally authorized third party.

5.3. Legal obligations

The processing of personal data will be legitimate and lawful where it is carried out by the data controller in compliance with a legal obligation. The data subject cannot oppose the processing of data when the data is necessary to comply with a court order, resolution, or reasoned mandate from a competent public authority (Article 18(3) of the Law).

5.4. Interests of the data subject

In addition, the General Regulation provides that the processing of personal data is lawful if it is necessary to protect an interest essential to the life of the data subject or of another person, for example during epidemics or humanitarian emergencies. Personal data should only be processed on the basis of the vital interest of another natural person where the processing cannot manifestly be based on a different legal basis.

Regarding the interests of the data subject, Article 9 of the Law establishes the following conditions for processing on this basis:

  • only data that are strictly necessary for the realization of the purpose may be processed;
  • the data controller must ensure that the processing is transparent to the data subject; and
  • the Superintendency may require from the data controller a data protection risk report, in which it shall verify that there are no concrete threats to the legitimate expectations of the data subjects and their fundamental rights.

5.5. Public interest

The concept of public interest is developed in different aspects of the Law. For example, it is an exception foreseen for the processing of sensitive data, when the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, which must be proportionate to the objective pursued. In this sense, it is also considered an exceptional case of international transfer of personal data when the transfer is necessary for reasons of public interest.

Also, the consent of the data subject shall not be required for the processing of health data when it is necessary for reasons of essential public interest in the field of health.

Article 7(1)1 of the General Regulation provides that the processing of personal data carried out on this legitimate basis shall observe the following:

  • the types of data to be processed;

  • the data subjects concerned;

  • the entities to which personal data may be disclosed and the purposes of such disclosure;

  • the purpose limitation; and

  • the time limits for the storage of the data, as well as the processing operations and procedures, including measures to ensure lawful and fair processing.

The processing of personal data under this legitimate basis must meet a public interest objective and be proportionate to the legitimate aim pursued.

5.6. Legitimate interests of the data controller

In addition, Article 7(3) of the General Regulation provides that where processing is necessary to meet a legitimate interest of the data controller or of a third party concerned, the balancing rule shall apply, provided that the interests, rights, and freedoms of the data subject are not overridden. The balancing shall be carried out by means of a careful assessment taking into account the following factors:

  • assessment of the legitimate interest of the data controller or the third party concerned, which must be necessary and proportionate;
  • impact on data subjects, measuring the actual or potential consequences arising from the processing;
  • provisional balancing, which considers the measures taken by the data controller to fulfill its obligations in terms of proportionality and transparency; and
  • additional safeguards implemented by the data controller to prevent any undue impact on the data subjects.

5.7. Legal bases in other instances

Other laws also regulate, within the scope of their competencies, aspects related to the handling of personal data, such as, for example:

Financial sector

For the financial sector, the Financial Code (only available in Spanish here) allows the processing of data intended to provide information on the solvency or creditworthiness, including data relating to the fulfillment or non-fulfillment of obligations of a commercial or credit nature that allows the evaluation of the business in general, the commercial conduct, or the payment capacity of the data subject.

The personal data protection regime established by Ecuadorian legislation also applies to the protection of information held by institutions that are part of the financial system. There was a section established in the Public Data Law that was transferred to the Financial Code which regulates the management of credit information (Section 17 of the Financial Code):

  • persons that, for any reason, have access to the reports issued by the Superintendency of Banks (including civil servants, employees, and agents, among others), shall keep the information contained in such reports confidential;

  • use for other purposes than credit analysis is prohibited; and

  • whoever unduly uses or discloses any information contained in a credit report, or modifies the information provided by the source, will be subject to the sanctions contained in the criminal legislation, without prejudice to the applicable actions and civil or administrative liabilities.

Personal data of users of the financial system must be protected and may only be disclosed to the data subject or to third parties when authorized (Article 352 of the Financial Code). Furthermore, the content of reports issued by the Superintendency of Banks must be treated as confidential and used only for credit analysis (Article 360 of the Financial Code). Data subjects may access their personal financial data without restriction.

Health sector

Personal data protection provisions for the health and pharmaceutical sector are contained in the Health Organic Law (only available in Spanish here), which grants health service users a right of confidentiality regarding their medical records (Article 7 of the Health Organic Law). In addition, the Ministry of Public Health ('the Ministry') issued a data protection regulation, the Regulation of Confidential Information in the National Health System. According to this regulation, confidential health information in any document or system must be treated as confidential by members of the health system and by private and public employees working for health service providers.

In addition, the Law allows the institutions that are part of the National Health System and health professionals to collect and process data related to the health of their patients who are or have been under treatment.

Telecommunications sector

The Telecommunications Law (only available in Spanish here) contains a complete chapter of rules on personal data protection applicable to the telecommunications sector. Telecommunications users have the right to the privacy and protection of their data and to the inviolability of their communications (Article 22 of the Telecommunications Law). One important aspect is the obligation of operators to take measures to protect the personal data of customers and users in compliance with security policies, which requires them to keep their networks and the information they transmit secure. The Telecommunications Law prohibits operators from using personal data, information about service use, traffic, and consumption patterns to commercially promote services and products without the customer's consent.

Executive Decree No. 864 for the Regulation of the Telecommunications Law (only available in Spanish here) ('the Regulation') was enacted in January 2016. Article 120 of the Regulation states that service providers within the general telecommunications regime are prohibited from performing or omitting actions that violate the guarantee of personal data protection, that is, causing the destruction, loss, alteration, disclosure, or non-authorized access of personal data transmitted, stored, or used in the provision of telecommunications services in accordance with the procedures or protocols established in the Telecommunications Law, the Regulation, and the resolutions issued by the Agency for the Regulation and Control of Telecommunications ('ARCOTEL') to that effect. A violation of this guarantee will lead to the imposition of penalties.

6. Principles

The following principles apply to the data protection regime in Ecuador (Article 10 of the Law):

  • Lawfulness: Personal data must be processed in strict compliance with the principles, rights, and obligations established in the Constitution, international instruments, the Law, its Regulations and other applicable rules, and jurisprudence.

  • Fairness: The processing of personal data must be fair, so it must be clear to the owners that personal data concerning them are being collected, used, consulted, or otherwise processed, as well as how such data is or will be processed. In no case may personal data be processed by unlawful or unfair means or for unlawful or unfair purposes.

  • Transparency: The processing of personal data shall be transparent so that any information or communication relating to this processing shall be easily accessible and easy to understand and shall use simple and clear language.

  • Purpose: The purposes of the processing must be determined, explicit, legitimate, and communicated to the owner: personal data may not be processed for purposes other than those for which they were collected unless one of the grounds that enable new processing in accordance with the assumptions of legitimate processing indicated in the law occurs.

  • Relevance and minimization of personal data: Personal data must be relevant and limited to what is strictly necessary for the fulfillment of the purpose of the processing.

  • Proportionality of the processing: The processing must be adequate, necessary, timely, relevant, and not excessive in relation to the purposes for which they have been collected or to the nature of the special categories of data.

  • Confidentiality: The processing of personal data must be conceived based on due confidentiality and secrecy, i.e., it must not be processed or communicated for a purpose other than that for which it was collected unless one of the grounds that enable a new processing in accordance with the assumptions of legitimate processing set forth in the Law is met.

  • Quality and accuracy: The personal data to be processed must be accurate, complete, precise, verifiable, clear, and, if applicable, duly updated, in such a way that their veracity is not altered. All reasonable measures shall be taken to ensure that personal data that is inaccurate with respect to the purposes for which it is processed is deleted or rectified without delay.

  • Retention: Personal data will be kept for no longer than is necessary to fulfill the purpose for which it is processed. In order to ensure that personal data is not kept longer than necessary, the data controller shall establish deadlines for their deletion or periodic review.

  • Security of personal data: Those responsible for and in charge of the processing of personal data shall implement all appropriate and necessary security measures, understood as those accepted by the state of the art, whether organizational, technical, or of any other nature, to protect personal data against any risk, threat, or vulnerability, considering the nature of the personal data and the scope and context of the processing.

  • Proactive and proven responsibility: The person responsible for the processing of personal data must prove that they have implemented mechanisms for the protection of personal data, that is, compliance with the principles, rights, and obligations set forth in this Law. For this purpose, in addition to the provisions of the applicable regulations, they may use standards, best practices, self-regulation and co-regulation schemes, protection codes, certification systems, personal data protection seals, or any other mechanism determined appropriate to the purposes, the nature of the personal data, or the risk of the processing.

  • Application favorable to the owner: In case of doubt as to the scope of the provisions of the legal system or contractual provisions applicable to the protection of personal data, judicial and administrative officials shall interpret and apply them in the sense most favorable to the owner of such data.

  • Independence of control: For the effective exercise of the right to the protection of personal data, and in compliance with the State's obligations to protect its rights, the Superintendency shall exercise independent, impartial, and autonomous control, as well as carry out the respective actions of prevention, investigation, and sanction.

7. Controller and Processor Obligations

7.1. Data processing notification

The data controller shall register and keep the National Registry up to date, in accordance with the provisions of the Law, its regulations, guidelines, directives, and regulations issued by the Superintendency (Article 47(12) of the Law). The processor of personal data shall have the same obligations as the data controller, as far as applicable, in accordance with the Law and its regulations (Article 47 of the Law).

The data controller shall report the following information to the Superintendency and keep it up to date (Article 51 of the Law):

  • identification of the database or processing;

  • the name, legal address, and contact details of the data controller and data processor of the personal data;

  • characteristics and purpose of the processing of personal data;

  • nature of the personal data processed;

  • identification, name, legal address, and contact details of the recipients of the personal data, including processors and third parties;

  • how the recorded information is interlinked;

  • the means used to implement the principles, rights, and obligations contained in the Law and specialized regulations;

  • the technical and physical, organizational, and legal requirements and administrative tools implemented to guarantee the security and protection of personal data; and

  • the retention periods of the relevant data.

In addition to the above requirements, Resolution No. 009-NG-DINARDAP-2021 (only available in Spanish here) ('the Resolution') was published, on June 5, 2021, in the National Registry, and establishes the criteria for the processing of personal data in the Register. Furthermore, these are mandatory for all entities that make up the system.

Further to the above, the Resolution details the services that are part of the National Directorate of Public Records (DINARP) and that will be subject to the regulations on the protection of personal data, which include, among other things (Article 4 of the Resolution):

  • the Electronic Notification System;

  • exceptional authorizations; and

  • others as determined by the DINARP.

Additionally, those responsible and in charge of the processing of personal data must provide evidence of compliance with this resolution and allow the verification of the same to the DINARP (Article 9 of the Resolution).

7.2. Data transfers

Personal data may be transferred or communicated to third parties when it is carried out for the fulfillment of purposes directly related to the legitimate functions of the data controller and the recipient when the transfer is configured within one of the grounds of legitimacy established in this Law, and with the consent of the owner (Article 33 of the Law).

It shall be understood that consent is informed when for the transfer or communication of personal data the data controller has provided sufficient information to the data subject to enable them to know the purpose for which their data will be used and the type of activity of the third party to whom the data will be transferred or communicated.

However, there are some exceptions in which the consent of the data subject is not required to carry out a data transfer (Article 36 of the Law):

  • when the data have been collected from sources accessible to the public;

  • when the processing responds to the free and legitimate acceptance of a legal relationship between the data controller and the owner, whose development, compliance, and control necessarily involves the connection of such processing with a database;

  • when the personal data must be provided to administrative or judicial authorities by virtue of requests and orders under the powers attributed to them by the law in force;

  • when the communication takes place between public administrations and its purpose is the further processing of data for historical, statistical, or scientific purposes, provided that such data is duly dissociated or at least anonymized;

  • when the communication of personal data relating to health is necessary to solve an emergency involving the vital interests of the owner and the latter is unable to give their consent; and

  • when the communication of personal data related to health is necessary to carry out epidemiological studies of public interest, in compliance with international standards on human rights.

In the event of an international transfer of data to a country, organization, or international economic territory that has not been qualified by the Superintendency as having an adequate level of protection, the data controller or data processor of personal data must consider the following:

  • guaranteeing compliance with principles, rights, and obligations in the processing of personal data at a standard equal to or higher than the Ecuadorian regulations in force;

  • ensuring effective protection of the right to the protection of personal data, through the permanent availability of administrative or judicial actions; and

  • the right to request full reparation, if applicable.

In addition, Article 22 of the General Regulation provides that the transfer or communication of personal data to third parties may be carried out in the following cases:

  • for the fulfillment of purposes directly related to the legitimate functions of the data controller and the third-party recipient, in which case the recipient undertakes to comply with data protection regulations; and

  • with the prior consent of the data subject, which may be revoked at any time.

7.3. Data processing records

Please see the section on data processing notifications above.

7.4. Data protection impact assessment

The data controller shall carry out an impact assessment of the processing of personal data where it has been identified that such processing, by its nature, context, or purposes, is likely to result in a high risk to the rights and freedoms of the data subject or where the Superintendency so requires (Article 42 of the Law).

The Data Protection Impact Assessment ('DPIA') shall be mandatory in the case of:

  • systematic and comprehensive evaluation of personal aspects of natural persons that is based on automated processing, such as profiling, and based on which decisions are made that produce legal effects for natural persons;

  • large-scale processing of special categories of data, or personal data relating to criminal convictions and offenses; or

  • large-scale systematic observation of a publicly accessible area.

According to Article 30 of the General Regulation, the purpose of the DPIA is to:

  • identify and describe the potential and likely risks of certain processing of personal data;

  • describe concrete actions for the management of the identified risks;

  • act in a preventive manner in compliance with the obligations established in the Law, its Regulations, and other applicable regulations; and

  • promote guidelines for the construction of a preventive culture of personal data protection in the organization.

The Superintendency shall establish other types of processing operations that require a DPIA. In any case, the DPIA must contain at least the following (Article 32 of the General Regulation):

  • the systematic description of the processing operations and the purposes of the processing;

  • the justification of the necessity for carrying out those processing operations, as well as their proportionality in relation to the purpose;

  • the assessment of risks to the rights and freedoms of data subjects; and

  • the measures envisaged to address the risks, safeguards, security measures, and mechanisms intended to safeguard and demonstrate respect for the right of data subjects to the protection of their personal data.

The DPIA must be carried out prior to the start of the processing of personal data.

7.5. Data protection officer appointment

A data protection officer ('DPO') must be appointed in the following cases (Article 48 of the Law):

  • when the processing is carried out by those who make up the public sector in accordance with the provisions of Article 225 of the Constitution;

  • when the activities of the data controller or data processor require permanent and systematic monitoring due to the volume, nature, scope, or purposes of the processing, as established in the Law, its regulations, or the regulations issued in this regard by the Superintendency;

  • when the processing involves large-scale processing of special categories of data, in accordance with the regulations of the Law; and

  • when the processing does not refer to data related to national security and defense of the State that are confidential or secret, in accordance with the provisions of the specialized regulations on the matter.

The Superintendency may define additional conditions under which a DPO must be appointed and shall issue, for that purpose, sufficient guidelines for the appointment.

Role

The DPO will have the following functions and powers (Article 49 of the Law):

  • advise the data controller, the data controller's staff, and the data processor on the provisions contained in the Law, the regulations, guidelines, directives, and other regulations issued by the DPA;

  • supervise compliance with the provisions contained in the Law, the regulations, directives, guidelines, and other regulations issued by the DPA;

  • advise on risk analysis, impact assessment, and evaluation of security measures and supervise their implementation;

  • cooperate with the DPA and act as a point of contact with the DPA in relation to issues concerning the processing of personal data; and

  • such other tasks as may be established by the DPA in connection with special categories of personal data.

In the event of a breach of their duties, the DPO will be administratively, civilly, and criminally liable in accordance with the Law. The DPA can define additional functions, attributes, and responsibilities for the DPO.

Furthermore, Article 50 of the Law outlines special considerations for a DPO, including that:

  • it is the responsibility of the data controller to ensure that the participation of the DPO, in all matters related to the protection of personal data, is done in an appropriate and timely manner;

  • it is the responsibility of the data controller to facilitate access to the personal data and to the processing operations, as well as all the resources and elements necessary to guarantee the correct and free performance of the DPO's functions;

  • it is the responsibility of the data controller and data processor to train the DPO, in accordance with the technical regulations issued by the DPA;

  • the data controller may not dismiss or sanction the DPO for the performance of their duties;

  • the DPO will maintain a direct relationship with board-level management of the data controller;

  • data subjects may contact the DPO in relation to the processing of their personal data and the exercise of their rights;

  • the DPO will be obliged to maintain the strictest confidentiality regarding the execution of their functions; and

  • provided that there is no conflict with their responsibilities established in this Law, its regulations, and guidelines issued by the DPA and other regulations on the subject, the DPO may perform other functions provided by the data controller.

7.6. Data breach notification

The data controller must notify a personal data security breach to the Superintendency and to the Telecommunications Regulation and Control Agency ('ARCOTEL') as soon as possible, and at the latest within five days of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons (Article 43 of the Law). If the notification to the Superintendency is not made within five days, it must be accompanied by the reasons for the delay. The data processor must notify the data controller of any personal data security breach as soon as possible, and at the latest within two days of becoming aware of it.

In addition, the data controller must promptly notify the data subject of a personal data security breach when it entails a risk to their fundamental rights and individual liberties, within three days from the date on which they became aware of the risk. Sector-specific laws may impose a different procedure and timeframe. For example, in no case may credit data relating to obligations of an economic, financial, banking, or commercial nature be communicated more than five years after the obligation to which it relates has become due.

The Telecommunications Law defines a data breach as a situation in which the security of personal data is violated and which results in the accidental or unlawful destruction, loss, alteration, or disclosure of, or access to, personal data transmitted, stored, or otherwise processed in the course of providing telecommunication services.

Similarly, where there is a particular risk of a breach of security of the public network or telecommunications service, the telecommunications service provider must inform its subscribers, customers, and users of that risk and of the measures to be taken (Article 79 of the Telecommunications Law).

7.7. Data retention

According to Article 31 of the Law:

  • health-related data generated in public or private health establishments must be processed in compliance with the principles of confidentiality and professional secrecy; and

  • the health-related data processed should, whenever possible, be previously anonymized or pseudonymized, avoiding the possibility of identifying the data subjects.

Any processing of anonymized health data must be authorized in advance by the Superintendency. To obtain the authorization, the interested party must submit a technical protocol containing the parameters that guarantee the protection of such data, together with the prior favorable report issued by the Ministry of Public Health.
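The Law only states that health data should be anonymized or pseudonymized before processing wherever possible; it does not say how. The following is an added illustration, not code or guidance from the Law, the General Regulation, or the Superintendency, of the difference that matters in practice: an unkeyed hash of a national ID number is not a pseudonym, because the space of valid IDs is small enough to enumerate, whereas a keyed HMAC whose key is held apart from the study data set cannot be reversed by whoever holds the records alone. The record layout, field names, key, and sample records are all constructed for this example.

```python
"""Pseudonymising health records before secondary use (e.g. an epidemiological study).

Added illustration, not text or code from the Law or the General Regulation.
Record layout, field names, key and sample records are constructed for this
example; the 10-digit identifier format only mimics a national ID number.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed sample records: a direct identifier plus health attributes.
SAMPLE_RECORDS = [
    {"national_id": "1712345678", "name": "Ana P.", "diagnosis": "E11", "age": 54},
    {"national_id": "0923456789", "name": "Luis M.", "diagnosis": "I10", "age": 61},
    {"national_id": "1712345678", "name": "Ana P.", "diagnosis": "N18", "age": 54},
]


def naive_pseudonym(national_id: str) -> str:
    """Unkeyed SHA-256 of the ID: looks opaque, but the input space is small and
    enumerable, so anyone holding the data set can rebuild the mapping."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def keyed_pseudonym(national_id: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key kept apart from the data set. Without the key
    the pseudonym cannot be linked back to the ID; destroying the key later turns
    the pseudonymised set into an anonymised one."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


def age_band(age: int) -> str:
    """Coarsen a quasi-identifier (exact age) into a 10-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(records: Iterable[dict], key: bytes) -> list:
    """Drop direct identifiers (name, ID), replace the ID with a keyed pseudonym
    and coarsen the exact age. Records of the same person keep the same pseudonym,
    so they can still be linked inside the study."""
    return [
        {
            "pseudonym": keyed_pseudonym(r["national_id"], key),
            "diagnosis": r["diagnosis"],
            "age_band": age_band(r["age"]),
        }
        for r in records
    ]


def reverse_by_enumeration(target: str, candidates: Iterable[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker holding the data set (but not the key) can do: hash every
    plausible ID with the function they can compute and compare."""
    for cid in candidates:
        if hmac.compare_digest(fn(cid), target):
            return cid
    return None


def candidate_ids() -> list:
    """A constructed, deliberately small list of plausible IDs for the demo; a real
    attacker would enumerate the whole 10-digit space."""
    return [f"17123456{i:02d}" for i in range(100)] + ["0923456789"]


def demo(key: bytes = b"constructed-demo-key-keep-out-of-the-dataset") -> dict:
    """Run both transformations and the enumeration attack against each."""
    pseudo = pseudonymise(SAMPLE_RECORDS, key)
    victim = SAMPLE_RECORDS[0]["national_id"]
    return {
        "records": pseudo,
        "naive_recovered": reverse_by_enumeration(naive_pseudonym(victim),
                                                  candidate_ids(), naive_pseudonym),
        "keyed_recovered": reverse_by_enumeration(keyed_pseudonym(victim, key),
                                                  candidate_ids(), naive_pseudonym),
    }


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print(rec)
    print("unkeyed hash inverted to:", result["naive_recovered"])
    print("keyed pseudonym inverted to:", result["keyed_recovered"])
```

The keyed variant keeps the linkage that an epidemiological study needs (both records of the first patient carry the same pseudonym) while the ability to re-identify rests solely with whoever holds the key, which is the property the technical protocol submitted to the Superintendency would need to document. Coarsening quasi-identifiers such as exact age is shown because replacing the ID alone does little if the remaining attributes single out a person.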

7.8. Children's data

Children's and adolescents' data may not be processed unless expressly authorized by the data subject or their legal representative (Article 21 of the Law). However, adolescents, in the progressive exercise of their rights, may from the age of 15 grant, as data subjects, their explicit consent to the processing of their personal data, provided that the purposes are clearly specified.

7.9. Special categories of personal data

The following must be considered special categories of personal data (Article 25 of the Law):

  • sensitive data;

  • data of children and adolescents;

  • health data;

  • data of persons with disabilities and their substitutes, related to the disability.

The Law does not apply to the processing of data or databases established for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal sanctions, carried out by the competent state agencies in compliance with their legal functions.

7.10. Controller and processor contracts

The Law establishes that the relationship between the data controller and the data processor must be set out in a contract. However, the secondary regulations applicable to this matter have not yet been issued, so there are currently no specific provisions on the content of such contracts.

8. Data Subject Rights

8.1. Right to be informed

The data subject has the right to be informed of the following, in accordance with the principles of fairness and transparency (Article 12 of the Law):

  • the purposes of the processing;

  • the legal basis for the processing;

  • the types of processing;

  • the storage period;

  • the existence of a database containing their personal data;

  • the origin of the personal data, where they have not been obtained directly from the data subject;

  • other purposes and further processing;

  • the identity and contact details of the data controller, including the address of its legal domicile, telephone number, and e-mail address;

  • where applicable, the identity and contact details of the DPO, including address, telephone number, and e-mail address;

  • the national or international transfers or communications of personal data that the data controller intends to carry out, including the recipients and their types, the purposes motivating them, and the protection guarantees established;

  • the consequences for the data subject of providing their personal data or refusing to do so;

  • the effect of supplying erroneous or inaccurate personal data;

  • the possibility of revoking consent;

  • the existence of, and the mechanisms to make effective, their rights of access, deletion, rectification and updating, opposition, cancellation, limitation of processing, and not to be subject to a decision based solely on automated evaluations;

  • the mechanisms to make effective their right to portability, when requested by the data subject;

  • where and how to make claims before the data controller and the Superintendency; and

  • the existence of automated assessments and decisions, including profiling.

8.2. Right to access

The data subject has the right to know and obtain from the data controller, free of charge and without providing any justification, access to all their personal data and to the information covered by the right to be informed (Article 12 of the Law). The data controller must establish reasonable methods to allow the exercise of this right, which must be satisfied within 15 days (Article 13 of the Law).

The right of access may not be exercised in such a way as to constitute an abuse of the right.

8.3. Right to rectification

The data subject has the right to obtain from the data controller the rectification and updating of their inaccurate or incomplete personal data (Article 14 of the Law). For this purpose, the data subject must submit the relevant justifications, where appropriate. The data controller must respond to the request within 15 days and, within the same period, must inform the recipient of the data, if applicable, about the rectification, in order to update it.

8.4. Right to erasure

The data subject has the right to have their personal data deleted by the data controller when (Article 15 of the Law):

  • the processing does not comply with the principles set forth in the Law;
  • the processing is not necessary or relevant for the fulfillment of the purpose;
  • the personal data have fulfilled the purpose for which they were collected or processed;
  • the term of conservation of the personal data has expired;
  • the processing affects fundamental rights or individual freedoms;
  • the consent given has been revoked or the consent has not been given for one or more specific purposes, without the need for any justification; or
  • there is a legal obligation.

The data controller must implement methods and techniques aimed at eliminating the personal data, or rendering them unreadable or unrecognizable, in a definitive and secure manner. This obligation must be fulfilled free of charge within 15 days of receipt of the data subject's request.

8.5. Right to object/opt-out

The data subject has the right to object to or refuse the processing of their personal data in the following cases (Article 16 of the Law):

  • where the fundamental rights and freedoms of third parties are not affected, the law permits it, and the data is not public information, information of public interest, or information whose processing is ordered by law;

  • the processing of personal data is for direct marketing purposes;

  • the processing of personal data concerning them includes profiling, in which case the personal data must no longer be processed for such purposes; and

  • where their consent to the processing is not required as a result of the concurrence of legitimate interest, as provided for in Article 7 of the Law, and is justified by a specific personal situation of the data subject unless otherwise provided by law.


8.6. Right to data portability

The data subject has the right to receive their personal data from the data controller in a compatible, updated, structured, commonly used, interoperable, and machine-readable format, preserving its characteristics, or to have it transmitted to other data controllers. The Superintendency must issue the regulations for the exercise of the right to portability (Article 17 of the Law).

The data subject may request that the data controller transfer or communicate their personal data to another data controller as soon as technically possible, and the data controller may not invoke any impediment in order to slow down the access, transmission, or reuse of the data by the data subject or by another data controller. Once the transfer has been completed, the transferring data controller must delete the data, unless the data subject orders that it be preserved. The data controller that has received the data assumes the responsibilities set out in the Law.

8.7. Right not to be subject to automated decision-making

The data subject has the right not to be subjected to a decision based solely or partially on assessments that are the product of automated processes, including profiling, that produce legal effects on them or that violate their fundamental rights and freedoms, for which they may (Article 20 of the Law):

  • request from the data controller a reasoned explanation of the decision taken by the data controller or data processor;

  • submit observations;

  • request the assessment criteria for the automated program;

  • request from the responsible party information about the types of data used and the source from which the data was obtained; or

  • challenge the decision before the data controller or data processor.

8.8. Other rights

The Law also recognizes other rights to the data subject, such as:

  • right of consultation: individuals have the right to consult, publicly and free of charge, the National Register for the Protection of Personal Data, in accordance with the Law (Article 22 of the Law); and

  • right to digital education: individuals have the right to access and be provided with knowledge, learning, preparation, study, training, teaching, and instruction on the proper, healthy, constructive, safe, and responsible use and management of information and communication technologies, in strict respect of human dignity and integrity, fundamental rights, and individual freedoms, with special emphasis on privacy, private life, informational self-determination, online identity and reputation, digital citizenship, and the right to the protection of personal data, and to the promotion of a culture sensitized to the right to the protection of personal data (Article 23 of the Law).

9. Penalties

The sanctioning regime is divided into minor and major infringements.

Penalties for minor infringements:

  • a fine of 1 to 10 times the Ecuadorian minimum legal wage (approx. $400 to $4,000) for civil servants or public officials; or

  • a fine of between 0.1% and 0.7% of turnover in the fiscal year immediately preceding the imposition of the fine, for private law entities or public companies.

Penalties for major infringements:

  • a fine of 10 to 20 times the Ecuadorian minimum legal wage (approx. $4,000 to $8,000) for civil servants or public officials; or

  • a fine of between 0.7% and 1% of turnover in the fiscal year immediately preceding the imposition of the fine, for private law entities or public companies.

9.1 Enforcement decisions

The appointment of the Superintendent is still pending, which means that the Superintendency is not yet operational. Therefore, to date, there have been no administrative sanctioning proceedings to report.
