Ecuador: Data subject rights under the new law

The Organic Law on the Protection of Personal Data ('the Law') brings with it new principles, obligations, rights, and adequacy mechanisms to guarantee the right of personal data protection. This new framework offers individuals an arsenal of rights they can exercise against controllers. Juan Carlos Guerrero and Johanna Suarez, from Onethyca GRC, provide an overview of the Law and its impact on the rights of data subjects, as well as its new requirements for data controllers.

Chapter III of the Law, titled 'Rights', outlines in Articles 11 to 24 a variety of rights that in general terms would be reasonably aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in terms of their definition and application. Visibly, the Law wants to clarify that these rights have certain limitations, as in the GDPR, such as that the right to data protection is not considered an absolute right. Its lawfulness, proportionality, and necessity should be considered when its application interferes with other rights or scope, demonstrating compliance with international standards on human rights and the principles of the Law.

The Ecuadorian norm specifies as limitations in the exercise of the rights of data subjects the application of freedom of expression, public interest, risk management, natural disasters, national security, defence of the state, request for information by administrative or judicial authorities covered by powers attributed to current regulations, the protection of administrative and judicial proceedings, the protection of the data subject or the rights and freedoms of others, the protection of the vital interest of the data subject or another person and, for the processing of personal data that is necessary for the archive that constitutes state patrimony, scientific, historical, or statistical research.

Among these rights, the right to be informed and the right to access constitute a cornerstone of data subjects' informational empowerment. These two rights allow individuals to monitor what personal data is held about them, how it is being processed, and with whom it is shared. Especially considering an increasingly complex data processing ecosystem and the increased reliance on data to make all kinds of (life-affecting) decisions, the right to access and the right to be informed can play a crucial role in safeguarding fairness, accountability, liability, and the enforcement of civil law claims.

Regarding the right to be informed, as in the GDPR, the data subject must be informed under the principles of fairness and transparency, using clear and plain language about the following aspects of the processing:

  • the identity and the contact details of the controller and the contact details of the data protection officer, where applicable;
  • the purposes and legal basis for the processing (including subsequent processing);
  • the types of data processing;
  • the existence of a database containing their personal data;
  • data transfers that are intended to be carried out nationally or internationally, including the recipients, the categories of recipients, the purposes of the transfers, and the protection guarantees defined for these transfers;
  • the length of time for which the personal data will be stored;
  • the existence of the right to request, from the controller, the right to access, erasure, rectification, and amendment, not to be the subject of a decision based solely or partially on automated valuations, the restriction of processing concerning the data subject, or to object to the processing as well as the right to data portability;
  • where and how to lodge a complaint with the controller and the supervisory authority ('the SA');
  • the automated decision-making, including profiling;
  • the possibility of revoking consent;
  • the significance and the envisaged consequences of such processing for the data subject, the possible consequences of failure to provide such data, and the effects of supplying inaccurate personal data;
  • if the data is obtained directly from the subject, this information must be provided at the time it is collected. If the personal data has not been obtained from the data subject, the controller must inform from which source the personal data originate; and
  • if the data is obtained from publicly accessible sources, the data subject must be informed within the next 30 days, or at the time of the first communication with the data subject, whichever of the two circumstances occurs first.

Consequently, the right of access consists of data subjects having the right to know, and obtain from the controller, the personal data concerning them being processed without justification and free of charge. Nevertheless, the right of access may not be employed in a way that constitutes an abuse of the right. This consideration may refer to excessive, repetitive, or inappropriate requirements, of which more details shall be considered in the secondary norm of the Law and guidelines issued by the yet to be established SA for its implementation.

The rights to rectification and amendment are other rights of great importance for implementing the principles of quality and accuracy of the data contemplated in the Law. The data subject has the right to obtain from the controller the rectification and amendment of their inaccurate or incomplete personal data. For this purpose, the data subject shall submit the justifications of the case when pertinent.

Regarding the right of erasure and the right to object, the cases in which these rights can be applied are primarily aligned with the GDPR. The data subject shall have the right to obtain from the controller the erasure of personal data concerning them where one of the following grounds applies:

  • the processing of data does not comply with the principles established in the Law;
  • the personal data is not required or no longer necessary concerning the purposes for which it was collected;
  • the period of preservation has expired;
  • the processing affects fundamental rights or individual freedoms;
  • the data subject withdraws consent on which the processing is based;
  • the data subject objects to the processing; or
  • the personal data have to be erased for compliance with a legal obligation.

The controller shall implement mechanisms and techniques designed to erase the personal data and make it permanently unreadable and securely unrecognisable.

The right to object is focused mainly on direct marketing purposes and the data subject shall have the right to object, at any time, to processing personal data concerning them for such marketing, which includes profiling. However, as is the case in the GDPR, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing, overriding the interests, rights, and freedoms of the data subject or the defence of legal claims. This right may be executed if the fundamental rights of third parties are not affected and if it is not public information or of public interest.

Additionally, the Law contemplates the rights of portability, suspension of treatment, and the right not to be the subject of a decision based solely or partially on automated evaluations. With the right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another when technically feasible. In the same cases as the GDPR, this right could be requested when the processing is based on consent or done by automated means and additionally, when there is a relevant volume of personal data or when the processing is based on complying with a legal obligation, especially in labour and social security aspects. This right shall not apply in the case of information inferred, derived, created, generated, or obtained from the analysis carried out by the controller based on the personal data provided by the data subject.

The right to restriction of processing shall apply in the same cases defined in the GDPR, but this is not applicable when the decision is required to comply with a contract, the subject has given express consent, or there is a legal obligation or a court order. The right not to be subject to a decision based solely or partially on automated processing, including profiling, allows the data subject to request from the data controller a reasoned explanation about the decision made, the evaluation criteria, the types of data used, and the source from which they have been obtained. Additionally, the data subject may contest the decision to the controller or processor.

Furthermore, the following rights have been added to the Law:

  • the right to lodge a complaint with the SA;
  • the right to an effective judicial remedy against a controller or processor;
  • the right to compensation and liability when the data subject has suffered material or non-material damage as a result of an infringement of the Law;
  • the right to effective protection of data subject rights through the permanent availability of administrative or judicial actions; and
  • the right to be notified of a personal data breach by the controller when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, not later than three days after having become aware of it.

The Law has included two quite interesting additional rights: the right of consultation in the National Registry of Protection of Personal Data, free of charge, about all the personal data that public institutions hold in the national and integrated system; and the right to digital education about the use of information and communication technologies, in strict adherence to human dignity and integrity, fundamental rights, and individual freedoms, with particular emphasis on privacy, control of personal data, digital identity and reputation, and digital citizenship, as well as promoting a conscious culture in the data protection right. The only right considered in the GDPR and not included in the Law is the right to be forgotten.

Regarding minors and their rights, the norm tells us that children under 15 years old need their legal representative to exercise their rights. Meanwhile, children from the age of 15 may exercise their rights directly before the SA or before the controller.

The controller is required to verify the data subject's identity before responding to the request. The period to attend to the data subjects' rights is 15 days, relatively short if we compare it with the GDPR, which is one month. On the other hand, Article 62 of the Law establishes that once the data subject presents a request to the controller, they will have a term of 10 days to answer affirmatively or negatively, notify, and execute what corresponds. Therefore, to prevent confusion, in the regulations of the Law, it should be clarified under what conditions the term of ten days will apply. The possible fines for not processing, processing outside the established term, or unjustifiably denying the requests or complaints made by the data subject can be up to 0.7% of their annual turnover.

To conclude, despite considering data protection as a constitutional right guaranteed in the National Constitution of the Republic of Ecuador 2008, it was not until the creation of the Law, in 2021, that there are the necessary mechanisms to finally ensure the right to data protection, especially since it is mostly aligned with a regulatory framework that has served as an international reference, the GDPR. Nevertheless, the possible challenges that the implementation of the Law will face are the constitution and institutionalisation of the SA and the definition of guidelines for the attention and practical application of data subjects' rights in an efficient time to start to apply the requirements of the Law. Also, the lack of awareness among controllers, processors, and data subjects about the existence and scope of their rights could be a significant challenge. Finally, another significant challenge will be that companies can see the benefits of the data discovery phase and data inventories, which is essential for adequate data subject rights application.

Juan Carlos Guerrero CEO
Johanna Suarez DPO
Onethyca GRC, Quito