Ecuador is building its future on data (protection)


Ecuador joins the party of personal data protection with the issuance of its new law on the subject and leaves the group of regional countries that do not have this type of regulations. It includes elements of the standard set by the General Data Protection Regulation (GDPR) and adapts the standard to Ecuador's complex regulatory framework.

Since 2008 the Ecuadorian Constitution recognizes the right to the protection of personal data within its catalog of fundamental rights, but it was not until May 26, 2021 that the Organic Law on Personal Data Protection came into force, after it was presented to the National Assembly in September 2019.

This new law largely reflects the guidelines outlined by the General Regulation on Personal Data Protection in force in the European Union since May 2018, however, in its structure it does present some differences with respect to that normative body.

First of all, beyond the principles laid down in the European legislation such as purpose limitation, data minimization, integrity and confidentiality, accuracy and accountability, it presents a total of 13 principles governing the way in which third parties must carry out the processing of personal data of third parties.

Then, the law establishes 8 legitimate bases for processing, including consent, compliance with legal obligations or judicial provisions, the interest or exercise of public powers, compliance with pre-contractual measures or contractual obligations, protection of vital interest, public access sources and legitimate interest.

Among the rights derived from the regulation we will find those that have been called ARCO plus, due to which a total of 11 rights are included, among which the right to digital education, the right to elimination and the right to suspension of processing stand out. Some of them may be similar to the well-known right of cancellation, but with the particularities of the Ecuadorian regulatory and constitutional scheme.

Without going into some more specific issues, it is possible to point out that it considers the creation of a personal data protection authority called Superintendence of Data Protection and, among its reforming provisions, it grants powers of supervision and control of compliance with the law and the provisions of such Superintendence to the National Direction of Public Registries, which somehow becomes an intermediate subject within the relationship between entities that are part of the National System of Public Registries with the new authority to be created.

A major difference with the European General Regulation derives from the magnitude of the fines that can be imposed by the authority for infringements, which in its highest percentage reaches 1% of the turnover of the preceding fiscal year. This somehow breaks the dissuasive vision of the European Regulation, but it is representative for the local Ecuadorian economy.

Currently, by provision of the same law, the administrative sanctioning regime is suspended until May 2023, although this does not prevent the execution of any other type of action derived from the already existing and constitutionally recognized right.

After the entry into force of this law, work has begun on its regulations and some pronouncements regarding the appointment of the first data protection superintendent, but the most important step so far has been taken by the Superintendency of Banks, which on December 2 issued a reform to the operational risk control regulation applicable to all banks nationwide, This reform stipulates that until March 31, 2022, the controlled entities must submit to this control entity their plans for compliance with the organic law for the protection of personal data, among other provisions that point to the security measures that must be complied with.

Likewise, the National Direction of Public Registries issued a resolution addressed to all members of the national system of the matter to comply with certain actions within a period of 1 year, starting in June 2021, just a few days after the entry into force of the law.

The Ecuadorian personal data protection ecosystem is still incipient, but it is being built little by little, not only from the public sector, but also from the various actors that make it up, hoping that this will empower the personal data subjects, as well as raise awareness among data controllers and data processors.


Article provided by INPLP member: Christian Espinosa-Velarde (ECIJA GPA, Ecuador)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.