Territory: Ecuador.

Data Protection Regulations: Organic Law on the Protection of Personal Data

Link: https://www.registrospublicos.gob.ec/programas-servicios/servicios/proyecto-de-ley-de-proteccion-de-datos/

Regulatory purpose: The purpose of the regulation is to guarantee the exercise of the right to the protection of personal data that is recognised in the Constitution of the Republic of Ecuador.

Parties:

  • Data controller: Yes.
  • Data processor: Yes.
  • Data protection officer: Yes.
  • Supervisory authority: Yes.

Principles: 

  • Principle of legality.
  • Principle of loyalty.
  • Principle of transparency.
  • Principle of purpose.
  • Principle of relevance and minimisation of personal data.
  • Principle of proportionality of the processing.
  • Principle of confidentiality.
  • Principle of quality and accuracy.
  • Principle of retention.
  • Principle of security of personal data.
  • Principle of proactive accountability.
  • Principle of implementation favourable to the data subject.
  • Principle of independence of control.

Obligations:

  • Register of Processing Activities: Yes. The controller must keep its information in the National Register for the Protection of Personal Data up to date; the Register records, among other things, the processing activities carried out.
  • Impact Assessments: Yes.
  • Risk analysis: Yes.
  • Technical and organisational security measures: Yes.
  • Duty to inform: Yes.
  • Data Protection Officer: Yes. The appointment of a Personal Data Protection Officer is mandatory when (i) the processing is carried out by an entity that forms part of the public sector; (ii) the activities of the controller or processor require permanent and systematic monitoring because of the volume, nature, scope or purposes of the processing; or (iii) special categories of data are processed on a large scale.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes, framed as a right to rectification and updating.
  • Right of erasure (suppression): Yes, framed as a right of removal.
  • Right to limitation: No.
  • Right to portability: Yes.
  • Right to object: Yes.
  • Right not to be subject to automated individual decisions, including profiling: Yes.

International transfers:

The Organic Law on Personal Data Protection permits international transfers of data to countries, organisations and legal entities that have been determined to offer an adequate level of protection. It is for the Data Protection Authority to determine whether a given international transfer meets that adequacy standard.

Sanctioning regime:

Yes. The Law distinguishes minor and serious infringements. Fines range from 0.1% to 1% of the offender's total income in the immediately preceding fiscal year. In setting the fine, the Data Protection Authority considers intent, repetition, recidivism and the nature of the harm caused by the infringement. The sanctioning regime enters into force in May 2023.

Certification or accreditation of compliance for companies:

Yes. The Organic Law on Personal Data Protection provides that controllers and processors may voluntarily adhere to codes of conduct, certifications, protection seals and marks, and standard clauses. No specific requirements for obtaining such certification have yet been laid down.

Other highlights:

The Law establishes special categories of data, including sensitive data, data of children and adolescents, health data and data of persons with disabilities. Credit data are addressed within the chapter on special categories of data; however, the Organic Law on Personal Data Protection does not expressly designate them as a special category.

Other related legislation:

The Regulation to the Organic Law on Personal Data Protection has not yet been published, nor has the Data Protection Authority been established.