Data Protection in Ecuador

Collection and processing in Ecuador

Our Personal Data Protection Law defines data processing as any operation or set of operations performed on personal data, whether by automated, partially automated or non-automated technical procedures, such as: collection, compilation, obtaining, recording, organization, structuring, conservation, custody, adaptation, modification, elimination, indexing, extraction, consultation, processing, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, matching, interconnection, limitation, suppression, destruction and, in general, any use of personal data. 

The processing of personal data shall be legitimate and lawful if any of the following conditions are met: 

  1. By consent of the owner for the treatment of his personal data, for a specific purpose or purposes.
  2. That it is carried out by the data controller in compliance with a legal obligation.
  3. That it is carried out by the data controller, by court order, in compliance with the principles of the present Law.
  4. That the treatment of personal data is based on the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller, derived from a competence attributed by a regulation with the rank of law, subject to compliance with the international human rights standards applicable to the matter, to compliance with the principles of this Law and to the criteria of legality, proportionality, and necessity.
  5. For the execution of pre-contractual measures at the request of the owner or for the fulfilment of contractual obligations pursued by the person responsible for the processing of personal data, person in charge of the processing of personal data or by a legally authorized third party.
  6. To protect vital interests of the data subject or another natural person, such as his or her life, health, or integrity.
  7. For the processing of personal data contained in publicly accessible databases; or
  8. To satisfy a legitimate interest of the data controller or of a third party, provided that the interest or fundamental rights of the data subjects do not prevail under the provisions of this regulation. 

Personal data may be processed and communicated when there is an explicit consent of the owner to do so. The consent will be valid when the expression of will is: 

  1. Free, that is, when it is absent of any consent flaws.
  2. Specific, in terms of the concrete determination of the means and purposes of the data treatment.
  3. Informed, so that it complies with the transparency principle.
  4. Unambiguous, so that there is no doubt as to the scope of the authorization granted by the owner. 

The consent of the data owner must reflect, in an unequivocal manner, his or her acceptance in relation to the processing of personal data. Silence or inaction, by itself, does not imply the consent of the data owner.

Consent may be revoked at any time without the need for a justification, for which purpose the data controller shall establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity, as well as a simple procedure, similar to the procedure by which the consent was obtained. 

The processing carried out prior to the revocation of consent is lawful since it does not have retroactive effects. 

When the data treatment is intended to be based on the consent of the data owner for a plurality of purposes, it will be necessary to state that such consent is obtained for all of them. 

Unless proven otherwise, it shall be legitimate and lawful to process data intended to provide information on the financial or credit solvency, including information relating to the fulfilment or non-fulfilment of obligations of a commercial or credit nature that enable an assessment on the general conclusion of business, the commercial conduct or the payment capacity of the owner of the information, where such information is obtained from publicly available sources or from information provided by the creditor. Such data may be used only for the purpose of analysis and will not be communicated or disseminated, nor may they be used for any secondary purpose. 

The protection of personal credit data shall be subject to the provisions of this Law, the specialized legislation on the subject and other regulations issued by the Personal Data Protection Authority. 

Notwithstanding the foregoing, in no case may credit data relating to obligations of an economic, financial, banking or commercial nature be communicated after five years have elapsed since the obligation to which they refer has become due. 

Pursuant to the provisions of article 29 of the Organic Law on Personal Data Protection, the holders of Credit Data have the following rights: 

  1. To have personal access to the information of which they are owners.
  2. That the credit report allows them to know the condition of their credit history clearly and precisely; and,
  3. That the sources of information update, rectify or eliminate information that is unlawful, false, inaccurate, erroneous, incomplete, or outdated. 

Regarding the right of access by the Credit Data Owner, this shall be free of charge, as many times as required, with respect to the information registered about him/herself before the credit reference service providers and through the following mechanisms: 

  1. Direct observation through displays that the credit reference service providers will make available to such owners; and
  2. Delivery of printed copies of the reports for the Credit Data Subject to verify the truthfulness and accuracy of their content, without being used for credit or commercial purposes. 

Regarding the rights of updating, rectification or deletion, the Data Owner may demand these rights from the information sources by means of a written request. The information sources, within fifteen days from the date the request is submitted, shall resolve it by admitting or rejecting it with reasons. The Credit Data Owner has the right to request the credit reference service providers to indicate in the credit reports they issue, while the review process continues, that the information subject to the request is being reviewed at the owner's request.

Continue reading

  • no results

Previous topic
Back to top