Data Privacy Tool
You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.
The Constitution of Ecuador in its article 66, referring to the personal freedom rights of individuals in the Ecuadorian territory, the State recognizes and guarantees in section 19: "The right to the protection of personal data, which includes the access and decision on information and data of this nature, as well as its corresponding protection. The collection, filing, processing, distribution or dissemination of such data or information shall require the authorization of the owner or the mandate of the law."
Article 92 gives the right to every person to be informed of and have access to information, documents, genetic data, personal data banks or files and reports on him/herself and his/her assets, contained in files and/or databases of public or private entities, in material and/or electronic support. The interested individual has the right to be informed of the use, purpose, origin and destination of his personal data and the time of permanence of the file of the same.
The responsible parties of the personal data banks or files may disseminate the information filed with the authorization of its owner, before which the owner of the personal data may request from the responsible party access to the file free of charge, as well as the updating, rectification, deletion or cancellation of his personal data.
In the case of sensitive data, the collection and storage must be authorized by law or by the owner. The adoption of the necessary security measures will be required. If the request is not complied with, the affected individual may appeal to the judge and may sue for the damages caused.
Personal Data Protection Organic Law
Since May 26, 2021, Ecuador adopted the Personal Data Protection Organic Law, whose main purpose is to guarantee the right to the protection of personal data, that includes the access and decision on information and personal data, as well as its corresponding protection. The law mainly refers to the conditions that must be verified for the legitimate treatment of personal data. It also refers to the ways through which the owner of the personal data may express his or her consent to the processing of his or her data.
Definition of Personal Data
The Ecuadorian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use.
Article 4 of the Organic Law on Personal Data Protection defines personal information as the information that identifies or makes identifiable a specific individual, directly or indirectly.
Definition of Sensitive Personal Data
Article 4 of the Organic Law on Personal Data Protection defines sensitive personal data as information related to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial background, immigration status, sexual orientation, health, biometric data, genetic data and those whose improper processing may give rise to discrimination, infringe or may infringe fundamental rights and freedoms.
In application of article 26 of the Organic Law for the Protection of Personal Data, the processing of sensitive personal data is prohibited unless one of the following circumstances applies:
- The owner has given his explicit consent to the processing of his personal data, clearly specifying its purposes.
- The processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the holder in the field of labor law and social security and protection.
- The processing is necessary to protect the vital interests of the data owner or another individual, in the event that the data owner is physically or legally incapable of giving his/her consent.
- The processing relates to personal data which the data owner has manifestly made public.
- The processing is carried out by order of a judicial authority.
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which must be proportionate to the aim pursued, respect in substance the right to data protection and provide for adequate and specific measures to protect the interests and fundamental rights of the owner.
- When the processing of health data is subject to the provisions contained in this Law.
Pursuant to the provisions of Articles 76 and 77 of the Organic Law for the Protection of Personal Data, the Authority for the Protection of Personal Data will be the Superintendence of Data Protection, which once constituted will act as the control and surveillance body in charge of guaranteeing all citizens the protection of their personal data, and of carrying out all necessary actions to ensure that the principles, rights, guarantees and procedures provided for in the Law and its implementing regulations are respected.
Article 51 of the Organic Law for the Protection of Personal Data creates the National Registry for the Protection of Personal Data, a registry that will be under the responsibility and custody of the Superintendence of Data Protection as the competent national protection authority. The person responsible for the processing of personal data shall report and keep updated the information before the Personal Data Protection Authority, on the following:
- Identification of the database treatment.
- Name, legal domicile, and contact details of the responsible and in charge individual of the processing of personal data.
Characteristics and purpose of the personal data treatment.
- Nature of the personal data treatment.
- Identification, name, legal domicile, and contact details of the recipients of the personal data, including processors and third parties.
- Description of the utilized method of interrelation of the recorded information.
- Description of the means used to implement the principles, rights and obligations contained in the present Law and specialized regulations for the data protection.
- Requirements and/or technical and physical, organizational, and legal administrative tools implemented to guarantee the security and protection of personal data.
- Data retention time.
There is no requirement to appoint a data protection officer in Ecuador. Nevertheless, it is required for a specific person in the company or a designated group within the company to be in charge of personal data matters.
Our Personal Data Protection Law defines data processing as any operation or set of operations performed on personal data, whether by automated, partially automated or non-automated technical procedures, such as: collection, compilation, obtaining, recording, organization, structuring, conservation, custody, adaptation, modification, elimination, indexing, extraction, consultation, processing, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, matching, interconnection, limitation, suppression, destruction and, in general, any use of personal data.
The processing of personal data shall be legitimate and lawful if any of the following conditions are met:
- By consent of the owner for the treatment of his personal data, for a specific purpose or purposes.
- That it is carried out by the data controller in compliance with a legal obligation.
- That it is carried out by the data controller, by court order, in compliance with the principles of the present Law.
- That the treatment of personal data is based on the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller, derived from a competence attributed by a regulation with the rank of law, subject to compliance with the international human rights standards applicable to the matter, to compliance with the principles of this Law and to the criteria of legality, proportionality, and necessity.
- For the execution of pre-contractual measures at the request of the owner or for the fulfilment of contractual obligations pursued by the person responsible for the processing of personal data, person in charge of the processing of personal data or by a legally authorized third party.
- To protect vital interests of the data subject or another natural person, such as his or her life, health, or integrity.
- For the processing of personal data contained in publicly accessible databases; or
- To satisfy a legitimate interest of the data controller or of a third party, provided that the interest or fundamental rights of the data subjects do not prevail under the provisions of this regulation.
Personal data may be processed and communicated when there is an explicit consent of the owner to do so. The consent will be valid when the expression of will is:
- Free, that is, when it is absent of any consent flaws.
- Specific, in terms of the concrete determination of the means and purposes of the data treatment.
- Informed, so that it complies with the transparency principle.
- Unambiguous, so that there is no doubt as to the scope of the authorization granted by the owner.
Consent may be revoked at any time without the need for a justification, for which purpose the data controller shall establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity, as well as a simple procedure, similar to the procedure by which the consent was obtained.
The processing carried out prior to the revocation of consent is lawful since it does not have retroactive effects.
When the data treatment is intended to be based on the consent of the data owner for a plurality of purposes, it will be necessary to state that such consent is obtained for all of them.
Unless proven otherwise, it shall be legitimate and lawful to process data intended to provide information on the financial or credit solvency, including information relating to the fulfilment or non-fulfilment of obligations of a commercial or credit nature that enable an assessment on the general conclusion of business, the commercial conduct or the payment capacity of the owner of the information, where such information is obtained from publicly available sources or from information provided by the creditor. Such data may be used only for the purpose of analysis and will not be communicated or disseminated, nor may they be used for any secondary purpose.
The protection of personal credit data shall be subject to the provisions of this Law, the specialized legislation on the subject and other regulations issued by the Personal Data Protection Authority.
Notwithstanding the foregoing, in no case may credit data relating to obligations of an economic, financial, banking or commercial nature be communicated after five years have elapsed since the obligation to which they refer has become due.
Pursuant to the provisions of article 29 of the Organic Law on Personal Data Protection, the holders of Credit Data have the following rights:
- To have personal access to the information of which they are owners.
- That the credit report allows them to know the condition of their credit history clearly and precisely; and,
- That the sources of information update, rectify or eliminate information that is unlawful, false, inaccurate, erroneous, incomplete, or outdated.
Regarding the right of access by the Credit Data Owner, this shall be free of charge, as many times as required, with respect to the information registered about him/herself before the credit reference service providers and through the following mechanisms:
- Direct observation through displays that the credit reference service providers will make available to such owners; and
- Delivery of printed copies of the reports for the Credit Data Subject to verify the truthfulness and accuracy of their content, without being used for credit or commercial purposes.
Regarding the rights of updating, rectification or deletion, the Data Owner may demand these rights from the information sources by means of a written request. The information sources, within fifteen days from the date the request is submitted, shall resolve it by admitting or rejecting it with reasons. The Credit Data Owner has the right to request the credit reference service providers to indicate in the credit reports they issue, while the review process continues, that the information subject to the request is being reviewed at the owner's request.
Personal data may be transferred or communicated to third parties when it is carried out for the fulfillment of purposes directly related to the legitimate functions of the controller and the recipient, when the transfer is configured within one of the grounds of legitimacy and also has the consent of the owner.
It shall be understood that the consent is informed when for the transfer or communication of personal data the data controller has provided sufficient information to the data subject to enable him/her to know the purpose for which his/her data will be used and the type of activity of the third party to whom it is intended to transfer or communicate such data.
It will not be considered a transfer or communication in the event that the processor or a third-party accesses personal data for the provision of a service to the controller of personal data. The third party who has legitimately accessed personal data in these considerations shall be considered the processor.
The treatment of personal data carried out by the processor or by a third party must be regulated by a contract, in which it is clearly and precisely established that the personal data processor or the third party will only process the information in accordance with the instructions of the owner and will not use it for purposes other than those indicated in the contract, nor transfer or communicate it even for storage to other persons.
Once the contractual performance has been fulfilled, the personal data shall be destroyed or returned to the data controller under the supervision of the Personal Data Protection Authority.
The processor or third party shall be liable for any infringements arising from non-compliance with the conditions of personal data processing set forth in this Law.
Data controllers or the individual in charge of the treatment of personal data must abide by the principle of personal data security, for which it must consider the categories and volume of personal data, the state of the art, best comprehensive security practices. and the costs of application according to the nature, scope, context, and purposes of the treatment, as well as identifying the probability of risks.
Data controllers or the individual in charge of the treatment, must implement a process of verification, evaluation and continuous and permanent assessment of the efficiency, effectiveness, and effectiveness of the measures of a technical, organizational and any other nature, implemented to guarantee and improve the security of the processing of personal data.
The individual in charge of the treatment of personal data must demonstrate that the measures adopted and implemented adequately mitigate the risks identified.
Among other measures, the following may be included:
- Anonymization, pseudonymization or encryption measures of personal data.
- Measures aimed at maintaining the confidentiality, integrity and permanent availability of the systems and services for the processing of personal data and access to personal data, quickly in case of incidents.
- Measures aimed at improving technical, physical, administrative, and legal residence.
- Those responsible and in charge of the treatment of personal data, may avail themselves of international standards for adequate risk management focused on the protection of rights and freedoms, as well as for the implementation and management of information security systems or codes of conduct. recognized and authorized by the Personal Data Protection Authority.
Mandatory breach notification
Data controllers or the individual in charge of the treatment of personal data must notify the breach of personal security data to the Personal Data Protection Authority and the Telecommunication Control Agency, as soon as possible, and at the latest within a term of five (5) days after the occurred breach incident, unless it is unlikely that said breach of security constitutes a risk to the rights and freedoms of its individual owners. If the notification to the Data Protection Authority does not take place within five (5) days, it must be accompanied by an indication of the reasons for the delay.
Data controllers or the individual in charge of the treatment of personal data must notify the person in charge of any violation of the security of personal data as soon as possible, and at the latest within a term of two (2) days from the date on which he becomes aware of it.
The person responsible for the treatment must notify the owner of the breach of personal data security without delay when it entails a risk to their fundamental rights and individual freedoms, within a term of three (3) days from the date on which they became aware of the risk.
In case of non-compliance with the provisions set forth in the Law, its regulations, guidelines and directives and regulations issued by the Personal Data Protection Authority, the Personal Data Protection Authority shall issue corrective measures with the purpose of preventing the infringement from continuing and the conduct from occurring again, without prejudice to the application of the corresponding administrative sanctions.
Corrective measures may consist of, among others:
- The cease of the treatment, under certain conditions or deadlines.
- The disposal of the data; and,
- The imposition of technical, legal, organizational or administrative measures to ensure proper handling of personal data.
The Personal Data Protection Authority, within the framework of this Law, will dictate, for each case; the corrective measures, which are classified into minor infringements and serious infringements.
Penalties for minor infringements will impose an administrative sanction of a fine between 0.1% and 0.7% calculated on the turnover corresponding to the financial year immediately prior to the imposition of the fine.
Penalties for serious infringements will impose an administrative sanction of a fine between 0.7% and 1% calculated on the turnover corresponding to the financial year immediately prior to the imposition of the fine.
In addition to the previously mentioned fines, the Personal Data Protection Authority may apply provisional measures of protection or precautionary measures such as:
- Sale Prohibitions.
- Shutdown of establishments.
- Activity suspension.
- Decommissioning of products, documents, or other goods.
- Eviction of individuals.
There is no specific regulation regarding data treatment on electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data and data subject rights.
There is no specific regulation regarding processing of personal data online, therefore, this kind of processing shall be ruled by the Personal Data Protection Organic Law.
Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted.
Unauthorized collection of personal data will be subject to the general rules applicable to such data.