Ecuador LOPDP

Ecuador’s data protection law


What is LOPDP?

Ley Orgánica de Protección de Datos Personales (Organic Law on the Protection of Personal Data) is Ecuador’s data protection law, enacted on 26 May 2021 and the first law of its kind in the country. Although the protection of personal data is a constitutional right in Ecuador, until May 2021 there was no dedicated statute: data protection was addressed piecemeal through provisions scattered across several other laws.

Although the law is already in force, it granted covered organizations a transition period to reach compliance, running until May 2023, so no penalties were imposed before that date. The LOPDP bears strong similarities to the GDPR, reflecting the same principles and a comparable path to compliance, which makes it straightforward to implement for organizations already familiar with the GDPR. At the time of writing, several aspects of its implementation were still pending, such as the appointment of the head of the data protection authority and the publication of the law’s general implementing regulation.


What is Personal Information and what are other key definitions?

The LOPDP defines the key concepts used throughout the law. ‘Personal data’ is defined in line with other data privacy laws, as any data that identifies or makes identifiable a natural person, whether directly or indirectly. ‘Sensitive data’ is defined as any data on the ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial past, migration status, sexual orientation, health, biometric data or genetic data of an individual, as well as any other data whose misuse might give rise to discrimination or infringe, or have the potential to infringe, fundamental rights and freedoms.

Under the law, ‘biometric data’ is unique data relating to the physical or physiological characteristics or the behavior of a natural person that allows or confirms the unique identification of that person, such as facial images or dactyloscopic (fingerprint) data, among others. ‘Genetic data’ is unique personal data relating to the inherited or acquired genetic characteristics of a natural person that provides unique information about that individual’s physiology or health.

The law regulates the way databases of personal data are handled so it offers a definition for what a ‘database’ or ‘file’ is, namely, a structured set of data whatever the form, mode of creation, storage, organization, type of support, treatment, processing, localization or access, centralized, decentralized or distributed functionally or geographically. 

As with other data privacy laws in Latin America, such as Uruguay’s, the text of the law does not use the terms ‘data controller’ or ‘data processor’ as such. Instead it defines a ‘person in charge of processing personal data’ (the equivalent of a processor) as a natural or legal person, public or private, public authority or other body that, alone or together with others, processes personal data in the name and on behalf of the person responsible for the processing, and a ‘person responsible for the processing of personal data’ (the equivalent of a controller) as a natural or legal person, public or private, public authority or other body that, alone or together with others, decides on the purpose and the processing of personal data. For readability, the rest of this page uses ‘controller’ and ‘processor’ for these two roles.


Who has to comply with the LOPDP?

LOPDP applies to the processing of personal data that is contained in any type of environment, whether automated or not, and to any type of subsequent use. 

Territorially, according to Article 3 of the law, LOPDP applies in the following cases: 

  • The processing of personal data takes place on the territory of Ecuador; 
  • The data controller or processor is located in Ecuador; 
  • The processing of personal data of inhabitants of Ecuador by a controller or processor not located in the country but whose processing activities relate to: 
    • The offering of goods or services to inhabitants of the country;
    • The monitoring (control) of their behavior, insofar as it takes place in Ecuador.
  • The data controller or processor is not located in Ecuador but they are subject to the national law based on a contract or an international agreement. 

Who is excluded from LOPDP compliance? 

LOPDP excludes several types of entities or data, as follows: 

  • The processing of personal data for family or domestic purposes;
  • The processing of personal data of deceased persons, unless the provisions in Article 27 of the law apply, where inheritance rights may be claimed, or the deceased has indicated another use for their data or has designated a representative; 
  • Anonymized data;
  • Journalistic or other editorial activities and content; 
  • Personal data whose processing is governed by specialized regulations of the same or higher hierarchy in matters of risk management for natural disasters, or of State security and defense, provided that in any of these cases the processing complies with international human rights standards and the principles of this law, and at least with the criteria of legality, proportionality and necessity;
  • Data or databases established for the prevention, investigation, detection or prosecution of criminal offenses, or for the enforcement of criminal sanctions, by the competent State bodies within the limits of their legal functions, again provided that the processing complies with international human rights standards and the principles of this law, and at least with the criteria of legality, proportionality and necessity;
  • Data identifying or making legal persons identifiable.

How can I keep my organization LOPDP compliant? 

According to Article 10, there are a series of principles that you should observe in order to achieve compliance with the LOPDP, as follows: 

Lawfulness: Personal data must be processed in strict compliance with the principles, rights and obligations established in the Constitution, international instruments, this Law, its Regulations and other applicable laws and jurisprudence.

Fairness: The processing of personal data must be fair, so it should be clear to data subjects that personal data concerning them is being collected, used, consulted or otherwise processed, as well as the ways in which such data is or will be processed.

Transparency: The processing of personal data must be transparent, so that all information or communication relating to the processing is easily accessible, easy to understand, simple and clear. The relationships arising from the processing of personal data should be transparent and governed by the provisions of this Law, its regulations and other regulations on the matter.

Purpose: The purposes of the processing must be determined, explicit, legitimate and communicated to the data subject; you may not process personal data for purposes other than those for which it was collected, unless one of the lawful bases for new processing provided for in this Law applies.

Relevance and minimization: Personal data must be relevant and limited to what is strictly necessary for the purpose of processing.

Proportionality of processing: The processing must be appropriate, necessary, timely, relevant and not excessive in relation to the purposes for which the data was collected or to the nature of the special categories of data.

Confidentiality: The processing of personal data must be done on the basis of due confidentiality, meaning it must not be processed or communicated for a different purpose than that for which it was collected, unless one of the grounds for a new treatment is satisfied in accordance with the cases of lawful treatment set out in the law.

Quality and accuracy: The personal data processed must be accurate, complete, verifiable and clear and, where necessary, duly updated, so that its truthfulness is not altered. All reasonable measures must be taken to ensure that personal data which is inaccurate with regard to the purposes for which it was collected is deleted or rectified without delay.

Retention: Personal data cannot be kept longer than necessary for the fulfillment of the processing purposes. To achieve this, you are required to set deadlines for periodic review and deletion of data.

Security: any person(s) responsible for processing personal data must implement all appropriate and necessary security measures, understood as state of the art measures, whether organizational, technical or any other type, designed to protect personal data from any risk, threat or vulnerability, taking into account the nature of personal data, its scope and context.

Proactive and demonstrated responsibility: any person(s) responsible for the processing of personal data must prove that they have implemented mechanisms for the protection of personal data; this means they have to prove compliance with the principles, rights and obligations established in this Law. To achieve this, you may use standards, best practices, protection codes, certification systems, personal data protection seals or any other mechanism deemed appropriate to the purposes, nature, and risk of processing of personal data.

Application that is favorable to the data subject: where there is any doubt as to the scope of the legal or contractual provisions that apply to personal data protection, judicial and administrative officials shall interpret and apply them in the manner most favorable to the data subject.

Independence from control: in order for the right to the protection of personal data to be exercised effectively, and in compliance with the State’s obligations to protect the rights of data subjects, the data protection authority will exercise independent, impartial and autonomous control, as well as carry out the respective preventive, investigative and sanction actions.

In addition to the above principles, the law outlines a series of other aspects to be taken into account for the purpose of compliance. Article 25 establishes what are the special categories of data, namely sensitive data, data of children and adolescents, health data; and, data of persons with disabilities and their substitutes, relating to disability. These cannot be processed unless exceptions apply, as outlined by Article 26 of the law. 

The legal age of consent for children and teenagers is 15, which means that up until this age, personal data processing has to have the consent of a parent or legal guardian of the child. 

Article 42 mandates that you conduct a Data Processing Impact Assessment where the processing, by its nature, context or purpose, is likely to result in a high risk to the rights and freedoms of the data subject, or where the Personal Data Protection Authority requires it. Additionally, such an assessment is mandatory in the following instances:

  • Where there is a systematic and thorough assessment of personal aspects of natural persons based on automated processing, such as profiling, and on the basis of which decisions are taken that produce legal effects for natural persons;
  • For large-scale processing of special categories of data, or personal data relating to criminal convictions and offenses;
  • Where there is a systematic large-scale observation of a publicly accessible area.

As a data controller, you are required under Article 43 to report any data breach to the data protection authority as well as to the Telecommunications Regulatory and Control Agency as soon as possible and no later than 5 days after becoming aware of it, unless the breach is unlikely to constitute a risk to the rights and freedoms of natural persons. As a processor, you must notify the controller of any data breach as soon as possible and no later than 2 days from the date you become aware of it.

Article 47 lists a series of obligations contained in the principles mentioned earlier, and with Article 48 the obligation to appoint a Data Protection Officer is defined. Appointing a DPO is mandatory in the following cases: 

  • If the processing is carried out by entities in the public sector;
  • If your activity as a data controller or processor requires a permanent and systematic control for the volume, nature, scope or purpose of processing, as regulated by the current law, the regulations issued to it or any other regulations issued by the Data Protection Authority.
  • If you process special categories of data on a large scale;
  • If the processing does not refer to data related to national security or State defense, which is subject to secrecy, in accordance with the provisions of the relevant specialized legislation.

In addition to the above, the Data Protection Authority may issue new regulations and conditions for appointing a DPO, as well as the necessary guidelines for these. 

Last but not least, as a controller you are required, according to Article 51 and Article 47(12), to register your databases and processing activities in the National Personal Data Protection Register and to keep that registration up to date, covering the following details:

  • Identification of the database or processing;
  • The legal address and contact details of the data controller and processor;
  • Characteristics and purpose of the processing of personal data;
  • Nature of personal data processed;
  • Identification, name, legal address and contact details of the recipients of personal data, including data processors and third parties;
  • How recorded information is interrelated;
  • Means used to implement principles, rights and obligations contained in this law and specialized regulations;
  • Technical, physical, administrative, organizational and legal requirements and tools implemented to ensure the security and protection of personal data;
  • Data retention time.

What data access rights does LOPDP grant? 

The law of Ecuador grants data subjects the following rights: 

  • Right to be informed
  • Right to access
  • Right to rectification and update
  • Right to delete
  • Right to object to the processing of personal data
  • Right to portability
  • Right to not be subject to automated decision making


How to address data subject access requests under LOPDP?

In the event of a request submitted under the Right to be informed, you are required to reply to the data subject within 30 days of the request, either with the information or with a refusal and its reason. The data subject has to be provided with explicit, unambiguous, transparent, intelligible, concise, precise and barrier-free information, which may be transmitted in any verifiable manner, in clear, simple and easily understandable language and preferably in the language of their choice.

For all other data subject rights, the deadline for answering is 15 days, with no extension mentioned in the text of the law. 

In the case of the Right to portability, you are required to provide the data subject with their personal data in a compatible format that is updated, structured, commonly used, interoperable and machine-readable, preserving its characteristics, or to transmit the data directly to other controllers, where one of the conditions set out in the law for this right is met:

  • The data subject has given their consent to the processing of their personal data for one or more specific purposes. The transfer or communication is made between data controllers where this is technically possible; otherwise the data is transmitted directly to the data subject;
  • The processing is carried out by automated means;
  • It is a relevant volume of personal data, according to the parameters defined in the regulations of the law; 
  • The processing is necessary for the fulfillment of obligations and the exercise of rights of the controller or processor, or of the data subject, in the field of labor law and social security.

Under the law, the data transfer has to be cost-efficient, expeditious and unhindered. There are exceptions to the applicability of this right, such as for inferred, derived, created, generated or otherwise obtained information resulting from analysis or processing carried out by the data controller on the basis of the personal data provided by the data subject, as is the case with personal data that has been subjected to personalization, recommendation, categorization or profiling.

For the correct exercise of this right, it is expected that the Data Protection Authority of Ecuador will issue additional regulations. 


Enforcement and penalties

The regulating authority is the Superintendency of Data Protection, whose head has yet to be appointed. According to Article 65, in cases of non-compliance with the law the authority will issue corrective measures designed to bring the violation to an end. These corrective measures may include the cessation of processing, subject to certain conditions or time limits; the deletion of data; or the imposition of technical, legal, organizational or administrative measures to ensure the proper processing of personal data.

As far as penalties are concerned, Articles 71 and 72 outline these, as follows: 

  • For minor violations
    • For civil servants or public officials: a fine between 1 and 10 minimum legal wages (approx. $450 to $4500).
    • For private law entities and public entities: a fine between 0.1% and 0.7% of turnover for the financial year immediately preceding the imposition of the fine.
  • For serious violations
    • For civil servants or public officials: a fine between 10 and 20 minimum legal wages (approx. $4500 to $9000).
    • For private law entities and public entities: a fine between 0.7% and 1% of turnover for the financial year immediately preceding the imposition of the fine.

Data Subject Rights - GDPR vs. LOPDP

GDPR

  • Right to access data
  • Right to correct inaccurate data
  • Right to the portability of data
  • Right to delete personal information
  • Right to information about how entities are sharing your data
  • Right to restrict processing
  • Right to object to processing
  • Right to object to automated processing

Ecuador LOPDP

  • Right to be informed
  • Right to access
  • Right to rectification and update
  • Right to delete
  • Right to object to the processing of personal data
  • Right to portability
  • Right to not be subject to automated decision making 


How can Clym help?

Clym believes in striking a balance between legal compliance and business needs, which is why we offer businesses the following:
  • All-in-one platform: one interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and the applicable regulation;
  • Custom branding;
  • Ready compliance: coverage of 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.
You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
