On May 26, 2021, the Organic Law for the Protection of Personal Data (the "LOPDP") entered into force with its publication in Official Gazette Supplement 459. However, the sanctioning regime began to apply as of May 26, 2023, as established in the First Transitory Provision: "(the...) provisions related to the corrective measures and the sanctioning regime will enter into force two years after the publication of this Law in the Official Gazette".

During this period, anyone responsible for the processing of personal data had to adapt their activities to the requirements established in the LOPDP, whose purpose is to protect the fundamental rights and freedoms of data subjects and their right to the protection of personal data.

The process of adapting to the new rules on information processing depends on the type of organization (public entity, multinational, SME, self-employed, among others) and, above all, on the types of data processed (health data, credit data, data of children or adolescents).

The main obligations of companies are summarized below:

1. Scope of application of the LOPDP:

  • The law is applicable to any processing of personal data, whether in physical or digital format, including its automation and any additional use.
  • Both legal and natural persons, public or private, must comply with the obligations imposed by the LOPDP.

2. Individuals involved in data protection:

  • The controller is the person, natural or legal, who decides on the purpose and processing of the personal data collected.
  • The processor is the person who provides a service to the controller that involves the processing of personal data in the name and on behalf of the controller.
  • The data subject is the natural person whose data is processed; such data includes name, surname, ID card number, health data, religion, credit data, gender, ethnicity, fingerprint, among others.

3. New obligations:

The LOPDP requires new notices to be included, for example the legal basis for data processing or the data retention periods, in addition to the following:

  • Consent: this must be a free, specific, informed, and unequivocal expression of will. This implies that the data controller must be able to prove that it obtained the consent of the data subject.
  • Relationship between data controllers and data processors: the law describes the type of contract required between the data controller and the data processor, specifying the obligations of both parties for the provision of the agreed service.
  • Risk analysis: those who process data must carry out a risk analysis of the processing before implementing it, in order to minimize the impact it may have on data subjects.
  • Rights: the law provides data subjects with a series of rights to ensure data protection, such as access, rectification, erasure, opposition, portability, and the right not to be subject to a decision based solely or partly on automated assessments, among others.
  • Data Protection Officer ("DPO"): those who process personal data must, depending on the volume, category, and processing of the data, appoint a DPO, who will carry out permanent and systematic control of personal data.

4. Data Protection Authority ("DPA"):

The LOPDP provides for the creation of the Superintendence of Personal Data Protection, which will oversee the correct application of the law.

5. Corrective actions:

The DPA shall order corrective measures to prevent further infringement. These measures may include:

  • Cessation of processing.
  • Erasure of the data.
  • Imposition of technical, legal, organizational, or administrative measures.

6. Sanctioning measures:

The LOPDP establishes an administrative regime with minor and major offenses. Fines are calculated as a percentage of the offender's business volume:

  • Minor offenses: sanctioned with fines ranging from 0,1% to 0,7%.
  • Major offenses: sanctioned with fines ranging from 0,7% to 1%.

So far, the implementing regulations of the LOPDP have not been issued, nor has the DPA been appointed. However, since the sanctioning regime is already in force, those who process personal data must implement data processing policies and data protection measures to avoid fines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.