General Regulation on the National and International Transfer of Personal Data

On January 28, 2026, the Data Protection Authority (the “DPA”) issued Resolution No. SPDP-SPD-2026-0004-R, approving the General Regulation on National and International Transfers or Communications of Personal Data (the “Transfer Regulation”). This regulation establishes the technical and legal procedures and requirements necessary to safeguard the right to data protection during the transfer of personal data both within locally and internationally.

The Transfer Regulation establishes the following rules:

1. National Transfers: These must comply with the following requirements:

• Existence of a legitimate purpose related to the functions of the data controller and the data recipient.
• The data transfer must have a legal basis under the Data Protection Law (“DPL”).

• Obtain the prior, free, specific, informed, and unequivocal consent of the data subject, except in cases covered by exceptions under the DPL.
• Adopt security measures such as data minimization, technical safeguards like encryption, and restrictions on further transfers.
• Ensure the recipient has mechanisms to guarantee data subject rights to correction, updating, deletion, or objection.
• The recipient must fulfill all obligations applicable to data controllers.

2. International Transfers: These regulate the mechanisms enabling international transfers:

1. Adequate Level of Protection: International transfers are permitted to countries, international organizations, legal entities, or economic territories that the DPA has declared to have an adequate level of protection—either upon request or ex officio—provided the following requirements are met:

• Contractual and technical measures are in place.
• Maintain an up-to-date record of the transfers.
• Notify data subjects about the transfer.
• Fulfill registration requirements for the transfer with the National Data Protection Registry (“NDPR”).

1. Adequate Safeguards: If the transfer is to a country, international organization, legal entity, or economic territory that does not have an adequate level of protection, appropriate safeguards may be implemented, including:

• Standard contractual clauses, in accordance with the model agreement for international transfers of personal data between data controllers issued by the Ibero-American Data Protection Network.
• Binding corporate rules, subject to verification of compliance with the requirements in the DPL, its regulations, and the Transfer Regulation, and approved by the DPA.
• Codes of conduct, subject to verification of compliance with the requirements in the DPL, its regulations, and the Transfer Regulation, and approved by the DPA.
• Certification processes for international transfers, provided the specific regulations issued by the DPA are met.

• Authorization: In exceptional cases, prior authorization from the DPA may be requested. The request must include:

• Identification of the parties involved and the destination of the data.
• Legal and technical justification for the necessity, purpose, and proportionality of the transfer.
• Risk analysis.
• Impact assessment.
• Description of security measures.
• A copy of the transfer contract meeting the obligations under the DPL and its regulations.
• Certification of obtaining consent from the data subject and informing them about the purpose, rights, complaint mechanisms, data protection officer contact, and potential risks.
• Evidence that the recipient commits to complying with the DPL, its regulations, and other data protection laws, and to submit to the DPA and Ecuadorian courts, or that data protection rights are guaranteed in the recipient’s jurisdiction, including access to complaint mechanisms with a data protection authority and effective judicial remedies.
• A reasoned explanation of why an international transfer cannot be made to a country, international organization, legal entity, or economic territory with an adequate level or with appropriate safeguards.

3. Special “Intra-ACN” Regime for the Andean Community of Nations (“ACN”): Transfers to ACN member countries are considered cross-border flows. By community mandate, these countries are deemed to have an adequate level of protection without further DPA evaluation, except in cases of serious deficiencies.

• In such cases, transfers are permitted if data subjects are informed of their information rights under Article 12 of the DPL, and if contracts, internal policies, risk assessments, impact evaluations, and security reports are in place.

4. Registration and Transparency:

• International transfers conducted under DPA authorization or the Intra-ACN regime must be registered on a case-by-case basis in the NDRP.

• International transfers conducted by other mechanisms do not require individual registration, but an annual consolidated report must be submitted to the DPA in the first quarter of each year. This report should detail safeguards adopted and compliance with Article 78 of the DPL Regulations.

5. Compliance:

• The Transfer Regulation requires data controllers and processors to regularize international transfers conducted prior to its entry into force within twelve (12) months.

• To comply, the following actions must be taken:
  • Notify the DPA of previously executed international transfers.
  • Submit a compliance plan, including control and mitigation measures, mechanisms to regularize the transfer, and an implementation timeline.

• • During this period, no sanctions will be imposed provided that prior notification is given, the compliance plan is submitted, and the corresponding measures are implemented.

The Transfer Regulation clarifies that data processing arrangements do not constitute a transfer of personal data. Nonetheless, using standard contractual clauses is considered good practice.

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144