On November 6, 2023, the President of the Republic signed Executive Decree 904, through which the Regulation of the Law on Personal Data Protection is issued (hereinafter the “Regulation”).
Below, we highlight the key points:
The Regulation includes relevant definitions for the application of the Law on Personal Data Protection (hereinafter “LOPDP”). One of the most important definitions is the term “large-scale processing”, which covers processing of data that affects a large number of data subjects. To determine whether processing is “large-scale”, the following factors must be considered: the number of data subjects, the volume and variety of data, the duration or permanence of the processing activities, and the geographical scope.
Specifically, the Regulation considers the following as “large-scale processing”:
- Patient data from hospitals and healthcare institutions.
- Data on the movement of individuals using public transportation.
- Real-time geolocation data.
- Data of customers of insurance companies or financial institutions.
- Data for behavioral advertising by a search engine.
- Content, traffic, and location data processed by telecommunications or internet service providers.
II. Obligations of data controllers and processors located outside of Ecuador:
Controllers and processors of personal data not established in Ecuador but processing data of residents in Ecuador must appoint a special representative in the country.
III. Impact assessment of personal data processing:
LOPDP establishes the obligation to evaluate the impact of personal data processing when it is identified that such processing may generate a high risk to the rights and freedoms of the data subject.
The Regulation describes an impact assessment as a preventive analysis in which the data controller evaluates the actual impact of the data processing.
The impact assessment must be submitted to the Data Protection Authority and should include the following elements:
- Description of the operations and purposes of processing.
- Reasoning for the necessity to carry out the processing.
- Assessment of the risks to the rights of the data subjects; and
- Security measures to address the risks.
IV. Record of Processing Activities:
The following are required to maintain a Record of Processing Activities: Controllers of personal data processing with 100 or more employees, controllers processing special categories of personal data, and any processors if the controller has the obligation to maintain such record.
The Record must include:
- Name and contact details of the controller,
- Purposes of the processing,
- Categories of recipients to whom the data has been communicated,
- Categories of personal data of the subjects,
- Use of profiles,
- International transfers,
- Legitimating basis,
- Data retention periods, and
- General description of technical, legal, administrative, and organizational measures.
V. Data Protection Officer:
Individuals with a third-level degree in Law, Information Systems, Communication, or Technologies, and a minimum of 5 years of professional experience, may be appointed as Data Protection Officers (hereinafter “DPO”).
The DPO may perform other data protection-related activities that do not conflict with the inherent responsibilities of their role.
The DPO can be hired as an employee or through a service provision contract.
Controllers or processors that are not required to appoint a DPO may do so voluntarily as a good practice and as proof of compliance with the principle of proactive responsibility.
VI. Joint Responsibility:
Controllers jointly responsible for data processing with the same purposes and means will be considered as joint controllers. These joint controllers will establish their tasks and responsibilities regarding data protection through a contract, which data subjects can access if required.
VII. International Data Transfers:
The Data Protection Authority will establish the countries or organizations with an adequate level of data protection for international data transfers.
If the country or organization to which the international data transfer is made has not been qualified by the Authority, the transfer will only be permissible if certain legal instruments support the transfer.
The Regulation establishes the following criteria to determine whether a country or organization has an adequate level of data protection:
- Legislation and sectoral regulations in the country on data protection.
- Subsequent regulations on personal data by authorities.
- Judicial rulings on data protection.
- Recognition of rights and mechanisms for their exercise in favor of data subjects.
- Establishment of rights and duties of data controllers and processors.
- Independent and autonomous authority.
- International commitments assumed by the country or organization regarding personal data protection.
- Legislation related to national security, public security, and any laws pertaining to the defense and security of the State.
The National Data Protection Registry will record:
- The country where the data recipient is located.
- The categories subject to the transfer.
- The purposes of the transfer.
- The identification data of the recipient.
- The authorization mechanism or exemption criteria for the transfer.
VIII. Security Breaches:
The Regulation establishes that security breaches must be reported to the Data Protection Authority and the Telecommunications Regulation and Control Agency in the following cases:
- When personal data has been destroyed, no longer exists, or is no longer available to the data controller;
- When personal data has been altered, corrupted, or is no longer intact;
- When the data controller has lost control or access, or the personal data is no longer in their possession; and
- When the processing has not been authorized or is unlawful, including unauthorized disclosure or access by recipients.
The Regulation will enter into force upon its publication in the Official Registry.
Rafael Serrano, associate at CorralRosales
+593 2 2544144