Monthly Archives: November 2025

The new Regulations to the Public Procurement Law (hereinafter, the “Regulations”) were published in the Official Gazette No. 153 of October 28, 2025.

Below is a summary of the main provisions of the Regulations:

 

1. Value for money. “Value for money” is defined as the outcome of considering efficiency, effectiveness, economy, competition, and sustainability throughout all stages of the procurement process, in order to obtain the desired results, optimize public resources, and achieve the best cost–benefit ratio.

 

1. Financing of SERCOP. For contracts equal to or exceeding one million U.S. dollars (USD 1,000,000), contracting entities shall withhold 0.4% of each invoice or work statement and transfer it to the National Public Procurement Service (hereinafter, “SERCOP”) for its financing.

 

1. Open data. A public policy of open contracting and access to open data is established, led by SERCOP, aimed at reducing corruption and increasing competition. Information related to national security or classified as confidential by law is exempt from disclosure.

 

1. Exceptions to the RUP. Contractors will not be required to be registered in the Single Registry of Suppliers to participate in: (i) contracts financed with loans and international cooperation; (ii) contracts abroad; (iii) acquisition or lease of real estate; (iv) fuels; (v) airline tickets; (vi) minor purchases (“ínfima cuantía”); and (vii) social communication services.

 

1. Electronic signature. Documents related to public procurement procedures must be signed electronically using a signature issued by a locally accredited entity and through the official application of the telecommunication’s regulatory authority. Procurements carried out abroad are exempt from this requirement.

 

1. Technical commission. For contracts with a reference budget equal to or greater than USD$ 100,000, entities must form a Technical Commission responsible for evaluating and qualifying bids. If the amount is lower, this function may be performed by a public officer designated by the highest authority of the contracting entity.

 

1. In bids submitted by entities, the contracting entity shall ensure that majority shareholders are not subject to any of the disqualifications established by law. A majority shareholder is any individual or entity holding fifty-one percent (51%) or more of the shares in the entity.

 

1. The awarded bidder shall sign the contract within fifteen (15) business days following the date on which the award becomes final and binding, with the possibility of requesting an extension in cases of force majeure.
2. Technical warranty. As part of the technical warranty, it may be required that if the contractor breaches the agreement, the manufacturer or authorized distributor will take on the corresponding obligations. For contracts valued at five million USD or more, the contractor must provide a financial guarantee equal to the value of the goods supplied.

 

1. Advance payments. To execute the contracts, an advance payment of between twenty percent (20%) and thirty-five percent (35%) of the total contract amount may be granted to the contractor. Advance payment is mandatory for works contracts.

 

1. Bank transactions. The contract administrator may verify that the contractor’s banking transactions are related to the use of the advance payment or the execution of the contract. Upon request of the administrator, the contractor shall provide the bank statements issued by the corresponding financial institution for verification purposes.

 

1. In case of delay in the execution of the contract, the contracting entity may impose a daily penalty equivalent to one per thousand (1×1000) of the value of the unfulfilled obligation. If such obligation cannot be quantified, the calculation shall be based on the total contract amount, provided that the penalty does not exceed five hundred U.S. dollars per day.

 

1. Substitution of goods. In the event of force majeure, the contractor may propose to the entity the delivery of goods of a different brand than that offered, provided that they are of equal or superior quality and condition, without generating any additional cost. Acceptance of such proposal shall be at the sole discretion of the contracting entity.

Procurement procedures initiated up to October 27, 2025, will continue to be governed by the prior regulations.

Hugo García Larriva, Partner at CorralRosales
hgarcia@corralrosales.com
+593 2 2544144

Mario Fernández, Associate CorralRosales
mfernandez@corralrosales.com
+593 2 2544144

On November 7, 2025, through Resolution No. SPDP-SPD-2025-0041-R, the Data Protection Authority (hereinafter, “DPA”) issued Regulations for the Application of Legitimate Interest as a Lawful Basis for the Processing of Personal Data (hereinafter, the “Regulation”).

 

The Regulation is mandatory whenever a legitimate interest is relied upon as a legal basis for processing personal data.

 

Below we highlight the most relevant aspects of the Regulation:

 

1. Characteristic of legitimate interest

 

The Regulation establishes that legitimate interest must be:

 

i. Lawful: the processing activity must not pursue a purpose that is prohibited by law.

ii. Certain and specific: it cannot be substantiated upon hypothetical circumstances and must be clearly identified responding to concrete and verifiable needs.

iii. Proportionate: the processing must be adequate, necessary, timely, and not excessive.

iv. Within the data subject’s reasonable expectations: before carrying out the processing, the controller must provide the data subject with relevant information on the entire processing activity and must also include such information in the applicable privacy notice/policy.

 

2. Balancing Assessment

 

Any controller intending to rely on legitimate interest as a lawful basis must first carry out a balancing assessment with respect to the processing activity. This assessment, along with its outcome, must be available for review by the DPA and data subjects.

 

The balancing assessment will have to determine whether the interest relied upon by the controller prevails over the rights and freedoms of the data subjects. Failure to carry out such an assessment constitutes a serious infringement under the Data Protection Law.

 

The balancing assessment must include the criteria set out in Annex 1 of the Regulation, which, among other aspects, requires:

 

i. Identification and justification of the legitimate interest.

ii. Justification of the necessity, demonstrating that the processing is indispensable to achieve the intended purpose and that there are no less intrusive means available.

iii. A balance between the purpose pursued and the potential impact on the data subject’s rights.

iv. Implementation of technical, organizational, and mitigation measures, as well as documentation of the outcome of the assessment.

 

Controllers must maintain an up-to-date record of the balancing assessments they have performed. This record must be reviewed at least once every year, or whenever the purpose, the type of data, or the level of risk associated with the processing changes.

 

3. Permissible Scenarios

 

The DPA has limited the use of legitimate interest to the following purposes:

 

i. Direct marketing provided that no special categories of data or children’s data is used, and that a free and immediate mechanism to object to such processing activity is in place.

ii. Prevention, detection, reporting of fraud, money laundering, terrorism financing, and related crimes.

iii. Internal data sharing within a corporate group, limited to legitimate purposes and subject to transparency towards data subjects.

iv. Security of networks and IT systems, through the implementation of appropriate technical and organizational measures.

v. Video surveillance for the security of individuals, property, or facilities. The capture or recording of audio is not permitted in systems relying on legitimate interest.

 

In all cases, each processing activity must successfully pass the balancing assessment required under the Regulation. Data subjects may exercise their rights under the Data Protection Law at any time, in particular their rights to object and to access.

 

4. Prohibitions

 

Legitimate interest may not be relied upon in the following cases:

 

i. Processing of special categories of personal data, unless the processing is strictly indispensable, and reinforced security measures are in place.

ii. Processing involving automated profiling that produces legal effects concerning the data subject or significantly affects them similarly, except in cases expressly provided for the financial or insurance sectors with additional safeguards.

iii. Processing of personal data of children or adolescents, unless it can be justified based on the best interests of the child.

iv. Large-scale processing or further use of personal data for purposes that are different from, or incompatible with, the original purpose.

 

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144