The Organic Law on the Protection of Personal Data (the “LOPDP”) introduces the role of the Data Protection Officer (the “DPO”), who is an integral part of the personal data protection system. The DPO plays a crucial role within Ecuador’s data protection regulatory framework by supervising and advising on the proper compliance with the LOPDP, the General Regulations of the LOPDP (the “Regulations”), and secondary regulations issued by the personal data protection authority (collectively with the LOPDP and the Regulations, the “Personal Data Protection Framework”).
On 30 July 2025, the Superintendence for the Protection of Personal Data (“SPDP” or “Authority”) issued Resolution No. SPDP‑SPD‑2025‑0028‑R, which contains the Regulation on the Data Protection Officer (the “DPO Regulation”), governing the DPO’s activities. This document updates the scope of the DPO’s obligations, limitations, and responsibilities to ensure compliance with the Personal Data Protection Framework.
I. CHARACTERISTICS OF THE DPO
1. Definition of the DPO
Inspired by the European data protection regime, the LOPDP defines the DPO as the natural person responsible for independently advising and monitoring the organization’s compliance with the Personal Data Protection Framework, and for cooperating with the Authority, acting as the organization’s point of contact with it.
This definition highlights three key characteristics of the DPO:
- Must be a natural person;
- Their role is to monitor and ensure the organization meets its legal data protection obligations; and
- They must cooperate with the Authority.
2. Requirements to Serve as DPO
Articles 55 of the Regulations and 11 of the DPO Regulation establish the following requirements:
- Must enjoy political rights;
- Must be of legal age;
- Must hold a tertiary-level degree in Law, Information Systems, Communications, or Technology;
- Must demonstrate at least five years of professional experience; and
- Must complete a professional training program authorized by the SPDP.
The final requirement ensures that DPOs have the necessary knowledge to appropriately advise organizations. It becomes mandatory starting on 1 January 2029. The SPDP‑authorized training must be offered by a higher education institution whose curriculum meets the minimum content requirements set out in Resolution No. SPDP‑SPD‑2025‑0004‑R (the Professional Training Program Regulation). Institutions offering such programs must inform the SPDP of the degrees or diplomas they issue.
A related question arises: Can a foreign national serve as DPO?
Articles 61 of the Constitution and 2 of the Code of Democracy stipulate that political rights are granted to Ecuadorian citizens and to foreign persons where applicable. Consequently, the DPO role is effectively limited to Ecuadorian citizens, although foreign nationals may serve if they are legal residents.
3. Appointment, Nomination, and Registration of the DPO
The DPO must be officially appointed by the organization’s legal representative or authorized agent. The appointment must include:
- Date of appointment;
- Organization’s identifying information:
  - For companies domiciled in Ecuador: legal name and taxpayer registration number;
  - For non‑domiciled organizations: legal name, tax ID, address, phone, and email of the parent or headquarters;
- Name of the legal representative;
- Name of the DPO;
- DPO’s responsibilities;
- Signature of the legal representative or agent;
- The DPO’s express acceptance of the role;
- The appointment or power verifying the authority of the legal representative/agent;
- Documentation proving the organization’s legal existence.
Once appointed, the organization must register the DPO with the SPDP within 15 business days so that the Authority can record and publish the organization’s details and the DPO’s contact email, ensuring transparency. Failure to meet this deadline constitutes a serious violation of security measures and may result in a fine equivalent to 0.7% to 1% of the organization’s turnover.
4. Engagement Models for the DPO
The DPO may be appointed directly or through a legal entity, provided the appointment contract specifies the natural person serving as the DPO. According to Articles 49 of the Regulations and 12 of the DPO Regulation, they may be hired as an employee or as an independent contractor. Regardless of the contract form, the DPO must retain independence and be empowered to issue recommendations and observations regarding compliance with the Personal Data Protection Framework.
In all cases, the contract must ensure:
- Direct communication with the organization’s senior leadership;
- Provision of necessary tools for the role;
- Confidentiality clauses to protect sensitive information;
- Clear delineation of functions, restrictions, and responsibilities.
Because the DPO needs time to adapt and understand the organization, it is recommended they conduct an internal audit to assess the organization’s data protection compliance and identify risks to mitigate.
a) Internal DPO
Two scenarios may occur:
- Hiring a new person specifically for the DPO role, or
- Appointing an existing employee to serve as DPO, who must devote themselves exclusively to the role and must not participate in data processing activities, to avoid conflict of interest.
b) External DPO
In addition to the above contract requirements, an external DPO’s contract must specify the service duration and modality and include an internal contact person within the organization.
5. Group DPO for Business Groups
Article 50 of the Regulations allows a single DPO to serve all companies within a corporate group, provided there is no conflict of interest and they can adequately fulfill their responsibilities.
6. Persons Disqualified from Being DPO
Articles 56 of the Regulations and 16 of the DPO Regulation list those who cannot serve as DPO:
- Members of the organization’s management or supervisory bodies;
- Owners or shareholders;
- Spouses or close relatives (up to fourth‑degree consanguinity or second‑degree affinity) of administrators, directors, commissioners, or data controllers/processors;
- Individuals with conflicts of interest as defined by SPDP regulations;
- Information security officers;
- Compliance officers;
- Special agents of foreign organizations processing data in Ecuador; and
- High‑rank public officials.
These restrictions aim to preserve the DPO’s objectivity and independence.
7. Conflicts of Interest
A conflict exists if the DPO:
- Participates in data processing activities (even occasionally);
- Provides advice beyond their role to defend the organization’s interests;
- Makes decisions affecting the organization’s internal operations.
They are specifically prohibited from:
- Performing duties of the data controller or processor;
- Directly implementing data protection laws;
- Directly managing risk or impact assessments (they may only issue non-binding observations);
- Deciding on processing purposes or means;
- Representing the organization before the SPDP; or
- Holding roles such as security officer, compliance officer, or implementer, which compromise their independence.
The DPO must declare any real or potential conflict before accepting the position; if one exists, the organization must refrain from appointing them or must revoke the appointment if already made.
8. Independence of the DPO
Independence is fundamental for supervising compliance without interference. It is reflected in:
a) Supervisory Authority
The DPO must monitor compliance, make observations, and issue recommendations—but implementation remains the responsibility of the organization to avoid conflict of interest.
b) Relations with the Authority and Stakeholders
The DPO must interact independently with the SPDP, responding to its requests without instruction from the organization. They also serve as the contact for data subjects, although responding to them directly is the organization’s responsibility. The DPO’s oversight includes ensuring data subject rights are respected.
c) Controls to Ensure Independence
Organizations must ensure:
- Direct access to senior leadership;
- Access to necessary technical, financial, and human resources;
- Mechanisms to ensure DPO recommendations are considered;
- Reports on compliance levels.
These controls must be evaluated annually by an internal audit, compliance area, or external auditor to maintain objectivity.
9. Special Protection for the DPO
Article 50(4) of the LOPDP specifies:
“The DPO may not be removed or sanctioned for properly performing their duties.”
Thus, any disciplinary action against the DPO for executing their role according to law is prohibited. However, if the DPO is unjustly removed or sanctioned, or their independence is compromised, they may file a complaint with the SPDP, which will investigate and take appropriate action.
II. DPO FUNCTIONS
1. Core Duties
Article 49 of the LOPDP specifies that the DPO shall:
- Advise the data controller, processor, and their staff on legal provisions (law, regulations, guidelines) related to personal data;
- Monitor compliance with those provisions;
- Assist in risk analysis, impact assessments, and security measures, and supervise their implementation;
- Cooperate with the SPDP and act as the organization’s contact;
- Perform additional functions assigned by the Authority regarding special personal data categories.
The DPO Regulation (Article 13) further clarifies that advisory and supervisory duties extend to:
- Risk analysis, impact assessments, and security measures for data transfers;
- Handling data subject rights requests;
- Managing and notifying data breaches (to data subjects, the SPDP, and ARCOTEL);
- Evaluating the effectiveness of security measures;
- Ensuring compliance with records of processing activities; and
- Overseeing overall compliance with personal data protection rules in processing activities.
The DPO must stay informed of updates and reforms to the Personal Data Protection Framework and advise the organization accordingly—via documentation, organizational changes, or security improvements. Compliance may be assessed through internal or external audits, with reports escalated to senior management for corrective action.
They should also support risk assessments and impact evaluations with appropriate methodology expertise.
2. Scope of Liability
Per Article 49 of the LOPDP, the DPO may be held administratively, civilly, or criminally liable for non‑compliance. However, the DPO Regulation allows exemption if they can demonstrate they acted diligently.
a) Administrative Liability
Administrative liability arises from defined infractions and corresponding sanctions. Since the LOPDP neither specifies administrative violations or sanctions for DPOs nor authorizes the SPDP to define such infractions, the Authority lacks the power to sanction the DPO purely for failure in their duties.
b) Civil Liability
Civil liability may arise contractually (due to breach of contractual obligations resulting in harm to the organization) or extracontractually (non‑contractual wrongdoing harming data subjects or the organization). DPOs may be held liable if negligence causes harm.
c) Criminal Liability
Criminal liability applies only to acts defined as offenses by law. There is no explicit crime defined for DPO non‑performance, but general criminal provisions may apply (e.g., document forgery).
III. OBLIGATION TO APPOINT A DPO
1. When Is Appointment Mandatory?
Article 47(13) of the LOPDP mandates appointment when required, and Article 48 outlines circumstances:
a. When processing is conducted by public entities under Article 225 of the Constitution;
b. When processing activities require continuous and systematic control due to volume, nature, scope, or purposes;
c. When large-scale processing involves special categories of data;
d. When processing involves data related to national security or defense issues that are reserved or secret—though there is ambiguity regarding the scope of this clause; clarification or reform is suggested to avoid misinterpretation.
The DPO Regulation includes an annex (Annex 1) listing sectors that must appoint a DPO regardless of profitability.
It notably includes any institution processing data of minors, even outside educational contexts, which may be overly broad: for example, it could require the designation of a DPO for certain employment or tax-related record-keeping. Clarification is recommended to avoid disproportionate obligations.
2. Penalties for Non-Appointment
When mandatory, DPOs must be appointed and registered between 1 November and 31 December 2025. Failure is considered a serious violation and may result in a fine of 0.7% to 1% of the organization’s turnover.
IV. CONCLUSIONS
The DPO is a foundational figure in Ecuador’s data protection framework, helping organizations comply with legal requirements while mitigating legal risks through supervision and advice. Appointing a DPO not only meets legal obligations but also embodies a proactive and accountable approach to data governance.
Although appointment is required only in certain sectors, the role extends beyond compliance—it supports organizations in implementing a nuanced, emerging regime governing personal data handling.
The DPO Regulation clarifies many questions—designation criteria, functions, conflicts of interest, role limitations—but ambiguities remain in some legal definitions, which the SPDP should address via secondary regulation.
Assigning criminal liability to DPOs may be counterproductive, discouraging qualified professionals from serving—a caution underscored by the Spanish model, in which DPOs are not held personally liable for organizational data protection infractions, which rest with the controllers or processors.
Finally, appointing a DPO does not absolve data controllers or processors of their obligations. The DPO supports and oversees compliance, but ultimate responsibility remains with the organization.
Annex 1. Special Cases Requiring DPO Appointment
- Early childhood educational institutions
- Primary and secondary schools
- Any institution processing data of minors (beyond educational scope)
- Higher education institutions processing special data categories for academic or administrative purposes
- Financial entities processing personal data
- Insurance entities (insurers, reinsurance, intermediaries, brokers, agents)
- Organizations conducting market research, advertising, profiling
- Healthcare system actors maintaining patient records
- Pharmaceutical actors: producers, distributors, laboratories, pharmacies
- Private security companies
- Private property managers, HOAs, housing trusts
- Professional sports federations or academies
- Sports clubs or academies
- Telecommunications service providers
- Mass video surveillance services
- Geolocation service providers
- IT service providers, including AI developers
- Public service concessionaires, including PPPs
Rafael Serrano
Partner at CorralRosales
rserrano@corralrosales.com
Juan Martín Chavez
Associate at CorralRosales
jchavez@corralrosales.com