Ecuador´s Preliminary draft of the Data Protection Law – IAPP



DATE: 18-03-2021


-Rafael Serrano


For the first time in history, Ecuador will have a Data Protection Law that will follow the European normative standard. Our associate Rafael Serrano, a collaborator for the IAPP blog, writes about it.

Despite never having had a specific law, data protection in Ecuador is restricted and limited by the various laws that include this particular legislation, such as the Telecommunications Law, the Electronic Commerce Law, the Criminal Law, and the Financial and monetary law.

After two significant circumstances in the country, the government determined it essential for the country to have its own law.  It would protect Ecuadorian citizens’ data, allowing the authorities to take action if it was not complied with. One of the revealing events was a data breach that affected practically the entire population. The other one corresponds to the evolution of the Data Protection Law in other countries. This limits Ecuador when it comes to transferring data internationally.

The current bill, which is currently being debated in Congress, contains 76 articles and 12 chapters focused on the following aspects:

Extraterritorial scope

Processors and controllers who offer services and goods to Ecuadorian residents but as long as they are located outside of our country.

Data protection principles

As published by Serrano, “the bill recognizes many of the data protection principles accepted throughout the world, such as limitation of purpose, transparency, confidentiality, limited retention, responsibility and accuracy of data, guidelines established and obligations for data processors and controllers.”

Lawful basis for the processing of personal data

With this draft Law, there will be contractual and pre-contractual obligations, the protection of vital interests, the processing of data from public databases, and the exercise of tasks carried out in the public interest or exercise of public powers.

New data subjects rights

The law will include the right to information, access, rectification, deletion, cancellation, the right to object, not be subject to a decision based on automatic processing, portability, and the right to be forgotten. Some exceptions will also be recognized.

Special categories of data

It will be necessary to give explicit consent to process data that is categorized as special. That is sensitive data, those related to health, financial, and minors’ data.

Security measures

Processors and controllers must implement various security measures and adopt technical measures that will depend on the volume and type of the data processed.


There must be a data protection officer as the data controller. All authorities must have a DPO; the rest of the companies will depend on the purpose, scope, and data they process.

International data transfer

The transfer of data to other countries and territories will be allowed, provided that their security is guaranteed.


“The bill creates the Data Protection Superintendency as the new DPA. The Superintendency is an autonomous institution. The Superintendent will be appointed following the procedure established in the Constitution”, indicates Serrano.

Sanctions and liabilities

The new Law, according to its project, will establish infractions if what is indicated in it is not fulfilled. “The data processor and controller can be penalized between 3% and 17% of their annual income from the previous year,” he concludes.

If you want to see the article, click here.