General Regulation for the Guarantee of the Right to Personal Data Protection in the Use of Artificial Intelligence Systems

CorralRosales > Bulletin > General Regulation for the Guarantee of the Right to Personal Data Protection in the Use of Artificial Intelligence Systems
Categories Bulletin Posted on Author Jorge Cadena Tags Ecuador, Quito

On 18 February 2026, the Data Protection Authority (“DPA”) issued, through Resolution No. SPDP-SPD-2026-0009-R, the General Regulation for the Guarantee of the Right to Personal Data Protection in the Use of Artificial Intelligence Systems (“AI Regulation”), with the purpose of ensuring the effective application of the Data Protection Law (“DPL”), its General Regulation, and other applicable regulations concerning personal data protection, when controllers and processors develop, train, implement, deploy and/or provide artificial intelligence systems (“AI Systems”) in which the personal data of Ecuadorians are processed, regardless of the location of the AI System or its provider.

 

Below, we detail the most relevant aspects of the AI Regulation:

 

  1. Definitions:
  • Developer: controller or processor that generates or creates an AI System.
  • Deployer: controller or processor that, through the use of an AI System, provides a service, except where such use falls within a personal activity of a non-professional nature.
  • Distributor: controller or processor that forms part of the supply chain other than the developer, deployer, or implementer, that markets or supplies an AI System on the market.
  • Implementer: controller or processor that commissions the development of, or implements, an AI System within internal procedures or processes.

 

  1. Controllers or processors that process personal data through AI Systems must comply with the following obligations:

 

  • Comply with the principles established in the DPL.
  • Guarantee the rights recognized in the DPL, in particular the rights to information, objection, and not to be subject to a decision based solely or partially on automated assessments.
  • Inform the data subject about the processing of their personal data carried out through AI Systems, including its purposes and its automated nature.
  • Carry out risk analyses and data impact assessments.
  • Implement appropriate security measures.
  • Include the processing operations carried out through AI Systems in the record of processing activities (RoPA).
  • Audit the operation of the AI System according to its level of risk.

 

  1. The DPA may audit AI Systems where the principles and rights are not guaranteed and may impose corrective measures and/or precautionary measures in the event of non-compliance with the obligations established in the DPL and other applicable regulations in this field.

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

© CORRALROSALES 2026
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

PREVIOUS