After a long period of work, Ecuador will publish in the coming days its first Personal Data Protection Law, in the most European style. Our senior associate Rafael Serrano writes about it in LexLatin.
The right has been guaranteed since 2008, but without a norm to regulate it. This great advance for Ecuador will allow companies to have a refined database with globally homogenized standards and, above all, greater protection of personal information.
In the words of Rafael Serrano, “it is about establishing a framework of parameters to process correct information”.
Anyone who stores information that identifies any individual or makes them identifiable, directly or indirectly, in any type of medium, will be affected by this rule.
To verify compliance with the law, a personal data protection authority has been created. “If the president does not veto the project, this authority, the Superintendency, will be independent, with oversight power in both the private and the public sectors,” adds Serrano.
In addition, this law has established parameters for international communications and transfers of personal data. It has also established rights so that consultation, digital education, and girls, boys and adolescents would not be the subject of a decision based solely or partially on automated valuations.
Serrano points out, “one of the most discussed issues was whether or not there was a need to create a record of the databases in the possession of those responsible. This does not mean that this information is delivered to the Superintendency to create a large database, but rather that what is delivered responds to statistical purposes: for example, what data is being processed and how many databases there are”.
The law establishes that a person's consent to be registered in a database will only be valid when it is given freely and is specific, informed and unequivocal.
Information from companies to the owner of personal data
As Serrano explains, the information required from companies is “the purpose of the data treatment, the legal basis, the types of treatment that exist, the time of their conservation, the existence of a database, the purposes, a contact person in charge, the transfers that are intended to be made and the existence of automated evaluations and decisions, among others”.
“Those responsible for the processing of personal data are obliged to sign confidentiality contracts and proper handling of personal data with the person in charge and the staff in charge of the processing of such personal data or whoever has knowledge of the personal data, in addition to using technologies to mitigate and evaluate the performance or the violations that their protection mechanisms may have”, concludes Serrano.