On July 23, 2025, through Resolution No. SPDP-SPD-2025-0022-R, the Data Protection Authority (“SPDP” or “Authority”) issued the Regulation for the application of the methodology for calculating fines under the SPDP’s administrative sanctions regime (“Regulation”).

 

The Regulation is mandatory for the SPDP and aims to establish the methodology for calculating fines applicable to violations outlined in the Data Protection Law (“LOPDP”).

 

In determining the applicable fine, the Authority shall apply the principle of proportionality, and the corresponding amounts shall be supported by justifications or rationales.

 

If the calculated fine is below the minimum threshold established in the LOPDP, the minimum value shall apply. If the estimated amount exceeds the maximum threshold, the maximum value outlined in the LOPDP shall be applied.

Under the Regulation, the SPDP may apply one of two models for calculating fines. The Authority may use the deterministic model when the applicable values are known with certainty, or the stochastic model when uncertainty exists.

 

  1. Deterministic calculations

 

  • Calculation model MPRIV-1

 

The SPDP may apply this model to determine the applicable fine for private for-profit institutions. The model takes into account the following factors:

 

  1. Turnover (“VDN”): Refers to the revenue from the most recent fiscal year of the alleged infringer, after deducting taxes related to the economic operation.

  2. Category of the infringement (“CDI”): Considers the following components:

    1. Fine range (“RDM”): Identifies the category of the infringement and establishes the applicable percentage for the fine. Minor violations are sanctioned with a percentage ranging from 0.1% to 0.7%, while serious violations are sanctioned with a percentage ranging from 0.7% to 1% of the VDN.
    2. Weight of the infringement (“PDI”): Assesses the maturity level of compliance with the LOPDP and the corrective measures implemented by the alleged infringer. This is determined within a range of 0% to 100%.

  3. Severity of the infringement (“SDI”): Composed of three factors, each calculated using the PERT formula:

    a. Impact on Data Subjects’ rights and freedoms (“IED”), with a weight of 60%. This includes four elements:

      1. Types of personal data.
      2. Number of affected data subjects and volume of data.
      3. Nature of the breach.
      4. Groups of particularly vulnerable data subjects.

    b. Intentionality (“INT”), with a weight of 40%. Assessed based on the willful misconduct or negligence and the level of awareness of the alleged infringer.

    c. Recidivism[1] and reiteration[2] (“RER”), as an optional factor, may be included with an additional weight of 20%.

  4. The final fine is obtained by multiplying the value estimated based on the CDI by the SDI.

 

  • Formulas for calculating the fine under the MPRIV-1 model

 

  • CDI = VDN x RDM minimum + (PDI/100) x (VDN (RDM maximum – RDM minimum))
  • SDI = 2 (IED + INT + RER)
    • IED: PERT = (minimum value + 4 x most probable value + maximum value) / 6
    • INT: PERT = (minimum value + 4 x most probable value + maximum value) / 6
    • RER: PERT = (minimum value + 4 x most probable value + maximum value) / 6
  • Fine = CDI x SDI

 

2. Calculation model MPUB-1

 

This model applies to sanctions imposed on public officials and civil servants. It follows the same methodology as the MPRIV-1 model, except that the turnover (VDN) factor is replaced by a value based on the Statutory Minimum Wage.

 

3. Stochastic Calculation

 

This method is applied using a Monte Carlo analysis in cases where there is uncertainty regarding the values required to calculate the fine. Through this analysis, multiple random scenarios are generated, enabling the SPDP to operate within a range of outcomes and make decisions informed by sound judgment.

 

[1] Art. 71 and 72 of the Data Protection Law, Official Register Supplement 459 of May 26, 2021. Occurs when the previous and current infringements are of the same nature; that is, they involve the same type of non-compliance or infringing conduct.

[2] Ibid. Occurs when the offender has previously been sanctioned for two or more minor infringements, or one infringement of equal or greater severity than the current one, even if not necessarily of the same nature.

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

Juan Martín Chavez, Associate at CorralRosales
jchavez@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTE: The above text has been prepared for informational purposes. CorralRosales is not responsible for any loss or damage caused as a result of acting or failing to act on the basis of the information contained in this document. Any additional specific situation requires the firm's specific opinion and assessment.