On July 30, 2025, through Resolution No. SPDP-SPD-2025-0028-R, the Data Protection Authority (“SPDP”) issued the Governing Rules for the Data Protection Officer, with the purpose of regulating the activities associated with that role.
Below are the most relevant aspects:
I. Appointment of the Data Protection Officer (“DPO” or “DPOs”)
The DPO must be appointed by the legal representative or a duly authorized attorney-in-fact of the organization, in its capacity as data controller or data processor.
The appointment must include the following:
- Date of appointment.
- Identification details of the organization:
a. For domiciled entities: Corporate name and tax identification number (RUC);
b. For non-domiciled entities: Corporate name, tax identification number, address, phone numbers, and email addresses of the parent company or main office.
- Name of the legal representative.
- Name of the DPO.
- Functions of the DPO.
- Signature of the legal representative or attorney-in-fact.
- Express acceptance of the position by the DPO.
The appointment must be submitted to the SPDP within fifteen (15) days of its issuance. Failure to meet this deadline is classified as a serious infringement.
The appointment will be recorded in a public registry to be created by the SPDP.
II. Special Cases of Mandatory Appointment
In addition to the cases provided for in the Data Protection Law (“LOPDP”), the following entities are required to appoint a DPO:
- Entities processing personal data of minors.
- Higher education institutions that process special categories of personal data for academic or administrative purposes.
- Entities engaged in financial activities.
- Insurance entities, reinsurance companies or intermediaries, as well as insurance advisors, brokers, agents, and other service providers in the insurance sector.
- Companies engaged in advertising, commercial prospecting, or market research that process personal data involving profiling.
- Members of the healthcare system responsible for maintaining patient medical records, except for individual health professionals practicing privately.
- Establishments in the pharmaceutical sector that carry out the production, distribution, or marketing of pharmaceutical products, including laboratories, drug representatives, pharmaceutical distributors, and pharmacies.
- Private security companies, as well as private legal entities or trusts administering gated communities, private residential complexes, or condominiums, due to their processing of personal data for access control purposes.
- Professional sports federations or associations, sports corporations, professional clubs, or sports academies.
- Professional associations or bar councils.
- Telecommunications service providers.
- Companies offering or providing mass video surveillance, geolocation, or information technology services, including those involved in the development, implementation, or deployment of artificial intelligence.
- Public or private legal entities that are public service concessionaires, as well as public-private partnerships distributing, marketing, or supplying public services.
These entities must appoint a DPO regardless of whether they act as data controllers or data processors, and regardless of whether they operate for profit.
III. Additional Requirements for the DPO
In addition to the requirements established in the Regulations to the LOPDP, the DPO must comply with and successfully complete the DPO professionalization program officially approved by the SPDP.
This obligation will become effective as of January 1, 2029.
IV. Prohibitions
The DPO may not engage in the following activities:
- Carry out functions corresponding to the data controller or data processor.
- Directly implement data protection regulations within the organization.
- Conduct data protection risk assessments or data protection impact assessments; on these, the DPO may only issue non-binding comments or recommendations.
- Make decisions regarding the purposes or means of processing.
- Represent the organization before the SPDP.
- Serve as the information security officer, compliance officer, implementer, or any other role that may create a conflict of interest.
- Perform duties that compromise their independence, autonomy, impartiality, or objectivity as a DPO.
The local representative for data protection matters of a non-established controller or processor may not also serve as the DPO of that same organization.
V. Conflicts of Interest
Before their appointment, the DPO must disclose any actual, potential, or apparent conflict of interest. If such a conflict arises before or after the appointment, the organization must take corrective measures, such as refraining from appointing the individual, modifying their duties, or revoking the appointment, as appropriate.
A conflict of interest shall be deemed to exist when the DPO:
- Carries out or participates in personal data processing activities, even occasionally.
- Provides advisory services, beyond the DPO's own functions, that are aimed at safeguarding the interests of the organization.
- Makes decisions regarding the organization, its activities, or its internal operations.
VI. Impartiality and Independence of the DPO
The DPO must act with full independence in the performance of their duties.
The organization must ensure the DPO’s independence and impartiality by implementing the following control mechanisms:
- Direct access and communication with the highest executive and decision-making level within the organization.
- Availability of technical, financial, and human resources.
- Mechanisms for effective consideration of the DPO’s observations and recommendations regarding the data processing activities carried out by the organization.
- Reports assessing the organization’s level of compliance with data protection regulations.
Compliance assessments must be conducted annually by the organization. Under no circumstance may the assessment be carried out by the DPO.
The DPO may report the data controller or processor to the SPDP for any actions that may undermine their independence or constitute retaliation related to their duties.
VII. Additional Considerations
Data controllers and processors must register their DPO by December 31, 2025.
Failure to register the DPO will be treated as a serious violation, on the basis that it constitutes a failure to implement security measures.