By Resolution No. SPDP-SPD-2025-0030-R, dated August 7, 2025, the Superintendency of Personal Data Protection (hereinafter “SPDP”) issued the Regulations for the pseudonymization, anonymization, blocking, and deletion of personal data (hereinafter “Regulations”)
The purpose of the Regulation is to establish guidelines for applying data security measures and ensuring the effective exercise of data subjects’ rights.
Below, we summarize the main aspects of the Regulation:
I. Pseudonymization
It is a technical measure that preserves the possibility of reidentification of the data being processed.
Data controllers or processors may apply pseudonymization techniques, after carrying out the corresponding risk analysis, to technically preserve the possibility of reidentifying the data being processed.
Pseudonymized data will continue to be considered personal data and, therefore, the provisions of the Data Protection Law will apply to them.
Pseudonymization may be applied in the following cases: (i) in the provision of products or services where identification of the data subject is not necessary; (ii) in scientific, historical, or statistical research processes; and (iii) in internal audits, system testing, or security analyses.
If a reidentification action of pseudonymized information is carried out, such action must be recorded to guarantee the data subjects’ right to data protection.
II. Anonymization
It is a technical security measure used to prevent the identification or reidentification of a data subject.
To apply this technique, a risk analysis of the implications must be carried out, and it must also be assessed that this measure does not affect the continuity and quality of the services provided.
Authorization from the SPDP will be required for the processing of anonymized health data.
If the personal data is anonymized, the consent of the data subject will not be required for its transfer.
III. Blocking
Once the purpose of the processing has been fulfilled, personal data may be retained for the period established by law in compliance with legal obligations, or for as long as there is a legitimate basis that permits such retention.
Nevertheless, blocking techniques must be applied to this data to ensure it is securely maintained and access to it is limited and restricted solely to fulfill the purposes that remain after the primary objective has been exhausted.
IV. Suspension
The data subject has the right to request that the controller or processor temporarily halt a specific processing activity. In such cases, the controller must suspend the processing within no more than three days.
If the processing has been delegated to a processor, the controller must notify the processor of the request, and the processor must suspend the processing within a maximum period of three days from the notification.
Likewise, when a data subject revokes their consent, the controller must cease processing activities within a maximum of three (3) days from receipt of the notification from the data subject.
V. Erasure
The data subject may request the erasure of all or part of their personal data that is being processed. This request will only proceed when the data controller does not have a legal basis for continuing the processing of the personal data that is the subject of the request.
If the data subject exercises this right and their request is accepted, the data controller must provide the data subject with a document certifying the erasure of their personal data.
When the data subject exercises their right of erasure, this request must be notified by the controller to all processors and third parties to whom the data was previously transferred, so that they also proceed with its erasure within three (3) days.
The Data Protection Agreement (DPA) must establish the necessary conditions to carry out and guarantee the return or erasure of personal data by the processor.
Once its legal relationship with the controller has ended, the processor must return or erase the personal data within five (5) days and provide the data controller with a document certifying such erasure.
VI. Right to portability
The right to portability entitles the data subject to receive their personal data from the controller in a compatible format. This transfer must be carried out whenever technically possible.
Once the data transfer has been completed to the new controller, the original controller must erase the transferred data from its own systems.
Within six months of the publication of the Regulation in the Official Register, the General Directorate for Innovation, Technology, and Personal Data Security must present the “Technical Guide to Pseudonymization, Anonymization, Blocking, Suspension, and Erasure in Personal Data Protection.”
Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144
