Ecuador’s PDPL: challenges of the entry into force of its sanctioning regime


DATE: 23-05-2023


Rafael Serrano



The entry into force of the EU General Data Protection Regulation in May 2018 prompted the creation and adaptation of different regulations on personal data protection worldwide. Ecuador was no exception, and on May 26 2021 the Organic Personal Data Protection Law (PDPL), the first law in Ecuador focused exclusively on regulating and guaranteeing personal data protection, entered into force.

Two years later, as stipulated by law, the corrective measures and the sanctioning regime have come into force. Our associate Rafael Serrano writes on this matter in IAPP.

Serrano points out that “as of May, and since the publication of the PDPL, and private entities have been obliged to undertake adaptation processes that have meant significant challenges for them, which have deepened due to the lack of regulation for the application of the PDPL, as well as the lack of creation and designation of a data protection authority”.

These difficulties, he says, “added to the technical, legal and procedural actions the regulated entities adopted, have undoubtedly generated great uncertainty regarding compliance with and application of the PDPL”.

As of May 26, according to Serrano, “a new stage in the protection of personal data in Ecuador will begin. The risks can be significant, as fines can reach up to 1% of the fiscal year’s turnover immediately before the fine’s imposition”.

He states that the law generates a new regulatory regime that positions Ecuador at an international level since, even with all the risks mentioned above, it also presents great opportunities.

“Compliance with this regulation will improve processes and information systems, and help Ecuadorian companies strengthen their corporate images in the international market. In this sense, companies must begin to mitigate risk by implementing certain documents and security measures”.

If you want to read the complete article, click here.