Considerations on the Regulatory Omission of the Exchange of Medical Devices in Public Procurement

The exchange of medicines is a mechanism provided for in Ecuadorian regulations that authorizes institutions within the National Health System to require their suppliers to replace medicines that are close to expiring with others of the same technical specifications but with a longer shelf life (“Exchange”).

This mechanism is regulated exclusively for products defined as: (i) general medicines, (ii) biological medicines, and (iii) medicine kits that include medical devices (hereinafter collectively referred to as “Medicines”). However, it is not regulated for medical devices, which are items or apparatuses designed to treat diseases or support physiological functions in the human body, without acting through pharmacological means.

There are no express or implied rules that require the exchange of medical devices, which creates uncertainty regarding the applicability of the exchange mechanism to these products when they are close to expiration. Additionally, if such a situation arises, there is no clear guidance on how to carry out the exchange.

Article 175 of the Organic Health Law and Ministerial Agreement No. 00015 – 2019 require suppliers to exchange Medicines, even if the procurement process documentation does not expressly include such an obligation. However, neither that regulation nor any other legal framework governs the exchange of medical devices. This regulatory gap generates doubts among suppliers, who are, in principle, not obligated to exchange such products.

In practice, contracting entities include this requirement during various stages of the public procurement process. This scenario can become particularly burdensome when the obligation does not specify limits in terms of volume, frequency, or cause. Due to the vague wording of the respective clauses, suppliers may even be considered non-compliant if they are unable to fulfill them.

To mitigate these risks, suppliers should ensure that any contractual exchange provision is aligned with Ministerial Agreement No. 00015 – 2019, or includes some of its limitations related to quantity, periodicity, or causality, as these are reasonable for the contractor and allow for the anticipation of potential financial impacts.

In addition to the points mentioned above, and to strengthen risk prevention during the pre-contractual stage, it is advisable for suppliers to take the following measures:

a) Verify whether the exchange obligation applies exclusively to medicines and does not extend to medical devices;


b) Ask questions during the inquiry and clarification phase to define the scope of the exchange obligation clearly; and


c) Analyze the historical consumption of the contracting entity through its needs assessment report, in order to anticipate the turnover of the requested product, as low turnover combined with high supply volumes could result in multiple exchange requests.

If such measures are not adopted, experience shows that suppliers may face exchange requests for up to 100% of the medical devices sold.

Gabriela Vázquez
Associate at CorralRosales
gvazquez@corralrosales.com 

AMENDMENTS TO THE PRE-DETERMINATION AND DETERMINATION OF LIABILITY FRAMEWORK

 

Pursuant to Agreement No. 027-CG-2025, published in the Official Gazette No. 83, on July 17, 2025, the Office of the Comptroller General of the State has amended several regulations governing the procedures for the pre-determination and determination of culpable civil liability.

 

The amended regulations include: (i) Organic Statute for Organizational Management by Processes; (ii) Regulations for the Preparation, Processing, and Approval of Government Audit Reports; (iii) Substitute Regulations on the Execution of Documents; and (iv) Regulations on the Determination of Liability.

 

A summary of the amendments is provided below:

 

1. The National Director for the Pre-determination of Liability may refrain from pre-determining civil liability when the amount involved does not exceed US$20,000. For higher amounts, prior authorization from the Deputy Comptroller General of the State shall be required.

 

2. In deciding not to pre-determine civil liability, at least the following criteria shall be taken into account: (i) contradiction or inconsistency between the liability suggested in the audit report and other sections of the report, supporting documentation, or applicable regulations; (ii) absence of evidence demonstrating economic harm; (iii) preparation of the audit report under regulations not in force at the time of the audited actions; and (iv) restitution or payment of the amounts stated in the report by the audited parties.

 

3. If, during the approval process, the approval period expires, the work order shall be canceled and the audit rescheduled.

 

4. Evidence such as on-site inspections, expert reports, acknowledgment of documents, or similar forms shall be admissible, provided they comply with applicable procedural legislation and are conducted by experts accredited by the Judiciary Council.

 

Hugo García Larriva, Partner at CorralRosales
hgarcia@corralrosales.com
+593 2 2544144

Mario Fernández, Associate at CorralRosales
mfernandez@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTE: The foregoing text has been prepared for informational purposes. CorralRosales is not responsible for any loss or damage caused as a result of acting or failing to act on the basis of the information contained in this document. Any additional specific situation requires the firm's specific opinion and advice.


RESOLUTION NO. SPDP-SPD-2025-0030-R – REGULATIONS FOR PSEUDONYMIZATION, ANONYMIZATION, BLOCKING, AND DELETION OF PERSONAL DATA

By Resolution No. SPDP-SPD-2025-0030-R, dated August 7, 2025, the Superintendency of Personal Data Protection (hereinafter “SPDP”) issued the Regulations for the pseudonymization, anonymization, blocking, and deletion of personal data (hereinafter the “Regulation”).

 

The purpose of the Regulation is to establish guidelines for applying data security measures and ensuring the effective exercise of data subjects’ rights.

Below, we summarize the main aspects of the Regulation:

I. Pseudonymization

 

Pseudonymization is a technical measure that preserves the possibility of reidentification of the data being processed.

 

Data controllers or processors may apply pseudonymization techniques, after carrying out the corresponding risk analysis, to technically preserve the possibility of reidentifying the data being processed.

 

Pseudonymized data will continue to be considered personal data and, therefore, the provisions of the Data Protection Law will apply to them.

 

Pseudonymization may be applied in the following cases: (i) in the provision of products or services where identification of the data subject is not necessary; (ii) in scientific, historical, or statistical research processes; and (iii) in internal audits, system testing, or security analyses.

If a reidentification action of pseudonymized information is carried out, such action must be recorded to guarantee the data subjects’ right to data protection.

 

II. Anonymization

 

Anonymization is a technical security measure used to prevent the identification or reidentification of a data subject.

 

To apply this technique, a risk analysis of the implications must be carried out, and it must be verified that the measure does not affect the continuity and quality of the services provided.

 

Authorization from the SPDP will be required for the processing of anonymized health data.

 

If the personal data is anonymized, the consent of the data subject will not be required for its transfer.

 

III. Blocking

 

Once the purpose of the processing has been fulfilled, personal data may be retained for the period established by law in compliance with legal obligations, or for as long as there is a legitimate basis that permits such retention.

 

Nevertheless, blocking techniques must be applied to this data to ensure it is securely maintained and access to it is limited and restricted solely to fulfill the purposes that remain after the primary objective has been exhausted.

 

IV. Suspension

 

The data subject has the right to request that the controller or processor temporarily halt a specific processing activity. In such cases, the controller must suspend the processing within no more than three days.

 

If the processing has been delegated to a processor, the controller must notify the processor of the request, and the processor must suspend the processing within a maximum period of three days from the notification.

 

Likewise, when a data subject revokes their consent, the controller must cease processing activities within a maximum of three (3) days from receipt of the notification from the data subject.

 

V. Erasure

 

The data subject may request the erasure of all or part of their personal data that is being processed. This request will only proceed when the data controller does not have a legal basis for continuing the processing of the personal data that is the subject of the request.

 

If the data subject exercises this right and their request is accepted, the data controller must provide the data subject with a document certifying the erasure of their personal data.

 

When the data subject exercises their right of erasure, this request must be notified by the controller to all processors and third parties to whom the data was previously transferred, so that they also proceed with its erasure within three (3) days.

 

The Data Protection Agreement (DPA) must establish the necessary conditions to carry out and guarantee the return or erasure of personal data by the processor.

 

Once its legal relationship with the controller has ended, the processor must return or erase the personal data within five (5) days and provide the data controller with a document certifying such erasure.

 

VI. Right to portability

 

The right to portability entitles the data subject to receive their personal data from the controller in a compatible format. This transfer must be carried out whenever technically possible.

 

Once the data transfer has been completed to the new controller, the original controller must erase the transferred data from its own systems.

 

Within six months of the publication of the Regulation in the Official Register, the General Directorate for Innovation, Technology, and Personal Data Security must present the “Technical Guide to Pseudonymization, Anonymization, Blocking, Suspension, and Erasure in Personal Data Protection.”

 

 

 

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

Juan Fernando Riera, Associate at CorralRosales
jriera@corralrosales.com
+593 2 2544144


UPDATE OF THE TAX ID – TAXPAYERS OBLIGATED TO REPORT TO UAFE

 

On August 6, 2025, the Tax Authority (“SRI”) issued Resolution No. NAC-DGERCGC25-000000018 (the “Resolution”), whereby it establishes the following:

 

  1. The Single Taxpayer Registry (“RUC”) will indicate whether or not the taxpayer is an obligated party to report to the Financial and Economic Analysis Unit (“UAFE”).
  2. The SRI may suspend the RUC of those taxpayers who have not obtained their Registration Code issued by the UAFE within 30 business days after opening or updating their RUC.
  • In the event of suspension, it will remain in effect until the taxpayer submits to the SRI the certificate of compliance with obligations issued by the UAFE.

 

We recommend reviewing the activities listed in the RUC to retain only those activities that the taxpayer actually performs and remove those that are not carried out, in order to avoid being incorrectly classified as an obligated party to report to the UAFE.

Andrea Moya, Partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

Juan Fernando Riera, Associate at CorralRosales
jriera@corralrosales.com
+593 2 2544144


EXTENSION FOR SUBMISSION OF EQUALITY PLANS

On July 30, 2025, the Ministry of Labor issued Ministerial Agreement No. MDT-2025-083, extending until December 31, 2025 the deadline for private sector employers with 50 or more employees on their payroll to register their “Equality Plans” through the Unified Labor System (SUT).

Once this deadline has passed, the Ministry of Labor will begin the corresponding control and sanction process in cases where registration has not been completed.

 

Edmundo Ramos, Partner at CorralRosales
eramos@corralrosales.com
+593 2 2544144

 

María Victoria Beltrán, Senior Associate at CorralRosales
mbeltran@corralrosales.com
+593 2 2544144

 

© CORRALROSALES 2024

Covid-19 pandemic does not constitute force majeure event justifying non-use in food sector

  • Grupo Bimbo argued that the pandemic constituted a force majeure event that severely disrupted the commercialisation of goods under the DONETTES mark
  • The IP Office disagreed, stating that certain products, such as Class 30 goods, were consistently treated as essential items during the pandemic
  • The DONETTES mark encompassed a broad array of goods, thus offering multiple potential avenues through which to demonstrate continued commercial use

In a landmark decision with significant implications for trademark owners (Resolution No OCDI-2025-388, Proceedings OCDI-2021-547-AC), the Ecuadorian IP Office has upheld a non-use cancellation action against the trademark DONETTES, owned by Grupo Bimbo SAB de CV, emphasising the stringent evidentiary standards required to demonstrate trademark use, even under extraordinary circumstances such as a global pandemic.

Background

The applicable legal framework, Andean Community Decision 486 Establishing the Common Industrial Property Regime, precisely defines the term ‘use’. It states that a trademark is considered used when the associated goods or services are effectively placed on the market or made available in a manner and quantity consistent with standard commercial practices, considering their inherent nature.

In its defence, Grupo Bimbo contended that the onset of the covid-19 pandemic in 2020 – a period falling squarely within the relevant timeframe – constituted a force majeure event that severely disrupted the commercialisation of the goods protected under the DONETTES mark. Grupo Bimbo further requested that the IP Office grant a four-month extension to the relevant period, citing the state of emergency declared in Ecuador. During this period, constitutional guarantees, including freedom of movement and assembly, were temporarily suspended, and numerous public institutions, such as the IP Office itself, suspended deadlines for judicial and administrative matters.

Decision

The IP Office meticulously assessed these arguments. While acknowledging that the state of emergency imposed restrictions on certain non-essential activities, the IP Office underscored that essential sectors, such as food production, distribution and sales, were explicitly exempt from many of these limitations. Further, it noted that commercial channels, such as home delivery and telecommunications services, remained fully operational and continued to facilitate commerce throughout the crisis.

In evaluating Grupo Bimbo’s claims, the IP Office paid particular attention to the nature and scope of the goods covered by the DONETTES mark. It highlighted that some goods, such as bakery and pastry goods (Class 30), were consistently treated as essential items during the pandemic. Moreover, the DONETTES mark encompassed a broad array of goods, thereby offering multiple potential avenues through which Grupo Bimbo could have demonstrated continued commercial use.

Ultimately, the IP Office concluded that the pandemic, while undeniably disruptive, did not prevent Grupo Bimbo from putting the mark to genuine use across the various protected goods. Consequently, the IP Office held that Grupo Bimbo’s arguments, including those related to force majeure, were inadequate to justify non-use.

Comment

This decision serves as a strong precedent for the use of trademarks. It strongly reinforces the principle that trademark rights are fundamentally conditioned on their actual and effective use in commerce. Further, it clarifies that defences based on force majeure or similar extraordinary circumstances will be construed narrowly, particularly when alternative commercial channels or exempted product categories exist, or where the exceptional circumstances did not unequivocally impact the protected goods. In times of crisis, trademark owners are urged to proactively preserve clear, contemporaneous evidence of use across all possible channels to safeguard their marks from cancellation due to non-use.

Andrea Miño
Associate at CorralRosales
andrea@corralrosales.com 

RESOLUTION NO. SPDP-SPD-2025-0028-R

On July 30, 2025, through Resolution No. SPDP-SPD-2025-0028-R, the Data Protection Authority (“SPDP”) issued the Governing Rules for the Data Protection Officer, with the purpose of regulating the activities associated with that role.

 

Below are the most relevant aspects:

 

I. Appointment of the Data Protection Officer (“DPO” or “DPOs”)

 

The DPO must be appointed by the legal representative or a duly authorized attorney-in-fact of the organization, in its capacity as data controller or data processor.

 

The appointment must include the following:

 

  1. Date of appointment.
  2. Identification details of the organization:
    a. For domiciled entities: Corporate name and tax identification number (RUC);
    b. For non-domiciled entities: Corporate name, tax identification number, address, phone numbers, and email addresses of the parent company or main office.
  3. Name of the legal representative.
  4. Name of the DPO.
  5. Functions of the DPO.
  6. Signature of the legal representative or attorney-in-fact.
  7. Express acceptance of the position by the DPO.

 

The appointment must be submitted to the SPDP within fifteen (15) days of its issuance. Failure to comply with this deadline will be considered an infringement classified as a serious violation.

 

The appointment will be recorded in a public registry to be created by the SPDP.

 

II. Special Cases of Mandatory Appointment

 

In addition to the cases provided for in the Data Protection Law (“LOPDP”), the following entities are required to appoint a DPO:

 

  1. Entities processing personal data of minors.
  2. Higher education institutions that process special categories of personal data for academic or administrative purposes.
  3. Entities engaged in financial activities.
  4. Insurance entities, reinsurance companies or intermediaries, as well as insurance advisors, brokers, agents, and other service providers in the insurance sector.
  5. Companies engaged in advertising, commercial prospecting, or market research that process personal data involving profiling.
  6. Members of the healthcare system responsible for maintaining patient medical records, except for individual health professionals practicing privately.
  7. Establishments in the pharmaceutical sector that carry out the production, distribution, or marketing of pharmaceutical products, including laboratories, drug representatives, pharmaceutical distributors, and pharmacies.
  8. Private security companies, as well as private legal entities or trusts administering gated communities, private residential complexes, or condominiums, due to their processing of personal data for access control purposes.
  9. Professional sports federations or associations, sports corporations, professional clubs, or sports academies.
  10. Professional associations or bar councils.
  11. Telecommunications service providers.
  12. Companies offering or providing mass video surveillance, geolocation, or information technology services, including those involved in the development, implementation, or deployment of artificial intelligence.
  13. Public or private legal entities that are public service concessionaires, as well as public-private partnerships distributing, marketing, or supplying public services.

 

These entities must appoint a DPO regardless of whether they act as data controllers or data processors, and regardless of whether they operate for profit.

 

III. Additional Requirements for the DPO

 

In addition to the requirements established in the Regulations to the LOPDP, the DPO must comply with and successfully complete the DPO professionalization program officially approved by the SPDP.

 

This obligation will become effective as of January 1, 2029.

 

IV. Prohibitions

 

The DPO may not engage in the following activities:

 

  1. Carry out functions corresponding to the data controller or data processor.
  2. Directly implement data protection regulations within the organization.
  3. Conduct data protection risk assessments or data protection impact assessments. The DPO may only issue non-binding comments or recommendations.
  4. Make decisions regarding the purposes or means of processing.
  5. Represent the organization before the SPDP.
  6. Serve as the information security officer, compliance officer, implementer, or any other role that may create a conflict of interest.
  7. Perform duties that compromise their independence, autonomy, impartiality, or objectivity as a DPO.

 

Local representatives on data protection matters of non-established processors or controllers may not serve as DPOs within the same organization.

 

V. Conflicts of Interest

 

Before their appointment, the DPO must disclose any actual, potential, or apparent conflict of interest. If such a conflict arises before or after the appointment, the organization must take corrective measures, such as refraining from appointing the individual, modifying their duties, or revoking the appointment, as appropriate.

 

A conflict of interest shall be deemed to exist when the DPO:

 

  1. Carries out or participates in personal data processing activities, even occasionally.
  2. Provides advisory services beyond their functions that aim to safeguard the interests of the organization.
  3. Makes decisions regarding the organization, its activities, or its internal operations.

 

VI. Impartiality and Independence of the DPO

 

The DPO must act with full independence in the performance of their duties.

 

The organization must ensure the DPO’s independence and impartiality by implementing the following control mechanisms:

 

  1. Direct access and communication with the highest executive and decision-making level within the organization.
  2. Availability of technical, financial, and human resources.
  3. Mechanisms for effective consideration of the DPO’s observations and recommendations regarding the data processing activities carried out by the organization.
  4. Reports assessing the organization’s level of compliance with data protection regulations.

 

Compliance assessments must be conducted annually by the organization. Under no circumstance may the assessment be carried out by the DPO.

 

The DPO may report the data controller or processor to the SPDP for any actions that may undermine their independence or constitute retaliation related to their duties.

 

VII. Additional Considerations

 

Data controllers and processors must register their DPO by December 31, 2025.

 

Failure to register the DPO will be considered a serious violation due to the lack of implementation of security measures.

 

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

Juan Martín Chavez, Associate at CorralRosales
jchavez@corralrosales.com
+593 2 2544144


BILL “LAW FOR THE CONTROL OF IRREGULAR CAPITAL FLOWS”

 

The President of the Republic of Ecuador has submitted the “Law for the Control of Irregular Capital Flows” bill to the National Assembly. The most important tax provisions are detailed below:

  1. Income Tax on Dividend Distribution

Profits or dividends distributed by entities with tax residence in Ecuador or permanent establishments located in Ecuador to their shareholders will be subject to a unique income tax.

The applicable rates are:

  • 12% in general.
  • 10% for distributions to individuals and entities that do not have tax residence in Ecuador.
  • 14% in the following cases:
    • If the distribution is made to non-resident entities when: (i) a resident of a tax haven or low-tax jurisdiction is part of the ownership structure, and (ii) the final beneficiary is a tax resident in Ecuador.
    • If the local company distributing the dividend fails to report its ownership structure.

The following exemptions are established:

  • Dividends distributed to other entities with tax residence in Ecuador or to permanent establishments located in Ecuador are not considered taxable income; and
  • If the dividend recipient is an individual with tax residence in Ecuador, an exemption applies equivalent to 3 minimum wages received by each company distributing the dividend, within the same fiscal period.

Dividends distributed between January 1, 2025, and the first day of the month following the effective date of this law, to individuals with tax residence in Ecuador, will be consolidated with global income and will be subject to taxation according to the applicable progressive tariffs.

  2. Advance Income Tax on Undistributed Profits

Entities with tax residence in Ecuador and permanent establishments located in Ecuador that, as of July 31 of each fiscal year, have not distributed their retained earnings from previous years are required to pay the following:

This amount may be offset by the company with the corporate income tax during the two subsequent fiscal years. If the credit is not offset during this period, it will not be subject to a refund and will be recorded as a non-deductible expense in the respective year.

This payment is not applicable for: (i) trusts that do not carry out business activities or operate ongoing businesses; (ii) non-profit organizations; (iii) public companies; (iv) mixed-economy companies with respect to the Governments’ share.

Effectiveness of the Provisions

These provisions will come into force on the first day of the month following the publication of this law in the Official Registry.

 

Andrea Moya, Partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

Mateo Bravo, Associate at CorralRosales
mbravo@corralrosales.com
+593 2 2544144


SCE PUBLISHES MARKET STUDY ON THE HEALTH INSURANCE AND PREPAID MEDICAL SERVICES MARKET: PROPOSES STRUCTURAL REFORMS TO STRENGTHEN COMPETITION AND PROTECT USERS

 

The Superintendency for Economic Competition (“SCE”) has released the findings of its Market Study on the Health Insurance and Prepaid Medical Services Sector (Case No. SCE-IGT-INAC-3-2023). The report identifies structural distortions that hinder competition and transparency in this market and puts forward a reform agenda directed at the Superintendency of Companies, Securities and Insurance (“SCVS”), the Ministry of Public Health (“MSP”), and the Agency for Quality Assurance of Health Services and Prepaid Medicine (“ACESS”).

Key findings include:

  • High market concentration and practices that restrict user mobility.
  • Lack of pricing transparency: unjustified premium surcharges without a technical or financial basis.
  • Information asymmetry: 77% of users are unaware of the factors that drive their premium increases.
  • Barriers to mobility and gender-based premium segmentation without technical justification.

The SCE recommends seven regulatory reforms to be implemented by the SCVS, aimed at (i) ensuring free portability of health insurance policies that preserve benefits and waiting periods when changing providers; (ii) requiring technical justification for premium surcharges that may distort pricing; (iii) establishing a local registry for reinsurers operating in the country to ensure compliance with SCVS regulations; (iv) aligning the obligations of prepaid medicine companies with those of insurance companies, including the mandatory contracting of reinsurance and compliance with equivalent minimum capital requirements; (v) adapting prepaid medicine contracts to conform with the provisions of the Organic Law of the National Health and Social Security System; and (vi) mandating individualized and confidential transparency in the provision of information to beneficiaries regarding the variables that determine premium renewal values.

Additionally, the SCE recommends that the MSP adopt measures to ensure the recognition of fulfilled waiting periods when modifying contracts within the same company and revise the current 24-month waiting period considering its restrictive effects on treatment continuity and overall market efficiency.

ACESS is encouraged to review the structure of currently approved plans to apply the principle of minimal differentiation and prevent the proliferation of products with artificial distinctions that confuse users and may distort competition.

Finally, SCE proposes the establishment of inter-institutional technical working groups to coordinate the implementation of these recommendations, reaffirming its commitment to fostering more efficient, equitable markets focused on user welfare.

 

Ana Samudio, Associate at CorralRosales
asamudio@corralrosales.com
+593 2 2544144

Thalía Ordoñez, Associate at CorralRosales
tordonez@corralrosales.com
+593 2 2544144


RESOLUTION NO. SPDP-SPD-2025-0022-R

 

On July 23, 2025, through Resolution No. SPDP-SPD-2025-0022-R, the Data Protection Authority (“SPDP” or “Authority”) issued the Regulation for the application of the methodology for calculating fines under the SPDP’s administrative sanctions regime (“Regulation”).

 

The Regulation is mandatory for the SPDP and aims to establish the methodology for calculating fines applicable to violations outlined in the Data Protection Law.

 

In determining the applicable fine, the Authority shall apply the principle of proportionality, and the corresponding amounts shall be supported by justifications or rationales.

 

If the calculated fine is below the minimum threshold established in the LOPDP, the minimum value shall apply. If the estimated amount exceeds the maximum threshold, the maximum value outlined in the LOPDP shall be applied.

Under the Regulation, the SPDP may apply one of two models for calculating fines. The Authority may use the deterministic model when the applicable values are known with certainty, or the stochastic model when uncertainty exists.

  1. Deterministic calculations

  • Calculation model MPRIV-1

The SPDP may apply this model to determine the applicable fine for private for-profit institutions. The model takes into account the following factors:

  1. Turnover (“VDN”): Refers to the revenue from the most recent fiscal year of the alleged infringer, after deducting taxes related to the economic operation.

  2. Category of the infringement (“CDI”): Considers the following components:

    1. Fine range (“RDM”): Identifies the category of the infringement and establishes the applicable percentage for the fine. Minor violations are sanctioned with a percentage ranging from 0.1% to 0.7%, while serious violations are sanctioned with a percentage ranging from 0.7% to 1% of the VDN.
    2. Weight of the infringement (“PDI”): Assesses the maturity level of compliance with the LOPDP and the corrective measures implemented by the alleged infringer. This is determined within a range of 0% to 100%.

  3. Severity of the infringement (“SDI”): Composed of three factors, each calculated using the PERT formula:

    a. Impact on Data Subjects’ rights and freedoms (“IED”), with a weight of 60%. This includes four elements:

      1. Types of personal data.
      2. Number of affected data subjects and volume of data.
      3. Nature of the breach.
      4. Groups of particularly vulnerable data subjects.

    b. Intentionality (“INT”), with a weight of 40%. Assessed based on the willful misconduct or negligence and the level of awareness of the alleged infringer.

    c. Recidivism[1] and reiteration[2] (“RER”), as an optional factor, may be included with an additional weight of 20%.

  4. The final fine is obtained by multiplying the value estimated based on the CDI by the SDI.

  • Formulas for calculating the fine under the MPRIV-1 model

  • CDI = VDN x RDM minimum + (PDI/100) x (VDN (RDM maximum – RDM minimum))
  • SDI = 2 (IED + INT + RER)
    • IED: PERT = (minimum value + 4 x most probable value + maximum value) / 6
    • INT: PERT = (minimum value + 4 x most probable value + maximum value) / 6
    • RER: PERT = (minimum value + 4 x most probable value + maximum value) / 6
  • Fine = CDI x SDI

  • Calculation model MPUB-1

This model applies to sanctions imposed on public officials and civil servants. It follows the same methodology as the MPRIV-1 model, with the exception that the business volume factor is replaced by a value based on the Statutory Minimum Wage.

  2. Stochastic calculation

This method is applied using a Monte Carlo analysis in cases where there is uncertainty regarding the values required to calculate the fine. Through this analysis, multiple random scenarios are generated, enabling the SPDP to operate within a range of outcomes and make decisions informed by sound judgment.

[1] Art. 71 and 72 of the Data Protection Law, Official Register Supplement 459 of May 26, 2021. Occurs when the previous and current infringements are of the same nature; that is, they involve the same type of non-compliance or infringing conduct.

[2] Ibid. Occurs when the offender has previously been sanctioned for two or more minor infringements, or one infringement of equal or greater severity than the current one, even if not necessarily of the same nature.

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

Juan Martín Chavez, Associate at CorralRosales
jchavez@corralrosales.com
+593 2 2544144
