NEW FRAMEWORK APPLICABLE TO PERSONS WITH DISABILITIES, PERSONS WITH CATASTROPHIC DISEASES, CAREGIVERS, AND SUBSTITUTES

Within the current regulatory framework, specific provisions have been incorporated that directly affect the rights and benefits applicable to people with disabilities, their substitutes, and caregivers, as well as those facing rare, orphan, catastrophic, or complex diseases. These reforms cover key aspects related to access to services, labor, education, and health benefits. We highlight the following:

  1. Person with Disability: An individual presenting structural or functional, bodily, mental, intellectual, sensory, or psychosocial impairments and limitations in exercising essential daily life activities autonomously.

 

The Law introduces a new category of disability not regulated in the previous statute, namely psychosocial impairments.

 

Previously, applicable regulations determined that the rights of people with disabilities depended on their disability percentage. However, the current law eliminated this classification system, proposing instead that disability be categorized as mild, moderate, severe, very severe, and complete.

 

  1. Direct Substitute: A person responsible for the maintenance or care of individuals with severe, very severe, or complete disabilities, related up to the fourth degree of consanguinity and the second degree of affinity.

 

Parents and legal representatives of minors with any type and percentage of disability are also considered direct substitutes.

 

Certification of Direct Substitutes:

 

  • People seeking recognition as substitutes for adults with severe, very severe, or complete disabilities must submit a certificate of non-affiliation to the social security under a dependency regime.
  • Where certification of substitute status is required by an employer to comply with inclusion quotas, a copy of the employment contract must be submitted.
  • People with disabilities may, if deemed necessary, request the withdrawal of substitute status.
  • Employers are required to register within 30 days, in the system established by the Ministry of Labor, those employees who have notified them of their substitute status.
  • Failure to register may result in a fine of USD 200 per unregistered employee, up to a maximum of 20 Unified Basic Salaries (currently USD 9,400.00).
  • Employees are likewise obligated to notify their employer of their substitute status.
  • The Ministry of Labor, through the SUT platform, has implemented a complementary system to verify the authenticity of substitute certificates.

 

  1. Caregiver: The new law introduces the category of caregiver, defined as the mother, father, legal representative, or guardian authorized to care for a person with a severe, very severe, or complete disability.

 

Caregivers assume responsibility for assisting people with disabilities who, to varying degrees, require support in carrying out daily life activities.

 

This role confers rights distinct from those of substitutes, and caregivers are not included within the inclusion quota.

 

  1. Remote Work Authorization: people with disabilities pursuing postgraduate or continued education systems can request to work remotely.

 

  1. Labor Inclusion: employers with 25 or more employees must include at least 4% of people with disabilities. Substitute personnel may be included within the quota, provided they do not exceed 25% of the total inclusion required.

 

To fully comply with the quota, employers must apply principles of gender equity and disability diversity, and where operations exist in multiple provinces, distribute included personnel equitably.

 

Noncompliance may result in monetary sanctions of 11 to 15 unified basic salaries or the suspension of activities for up to thirty days.

 

  1. Labor Inclusion for Private Security Companies: for the purpose of calculating the inclusion quota, private security and surveillance companies may consider substitutes in operational roles, even exceeding the maximum percentage allowed in other sectors.

 

  1. Employment Conditions: people with disabilities must be hired on full-time schedules (8 hours), under contractual modalities deemed stable or permanent by law.

 

Part-time employment is permitted only with medical certification confirming the impossibility of full-time work.

 

  1. Job Stability: people with disabilities, as well as those responsible for their maintenance and/or care, enjoy reinforced job stability. Unjustified dismissal entitles them to either reinstatement or additional severance equal to 18 months of the highest salary received from the employer.

 

  1. Extended Maternity Leave: in cases of childbirth involving minors with disabilities or severe congenital conditions, maternity leave is extended by three months.

 

  1. Leave for Substitutes and Caregivers: individuals responsible for people with severe, very severe, or complete disabilities are entitled to two hours of daily leave for caregiving purposes.

 

  1. People with Rare, Orphan, Catastrophic, or Highly Complex Diseases Employment Rights: employees who demonstrate such conditions are entitled to workplace accommodations, including modified schedules, where necessary.

 

  1. Rights of Substitutes and Caregivers:

13. Income Tax Deduction: employers may deduct an additional 150% of all remunerations and benefits contributed to social security (IESS) with respect to disabled employees and substitutes exceeding the mandatory inclusion quota.

 

14. Tax Exempt from Vehicle Imports: In the case of used vehicles, the model must correspond to the last three years prior to importation, (between the model year and the year of shipment).

 

The beneficiary may access a new tax-exempt importation five years after the Customs Import Declaration has been cleared.

 

15. Local Purchase of Exempt Vehicles: local purchase must be authorized by the Internal Revenue Service within a maximum period of 30 days from the submission of the application. Only new vehicles will be exempt from local taxes. The beneficiary may access a new exemption five years after the local purchase.

 

If it is determined that the conditions for benefiting from the exemption on local vehicle purchases were not met, the Internal Revenue Service will recalculate the tax for the total amount of the exempted values plus the respective interest.

 

16. Exceptional Transfer Clause: if the person with a disability benefiting from the tax exemption is unable to fulfill their financial obligation to the seller of the vehicle due to an emerging personal economic crisis, they may request the transfer of the vehicle within one year from the date of importation or acquisition.

 

To this end, the person with a disability or the person interested in acquiring the vehicle, duly authorized by the beneficiary of the exemption, may request the transfer of ownership of the vehicle from the customs or tax authority, as appropriate, and pay the proportional part of the taxes remaining to complete the five-year period, calculated from the date of submission of the transfer request.

 

To this end, the person with a disability must, by means of a sworn statement before a notary public, justify the reasons for their emerging financial hardship; they will be prevented from benefiting from this exemption again until five years have elapsed from the date of release of the import or acquisition, as applicable.

 

17. Use of Exempt Vehicles: vehicles imported or purchased locally with tax exemption must be driven by the person with a disability who is the beneficiary of the exemption. Extraordinarily, and depending on the condition of the person with a disability, the vehicle may be driven by:

 

  • Members of the family unit of the person with a disability, including up to the second degree of consanguinity and first degree of affinity.
  • A person outside the immediate family, if they can prove that the person with a disability is under their protection, care, or dependency (e.g., driver) and that the person with a disability is in the vehicle.
  • In emergency situations, when the person with a disability is unable to drive the vehicle due to exceptional circumstances, duly justified and verifiable if applicable.

**Legal References:

  1. Organic Law for Persons with Disabilities. Published July 3, 2025, Fourth Supplement of the Official Gazette No. 73.
  2. Ministerial Agreement MDT-2025-105 “Regulation for the Certification of Direct Substitutes of Persons with Disabilities.” Published August 26, 2025, Third Supplement of the Official Gazette No. 110.
  3. Organic Reform Law to Various Legal Bodies to Guarantee the Labor Rights of Persons with Disabilities, Rare, Orphan, Catastrophic, and Highly Complex Diseases, and Their Substitutes. Published June 20, 2025, Fifth Supplement of the Official Gazette No. 64.

 

 

Andrea Moya, Partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

Edmundo Ramos, partner at CorralRosales
eramos@corralrosales.com
+593 2 2544144

María Victoria Beltrán, Associate at CorralRosales
mbeltran@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

SUSPENSION OF DEADLINES AND TERMS FOR THE DECLARATION AND PAYMENT OF “ECO DELTA” AND “POTENCIA TURÍSTICA” FEES

Through Interministerial Agreement No. 2025-013, issued by the Ministry of Production, Foreign Trade, Investments and Fisheries together with the Ministry of Tourism, it has been ordered:

 

  • The suspension of deadlines and terms for the declaration and payment of the “Eco Delta” and “Potencia Turística” fees, effective September 15, 2025, for a period of two months.
  • No interest or penalties will accrue on obligations that fall within the suspension period.
  • The obligation to declare and pay remains in force; therefore, airlines must comply with these obligations once the suspension period ends or earlier, if lifted through a new ministerial agreement.

 

Reason for the suspension:

 

This measure is adopted as part of the merger by absorption of the Ministry of Tourism into the Ministry of Production, Foreign Trade, Investments and Fisheries, in order to ensure a proper administrative transition and guarantee due process in tax and collection procedures.

 

Summary of the fees:

 

  • Eco Delta: Fee applied to international airline tickets issued in Ecuador, aimed at fostering air connectivity and promoting tourism.

 

  • Potencia Turística: Contribution created to finance national tourism development and promotion projects.

Chester Salazar, Senior Associate at  CorralRosales
csalazar@corralrosales.com
+593 2 2544144

Veronica Olivo, Associate at  CorralRosales
volivo@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

AMENDMENTS TO THE REGULATION ON EXTERNAL AUDIT

Update of asset thresholds for entities subject to the supervision of the Superintendence of Companies, Securities and Insurance, requiring their annual financial statements to be submitted to mandatory external audit.

Supplement No. 118 of the Official Register, dated September 5, 2025, published Resolution No. SCVS-INC-DNCDN-2025-0005 of August 27, 2025, issued by the Superintendence of Companies, Securities and Insurance, which, for the purposes of external audit, the amounts that were previously expressed in United States dollars have been replaced with values equivalent to a specific number of minimum wages. In this manner, the thresholds applicable to the assets of domestic entities, as well as branches of foreign corporations or other foreign companies organized as legal entities, shall be adjusted automatically on an annual basis.

Under these amendments, the following entities are required to submit their annual financial statements to external audit review:

  1. a) Domestic mixed-economy companies, corporations, and simplified joint-stock corporations with the participation of public entities or private legal entities with a social or public purpose, whose assets exceed two hundred seventy-three (273) minimum wages.
  2. b) Branches of foreign corporations or enterprises organized as legal entities and established in Ecuador, provided that their assets exceed two hundred seventy-three (273) minimum wages.
  3. c) Domestic corporations, limited liability companies, partnerships limited by shares, and simplified joint-stock corporations whose assets exceed one thousand three hundred sixty-six (1,366) minimum wages.
  4. d) Entities subject to the control and oversight of the Superintendence of Companies, Securities and Insurance, which are required to file consolidated financial statements.

For purposes of the Regulation on External Audit, “assets” shall mean the total assets recorded in the statement of financial position submitted by the respective company to the Superintendence of Companies, Securities and Insurance in the prior fiscal year.

These amendments shall apply from the statement of financial position corresponding to the fiscal year 2025.

Milton Carrera, Partner at CorralRosales
mcarrera@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

AMENDMENTS TO THE MINING LAW

In the Third Supplement to the Official Registry No. 112 of August 28, 2025, the Organic Law on Social Transparency was published.

The Fifth Amending Provision modifies the Mining Law (the “Law”) as follows:

Exploration Stage of the Mining Concession

Before the expiration of the initial exploration period, if the concessionaire wishes to continue mining exploration activities, it must request approval from the Sectoral Ministry to transition to the advanced exploration period for a term of four years. This request must include: an express waiver of part of the concession area; and evidence of compliance with the minimum activities and investments required during the initial exploration period.

For concessions obtained through auction or tender, the concessionaire must also demonstrate compliance with:

  1. The minimum investment amounts established by law; and
  2. The committed investment declared in its financial bid for each concession granted.

If the Sectoral Ministry fails to issue the corresponding resolution within sixty (60) days from the approval of the request, advanced exploration shall be deemed authorized.

Caducity of Mining Rights

In the administrative process for the caducity of a mining concession due to any of the causes established in the Law, the timeframe for the concessionaire to prove compliance with its obligations, submit defenses, and provide supporting evidence is reduced from forty-five (45) to fifteen (15) days.

If an administrative resolution determines that obligations remain outstanding, the concessionaire will have fifteen (15) days (previously forty-five) to remedy the non-compliance. Failure to do so within this period will result in the Sectoral Ministry declaring the forfeiture of mining rights through a reasoned resolution.

Caducity of mining rights shall also be declared automatically, without the need for further administrative proceedings, if the environmental authority has determined and notified the existence of environmental damage.

New Cause of Caducity for Non-Payment

Within the grounds of caducity due to non-payment of fees, royalties, and other rights or taxes established under this Law and its Regulations, administrative fees are now expressly included, broadly and without specific limitation

New Cause of Caducity for Breach of Economic Commitments

A new unnumbered article following Article 177 establishes that mining concessions obtained through auction or tender shall be terminated if the concessionaire fails to comply with either the minimum investment amounts or the committed investment set forth in its financial bid.

Verification Process of Minimum Investment and Committed Investment

The Ninth Transitory Provision instructs the Mining Regulation and Control Agency, within ninety (90) days, to verify whether mining concessions obtained through auction or tender have complied with the minimum investment amounts and the committed investment proposed in the financial bid. The results must be reported to the Sectoral Ministry to initiate, if applicable, forfeiture proceedings.

 

Carlos Torres, Senior Associate at CorralRosales
ctorres@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

NEW BINDING JURISPRUDENTIAL PRECEDENT IN LABOR LAW

The National Court of Justice, through Resolution No. 15-2025, has issued a new binding jurisprudential precedent in labor law matters.

The Specialized Chamber for Labor Law identified a recurring issue in several cases where the plaintiff’s (employee’s) testimony as a party was considered, on its own, sufficient evidence to prove the facts alleged in their complaint.

The analysis was grounded on the principles of evidence assessment established in the Organic General Code of Processes (COGEP), which mandate that evidence must be evaluated as a whole and in accordance with the rules of sound judicial discretion (sana crítica). Consequently, the plaintiff’s statement as a party cannot be the sole piece of evidence sufficient to prove the facts alleged in the complaint.

Binding Jurisprudential Precedent

The Plenary of the National Court has resolved to declare the following point of law as a binding jurisprudential precedent:

In labor law matters, the plaintiff’s testimony as a party does not, by itself, constitute suitable and sufficient evidence to prove the facts alleged in the complaint. Therefore, for said testimony to acquire evidentiary sufficiency, it must be corroborated by external, objective data that allows it to be subjected to an examination of credibility, verisimilitude, and reliability.”

Effects of the Resolution

  • This precedent is of mandatory compliance for all judges in the country, including the National Court of Justice itself.
  • The resolution entered into force upon its publication in the Official Gazette (September 1, 2025).

Mateo Zavala, Associate at CorralRosales
mzavala@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

LAW OF SOCIAL TRANSPARENCY

 

The Law of Social Transparency, published in Official Gazette Third Supplement No. 81 on August 28, 2025, establishes the following tax reforms:

 

  1. Income Tax on the Distribution of Dividends

The profits or dividends distributed by resident companies or permanent establishments in Ecuador will be subject to a single income tax. This tax will be withheld by the company making the distribution.

The applicable tax rate is 12%; however, it is reduced or increased in the following cases:

  1. 10% if the distribution is made to individuals and companies that are not residents of Ecuador.
  2. 14% in the following cases:
    1. If the distribution is made to non-resident entities when: (i) in the ownership chain, there is a resident in a tax haven or low-tax jurisdiction; and (ii) the beneficial owner is a tax resident in Ecuador.
    2. If the local entity distributing the dividend fails to comply with the obligation to disclose its ownership structure.

Dividends distributed to another resident company or permanent establishment in Ecuador are not considered taxable income.

If the dividend recipient is an individual resident in Ecuador, the equivalent of 3 unified basic salaries (USD 1,410 for 2025) will be considered exempt with respect to each company distributing dividends, within the same tax period.

Dividends distributed between January 1 and August 28, 2025, will be consolidated with global income and subject to the regular income tax payment.

 

  1. Income Tax Advance on Undistributed Profits

Companies and permanent establishments with tax residence in Ecuador that, by July 31 of each tax year, do not distribute accumulated profits from previous years, shall pay on that balance the following rates:

BRACKET FROM TO RATE 1 – $100,000.00 0.00% 2 $100,000.01 $1,000,000.00 0.75% 3 $1,000,000.01 $10,000,000.00 1.25% 4 $10,000,000.01 $100,000,000.00 1.75% 5 $100,000,000.01 $500,000,000.00 2.25% 6 $500,000,000.01 Onwards 2.50%

 

In the case of financial and insurance institutions, the amount of profits that cannot be distributed due to orders from the supervisory authority shall not be taken into account.

If the company distributes dividends within the following 2 years, the amount paid may be used as a tax credit for withholding tax applicable to the dividend distribution.

If the company distributes dividends or capitalizes undistributed profits within the following 2 years, the amount may be used as a tax credit for the company’s income tax payment, and the excess may be refunded.

If the entity does not distribute dividends or capitalize its profits within the following 2 years, the amount paid cannot be credited against any tax, will not be refundable, and must be recorded as a non-deductible expense.

Investment funds, trusts, and mixed-economy companies with state participation are not obliged to pay this advance. Companies that have recognized investments in other companies using the equity method are not subject to the advance payment with respect to the undistributed profits of the companies they own.

This advance payment will apply as of the 2025 tax year.

Andrea Moya, Partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

Mateo Bravo, Associate at CorralRosales
mbravo@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

Data Protection Officer: Characteristics, Functions, and Obligation of Appointment

The Organic Law on the Protection of Personal Data (the “LOPDP”) introduces the role of the Data Protection Officer (the “DPO”), who is an integral part of the personal data protection system. The DPO plays a crucial role within Ecuador’s data protection regulatory framework by supervising and advising on the proper compliance with the LOPDP, the General Regulations of the LOPDP (the “Regulations”), and secondary regulations issued by the personal data protection authority (collectively with the LOPDP and the Regulations, the “Personal Data Protection Framework”).

On 30 July 2025, the Superintendence for the Protection of Personal Data (“SPDP” or “Authority”) issued Resolution No. SPDP‑SPD‑2025‑0028‑R, which contains the Regulation on the Data Protection Officer (the “DPO Regulation”), governing the DPO’s activities. This document updates the scope of the DPO’s obligations, limitations, and responsibilities to ensure compliance with the Personal Data Protection Framework.

I. CHARACTERISTICS OF THE DPO

1. Definition of the DPO

Inspired by the European data protection regime, the LOPDP defines the DPO as the natural person responsible for independently advising and monitoring the organization’s compliance with the Personal Data Protection Framework, and for cooperating with the Authority, acting as the organization’s point of contact with it.

This definition highlights three key characteristics of the DPO:

  1. Must be a natural person;

  2. Their role is to monitor and ensure the organization meets its legal data protection obligations; and

  3. They must cooperate with the Authority.

2. Requirements to Serve as DPO

Articles 55 of the Regulations and 11 of the DPO Regulation establish the following requirements:

  • Must enjoy political rights;

  • Must be of legal age;

  • Must hold a tertiary-level degree in Law, Information Systems, Communications, or Technology;

  • Must demonstrate at least five years of professional experience; and

  • Must complete a professional training program authorized by the SPDP.

The final requirement ensures that DPOs have the necessary knowledge to appropriately advise organizations. It becomes mandatory starting on 1 January 2029. The SPDP‑authorized training must be offered by a higher education institution whose curriculum meets the minimum content requirements set out in Resolution No. SPDP‑SPD‑2025‑0004‑R (the Professional Training Program Regulation). Institutions offering such programs must inform the SPDP of the degrees or diplomas they issue.

A related question arises: Can a foreign national serve as DPO?

Articles 61 of the Constitution and 2 of the Code of Democracy stipulate that political rights are granted to Ecuadorian citizens and to foreign persons where applicable. Consequently, the DPO role is effectively limited to Ecuadorian citizens, although foreign nationals may serve if they are legal residents.

3. Appointment, Nomination, and Registration of the DPO

The DPO must be officially appointed by the organization’s legal representative or authorized agent. The appointment must include:

  1. Date of appointment;

  2. Organization’s identifying information:

    • For companies domiciled in Ecuador: legal name and taxpayer registration number;

    • For non‑domiciled organizations: legal name, tax ID, address, phone, and email of the parent or headquarters;

  3. Name of the legal representative;

  4. Name of the DPO;

  5. DPO’s responsibilities;

  6. Signature of the legal representative or agent;

  7. The DPO’s express acceptance of the role;

  8. The appointment or power verifying the authority of the legal representative/agent;

  9. Documentation proving the organization’s legal existence.

Once appointed, the organization must register the DPO with the SPDP within 15 business days so that the Authority can record and publish the organization’s details and the DPO’s contact email, ensuring transparency. Failure to meet this deadline constitutes a serious violation of security measures and may result in a fine equivalent to 0.7% to 1% of the organization’s turnover.

4. Engagement Models for the DPO

The DPO may be appointed directly or through a legal entity, provided the appointment contract specifies the natural person serving as the DPO. According to Articles 49 of the Regulations and 12 of the DPO Regulation, they may be hired as an employee or as an independent contractor. Regardless of the contract form, the DPO must retain independence and be empowered to issue recommendations and observations regarding compliance with the Personal Data Protection Framework.

In all cases, the contract must ensure:

  • Direct communication with the organization’s senior leadership;

  • Provision of necessary tools for the role;

  • Confidentiality clauses to protect sensitive information;

  • Clear delineation of functions, restrictions, and responsibilities.

Because the DPO needs time to adapt and understand the organization, it is recommended they conduct an internal audit to assess the organization’s data protection compliance and identify risks to mitigate.

a) Internal DPO

Two scenarios may occur:

  1. Hiring a new person specifically for the DPO role, or

  2. Appointing an existing employee to serve as DPO, who must devote themselves exclusively to the role and must not participate in data processing activities, to avoid conflict of interest.

b) External DPO

In addition to the above contract requirements, an external DPO’s contract must specify the service duration and modality and include an internal contact person within the organization.

5. Group DPO for Business Groups

Article 50 of the Regulations allows a single DPO to serve all companies within a corporate group, provided there is no conflict of interest and they can adequately fulfill their responsibilities.

6. Persons Disqualified from Being DPO

Articles 56 of the Regulations and 16 of the DPO Regulation list those who cannot serve as DPO:

  1. Members of the organization’s management or supervisory bodies;

  2. Owners or shareholders;

  3. Spouses or close relatives (up to fourth‑degree consanguinity or second‑degree affinity) of administrators, directors, commissioners, or data controllers/processors;

  4. Individuals with conflicts of interest as defined by SPDP regulations;

  5. Information security officers;

  6. Compliance officers;

  7. Special agents of foreign organizations processing data in Ecuador; and

  8. High‑rank public officials.

These restrictions aim to preserve the DPO’s objectivity and independence.

7. Conflicts of Interest

A conflict exists if the DPO:

  • Participates in data processing activities (even occasionally);

  • Provides advice beyond their role to defend the organization’s interests;

  • Makes decisions affecting the organization’s internal operations.

They are specifically prohibited from:

  1. Performing duties of the data controller or processor;

  2. Directly implementing data protection laws;

  3. Directly managing risk or impact assessments (they may only issue non-binding observations);

  4. Deciding on processing purposes or means;

  5. Representing the organization before the SPDP; or

  6. Holding roles such as security officer, compliance officer, or implementer which compromise their independence.

The DPO must declare any real or potential conflict before accepting the position; if one exists, the organization must refrain from appointing them or must revoke the appointment if already made.

8. Independence of the DPO

Independence is fundamental for supervising compliance without interference. It is reflected in:

a) Supervisory Authority

The DPO must monitor compliance, make observations, and issue recommendations—but implementation remains the responsibility of the organization to avoid conflict of interest.

b) Relations with the Authority and Stakeholders

The DPO must interact independently with the SPDP, responding to its requests without instruction from the organization. They also serve as the contact for data subjects, although responding to them directly is the organization’s responsibility. The DPO’s oversight includes ensuring data subject rights are respected.

c) Controls to Ensure Independence

Organizations must ensure:

  1. Direct access to senior leadership;

  2. Access to necessary technical, financial, and human resources;

  3. Mechanisms to ensure DPO recommendations are considered;

  4. Reports on compliance levels.

These controls must be evaluated annually by an internal audit, compliance area, or external auditor to maintain objectivity.

9. Special Protection for the DPO

Article 50(4) of the LOPDP specifies:

“The DPO may not be removed or sanctioned for properly performing their duties.”

Thus, any disciplinary action against the DPO for executing their role according to law is prohibited. However, if the DPO is unjustly removed or sanctioned, or their independence is compromised, they may file a complaint with the SPDP, which will investigate and take appropriate action.

II. DPO FUNCTIONS

1. Core Duties

Article 49 of the LOPDP specifies that the DPO shall:

  1. Advise the data controller, processor, and their staff on legal provisions (law, regulations, guidelines) related to personal data;

  2. Monitor compliance with those provisions;

  3. Assist in risk analysis, impact assessments, and security measures, and supervise their implementation;

  4. Cooperate with the SPDP and act as the organization’s contact;

  5. Perform additional functions assigned by the Authority regarding special personal data categories.

The DPO Regulation (Article 13) further clarifies that advisory and supervisory duties extend to:

  1. Risk analysis, impact assessments, and security measures for data transfers;

  2. Handling data subject rights requests;

  3. Managing and notifying data breaches (to data subjects, the SPDP, and ARCOTEL);

  4. Evaluating security measures’ effectiveness;

  5. Ensuring compliance with records of processing activities; and

  6. Overseeing overall compliance with personal data protection rules in processing activities.

The DPO must stay informed of updates and reforms to the Personal Data Protection Framework and advise the organization accordingly—via documentation, organizational changes, or security improvements. Compliance may be assessed through internal or external audits, with reports escalated to senior management for corrective action.

They should also support risk assessments and impact evaluations with appropriate methodology expertise.

2. Scope of Liability

Per Article 49 of the LOPDP, the DPO may be held administratively, civilly, or criminally liable for non‑compliance. However, the DPO Regulation allows exemption if they can demonstrate they acted diligently.

a) Administrative Liability

Administrative liability arises from defined infractions and corresponding sanctions. Since the LOPDP does not specify administrative violations or sanctions for DPOs, nor authorize SPDP to define such infractions, the Authority lacks power to sanction the DPO purely for failure in their duties.

b) Civil Liability

Civil liability may arise contractually (due to breach of contractual obligations resulting in harm to the organization) or extracontractually (non‑contractual wrongdoing harming data subjects or the organization). DPOs may be held liable if negligence causes harm.

c) Criminal Liability

Criminal liability applies only to acts defined as offenses by law. There is no explicit crime defined for DPO non‑performance, but general criminal provisions may apply (e.g., document forgery).

III. OBLIGATION TO APPOINT A DPO

1. When Is Appointment Mandatory?

Article 47(13) of the LOPDP mandates appointment when required, and Article 48 outlines circumstances:
a. When processing is conducted by public entities under Article 225 of the Constitution;
b. When processing activities require continuous and systematic control due to volume, nature, scope, or purposes;
c. When large-scale processing involves special categories of data;
d. When processing involves data related to national security or defense issues that are reserved or secret—though there is ambiguity regarding the scope of this clause; clarification or reform is suggested to avoid misinterpretation.

The DPO Regulation includes an annex (Annex 1) listing sectors that must appoint a DPO regardless of profitability.

It notably includes any institution processing data of minors—even outside educational contexts—which may be overly broad, e.g., requiring designating a DPO in certain employment or tax-related record-keeping. Clarification is recommended to avoid disproportionate obligations.

2. Penalties for Non-Appointment

When mandatory, DPOs must be appointed and registered between 1 November and 31 December 2025. Failure is considered a serious violation and may result in a fine of 0.7% to 1% of the organization’s turnover.

IV. CONCLUSIONS

The DPO is a foundational figure in Ecuador’s data protection framework, helping organizations comply with legal requirements while mitigating legal risks through supervision and advice. Appointing a DPO not only meets legal obligations but also embodies a proactive and accountable approach to data governance.

Although appointment is required only in certain sectors, the role extends beyond compliance—it supports organizations in implementing a nuanced, emerging regime governing personal data handling.

The DPO Regulation clarifies many questions—designation criteria, functions, conflicts of interest, role limitations—but ambiguities remain in some legal definitions, which the SPDP should address via secondary regulation.

Assigning criminal liability to DPOs may be counterproductive, discouraging qualified professionals from serving—a caution underscored by the Spanish model, in which DPOs are not held personally liable for organizational data protection infractions, which rest with the controllers or processors.

Finally, appointing a DPO does not absolve data controllers or processors of their obligations. The DPO supports and oversees compliance, but ultimate responsibility remains with the organization.

Annex 1. Special Cases Requiring DPO Appointment

  1. Early childhood educational institutions

  2. Primary and secondary schools

  3. Any institution processing data of minors (beyond educational scope)

  4. Higher education institutions processing special data categories for academic or administrative purposes

  5. Financial entities processing personal data

  6. Insurance entities (insurers, reinsurance, intermediaries, brokers, agents)

  7. Organizations conducting market research, advertising, profiling

  8. Healthcare system actors maintaining patient records

  9. Pharmaceutical actors: producers, distributors, laboratories, pharmacies

  10. Private security companies

  11. Private property managers, HOAs, housing trusts

  12. Professional sports federations or academies

  13. Sports clubs or academies

  14. Telecommunications service providers

  15. Mass video surveillance services

  16. Geolocation service providers

  17. IT service providers, including AI developers

  18. Public service concessionaires, including PPPs

Rafael Serrano
Partner at CorralRosales
rserrano@corralrosales.com 

Juan Martín Chavez
Associate at CorralRosales
jchavez@corralrosales.com 

Considerations on the Regulatory Omission of the Exchange of Medical Devices in Public Procurement

The Exchange of Medicines is a Mechanism Provided for in Ecuadorian Regulations That Authorizes Institutions Within the National Health System to Require Their Suppliers to Replace Medicines That Are Close to Expiring With Others of the Same Technical Specifications but With a Longer Shelf Life (“Exchange”).

This mechanism is regulated exclusively for products defined as: (i) general medicines, (ii) biological medicines, and (iii) medicine kits that include medical devices (hereinafter collectively referred to as “Medicines”). However, it is not regulated for medical devices, which are items or apparatuses designed to treat diseases or support physiological functions in the human body, without acting through pharmacological means.

There are no express or implied rules that require the exchange of medical devices, which creates uncertainty regarding the applicability of the exchange mechanism to these products when they are close to expiration. Additionally, if such a situation arises, there is no clear guidance on how to carry out the exchange.

Article 175 of the Organic Health Law and Ministerial Agreement No. 00015 – 2019 require suppliers to exchange Medicines, even if the procurement process documentation does not expressly include such an obligation. However, neither that regulation nor any other legal framework governs the exchange of medical devices. This regulatory gap generates doubts among suppliers, who are, in principle, not obligated to exchange such products.

In practice, contracting entities include this requirement during various stages of the public procurement process. This scenario can become particularly burdensome when the obligation does not specify limits in terms of volume, frequency, or cause. Due to the vague wording of the respective clauses, suppliers may even be considered non-compliant if they are unable to fulfill them.

To mitigate these risks, suppliers should ensure that any contractual exchange provision is aligned with Ministerial Agreement No. 00015 – 2019, or includes some of its limitations related to quantity, periodicity, or causality, as these are reasonable for the contractor and allow for the anticipation of potential financial impacts.

In addition to the points mentioned above, and to strengthen risk prevention during the pre-contractual stage, it is advisable for suppliers to take the following measures:

a) Verify whether the exchange obligation applies exclusively to medicines and does not extend to medical devices;


b) Ask questions during the inquiry and clarification phase to define the scope of the exchange obligation clearly; and


c) Analyze the historical consumption of the contracting entity through its needs assessment report, in order to anticipate the turnover of the requested product, as low turnover combined with high supply volumes could result in multiple exchange requests.

If such measures are not adopted, experience shows that suppliers may face exchange requests for up to 100% of the medical devices sold.

Rafael Serrano
Partner at CorralRosales
rserrano@corralrosales.com 

Juan Martín Chavez
Associate at CorralRosales
jchavez@corralrosales.com 

AMENDMENTS TO THE PRE-DETERMINATION AND DETERMINATION OF LIABILITY FRAMEWORK

 

Pursuant to Agreement No. 027-CG-2025, published in the Official Gazette No.  83, on July 17, 2025, the Office of the Comptroller General of the State has amended several regulations governing the procedures for the pre-determination and determination of culpable civil liability.

 

The amended regulations include: (i) Organic Statute for Organizational Management by Processes; (ii) Regulations for the Preparation, Processing, and Approval of Government Audit Reports; (iii) Substitute Regulations on the Execution of Documents; and (iv) Regulations on the Determination of Liability.

 

A summary of the amendments is provided below:

 

1.The National Director for the Pre-determination of Liability may refrain from pre-determining civil liability when the amount involved does not exceed US$20,000. For higher amounts, prior authorization from the Deputy Comptroller General of the State shall be required

 

2. In deciding not to pre-determine civil liability, at least the following criteria shall be taken into account: (i) contradiction or inconsistency between the liability suggested in the audit report and other sections of the report, supporting documentation, or applicable regulations; (ii) absence of evidence demonstrating economic harm; (iii) preparation of the audit report under regulations not in force at the time of the audited actions; and (iv) restitution or payment of the amounts stated in the report by the audited parties.

 

3.If, during the approval process, the approval period expires, the work order shall be canceled and the audit rescheduled.

 

4.Evidence such as on-site inspections, expert reports, acknowledgment of documents, or similar forms shall be admissible, provided they comply with applicable procedural legislation and are conducted by experts accredited by the Judiciary Council.

 

Hugo García Larriva, Partner at CorralRosales
hgarcia@corralrosales.com
+593 2 2544144

Mario Fernández, Associate at CorralRosales
mfernandez@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES

RESOLUTION NO. SPDP-SPD-2025-0030-R – REGULATIONS FOR PSEUDONYMIZATION, ANONYMIZATION, BLOCKING, AND DELETION OF PERSONAL DATA

By Resolution No. SPDP-SPD-2025-0030-R, dated August 7, 2025, the Superintendency of Personal Data Protection (hereinafter “SPDP”) issued the Regulations for the pseudonymization, anonymization, blocking, and deletion of personal data (hereinafter “Regulations”)

 

The purpose of the Regulation is to establish guidelines for applying data security measures and ensuring the effective exercise of data subjects’ rights.

Below, we summarize the main aspects of the Regulation:

I. Pseudonymization

 

It is a technical measure that preserves the possibility of reidentification of the data being processed.

 

Data controllers or processors may apply pseudonymization techniques, after carrying out the corresponding risk analysis, to technically preserve the possibility of reidentifying the data being processed.

 

Pseudonymized data will continue to be considered personal data and, therefore, the provisions of the Data Protection Law will apply to them.

 

Pseudonymization may be applied in the following cases: (i) in the provision of products or services where identification of the data subject is not necessary; (ii) in scientific, historical, or statistical research processes; and (iii) in internal audits, system testing, or security analyses.

If a reidentification action of pseudonymized information is carried out, such action must be recorded to guarantee the data subjects’ right to data protection.

 

II. Anonymization

 

It is a technical security measure used to prevent the identification or reidentification of a data subject.

 

To apply this technique, a risk analysis of the implications must be carried out, and it must also be assessed that this measure does not affect the continuity and quality of the services provided.

 

Authorization from the SPDP will be required for the processing of anonymized health data.

 

If the personal data is anonymized, the consent of the data subject will not be required for its transfer.

 

III. Blocking

 

Once the purpose of the processing has been fulfilled, personal data may be retained for the period established by law in compliance with legal obligations, or for as long as there is a legitimate basis that permits such retention.

 

Nevertheless, blocking techniques must be applied to this data to ensure it is securely maintained and access to it is limited and restricted solely to fulfill the purposes that remain after the primary objective has been exhausted.

 

IV. Suspension

 

The data subject has the right to request that the controller or processor temporarily halt a specific processing activity. In such cases, the controller must suspend the processing within no more than three days.

 

If the processing has been delegated to a processor, the controller must notify the processor of the request, and the processor must suspend the processing within a maximum period of three days from the notification.

 

Likewise, when a data subject revokes their consent, the controller must cease processing activities within a maximum of three (3) days from receipt of the notification from the data subject.

 

V. Erasure

 

The data subject may request the erasure of all or part of their personal data that is being processed. This request will only proceed when the data controller does not have a legal basis for continuing the processing of the personal data that is the subject of the request.

 

If the data subject exercises this right and their request is accepted, the data controller must provide the data subject with a document certifying the erasure of their personal data.

 

When the data subject exercises their right of erasure, this request must be notified by the controller to all processors and third parties to whom the data was previously transferred, so that they also proceed with its erasure within three (3) days.

 

The Data Protection Agreement (DPA) must establish the necessary conditions to carry out and guarantee the return or erasure of personal data by the processor.

 

Once its legal relationship with the controller has ended, the processor must return or erase the personal data within five (5) days and provide the data controller with a document certifying such erasure.

 

VI. Right to portability

 

The right to portability entitles the data subject to receive their personal data from the controller in a compatible format. This transfer must be carried out whenever technically possible.

 

Once the data transfer has been completed to the new controller, the original controller must erase the transferred data from its own systems.

 

Within six months of the publication of the Regulation in the Official Register, the General Directorate for Innovation, Technology, and Personal Data Security must present the “Technical Guide to Pseudonymization, Anonymization, Blocking, Suspension, and Erasure in Personal Data Protection.”

 

 

 

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

Juan Fernando Riera, Associate at CorralRosales
jriera@corralrosales.com
+593 2 2544144

© CORRALROSALES 2025
NOTA: EL texto anterior ha sido elaborado con fines informativos. CorralRosales no es responsable de ninguna pérdida o daño ocasionado como consecuencia de haberse actuado o dejado de actuar en base a la información contenida en este documento. Cualquier situación determinada adicional requiere la opinión y concepto específico de la firma.

CORRALROSALES