Resolution No. SPDP-SPDP-2024-0002-R

By Resolution No. SPDP-SPDP-2024-0002-R (“Resolution”), published in the Official Gazette No. 640 on September 10, 2024, the Data Protection Authority (“SPDP” or “Authority”) issued the “Mandatory Technical Guide for the Registration of the Attorney-in-fact designated by Controllers, whether acting individually or jointly, and Processors that engage in Data Processing Activities in the Republic of Ecuador” (“Guide”).

The following are highlighted:

  1. The Guide is mandatory for all controllers and processors who, although not domiciled in Ecuador, offer goods or services to residents of the country, are part of the personal data protection system, or control the behavior of data subjects to the extent that such control occurs within the territory (“Regulated Entities”).
  2. The Regulated Entities must designate an attorney-in-fact (“Attorney-in-fact”) on a permanent basis. The Attorney-in-fact must be vested with broad faculties to represent them before administrative and judicial bodies on data protection matters. In addition, the Attorney-in-fact must handle requests or complaints from data subjects without limitations that could affect their rights.
  3. The power of attorney must detail the commercial name and the brands identifying the foreign controller in the market. Foreign processors must also detail information regarding the controllers for whom they process data. Both controllers and processors must provide their addresses and telephone numbers for their offices and those of their Attorney-in-fact designated in Ecuador.
  4. In case of non-compliance with these obligations, the individuals or entities who, under certain circumstances, appear to act on behalf of the Regulated Entities may be held administratively liable. The Authority may impose and apply corrective measures established in the Data Protection Law and its Regulations.
  5. The Attorney-in-fact can be an individual or a legal entity domiciled in Ecuador. If the Attorney-in-fact is an individual, they must be Ecuadorian or, if foreign, a resident in the country with full political rights. When the Attorney-in-fact is an entity, its corporate purpose must allow it to act as Attorney-in-fact. The SPDP may verify with the Superintendence of Companies that the entity meets its obligations, and that the appointment of the legal representative is valid.
  6. Regulated entities must register their Attorney-in-fact with the SPDP by presenting the document granting the power of attorney. If the power of attorney is granted abroad, it must be apostilled or certified by an Ecuadorian diplomatic agent. Powers of attorney in a foreign language must be translated into Spanish.
  7. The SPDP will verify that the power of the Attorney-in-fact meets the Guide’s requirements and assess whether the power of attorney granted is adequate and sufficient. If it is approved, registration will proceed, and the Regulated Entity will be notified. The registration of the Attorney-in-fact, along with their contact details, will be published on the SPDP’s website and that of the Regulated Entities to facilitate the exercise of data subjects’ rights.
  8. The Regulated Entities must update their Attorney-in-fact registration in the following cases: a) death; b) resignation; c) expiration of the power of attorney, if applicable; d) change in the denomination, absorption, split, transformation, dissolution, or liquidation of the entity designated as the Attorney-in-fact. Except for the death of the Attorney-in-fact, the registered Attorney-in-fact will continue to be liable before the SPDP and the data subjects until the registration is updated.
  9. All controllers and processors performing data processing abroad must present the following to the Authority:
    • The co-responsibility or data processing agreement.
    • The Record of Processing Activities (ROPA).
    • Risk analysis for each processing activity.
    • Dataflow of personal data for each processing activity.
    • Security measures implemented for data transfers.
    • Self-regulation codes, if any, must be approved by the Authority.

Transitional provisions of the Resolution establish the following:

  1. Regulated Entities engaged in processing activities since September 6, 2024, are granted a six-month period from the issuance of the Guide to comply with the registration of their Attorney-in-fact.
  2. The Authority will initiate the corresponding administrative control processes if an Attorney-in-fact is not registered within the period.
  3. The application for registration of the Attorney-in-fact must be submitted in person at the Authority’s office.



Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

© CORRALROSALES 2024
NOTE: The above text has been prepared for informational purposes. CorralRosales is not responsible for any loss or damage caused by actions taken or not taken based on the information contained in this document. Any specific situation requires the specific opinion and advice of the firm.

CORRALROSALES

Protection and processing of sensitive and confidential data in medical-occupational contexts

On July 11, 2024, the Constitutional Court issued Ruling 59-19-IN/24 (the “Ruling”), declaring Ministerial Agreement 0341-2019, titled “Application of Occupational Medical Records” (the “Agreement”), unconstitutional. The Court found that the Agreement and its related forms violated privacy and personal data protection rights.

From the Ruling, we highlight the following:

  • The Constitutional Court reviewed whether the State’s actions had a legitimate aim and whether the Agreement met the requirements of proportionality, suitability, and necessity when limiting workers’ rights to privacy and data protection.
  • The Ruling determined that there is no proportionality between the constitutionally valid aim and the challenged regulation, as it is contradictory and inappropriate to require workers to provide sensitive data (such as sexual orientation, gender identity, and religion).
  • Based on these grounds, considering that the Agreement creates an illegitimate limitation on workers’ rights, and given that this information is not directly related to the performance of the worker’s duties or the specific needs of the job, the Constitutional Court declared the Agreement unconstitutional.
  • From the publication of the Ruling in the Official Gazette (which has not occurred as of the date of this bulletin) and until the adoption of new regulations on the application and management of Occupational Medical Records, occupational physicians, public or private entities, as well as the national health authority, will not be able to request workers to provide data related to sexual orientation and gender identity. Data concerning religious beliefs will be optional.



Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

María Victoria Beltrán, Senior Associate at CorralRosales
mbeltran@corralrosales.com
+593 2 2544144



Resolution on Organic Statute of Organizational Management by Start-up Processes of the Superintendence for the Protection of Personal Data (SPDP)

Resolution No. SPDP-SPDP-2024-0001-R introduces the Organic Statute of Organizational Management by Start-up Processes in the SPDP, hereinafter referred to as the “Statute”. This Resolution, effective as of August 2, 2024, establishes the basis for efficient and transparent management of the Institution.

What are the key aspects of the Statute?

  • Flexibility in Structure: The Statute allows for future modifications in processes, products, and administrative units according to implementation and deconcentration needs.
  • Process Management: The SPDP will optimize its activities and resources, focusing on achieving its goals more efficiently and effectively.
  • Managerial Positions: The Intendants, General Coordinators and Directors are freely appointed and removable.
  • Continuous Improvement: Continuous evaluation and improvement of processes is promoted, ensuring adaptation to changes and the pursuit of excellence in management.
  • Transparency: Management by processes will facilitate access to information and accountability, strengthening institutional transparency.
  • Demand for Services and Products: The Financial Administrative Directorate shall submit a report detailing the services and products that the SPDP will need within 180 days. The corresponding authorities must approve this report.

What does the approval of the Statute imply?

Approval of the Statute implies that the SPDP can perform its role as a technical supervisory, audit, intervention, and control body. This includes issuing decisions, monitoring compliance with the law, investigating complaints and applying sanctions in the event of non-compliance.

What is the organizational structure?

The organizational structure is divided into three processes:

  • Governing Processes: They are responsible for the direction and control of the institution, establishing guidelines, policies, and strategic plans.
  • Substantive Processes: They conduct the essential activities to provide services and fulfill the SPDP’s mission, such as the supervision, regulation, and control of the processing of personal data.
  • Adjective Processes: Provide support to the other processes, including legal advice, planning, and administrative and financial management.

In summary, the structure is divided as follows:

Type of Process | Level | Unit | Responsible
Governance | Management | Strategic Management | Superintendent for the Protection of Personal Data
Substantive | Operational | General Intendancy for Technological Innovation and Personal Data Security | General Intendant for Technological Innovation and Personal Data Security
Substantive | Operational | General Intendancy for the Regulation of Personal Data Protection | General Intendant for the Regulation of Personal Data Protection
Substantive | Operational | General Intendancy for Control and Sanctions | General Intendant for Control and Sanctions
Adjective | Advisory | Directorate of Legal Advisory Services | Director of Legal Advisory Services
Adjective | Advisory | Planning and Strategic Management Unit | Planning and Strategic Management Specialist
Adjective | Support | Financial Administrative Management | Financial Administrative Director

In conclusion, the approval of the Organic Statute of the Superintendence of Personal Data Protection marks a crucial milestone in data protection in Ecuador. From now on, the SPDP has the necessary structure and mechanisms to ensure compliance with the Organic Law on Personal Data Protection and its Regulations. This means that companies must be compliant, diligent and transparent in the handling of personal information, thus guaranteeing the privacy and security of the data of their clients, employees, and users.



Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144




American Privacy Rights Act: a bill that promises a radical change for privacy in the United States

Respect for the privacy of personal data has become particularly important in the digital era. Companies and governments collect and process information about our daily activities, which makes it essential to have rules that adequately protect the privacy of citizens.

A step towards data protection in the United States.

Although the United States does not have a specific federal law on data protection, an important step was taken on April 7, 2024[1], when Republican Congresswoman Cathy McMorris Rodgers and Democratic Senator Maria Cantwell, both from the state of Washington, introduced a federal privacy bill called the American Privacy Rights Act (APRA).

This bill creates a comprehensive regulatory framework for the protection of personal data in the United States. It is a significant step forward towards greater privacy protection for U.S. citizens.

Key aspects of APRA and its relationship with Ecuador.

APRA[2] addresses various aspects contained in most of the laws on the subject, including that of Ecuador, among them:

  1. Data Minimization: Limits the collection of personal data to the minimum necessary for the intended purpose.
  2. Transparency in privacy policies: Requires companies and suppliers to provide clear and accessible information about their data collection, use, and disclosure practices.
  3. Rights management: Grants individuals the right to access, rectify, and delete their personal data, as well as the right to opt out of receiving targeted advertising.
  4. Designation of a Privacy or Data Security Officer: Establishes the obligation to designate an officer responsible for data security, who must be qualified and have the experience to perform the position effectively.

APRA news.

The APRA federal bill incorporates aspects related to artificial intelligence (AI) and data. These include:

  • Restricting the volume of data used in AI development: Applies the minimization principle to limit the amount of personal data used in the training and operation of AI systems.
  • Concept of “covered algorithms”[3]: Defines “covered algorithms” as any computational process that decides or facilitates human decision-making using data. This definition covers a wide range of AI systems, from the simplest to the most complex.
  • Obligations for entities using covered algorithms: Entities using covered algorithms will have multiple obligations, among which the most important are:
  1. Design evaluation: Evaluate the design of the algorithm to identify and reduce the risk of potential damage.
  2. Impact assessment: Evaluate the impact of the possible effects of the algorithm on individuals and society.
  3. Notice and opportunity to opt out: Provide the ability to opt out of the use of a covered algorithm if it is used to make “consequential decisions” (decisions that significantly affect an individual’s access to or enjoyment of essential goods or services).

Implications for Ecuador.

The enactment of APRA would have a significant impact in Ecuador, especially in the following aspects:

  1. Transborder data flow: It will facilitate the transfer of data between the United States and countries with equivalent data protection standards, such as Ecuador. This translates into:
     • Simplification of processes: Administrative and legal burdens are reduced for companies transferring data between the two countries.
     • Cost reduction: Costs associated with data transfer, such as implementing additional security measures, are minimized.
  2. International cooperation: It will allow international cooperation on data protection between the United States and other countries, including Ecuador. This will allow Ecuadorian authorities to:
     • Share information more safely: Collaborate on investigations and data protection cases involving U.S. companies.

In conclusion, once approved, the APRA bill will represent a significant advance towards data protection in the United States and will have clear impacts in other countries, including Ecuador, as expressed in previous paragraphs.

[1] https://energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation
[2] https://d1dth6e84htgma.cloudfront.net/American_Privacy_Rights_Act_of_2024_Discussion_Draft_0ec8168a66.pdf
[3] https://www.whitecase.com/insight-alert/proposed-american-privacy-rights-act-seeks-establish-comprehensive-national-framework


Thalía Ordoñez
Associate at CorralRosales
tordonez@corralrosales.com

Appointment of Data Protection Authority

On March 28, 2024, the Council of Citizen Participation and Social Control (CPCCS) appointed Fabrizio Roberto Peralta Díaz as the Data Protection Authority for 2024-2029.

During the presentation of his work plan, Mr. Peralta highlighted his experience in data protection and proposed the following:

  i. Implement an educational vision in the Authority.
  ii. Generate inter-institutional relations by creating awareness of administrative, legal, and technical security measures related to data protection.
  iii. Create technical dependencies responsible for registration, policy planning, and sanctions.
  iv. Promote prevention, protection, and transparency as fundamental principles.
  v. Ensure the appropriate use of resources under the Transparency and Access to Information Law.

The CPCCS must submit the resolution designating the Data Protection Authority to the Legislature for his swearing-in.





El Universo – How to protect from data thieves?


DETAILS

DATE: 26-08-2020

CORRALROSALES IN THE NEWS:

-Rafael Serrano

MEDIA: El Universo

The Ecuadorian newspaper “El Universo” has published in its magazine an article by Rafael Serrano Barona, an associate of CorralRosales. He participates as an interviewee on how to protect oneself from data theft, which is becoming increasingly common on the internet. It is not difficult to find someone, or even yourself, who has suffered a virtual attack called phishing, a term used to refer to one of the most used methods in the digital age to scam internet users in order to obtain confidential information, such as a password or something even more serious like bank information.

Another thing to check is the domain of the web page we are about to access. If it is made up of numbers, it has a greater chance of being a hoax and we should not access it under any circumstances. The same applies to links that do not contain words related to the information that will be found on the page.

Special care must also be taken with attached files. Above all, directly executable file formats such as “.exe”, “.bat” or “.cmd” are especially dangerous. You should also be careful with Office format files (.docx, .xlsx or .pptx), which may contain macros.

Our associate Rafael Serrano, who is also Vice President of the Ecuadorian Association for Data Protection, explains in this article the state of data protection in Ecuador: since the country has no Data Protection Law regulating these activities, data thieves find it easier to act.

“Currently a bill is being discussed in the National Assembly that is being analyzed by the Commission for Sovereignty, Integration, International Relations and Integral Security. The Bill was presented by the President of the Republic Lenín Moreno. The Bill is quite complete. It follows the guidelines of the European General Data Protection Regulation, which in turn is the most important regulation on the matter,” Rafael adds.

When asked about the need for a law of this kind, Serrano details the importance of such legislation, since recent cases of data leaks affecting Ecuadorians have demonstrated the lack of control and regulation in this matter. Additionally, the Constitution approved in 2008 recognizes the autonomous right to data protection (Art. 66, No. 19). To date, we do not have a regulation that adequately regulates and develops the exercise of that right.

For now, we just have to wait.


EKOS – Personal data protection: legitimate means for handling data


DETAILS

DATE: 16-08-19

CORRALROSALES IN THE NEWS:

-Rafael Serrano
-Michael Wollman

MEDIA: Ekos Magazine

With the forthcoming issuance of the Personal Data Protection Law, companies must adapt their procedures to collect and carry out the appropriate handling of the personal data of their consumers or customers.

The correct handling of personal data is one of the main tools for companies to adequately market their products; not only to protect the personal information of their customers, but also to benefit their businesses.

The main purpose of the draft Law is to regulate the exercise of the right to protection of personal data, informational self-determination, and the circulation of this type of data (Article 1).

The legitimacy principle (Article 9) establishes the conditions or situations in which the collection and processing[1] of personal data by companies is legitimate and lawful:

  1. Consent of the personal data owner to the sharing of their information for a specific purpose.

The consent must be free, specific, unequivocal, prior and informed. A company may share someone’s personal data when that person authorizes or consents to it, knowing the purpose for which their information will be used.

  2. Legal obligation to share personal data.

In this case, the law orders the company to share the personal data of an individual.

Example: The Labor Code requires employers to hold certain personal information about their workers, such as address, marital status, number of children, and other relevant information. In this case the will of the data owner is irrelevant, since it is the law that orders the sharing of this information.

  3. Contractual relationship.

A company can use the data of an individual with whom it has a contractual relationship. This use is limited to the data necessary to comply with contractual obligations and may not exceed the limits established in the contract.

Example: In a contract of sale of goods, the company cannot use the data of the individuals to send commercial promotions, except if there is a clause in the contract that expressly authorizes the sending of such promotions.

[1] The draft Personal Data Protection Law defines handling as any operation performed on personal data; this includes collection, storage, modification and transfer, among other actions.

  4. Vital interests of the owner.

Data about a person may be shared if doing so protects the vital interests of the owner, such as the protection of fundamental rights.

Example: A company can share the personal data of a person if it helps to save the life of the individual, such as in a medical emergency.

  5. Order of a judicial authority or resolution of a competent authority.

If a ruling or a decision of the competent authority orders the delivery or processing of personal data, the company will be bound to do so without facing negative consequences.

The legitimacy of the sharing and use of personal data does not derive solely from the consent of its owner. Companies must analyze, in each particular situation, which of the scenarios above applies to the handling of the personal data, thus complying with the principle of legitimacy.
