Organic Law on the Protection of Personal Data (LOPDP) Ecuador
Overview
The Ley Orgánica de Protección de Datos Personales (Organic Law on the Protection of Personal Data) of Ecuador, enacted in May 2021, is the country's principal data privacy regulation. The law aligns with international standards such as the GDPR and establishes clear guidelines for businesses and individuals handling personal data. It aims to guarantee the right to personal data protection by establishing requirements for data processing, consent, security measures, and transparency. It also defines obligations for businesses and rights for individuals, mandating that the handling of personal data is fair, lawful, and secure, while promoting accountability among data controllers and processors.
Regulation Summary
Timeline
- May 26, 2021: Enactment of the Ley Orgánica de Protección de Datos Personales.
- May 26, 2023: The law became fully effective, after a two-year period granted to businesses to comply.
What Businesses Are Affected
- All entities processing personal data in Ecuador.
- Foreign businesses offering goods or services to individuals in Ecuador or monitoring their behavior.
- Both public and private sector organizations.
Exemptions
- Personal or domestic data use.
- Data processed for journalistic, artistic, or literary purposes.
- Data processed for national security, crime prevention, or public health.
Responsibilities for Businesses
- Obtain explicit, informed consent before processing personal data.
- Process data only for specific, lawful purposes.
- Ensure data accuracy and implement robust security measures.
- Notify the Data Protection Authority of breaches within 72 hours.
- Register data processing activities with the Data Protection Authority if required.
Specific Responsibilities for Website Owners
- Implement mechanisms to obtain consent for cookies and other tracking technologies.
- Maintain a clear, accessible privacy policy.
- Provide secure online forms for collecting personal data.
- Offer users tools to exercise their data rights, such as access and deletion.
Additional Requirements
- International Transfers: Data transfers outside Ecuador must comply with adequacy standards, contractual safeguards, or explicit consent.
- Impact Assessments: Required for high-risk data processing activities, such as profiling or processing sensitive data.
- Data Protection Officers (DPOs): Mandatory for organizations processing large-scale or sensitive data.
Data Subject Rights
- Access: Request information about personal data held.
- Rectification: Correct inaccurate or incomplete data.
- Deletion: Request removal of data when no longer needed.
- Portability: Receive data in a structured, machine-readable format.
- Objection: Refuse data processing for specific purposes.
- Restriction: Limit data processing under certain conditions.
Enforcement
- Regulatory Authority: Superintendencia de Protección de Datos Personales (Data Protection Superintendency).
- Penalties: Fines up to 1% of a company’s annual turnover or specific monetary values based on the violation's severity.