Bustamante Fabara

 

What law(s) specifically govern personal data / information?

Ley Orgánica de Protección de Datos Personales (LOPDP) – (Data Protection Act from Ecuador).

Reglamento a la Ley Orgánica de Protección de Datos Personales (RLOPDP) – (Regulation to the Data Protection Act from Ecuador).

 

What are the key data protection principles in this jurisdiction?

Legality - Personal data must be treated with strict adherence and compliance with the principles, rights and obligations established in the Constitution, international treaties, the LOPDP, its Regulations and other applicable regulations and jurisprudence.

Lawfulness - The processing of personal data must be lawful; it must be clear to data subjects what personal data is being collected, used, consulted or otherwise processed, as well as the ways in which said data will be processed.

Transparency - The processing of personal data must be transparent, so all information or communication relating to this processing must be easily accessible and easy to understand, using simple and clear language.

Purpose - The purposes of the processing must be determined, explicit, legitimate and communicated to the data subject. Personal data may not be processed for purposes other than those for which they were collected.

Relevance and minimization of personal data - Personal data must be relevant and be limited to what is strictly necessary to fulfil the purpose of the treatment.

Proportionality of the treatment - The treatment must be adequate, necessary, timely, relevant and not excessive in relation to the purposes for which the personal data has been collected.

Confidentiality - The processing of personal data must be conceived on the basis of due secrecy and confidentiality; that is, it must not be processed or communicated for a purpose other than that for which it was collected.

Quality and accuracy - The personal data that is processed must be exact, complete, precise, verifiable and clear; and, if applicable, duly updated, in such a way that its veracity is not altered.

Conservation - Personal data will be kept for a period no longer than necessary to fulfil the purpose of its treatment.

Security of personal data - Data Controllers and Data Processors must implement all appropriate and necessary security measures to ensure the safety of the personal data.

Proactive and demonstrated responsibility - The Data Controller must be able to demonstrate that it has implemented mechanisms for the protection of personal data; that is, compliance with the principles, rights and obligations established in the LOPDP.

Favourable application to the data subject - In case of doubt regarding the scope of legal or contractual provisions applicable to personal data protection, judicial and administrative officials shall interpret and apply them in the most favourable sense to the data subject.

 

What is the supervisory authority / regulator in charge of data protection?

Superintendencia de Protección de Datos Personales (Superintendence of Data Protection)

 

Is there a requirement to register with a supervisory authority / regulator?

Yes, there is a requirement to register. The LOPDP and RLOPDP establish the creation of the National Register of Personal Data Protection (Registro Nacional de Protección de Datos Personales). Controllers and processors are required to register their data processing activities in this National Register.

The registration should include information about the controller or processor, the purpose of the processing, categories of data subjects and personal data, recipients, international transfers, and security measures, among other details.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, there are several instances where notification to the Data Protection Authority is required:

  • Data Breaches: The LOPDP requires controllers to notify the Authority of any personal data breaches that may significantly affect the rights of data subjects.
  • International Data Transfers: The RLOPDP states that information about international transfers of personal data must be registered in advance with the National Register of Personal Data Protection.
  • Appointment of the Data Protection Officer (DPO): The RLOPDP requires that the appointment of a DPO be communicated to the Authority.

It's important to note that as the implementation of the LOPDP and RLOPDP is still ongoing, specific procedures for these registrations and notifications may be further detailed by the Authority in future guidelines or regulations.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes. The Superintendency of Data Protection has made available a portal for reporting personal data security breaches.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to information

Right of access

Right to rectification

Right to erasure

Right to restriction of processing

Right to data portability

Right to object to processing

Right to withdraw consent

Right to complain to the relevant data protection authority(ies)

Right to object to automated individual decision-making

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, it is mandatory to designate a Data Protection Officer in the following cases:

  • When the processing is carried out by entities that form part of the public sector;
  • When the activities of the data controller or data processor require permanent and systematic control due to the volume, nature, scope or purposes of the processing, as established in the LOPDP; and
  • When the processing involves large-scale processing of special categories of data.

Additionally, through a resolution issued by the Superintendency of Data Protection, the following economic activities are required to appoint and register a Data Protection Officer (DPO):

  • Institutions providing early childhood education, general basic education, and secondary education, whether publicly funded, state-subsidized, or private, offering in-person, blended, and/or distance learning modalities, as well as any other institution that processes data relating to minors, even if such processing does not occur within the educational sphere;
  • Public or private higher education institutions, due to the various special categories of personal data they must process for the execution of their academic and/or administrative activities;
  • Any activity involving the processing of special categories of personal data related to minors;
  • Legal entities that carry out financial activities and that, for any reason, have access to or directly or indirectly process personal data;
  • Legal entities engaged in insurance activities, reinsurance companies or intermediaries, as well as insurance advisors, producers, brokers, agents, and service providers within the insurance sector;
  • Legal entities that carry out advertising, commercial prospecting, or market research activities and that, for such purposes, process personal data based on the data subjects’ preferences, interests, or behaviors, or that involve profiling;
  • Actors within the healthcare system legally required to maintain patients’ medical records, with the exception of healthcare professionals who practice independently;
  • Establishments within the pharmaceutical sector that carry out activities related to the production, distribution, and commercialization of pharmaceutical products, as well as laboratories, pharmaceutical representation companies, pharmaceutical distributors, and pharmacies;
  • Private security legal entities, as well as private-law legal entities or trusts that manage private residential developments, gated communities, or condominium properties, due to the processing of personal data for access control purposes;
  • Professional sports federations or associations, sports corporations, professional clubs, or sports academies;
  • Professional associations or guilds;
  • Private-law legal entities that provide telecommunications services;
  • Private-law legal entities that offer or provide mass video surveillance, geolocation, or information technology services, including those dedicated to the development, implementation, or deployment of artificial intelligence; and
  • Public or private legal entities that are concessionaires of public services, as well as public–private partnerships that distribute, commercialize, and/or provide public services.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes, it is mandatory for the data controller to carry out a data protection impact assessment (DPIA) when it is probable that the processing, due to its nature, context or purposes, entails a high risk for the rights and freedoms of the data subjects, or when the Personal Data Protection Authority requires it.

The DPIA is mandatory in the following cases:

  • When there is a systematic and exhaustive evaluation of personal aspects of data subjects that is based on automated processing, such as profiling, and on the basis of which decisions are made that produce legal effects for data subjects;
  • When there is large-scale processing of special categories of data, or personal data related to criminal convictions and offences; and
  • When there is systematic large-scale observation of a public access area.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes. The LOPDP imposes several requirements in the event of a data breach. The Data Controller must notify the violation of the security of personal data to the Data Protection Authority and the Telecommunications Regulation and Control Agency (ARCOTEL) as soon as possible, and no later than five (5) days after it has become aware of it, unless it is unlikely that said security violation constitutes a risk to the rights of the data subjects. If the notification to the Data Protection Authority does not take place within the term of five (5) days, said notification must be accompanied by an indication of the reasons for the delay. The Data Processor must notify the Data Controller of any violation of the security of personal data as soon as possible, and no later than within a period of two (2) days.

The Data Controller must notify the data subjects of the security breach of personal data without delay when it entails a risk to their fundamental rights and individual freedoms, within a period of three days counted from the date on which the Data Controller became aware of the risk.

The Data Subject does not need to be notified of a data breach in the following cases:

  • When the Data Controller has adopted technical, organizational or protective measures of any appropriate nature applied to the data affected by the breach of security that can be demonstrated to be effective;
  • When the Data Controller has taken measures to guarantee that the risk to the fundamental rights and individual freedoms of the data subject will not occur; and,
  • When it would require a disproportionate effort to do so; in which case, the Data Controller must make a public communication through any means by which data subjects are informed of the data breach.

The application of the first two exceptions must be qualified by the Data Protection Authority.

According to the provisions of the LOPDP, the infringement or violation of security constitutes a risk to the rights and freedoms of Data Subjects when any of the following causes occur:

  • When the data was destroyed, it no longer exists or is not available in a form that is useful to the Data Controller;
  • When the data has been altered, corrupted or is no longer complete;
  • When the Data Controller has lost control of or access to the data, or the data is no longer in its possession;
  • When the treatment has not been authorized or is unlawful, which includes the disclosure of personal data or the access by third parties who are not authorized to receive or access the data; or any other form of processing that is carried out contrary to the provisions of the LOPDP.

The data breach notification must contain the following:

  • The nature and type of the data breach;
  • Identification of the affected data subjects or interested parties;
  • The detail of the breached systems;
  • The alleged cause of the data breach;
  • The volume and types of data exposed or compromised;
  • The measures adopted and planned to respond and solve the breach with the purpose of mitigating the consequences of said data breach;
  • The evaluation of the risk that the data breach implies for the rights and individual liberties of the data subjects;
  • Other aspects that may be determined by the Personal Data Protection Authority.

 

What restrictions apply to the international transfer of personal data / information?

Personal data may be transferred or communicated to countries, organizations, and legal entities that provide adequate levels of protection and comply with the obligation to fulfil and guarantee internationally recognized standards according to the criteria established in the RLOPDP.

When necessary due to the nature of the transfer, the Data Protection Authority may implement ex post control methods that will be defined in the Regulation to the Law. It will also establish joint actions between the authorities of both countries to prevent, correct, or mitigate improper data processing in both countries.

To declare an adequate level of protection for countries or organizations, the Data Protection Authority will issue a reasoned resolution, establishing that the international transfer or communication of personal data meets adequate levels of protection or appropriate safeguards, in accordance with the provisions of the LOPDP and its regulations.

In case of an international data transfer to a country, organization, or international economic territory that has not been qualified by the Data Protection Authority as having an adequate level of protection, the aforementioned international transfer may be carried out provided that the controller or processor offers appropriate safeguards for the data subject, for which the following must be observed:

  • Guaranteed compliance with principles, rights, and obligations in the processing of personal data at a standard equal to or higher than the current Ecuadorian regulations;
  • Effective protection of the right to personal data protection, through the permanent availability of administrative or judicial actions; and,
  • The right to request comprehensive reparation, if applicable.

For this to occur, the international transfer of personal data will be based on a legally binding instrument that contemplates the aforementioned standards, as well as those established by the Data Protection Authority.

In all cases not covered above where an international transfer of personal data is intended, the authorization of the Data Protection Authority will be required. For this purpose, compliance with current regulations on personal data protection must be documented, as determined in the RLOPDP.

Notwithstanding the above, information on international transfers of personal data must be previously registered in the National Register of Personal Data Protection by the controller or, where applicable, the processor, according to the procedure established in the RLOPDP.

Without prejudice to the preceding provisions, international transfers or communications of personal data may be carried out in the following cases:

  • When personal data is required for the fulfilment of institutional competencies, in accordance with applicable regulations;
  • When the data subject has given explicit consent to the proposed transfer or communication, after having been informed of the possible risks to them of such international transfers or communications, due to the absence of an adequacy decision and of appropriate safeguards;
  • When the international transfer is intended to fulfil a legal or regulatory obligation;
  • When the international transfer of personal data is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request;
  • When the transfer is necessary for reasons of public interest;
  • When the international transfer is necessary for international judicial collaboration;
  • When the international transfer is necessary for cooperation in the investigation of infringements;
  • When the international transfer is necessary for the fulfilment of commitments acquired in international cooperation processes between States;
  • When data transfers are made in banking and stock market operations;
  • When the international transfer of personal data is necessary for the establishment, exercise or defense of legal claims, administrative or jurisdictional actions and appeals; and,
  • When the international transfer of personal data is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

The legal instruments that support the international transfer of personal data to a country, organization or international economic territory that has not been qualified by the Data Protection Authority as having an adequate level of protection shall be the following:

  • Legally binding and enforceable instruments between public authorities or bodies;
  • Binding corporate rules (BCRs) approved by the Data Protection Authority;
  • Standard data protection clauses adopted by international data protection bodies endorsed by the supervisory authority;
  • Codes of conduct, which include binding commitments from the controller or processor in the third country, organization or international economic territory to apply appropriate safeguards, including those relating to the rights of data subjects;
  • Certification mechanisms including data protection seals and marks, which incorporate binding commitments from the controller or processor in the third country, organization or international economic territory to apply appropriate safeguards, as well as those relating to the rights of data subjects; and,
  • Contractual clauses that do not correspond to the standard clauses and that are duly authorized by the data protection authority.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the territorial scope of application of the LOPDP indicates that the precepts of the data protection regulations will be applicable in the following circumstances:

  • When processing of personal data of data subjects residing in Ecuador is carried out by a controller or processor not established in Ecuador, when the processing activities are related to:
    • The offering of goods or services to such data subjects, regardless of whether payment is required from them, or
    • The monitoring of their behaviour, to the extent that this takes place in Ecuador; and,
  • When the national legislation is applicable to the controller or processor of personal data not domiciled in the national territory by virtue of a contract or current regulations of public international law.

 

What rules specifically deal with marketing?

The LOPDP and RLOPDP do not have specific sections dedicated solely to marketing. However, several provisions apply to marketing activities:

  • Article 8 of the LOPDP requires consent for data processing, which includes marketing purposes.
  • Article 16 of the LOPDP grants data subjects the right to object to processing for marketing purposes.
  • The LOPDP's provisions on purpose limitation and data minimization also apply to marketing activities.

Additionally, the Organic Law of Telecommunications and the Consumer Rights Act contain provisions related to commercial communications and marketing, which are explained in more detail in the specific section regarding electronic marketing.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

The LOPDP and RLOPDP do not explicitly differentiate between B2B and B2C marketing. The same general principles of data protection apply to both contexts. However, the interpretation and application of these rules might differ in practice:

  • B2C marketing typically involves personal data of individuals, falling squarely under the LOPDP.
  • B2B marketing may involve personal data (e.g., business contact information) and thus also fall under the LOPDP, but there might be more flexibility in interpreting legitimate interests for processing, or in arguing that the processing is necessary to comply with contractual or pre-contractual obligations.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

While not specifically focused on electronic marketing, the following regulations apply:

Organic Law of Telecommunications:

  • Article 22 of the Organic Law of Telecommunications stipulates that Subscribers, clients, and users of telecommunications services shall have the right to not receive mass or individual messages or calls for direct sales, commercial, advertising, or proselytizing purposes that have not been previously and expressly authorized by the client, subscriber, or user. The authorization to receive mass or individual messages, personal visits to the consumer's home, or calls for direct sales, commercial, or advertising purposes may be expressly revoked at any time and without justification, in accordance with the law.

Consumer Rights Act:

  • Article 55 of the Consumer Rights Act establishes that the following constitute abusive marketing practices and are absolutely prohibited for providers: making telephone calls, personal visits to the consumer's home, or unsolicited propositions or offers via telephone, email, text messages, or any other means of communication persistently, ignoring the consumer's request to cease this type of activity, or outside working days and hours, that is, Monday to Friday from 8:00 AM to 8:00 PM, unless expressly requested by the client.

The LOPDP's consent requirements and data subject rights (including the right to object) apply to electronic marketing.

 

What rules specifically deal with cookies?

Ecuador does not have specific legislation dedicated to cookies. However, the use of cookies is governed by general data protection principles in the LOPDP and RLOPDP:

Article 8 of the LOPDP requires obtaining consent for data processing, which would apply to the use of cookies that collect personal data.

The principles of transparency and purpose limitation, and the right to be informed in the LOPDP would require clear information about the use of cookies and limiting their use to specified purposes.

For this reason, data controllers and data processors should have a Cookie Policy on their webpages that complies with the provisions of the LOPDP.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The LOPDP establishes minor and serious sanctions for controllers and processors who fail to comply with the provisions of the data protection regulations:

  • Minor sanctions correspond to a fine between 0.1% and 0.7% calculated on the turnover corresponding to the financial year immediately preceding the imposition of the fine.
  • Serious sanctions correspond to a fine between 0.7% and 1% calculated on the turnover corresponding to the financial year immediately preceding the imposition of the fine.

For the purposes of the sanctioning regime of this Law, turnover is understood as the amount resulting from the sale of products and the provision of services carried out by economic operators during the last financial year corresponding to their activities, after deduction of VAT and other taxes directly related to the economic operation.

In addition to the aforementioned sanctions, corrective measures can be imposed on those who fail to comply with the provisions of the data protection regulations.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Controllers and processors of personal data not established in Ecuador must designate a representative, in accordance with the following rules:

  • When the controller and/or processor of personal data is not domiciled in national territory, as per Article 3, numeral 3 of the LOPDP, they must designate a representative in Ecuador with residence in the country, who has sufficient powers to appear on behalf of their represented party before administrative and judicial instances in the matter.
  • Exceptionally, the designation of such representative will not be necessary when the processing of personal data is occasional and does not include large-scale processing of special category personal data, and it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and objectives of the processing.

The LOPDP applies to organizations outside Ecuador if they: a) offer goods or services to individuals in Ecuador; or b) monitor the behaviour of individuals in Ecuador.

If such is the case, all the provisions of the LOPDP and RLOPDP are applicable to multinational organizations, such as the following:

  • Adherence to core principles like lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
  • Ensure a valid legal basis (e.g., consent, contract, legitimate interests) for processing personal data.
  • Respect and facilitate rights such as access, rectification, erasure, data portability, and objection to processing.
  • Conduct DPIAs for high-risk processing activities.
  • Implement procedures to detect, report, and investigate personal data breaches.
  • Ensure appropriate safeguards for transferring data outside Ecuador.
  • Maintain documentation of data processing activities.

 

What upcoming data protection developments should multinational organisations be aware of?

The LOPDP was enacted in May 2021, but its full implementation is still ongoing. Most organizations (in both the private and public sectors) have not yet achieved full implementation of the LOPDP or RLOPDP.

The establishment of Ecuador's Data Protection Authority is a key development to watch. This authority will be responsible for enforcing the LOPDP and issuing additional regulations. Fabrizio Peralta has been appointed as the Superintendent but the entity is not yet operational. There may be additional regulations or guidelines issued for specific sectors (e.g., finance, healthcare) that process sensitive personal data once the Data Protection Authority becomes operational.

As the enforcement mechanisms of the LOPDP become operational, organizations should be prepared for potential audits and sanctions.

The law requires the creation of a National Register of Personal Data Protection. Organizations should prepare to register the data processing activities once this system is operational.

 

Need more information?
Contact a member firm:
Juan José Holguín
Bustamante Fabara
Ecuador


María José Sotomayor
Bustamante Fabara
Ecuador