Ecuador’s new data protection law

June 17, 2021

Orange and yellow gradient

Ecuador’s new data protection regulation has now become law. The draft Organic Law on the Protection of Personal Data received no objections from the President of the Republic and has been published in the Official Registry, therefore becoming law.

Register for the webinar: Ecuador Privacy: What You Need to Know About the New Law

The new law establishes a national data protection authority, regulates cross-border data transfers, and provides citizens with the rights including the right to request access to, amend and delete their personal data.

What does Ecuador’s new law look like?

This new regulation is Ecuador’s first dedicated data protection law, and some of the key areas are outlined below:

  • Data protection principles: The draft law recognizes many familiar data protection principles, including transparency, purpose limitation, confidentiality, limited retention, accountability and data accuracy, and processor and controller obligations.
  • Extraterritorial scope: Processors and controllers located outside of Ecuador must comply with the new law if they offer goods and services to Ecuadorian residents. Nevertheless, it does not oblige processors and controllers to have any representative in the country that will comply with the different obligations recognized in the law.
  • Data subject rights: The law brings with it new data subject rights, including the right to access, to rectification, to deletion, of cancellation, to portability, to object, not to be subject to a decision based solely on automated processing, and the to be forgotten.
  • DPO requirements: Establishes controller and processor obligations for appointing a data protection officer, depending on the data being processed, and requires all public authorities to have a DPO. The DPO will work with the data protection authority and be the point of contact for data subjects.
  • Penalties: The law makes a distinction between minor and major infringements, with sanctions ranging from 3% to 17% of an organization’s annual revenue from the previous year. The DPA will decide on the sanction based on the severity of the infringement and the intention of the relevant party.

Register for the webinar: Ecuador Privacy: What You Need to Know About the New Law

How can OneTrust support compliance with Ecuador’s new data protection law?

OneTrust’s solutions can help you comply with Ecuador’s new privacy regulation, including:

  • Privacy Management Software: Operationalize and introduce automation to your Ecuador compliance requirements including opt-outs, consumer rights, and privacy governance operations.
  • Regulatory Research: With OneTrust DataGuidance you can leverage the world’s most in-depth and up to date source of regulatory research to make sure your program stays on top of the latest developments.
  • Professional Services: Get support with planning and implementing your Ecuador compliance program with our implementation and validation services.

Ecuador’s new data protection regulation has now become law, for the latest insight be sure to register for our webinar Ecuador Privacy: What You Need to Know About the New Law on June 29, or to find out more about how OneTrust can support your compliance request a demo today.

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more