The Organic Personal Data Protection Bill, presented by the government on September 19, 2019 and assigned to the Committee for Sovereignty, Integration, International Relations and Security, was approved in the second debate by the Plenary of the National Assembly on May 10, 2021. The motion to approve the full text in the report for the second debate was approved by a clear majority of 118 out of 137 assembly members, with one abstention. The approved text has been sent to the President of the Republic for his analysis and approval, and he must issue a pronouncement within 30 days.
This Bill is a significant step toward properly regulating today's digital economy. It establishes the principles for processing personal data, the rights of data holders, the obligations of the parties involved and the restrictions on collecting and using such data. With this Law, Ecuador will join the list of countries whose data protection regulations meet an adequate standard of protection, aligning with European regulation. It is important to note that the Law provides for a two-year adaptation period, during which business practice must be brought into line with the regulations before penalties become applicable.
1. Scope of application: It applies to all data that identifies or makes identifiable an individual, regardless of format. It excludes processing for family use, data of deceased persons, data regulated by norms of equal or higher hierarchy, anonymized data, journalistic uses, security and risk management by the State, criminal investigation, and data of legal entities.
The following are considered accessible to the public and may be processed: contact details of professionals, and data of merchants, of representatives, partners and shareholders of legal entities, and of public servants, provided that the data refers to the practice of their profession, trade, line of business, capacity, faculties, powers or position, and is limited to names and surnames, position or duties performed, postal or email address, and professional telephone number.
2. Territorial scope: The Law governs processing carried out in Ecuador; processing where the controller or the processor is resident in Ecuador; processing where goods or services are offered to persons in the national territory; and processing to which Ecuadorian law applies by reason of a contract.
3. Consent: The regulations establish that all consent must be free, prior, specific, informed, unequivocal, and can be revoked at any time. In the case of sensitive data, consent must be expressly given.
4. Lawful basis for processing: Processing is lawful when it rests on consent; compliance with a legal obligation; a court order; public interest; pre-contractual measures; protection of vital interests; or legitimate interest.
5. Principles: Lawfulness, fairness, transparency, purpose, relevance and minimization of personal data, proportionality of processing, confidentiality, quality, retention, security of personal data, proactive and demonstrable accountability, application favorable to the holder, and independence of control.
6. Rights: To be informed, of access, to rectification, to erasure, to object, to data portability, not to be subject to a decision based solely on automated processing, to suspension of processing, and of consultation.
7. Special categories of data: Sensitive data, data of minors, health data, data of disabled persons.
8. Transfer of personal data: Transfers are permitted when the holder has given consent, when the transfer is necessary to achieve the authorized purposes, or when it rests on any of the other lawful bases for processing.
9. Security: The controller and the processor must adopt the following security measures: (i) data protection by design and by default, (ii) risk analysis, (iii) additional security measures appropriate to the risk, and (iv) impact assessment.
10. Notification of a security breach: The controller must notify the authority within a maximum of 5 days of becoming aware of the breach; the processor must notify the controller within a maximum of 2 days of becoming aware of it. The holder must be notified when the breach poses a risk to their fundamental rights.
11. National Register: The Law establishes the obligation to register files and databases containing personal data.
12. International transfer: The Law distinguishes between countries with an "adequate" and an "inadequate" level of protection; for inadequate countries, alternative mechanisms are provided to guarantee proper processing.
13. Exercise of rights: The holder can exercise their rights directly before the controller or through the authority. The controller has 10 days to meet the request.
14. Data protection officer: Appointment is mandatory for the public sector and, in the private sector, when the controller's activities require it due to the volume and type of data processed.
15. Proactive accountability: In addition to the obligations in the Law, controllers and processors may voluntarily adopt certification seals, codes of conduct, protection marks, standard clauses and other mechanisms that ensure adequate processing.
16. Breaches: Failure by the controller or processor to comply with their obligations and with the provisions of the Law may be classified as a serious or a minor breach and entails corrective measures or penalties.
17. Penalties: Penalties are graded according to whether the breach is minor or serious. For minor breaches, the public sector faces fines of up to 10 Unified Basic Salaries (SBU) and the private sector fines of 0.1% to 0.7% of sales volume. For serious breaches, the public sector faces fines of up to 20 Unified Basic Salaries (SBU) and the private sector fines of 0.7% to 1% of sales volume.
18. Data Protection Authority: The creation of an independent authority, a superintendency, is provided for.
19. General provisions: Procedural matters will be governed by the Organic Administrative Code (COA); a Register of Controllers and Processors in Breach is created; and efforts will be made so that indigenous peoples receive information about processing in their own languages.
20. Transitional provisions: The penalty regime and the enforceability of the Law's obligations are subject to a two-year transition period.
21. Reform provisions: E-commerce, E-signature and Data Message Law; Organic Law on the National Public Records System; Organic Knowledge Economy Code; Organic Telecommunications Law.
22. Repealing provisions: Article 9 of the E-Commerce, E-signature and Data Message Law; Articles 80 and 84 of the Organic Telecommunications Law; and Article 5 of the Organic Law on the National Public Records System, all of which conflict with the new Law.