Services Team Publications
Corporate Social Responsability About us Join PBP Contact us Family Office
ES EN

Search

August 12, 2025

New regulations on the life cycle of personal data in Ecuador

Internal publications

Personal Data Protection

Resolution No. SPDP-SPD-2025-0030-R - Personal Data Protection Authority

 

On August 7, 2025, the Personal Data Protection Authority issued the Regulations for Pseudonymization, Anonymization, Blocking, Restriction of Processing, and Deletion of Personal Data, which establishes mandatory technical measures and response times for all organizations that process personal data in Ecuador.           

 

These obligations cover the entire data lifecycle, from active processing to final deletion, and set clear rules for the exercise of rights by data subjects.

 

Pseudonymization

  • What is it? The replacement of personal data with pseudonyms, so that it cannot be linked to a data subject without separate and protected additional information.
  • When does it apply?
    • Provision of services or products when it is not essential to know the identity.
    • Scientific, historical, or statistical research processes, including in the healthcare field, applying the principle of minimization.
    • Internal audits, system testing, or security analysis.
  • Requirements:
    • Risk management analysis prior to implementation.
    • Strict control of information that would allow the data subject to be reidentified.
    • Mandatory recording of any re-identification action.
  • Important: Pseudonymized data remains personal data and is subject to the obligations of the Organic Law on Personal Data Protection.

 

Anonymization

  • What is it? A technical measure that eliminates the possibility of identifying or re-identifying the data subject, even when combining data with other sources.
  • Scope:
    • Applicable to all categories of personal data.
    • For sensitive data, a methodology and risk analysis adapted to the nature and context of the processing is required.
  • Health data:
    • Priority should be given whenever possible to avoid identifying the data subject.
    • Prior authorization from the Personal Data Protection Authority is required before processing.
  • Benefit: If the data is properly anonymized, it can be transferred or communicated without the consent of the data subject.

 

Blocking

  • What is it? A measure that disables access to personal data so that it cannot be actively processed.
  • When is it applied?
    • Once the purpose of the processing has been fulfilled, but there is a legal obligation or legitimate basis for retaining the data.
    • As a secure backup for a period defined by sector regulations.
  • Conditions:
    • Limited and restricted access.
    • Prior risk assessment to justify its maintenance.

 

Restriction

  • What is it? The temporary restriction of the processing of personal data at the data subject’s request.  
  • Response time:
    • The controller must suspend processing within no more than 3 days from the request.
    • If there are processors, they must also suspend processing within 3 days from notification.
  • Exceptions: Processing may continue if necessary to:
    • Formulate, exercise, or defend claims of the data subject.
    • Protect the rights of third parties, applying a balancing test.
    • Comply with the public interest as provided for by law.
    • Meet current legal obligations.

Deletion

  • What is it? The permanent deletion of personal data, preventing its access or recovery.
  • Application:
    • All categories of data, including those of deceased persons (through accredited heirs).
    • It may affect all or only part of the data in a processing operation.
  • Deadlines and obligations:
    • Processors and third parties must delete the data within no more than 3 days from notification.
    • The controller must provide the data subject with a document certifying the deletion and the measures taken (physical and digital).
  • Relationship with portability:
    • After transferring the data to another controller, the original controller must delete it, unless there is a legal basis for retention (legitimate interest is not accepted).
  • Contracts with processors: These must include specific clauses to guarantee the return or deletion of data at the end of the relationship.

 

PBP Recommendations

  1. Update internal policies and manuals to include these five procedures.
  2. Review contracts with processors and third parties, ensuring compliance with deadlines and obligations.
  3. Implement documented protocols for pseudonymization, anonymization, blocking, restriction, and deletion.
  4. Train internal teams to meet three-day deadlines and maintain traceability of actions.

 

At Pérez Bustamante & Ponce, we offer comprehensive advice to help your company adapt to these new regulations, reducing regulatory risks and strengthening customer confidence.

Editorial Board

Share article