2026-02-02

Resolution No. SPDP-SPD-2026-0003-R: General Regulation on the Processing of Personal Data in Family or Household Activities

The Superintendency of Personal Data Protection of Ecuador has approved the General Regulation on National and International Transfers or Communications of Personal Data. This regulation aims to govern the technical and legal procedures and requirements necessary to guarantee the exercise of personal data protection rights in information flows, both within and outside Ecuadorian territory.

Note: This regulation is mandatory for data controllers, as well as for processors carrying out transfers on behalf of a controller.

Key concepts

National transfer or communication: The disclosure of personal data to a third party within national territory, whereby the recipient assumes the role of data controller.

Cross-border data flow: An international transfer or communication carried out to a recipient located in a country other than the country of origin, regardless of the medium or format used.

Adequate safeguards: Measures implemented (such as contractual clauses or certifications) when the destination country does not have a recognized adequate level of protection.

Conditions for data transfers

For a transfer (national or international) to be lawful, it must comply with the following:

Purpose: Must be lawful, legitimate, and specific.

Legal basis: Must be supported by a legal basis in accordance with the Personal Data Protection Law.

Consent: Must be prior, free, specific, informed, and unequivocal, except in cases provided by law.

Security: Implementation of secure mechanisms, such as encryption, to preserve data integrity and confidentiality.

Mechanisms for International Transfers

Adequacy Decision: The Superintendency may declare that a country or organization provides a level of protection equivalent to that of Ecuador. These decisions are valid for a maximum period of four (4) years and are subject to annual review.

Adequate Safeguards: These include:

Standard Contractual Clauses: The SPDP recognizes as its own the model clauses issued by the Ibero-American Data Protection Network (RIPD).

Binding Corporate Rules: For transfers within the same corporate group.

Codes of Conduct and Certifications: Instruments that evidence compliance with data protection standards.

Obligations of the Controller and Recipient

Documentation: Documentation evidencing the lawfulness of the transfer (contracts, impact assessments, etc.) must be retained for at least three (3) years.

Rights notification: If a data subject exercises rights of rectification or erasure, the controller must notify the recipient so that such rights are also enforced.

Recipient’s responsibility: The data recipient must respect the original purposes and refrain from onward transfers without a proper legal basis.

Transitional Provisions (Regularization)

Organizations that carried out data transfers prior to this regulation have a twelve (12) month period to regularize them by notifying the SPDP and submitting an adjustment plan.

Important: Failing to comply with regularization processes, or carrying out transfers without the appropriate safeguards, will be subject to the sanctions provided for by law.

To obtain further details about the Regulation, please contact our Personal Data Protection team.