Published legislation and draft legislation - Ecuador

New bill to ensure personal data protection

Organic Bill

The bill has become necessary because of the changing nature of information exchange under new technologies. Legislation is required to strengthen personal data protection for ordinary citizens and prevent their data being used for illicit purposes.

Following the lead of countries and territories such as Colombia, Paraguay, Dominican Republic and the European Union, which have passed new data protection regulations, Ecuador is joining the endeavour to ensure people’s right to privacy in the collection of their personal data in databases, filing systems, physical or digital archives, in both public and private institutions when this is exclusively for commercial financial ends.

The bill lays out a set of guiding principles that must be respected when creating, administering and managing databases, filing systems, physical and digital archives, and also when third party personal data is being handled. The principles are: legality, relevance, accuracy, informed consent, confidentiality and secrecy.

The bill also recognises that people whose data are being processed have certain rights, such as being able to know, update and correct the data about them, to be informed as to what the data is being used for, to be able to access their data free of charge, etc. Special protection is granted to the rights of children and adolescents.

The text establishes the duties and obligations of those in charge of processing personal data and of the database.

The bill puts the National Personal Data Protection Authority in charge of overseeing and supervising this information, giving it powers to guarantee that the principles, rights, guarantees and legal provisions around personal data collection are safeguarded at all times.

This Authority is required to set up a National Database Registry within one hundred and eighty (180) days after the bill passes into law. During this time all databases, filing systems and archives of all public- and private-sector data-processing entities with exclusively financial and commercial ends must be registered.

Furthermore, the bill prohibits the international transfer of personal data of any kind, to other countries or international bodies that do not provide data protection levels in line with the standards of Ecuador or with those laid down by international law.

Finally, it includes a classification of infractions (minor and serious) and sanctions that will be imposed on those who fail to comply with their duties and obligations under the law, as determined by the National Personal Data Authority depending on the degree of non-compliance and the harm resulting from it.

The law provides for implementing regulations to be drafted for application within 90 days after it is enacted.