Skip to main content

Personal Data Protection Act: Ecuador’s Current Challenges


A highly advanced Personal Data Protection Law to become into force on May 31st 2023, brings some challenges to Ecuador’s economy while preparing for compliance. We will get into some challenges Ecuador is facing on these last months of preparations.

Ecuador’s legal system tends to hyperregulate activities, and provide specific obligations that lead to compliance. However, Ecuadorean Personal Data Protection Act, introduces a new manner to regulate and a new scope of Law that has not yet been tried in Ecuador before.

Much needed Ecuadorean Personal Data Protection Act (PDPA) was issued on May 26th 2021. Prior to such Law, Ecuador protected Personal Data – in general terms – through  a Constitutional provision which grants Data Subject the right to decide upon its data processing. However, even though some sectors, as Telecommunications, had specific regulation regarding the processing of personal data and its protection, in general terms, data processing, data bases and access to personal data, had not been subject to any kind of efficient legal protection, or accessibility limits.

PDPA is Ecuador’s first Personal Data Protection Law. It was drafted based on the European Personal Data Regulation 679/2016 principles and obligations. Therefore the standard that private and public sector must reach, is very high. The Law establishes a period of two years before its enforceability. This period ends on May 26th 2023.

Very close to PDPA’s date of enforceability,  the regulations to the Law are still being discussed. Companies are already working on the compliance to the Law. However, the regulations must enable the incorporation of the control authority. We are still pending on seeing how the control authority will work, and acquire the knowledge on a compliance matter very new with much difficulties on finding senior professionals.

Compliance faces a reality challenge: companies have been processing data, with no parameters on objective, scope and timeframe; data has been gathered disregarding the services or goods provided by a company; data has not been well classified. Accuracy is a problem and technicalities are lacking. Additionally, most entities have just started to, or are about to start their implementation phase, in which most of this mentioned issues – and others – will come out.

The lack of Digital Transformation in public and private sectors has also been an issue. Ecuador has been promoting digital transformation. However, in a very regulated state, the digital transformation of the state will surely incentive the private sector to speed up its process. While digital transformation is far behind, the need to establish automated processes and integrations to reduce manpower is more difficult.
Finally, privacy professionals encounter the challenge in the practical privacy management side. With a lack of senior privacy professionals, the low likelihood to handle privacy with software and automated processes, entities are entering a legal framework which will be challenging to comply with, until the learning curve flattens. In the meanwhile, privacy professionals will need to come by each other to agree on criteria, and way forwards to allow entities to comply with the law, and help the control authority to engage in its endeavor, without jeopardizing the economy with high sanctions.


Article provided by INPLP member: Andrés Terán (HEKA LAW FIRM, Ecuador)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.