Important aspects regarding the Personal Data Protection Law
Important aspects regarding the Personal Data Protection Law
By Juan Fernando Riera
The following are important aspects of the Personal Data Protection Law, published in Official Gazette No. 459. Fifth Supplement dated May 26, 2021:
- The LPDP seeks to ”guarantee the exercise of the right to the protection of personal data, which includes the access and decision on information and data of this nature, as well as its corresponding protection”. In this sense, through its articles, the law seeks to ”regulate, provide for and develop principles, rights, obligations and mechanisms of protection”.
- The Law regulates and applies the processing of personal data in any form of support, with certain exceptions. Among the exceptions, it is important to note that data that identify or make identifiable legal entities will not be considered within the scope of the control of this body of law.
- The scope of application is quite extensive since it establishes the validity of its regulations extraterritorially when the processing of personal data of owners residing in Ecuador is carried out from another territory.
- The law establishes in detail what entails the legitimate processing of personal data and thus points out, among other situations, the processing of data when the owner gives consent for the processing of his data for a specific purpose.
- The ”conditions” with which the consent of the holder must comply in order to be valid are established; these are: free, specific, informed, and unequivocal. Likewise, it is established that celerity, efficiency and free of charge must be guaranteed in case the holder wishes to revoke.
- It can be foreseen that the regulatory body establishes different rights for the owners of the data and within these are granted mechanisms and deadlines for the attention of the data controllers. The common term is 15 days.
- The rights may be exercised by their holders, and in the case of minors under 15 years of age, through their guardian. The power is granted to persons over 15 years of age to exercise their rights to the protection of their personal data.
- Responsibilities and obligations for data controllers are established. Among the most important is the obligation for these persons, whether legal or natural persons, to have an analysis of risks, threats and vulnerabilities.
- This body of law also establishes a sanctioning regime, which was one of the most discussed points in the legislature. The Bill initially establishes fines of up to 17% of the gross sales value of a company or individual. Now, in the enacted Law, a maximum penalty of 1% of the gross value of sales has been included.
- The following transitional regime is established for the entry into force of the new regulations on Personal Data Protection:
- The provisions related to the corrective measures and the sanctioning regime will become effective two (2) years after the publication of this law in the Official Gazette; and,
- Any processing carried out prior to the entry into force of this Law must be brought into compliance with the provisions of this regulation within two years of its publication in the Official Gazette.
It is important to point out that although 2 years are established for the application of corrective or sanctioning measures, the obligations and rights become effective as of the publication of the Law.