General Regulations of the Organic Law for the Protection of Personal Data, by means of Executive Decree No. 904.
President Guillermo Lasso issued the General Regulations of the Organic Law on Personal Data Protection through Executive Decree No. 904. The Regulations contain 14 chapters, 90 articles, 1 general provision, 1 transitory provision and 1 final provision. This Regulation complements the Organic Law on Personal Data Protection issued on May 26, 2021, whose sanctioning regime came into force on May 26, 2023.
As we have been anticipating, the Regulation establishes specific guidelines that provide feasibility for the definition of the actions to be taken by the entities that process personal data.
In this Newsletter, we present for your consideration the most relevant elements of the Regulation:
- Conservation period
The periods for the conservation of personal data shall not exceed those that are strictly necessary for the fulfillment of the purposes of the processing.
The Data Protection Authority shall regulate the retention periods in accordance with the provisions applicable to the matter in question.
- File Registration
Personal Data Controllers must register the database files, containing the following information: the period of conservation, nature of the data, its processing and purpose.
- Registration of processing activities
The person in charge of the Treatment that has one hundred or more workers, shall keep a record of activities that shall contain:
- Name and contact details of the person in charge and, if applicable, of the person in charge acting jointly with the person in charge. As well as the name and contact details of the data protection officer;
- Treatment purposes;
- Categories of recipients to whom personal data have been or are communicated;
- Identify the data subjects and the categories of personal data of the data subjects;
- If applicable, the use of profiles;
- Where appropriate, define transfers of personal data to third country bodies or to an international organization;
- Description of the legitimate grounds for the processing;
- The retention periods foreseen for the deletion or review of the need to retain the different categories of personal data; and,
- An overview of the technical, legal, administrative and organizational measures.
The record shall be kept in writing or electronically. Controllers shall make the records available to the Personal Data Protection Authority upon request.
- Data Protection Officer
Those companies that fall within the parameters of big data scale, must have a Personal Data Protection Officer on a mandatory basis. Article 4 of the Regulation establishes that the following activities are treated on a large scale: those entities that are part of the National Health System, including hospitals; public transportation; any entity that provides a real-time geolocation service; the entities that make up the national insurance system, including agents, providers, brokers, financial institutions; behavioral advertising activities by search engines; internet and telephone telecommunications providers.
Business groups may appoint a single personal data protection officer, to the extent that he or she can perform his or her activities and without this generating a conflict of interest.
The requirements to be a delegate are:
- To be in enjoyment of political rights;
- Be of legal age;
- Hold a third level degree in Law, Information Systems, Communication, or Technology; and
- At least five years of professional experience;
Impediment to be a delegate:
Those who are part of the administration and control bodies of the responsible and in charge;
The partners or shareholders of the person responsible and in charge;
The spouses of the administrators, directors or commissioners of the company, if any, of the person in charge and the person in charge, or their relatives up to the fourth degree of consanguinity or second degree of affinity; and,
Those who have conflicts of interest with the person responsible and in charge, for which the Personal Data Protection Authority will issue the corresponding regulation establishing the assumptions that will give rise to such conflict of interest.