The figure of the data protection representative in Ecuador
Regarding the processing of personal data and its protection, the Organic Law on Personal Data Protection (LOPDP) and its Regulations determine a list of members for the management of this matter. Among which you can find al:
- Headline;
- Person in charge and person in charge of the treatment;
- Addressee;
- Control Authority
- Delegate of personal data protection.
The latter is one of the most relevant agents for compliance with the Law, the Regulations and related rules. The person known as Data Protection Officer (DPO) is defined in the LOPDP as the natural person appointed through a contract for the provision of services or under the figure of a dependency relationship.
What are the requirements to become a DPO?
The Regulations to the Law provide that the DPD must meet certain requirements, such as:
- To be in enjoyment of political rights;
- Be of legal age;
- Hold a third level degree in Law, Information Systems, Communication, or Technology;
- At least five years of professional experience.
When is a DPO appointed?
The Data Protection Law foresees the cases in which a Data Protection Officer should be appointed:
- When the processing is carried out by public sector entities;
- When a permanent and systematized control is required due to its volume, nature, scope or purposes;
- When the treatment is on a large scale;
- When the data processing is not for national security or defense of the State.
It should be noted that the Personal Data Protection Authority may establish new conditions for the appointment of a DPO.
What are the functions of the DPO?
Among the functions and attributions of the Data Protection Delegate, presented by the Law, we can find:
- Advise on the provisions contained in the regulations concerning data protection;
- Supervise compliance with regulations;
- Advise on risk analysis, impact assessment and evaluation of security measures, and supervise their implementation;
- Cooperate with the Personal Data Protection Authority and act as a point of contact;
- Others that may be established by the Personal Data Protection Authority.
In this context, it is essential that the contract entered into with the DPD clearly specifies the scenarios in which its intervention will be required. Likewise, the updating of the internal procedures of the Controllers or Processors must contemplate the participation of the DPD to ensure supervision and advice on personal data protection. This comprehensive approach will help establish a complete framework of organizational, technical and legal measures within each company.
The LOPDP Regulation establishes that the function of the DPD must operate independently from the Controller and the Processor. Therefore, it is important that both the Controllers and the Processors sign confidentiality agreements with the DPD in relation to the information to which the latter has access and may become aware of in the performance of his or her duties.
At HEKA, we specialize in offering the Personal Data Protection Delegate service, with the objective of ensuring regulatory compliance in accordance with the principles established in the LOPDP.
We are committed to ensuring that our functions are carried out with a holistic view of the regulatory ecosystem that affects the management of personal data and implement practical solutions to enable business and industry activities.
