Ecuador has a new data protection law

Ecuador’s National Assembly unanimously approved a new data protection law on May 10, 2021. The new data protection law was already countersigned by the now former President Moreno on May 21, 2021.

The EU’s General Data Protection Regulation (GDPR) has served as the model for enacting the law. For example, it has imposed obligations on the controller to implement appropriate technical and organizational security measures in the company. Further, it has to appoint a data protection officer and inform individuals before processing certain personal data. Accordingly, the law not only contains obligations for the relevant processors, but also endows the data subjects with their own protection rights. Thus, data subjects have the right to request access to, modification and deletion of their personal data.

The Data Protection Law also provides for the establishment of a national data protection authority. It also contains regulations for international and cross-border data exchange.

In contrast to the GDPR, however, the Data Protection Act provides lower fines for violations. The level of penalties here has been set between 0.1% and 1% of a company’s annual turnover. The specific amount is also made dependent on the severity of the violation, among other factors. The GDPR’s catalog of fines, on the other hand, provides fines of up to 20 million euros. Fines of up to four percent of the annual turnover achieved worldwide in the last financial year are also possible.

The reason for passing the new law was a massive data breach that resulted in the personal data of up to 20 million people being made available online.