Ecuador Data Privacy Laws: LOPDP Compliance Guide (2026)

Ecuador's personal data protection is governed by the Ley Orgánica de Protección de Datos Personales (LOPDP), enacted in May 2021 and fully enforceable since May 2023. The SPDP supervises compliance and issued its first sanctions in December 2025, fining LigaPro and the FEF for consent violations under Article 68(1) of the LOPDP.
Ecuador occupies a distinctive place in Latin American data protection. Its 2021 Ley Orgánica de Protección de Datos Personales (LOPDP) drew its architecture directly from the EU General Data Protection Regulation (GDPR). After a two-year implementation period, the law became fully enforceable in May 2023. The supervisory authority, the Superintendencia de Protección de Datos Personales (SPDP), went from standing up its operations in 2023 through a dense regulatory agenda in 2025 and, in December 2025, issued its first enforcement actions against two Ecuadorian football organizations.
This guide covers every layer of Ecuador's data protection framework: the constitutional foundation, the LOPDP's core provisions, data subject rights, legal bases, DPO requirements, breach notification, cross-border transfer rules, the penalty structure, and the wave of regulatory development that continues through 2026. For context on recording consent law in Ecuador, see Ecuador recording laws.
Quick Answer
Ecuador's data protection law is the LOPDP, published in the Official Registry on May 26, 2021. The law is fully in force as of May 2023. The SPDP enforces it with fines up to 10% of annual turnover. In December 2025 the SPDP imposed the country's first administrative sanctions, USD 259,644 on LigaPro and USD 194,856 on the FEF, for failing to obtain valid consent and for inadequate technical and organizational measures. Organizations processing personal data of Ecuadorian residents must maintain a record of processing activities, designate a DPO in certain cases, conduct impact assessments for high-risk processing, notify breaches within five business days, and comply with specific safeguards for cross-border transfers.
Constitutional Foundation
Ecuador's data protection framework begins not with a statute but with the constitution. The 2008 Constitution provides one of the strongest constitutional bases for data protection in the hemisphere.
Article 66(19) recognizes the right to personal data protection, including the right to access personal data held by public or private entities, to know the purpose and origin of that data, and to request rectification, updating, or destruction. Article 66(21) extends the protection to informational self-determination: the individual's right to control information about themselves.
Article 66(20) establishes a distinct right to personal and family privacy. Article 92 creates the constitutional action of habeas data, which allows any person to petition a judge to order access to, rectification of, or deletion of personal information held by any public or private entity.
Because the LOPDP was enacted as an organic law (a category requiring a qualified legislative majority under Article 133 of the Constitution), it occupies a higher tier in Ecuador's legal hierarchy than ordinary legislation. Ordinary laws cannot override or narrow its protections.
The LOPDP at a Glance
The LOPDP was published in Official Registry Supplement No. 459 on May 26, 2021. It established a two-year implementation window that expired on May 26, 2023. Executive Decree No. 904, issued in November 2023, promulgated the implementing regulations (Reglamento a la LOPDP) that added procedural detail on breach notification, DPO appointment, and data protection impact assessments.
Scope and Territorial Reach
The law applies to any processing of personal data carried out in Ecuadorian territory or directed at individuals located in Ecuador, regardless of where the controller or processor is established. This mirrors the GDPR's extraterritorial logic: a business operating from outside Ecuador that targets Ecuadorian residents is subject to the LOPDP.
The law covers processing in both the public and private sectors. Courts acting in their judicial capacity are the principal carve-out.
Core Principles
Every processing activity under the LOPDP must comply with the following principles:
Legality: A valid legal basis must exist before processing begins.
Loyalty and transparency: Data must be collected through fair means, and data subjects must be informed about how their data is used.
Purpose limitation: Data may only be used for the specific, explicit, and legitimate purposes stated at the time of collection.
Proportionality and data minimization: Only data that is adequate, relevant, and limited to what is necessary may be processed.
Data quality: Personal data must be accurate, complete, and current.
Retention limitation: Data must not be retained beyond what is necessary to fulfill the stated purpose.
Security: Appropriate technical and organizational measures must be implemented to protect data against unauthorized access, loss, or disclosure.
Accountability and proactive responsibility: Controllers must be able to demonstrate that they comply with these principles, not merely assert compliance.
Key Definitions
Personal data (datos personales): Any information relating to an identified or identifiable natural person.
Sensitive data (datos sensibles): A special category encompassing ethnic origin, gender identity, health data, biometric data, genetic data, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, criminal records, migration status, and ideological affiliation.
Controller (responsable del tratamiento): The person or entity that determines the purposes and means of processing.
Processor (encargado del tratamiento): The person or entity that processes data on behalf of the controller.
Data subject (titular): The natural person to whom the data relates.
Legal Bases for Processing
The LOPDP follows the GDPR's approach of requiring a valid legal basis for every processing activity. For ordinary personal data, six bases are available.
Consent: The data subject has given free, specific, informed, and unambiguous consent for one or more defined purposes. Consent may be withdrawn at any time without negative consequences.
Contractual necessity: Processing is necessary to perform a contract to which the data subject is a party or to take pre-contractual steps at the data subject's request.
Legal obligation: Processing is required to comply with a legal duty imposed on the controller by Ecuadorian law.
Vital interests: Processing is necessary to protect the life or physical integrity of the data subject or another person when the data subject is incapable of consenting.
Public interest or official authority: Processing is necessary for a task performed in the public interest or in the exercise of official authority.
Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the data subject's rights and freedoms.
In November 2025, the SPDP issued Resolution No. SPDP-SPD-2025-0041-R, establishing detailed requirements for organizations that invoke legitimate interest. Controllers must conduct and document a prior written balancing test demonstrating that their interests do not override individuals' fundamental rights. The resolution adds a layer of procedural rigor that makes the legitimate interest basis more demanding in Ecuador than in some other GDPR-aligned regimes.
For sensitive data, only explicit consent or specific statutory exceptions permit processing. Those exceptions include obligations under employment law, protection of vital interests when consent cannot be obtained, processing by non-profit bodies regarding their own members, and other narrowly defined circumstances.
Data Subject Rights
The LOPDP grants data subjects a comprehensive set of rights that parallel the GDPR framework.
Right of information: Before or at the time data is collected, controllers must inform subjects of the controller's identity, the purpose of processing, the legal basis, the categories of data collected, potential recipients, retention periods, and the existence of data subject rights.
Right of access: A data subject may request confirmation of whether their data is being processed and, if so, receive a copy. The controller must respond within 10 business days.
Right of rectification: Individuals may request correction of inaccurate or incomplete personal data.
Right of deletion (erasure): Data subjects may request erasure when the data is no longer necessary, consent has been withdrawn, the processing was unlawful, or a legal obligation requires deletion. Exceptions apply for legal obligations and matters of public interest.
Right to object: Data subjects may object to processing based on legitimate interests or public interest grounds. The controller must suspend processing unless it demonstrates compelling legitimate grounds that override the data subject's interests.
Right to restrict processing: Individuals may request that processing be limited in defined circumstances, such as when the accuracy of the data is contested pending verification.
Right to data portability: Data subjects may receive their data in a structured, commonly used, and machine-readable format and may transmit it to another controller without obstruction.
Right not to be subject to automated decisions: Individuals have the right not to be subjected to decisions that produce legal or similarly significant effects and that are based solely on automated processing, including profiling.
Right to be informed of breaches: When a data breach is likely to result in high risk to a data subject's rights and freedoms, that person must be notified without undue delay.
Data Breach Notification
The LOPDP and its implementing regulations establish a tiered breach notification obligation.
When a personal data breach occurs, the controller must notify the SPDP within five business days of becoming aware of the incident. The notification must describe the nature of the breach, the categories and approximate number of individuals and records affected, the name and contact details of the DPO or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it.
When the breach is likely to result in high risk to the rights and freedoms of affected individuals, the controller must also notify those individuals directly without undue delay. The notification must be written in plain language and describe the nature of the breach, the name and contact of the DPO, the likely consequences, and the steps the controller is taking to mitigate the impact.
Note that Ecuador's five-business-day notification window to the authority is slightly more lenient than the GDPR's 72-hour clock, though both regimes impose a prompt obligation. Controllers should not wait until the deadline if information is available sooner.
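The two deadlines this guide states in business days (five to notify the SPDP of a breach, ten to answer an access request) are easy to get wrong when weekends and public holidays intervene. The following deadline calculator is an added example, not code from the guide or from the SPDP. It assumes, as working conventions, that a business day is Monday to Friday excluding a supplied holiday calendar, and that counting starts on the first business day after the triggering event (the day the controller became aware of the breach, or the day the request was received). Both conventions and the sample holiday list are assumptions to confirm with counsel, not a reading of the LOPDP or its regulations.

```python
"""Business-day deadline calculator for LOPDP response windows.

Added example; assumptions: Mon-Fri business days minus a supplied holiday
calendar, counting from the first business day after the trigger date.
"""
from datetime import date, timedelta

# Deadlines as stated in the guide.
SPDP_BREACH_NOTIFICATION_DAYS = 5    # notify the SPDP within five business days
ACCESS_REQUEST_RESPONSE_DAYS = 10    # answer an access request within ten business days

# Constructed sample holiday calendar; not an official Ecuadorian list.
SAMPLE_HOLIDAYS = frozenset({
    date(2026, 1, 1),
    date(2026, 5, 1),
})


def is_business_day(day, holidays=SAMPLE_HOLIDAYS):
    """Monday to Friday and not in the holiday calendar (assumed convention)."""
    return day.weekday() < 5 and day not in holidays


def add_business_days(start, count, holidays=SAMPLE_HOLIDAYS):
    """Return the date `count` business days after `start`; `start` itself is not counted."""
    if count < 0:
        raise ValueError("count must be non-negative")
    current = start
    remaining = count
    while remaining > 0:
        current += timedelta(days=1)
        if is_business_day(current, holidays):
            remaining -= 1
    return current


def spdp_notification_deadline(aware_on, holidays=SAMPLE_HOLIDAYS):
    """Last day to notify the SPDP, counted from the day the controller became aware."""
    return add_business_days(aware_on, SPDP_BREACH_NOTIFICATION_DAYS, holidays)


def access_request_deadline(received_on, holidays=SAMPLE_HOLIDAYS):
    """Last day to answer a data subject access request, counted from receipt."""
    return add_business_days(received_on, ACCESS_REQUEST_RESPONSE_DAYS, holidays)


def business_days_remaining(today, deadline, holidays=SAMPLE_HOLIDAYS):
    """Business days left until the deadline; 0 on the deadline, negative once overdue."""
    if today <= deadline:
        return sum(1 for i in range(1, (deadline - today).days + 1)
                   if is_business_day(today + timedelta(days=i), holidays))
    return -sum(1 for i in range(1, (today - deadline).days + 1)
                if is_business_day(deadline + timedelta(days=i), holidays))


if __name__ == "__main__":
    # Constructed scenario: awareness late on a Friday, with a holiday the next Friday.
    aware = date(2026, 4, 24)
    deadline = spdp_notification_deadline(aware)
    print("aware on", aware, "-> SPDP notification due", deadline)
    print("business days left as of", date(2026, 4, 29), "=",
          business_days_remaining(date(2026, 4, 29), deadline))
```

The calculator is meant to feed an incident-response tracker: record the awareness date when the incident is opened, compute the SPDP date once, and surface `business_days_remaining` on the incident dashboard so the team notifies well before the window closes rather than on its last day.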
Data Protection Officer Requirements
The LOPDP requires certain organizations to appoint a Data Protection Officer (DPO). The mandatory obligation applies to:
- Public authorities and government entities (with the exception of courts in their judicial capacity)
- Controllers or processors whose core activities involve large-scale processing of sensitive personal data
- Controllers or processors whose core activities require regular and systematic monitoring of individuals on a large scale
In July 2025, the SPDP issued Resolution No. SPDP-SPD-2025-0028-R, the General Regulation on Data Protection Officers. This resolution significantly expanded the detail of DPO requirements.
Qualification Standards
Under the 2025 DPO Regulation, a DPO must:
- Be of legal age and in full exercise of civil and political rights
- Hold a bachelor's degree in Law, Information Systems, Communications, Technology, or a related discipline
- Have at least five years of verifiable professional experience in data protection or related fields
Beginning January 1, 2029, DPOs must also complete a professional training program officially recognized by the SPDP, offered by a higher education institution whose curriculum meets the minimum content standards in Resolution No. SPDP-SPD-2025-0004-R (the DPO Professionalization Regulation issued earlier in 2025).
Registration and Functional Independence
Organizations required to appoint a DPO must register that appointment with the SPDP within 15 days. Failure to register constitutes a violation under the LOPDP. The DPO registration window for obligated entities was November 1 through December 31, 2025.
The DPO must operate with functional independence. The controller may not dismiss or penalize the DPO for performing their duties. The DPO reports directly to the highest level of management and must not receive instructions regarding the exercise of their responsibilities.
Core DPO functions include advising on data protection obligations, monitoring internal compliance, assisting with data protection impact assessments, cooperating with the SPDP, and serving as the principal contact point for data subjects and the supervisory authority.
Organizations not required to appoint a DPO may do so voluntarily, in which case the same independence and qualification requirements apply.
Data Protection Impact Assessments
The LOPDP and its regulations require data protection impact assessments (DPIAs) for high-risk processing activities. A DPIA is mandatory when processing is likely to result in high risk to the rights and freedoms of data subjects given the nature, context, or purposes of the processing.
Specific triggers include:
- Systematic and exhaustive evaluation of personal aspects of individuals based on automated processing, including profiling, where decisions producing legal or similarly significant effects are made
- Large-scale processing of sensitive data or data relating to criminal convictions and offences
- Systematic large-scale monitoring of publicly accessible areas
In February 2026, the SPDP issued Resolution No. SPDP-SPD-2026-0005-R, the General Rule on Large-Scale Processing of Personal Data. This resolution introduced the Large-Scale Technical Model (Modelo Técnico de Gran Escala, MTGE), which provides a structured scoring framework. The MTGE evaluates six variables:
- Number of data subjects affected
- Volume of data processed
- Categories of data involved (with sensitive data weighted higher)
- Frequency of processing
- Duration of processing
- Geographic scope of processing
A total score equal to or greater than six points means the processing qualifies as large-scale, triggering the heightened requirements including mandatory DPO appointment and DPIA obligations. This objective scoring methodology reduces ambiguity and gives organizations a clearer compliance roadmap than a purely qualitative test.
Cross-Border Data Transfers
The LOPDP restricts the transfer of personal data outside Ecuador to protect the rights of data subjects against erosion through weaker foreign frameworks.
Adequacy Determinations
Transfers are permitted to countries or international organizations that the SPDP has determined provide an adequate level of protection. The SPDP maintains the official adequacy list. Organizations should verify the current list on the SPDP's official website before initiating international transfers, as the list evolves over time.
Transfer Safeguards
For transfers to countries without adequacy status, a controller or processor must put appropriate safeguards in place. In January 2026, the SPDP issued Resolution No. SPDP-SPD-2026-0004, the General Rule on National and International Transfers or Communications of Personal Data. This resolution formalized the available safeguard mechanisms:
- Standard contractual clauses adopted by the SPDP or the Ibero-American Data Protection Network (RIPD): the RIPD model clauses are recognized specifically for controller-to-controller transfers
- Binding corporate rules applicable within a corporate group
- Codes of conduct with binding commitments by the recipient
- Certification mechanisms approved by the SPDP
Controllers must document the safeguards in place and make that documentation available to the SPDP on request.
Derogations for Specific Situations
In the absence of both adequacy and safeguards, a transfer may proceed where:
- The data subject has given explicit and informed consent after being told of the risks resulting from the absence of adequate protection
- The transfer is necessary for the performance of a contract between the data subject and the controller
- The transfer is necessary for important reasons of public interest
- The transfer is necessary to establish, exercise, or defend legal claims
- The transfer is necessary to protect the vital interests of the data subject or another person when the data subject is incapable of consenting
These derogations are narrow and should not serve as a routine mechanism for transfers that could instead be governed by adequacy or safeguards.
Supervisory Authority: The SPDP
The LOPDP created the Superintendencia de Protección de Datos Personales (SPDP) as Ecuador's independent data protection authority. The SPDP operates with administrative and financial autonomy. Its official website is spdp.gob.ec.
Powers and Functions
The SPDP's mandate encompasses both regulatory and enforcement functions:
- Issue binding regulations, guidelines, and model clauses
- Investigate complaints filed by data subjects
- Conduct ex officio inspections of controllers and processors
- Impose administrative sanctions for LOPDP violations
- Approve standard contractual clauses for cross-border transfers
- Maintain the registry of data processing activities and DPO registrations
- Publish and update the adequacy list for international transfers
- Promote public awareness and data protection culture
Establishment and Operational Status
The SPDP was created by the LOPDP but faced operational delays during the 2021-2023 transition period. Executive Decree No. 904 of November 2023, which also promulgated the implementing regulations, designated the Superintendency of Companies, Securities, and Insurance (Superintendencia de Compañías, Valores y Seguros) to exercise certain supervisory functions temporarily while the SPDP built its independent operational capacity.
By 2025, the SPDP was fully operational and had shifted from institution-building to active regulatory output and enforcement. The authority published multiple binding resolutions during 2025, covering DPO qualifications, legitimate interest, and cross-border transfers, and followed these with additional resolutions in early 2026. In December 2025, the SPDP announced its 2026 Institutional Regulatory Plan, signaling continued rulemaking activity.
Penalties and Enforcement
The LOPDP establishes a turnover-based penalty structure that scales fines to the economic capacity of the violator.
Violation Categories and Fine Ranges
| Violation Category | Penalty Range (Annual Turnover) |
|---|---|
| Minor (leve) | 0.1% to 0.7% |
| Serious (grave) | 0.7% to 1% |
| Very serious (muy grave) | 1% to 10% |
For entities without annual turnover, such as non-profit organizations, the LOPDP sets fixed alternative maximums.
What Constitutes Each Category
Minor violations include failing to respond to data subject requests within the statutory period, failing to maintain required records of processing activities, and processing data without adequate security measures.
Serious violations include processing personal data without any valid legal basis, failing to appoint a DPO when the obligation exists, transferring data internationally without meeting the required conditions, and, as the December 2025 cases confirmed, failing to implement sufficient administrative, technical, physical, organizational, and legal measures to guarantee lawful treatment.
Very serious violations include processing sensitive data without explicit consent or another permitted exception, using data for automated decision-making in ways that violate individual rights, and obstructing the SPDP's investigation.
Additional Enforcement Powers
Beyond fines, the SPDP may order the immediate cessation of a specific processing activity, impose a temporary or permanent prohibition on processing, and require notification of affected data subjects at the controller's expense.
The First SPDP Sanctions: December 2025
On December 1, 2025, the SPDP announced its first administrative sanctions, targeting two organizations in Ecuadorian football. The cases arose from the operation of mobile applications (LigaPro's Fan ID app and the FEF's Fan FEF app) that collected personal data from fans without validly obtained consent.
LigaPro (Liga Profesional de Fútbol del Ecuador): The SPDP determined that LigaPro committed a serious violation under Article 68(1) of the LOPDP by failing to implement sufficient measures to guarantee lawful data treatment. The fine was USD 259,644.01. LigaPro was also ordered to notify 14,398 affected data subjects that their consent had not been validly obtained, and to delete that personal data from all databases it administers.
FEF (Federación Ecuatoriana de Fútbol): The SPDP made a comparable finding against the FEF. The fine was USD 194,856.16. The FEF was ordered to delete personal data processed through the Fan FEF application, update its Record of Processing Activities, implement a compliant Data Protection Policy, and notify affected data subjects of the invalidity of the consent originally obtained.
The two fines together total approximately USD 454,500. Beyond their financial significance, the cases signal that the SPDP is willing to use its enforcement powers and that app-based data collection with flawed consent flows is a priority concern. The involvement of well-known sports institutions also maximized public visibility of the first sanctions.
Recent Regulatory Developments (2025-2026)
The pace of regulatory activity since the SPDP became fully operational has been substantial. The following are the most significant developments.
Business Compliance Checklist
Organizations processing personal data of individuals in Ecuador should verify the following elements of their compliance program.
Legal basis documentation: Every processing activity in the Record of Processing Activities must identify a specific legal basis under the LOPDP. For organizations relying on legitimate interest, a written balancing test is now required per the November 2025 resolution.
Record of Processing Activities: Controllers must maintain a register documenting the purposes, legal bases, data categories, retention periods, recipients, and security measures for each processing activity.
Data subject rights procedures: Response workflows must be capable of meeting the 10-business-day deadline for access requests and responding to erasure, portability, and objection requests.
DPO appointment and registration: Organizations meeting the mandatory thresholds must have appointed and registered a qualified DPO with the SPDP. The DPO must meet the professional qualifications established in the 2025 regulation.
Breach notification protocol: Internal procedures must allow the organization to assess a breach and notify the SPDP within five business days. Where high risk to individuals is present, direct notification to those individuals must follow without undue delay.
Data Protection Impact Assessments: Any processing that qualifies as large-scale under the MTGE scoring model or that presents a high risk based on nature, context, or purpose requires a DPIA before the processing begins.
Cross-border transfer safeguards: Transfers to countries not on the SPDP's adequacy list must be governed by approved standard contractual clauses or another recognized safeguard mechanism.
Consent mechanisms: For processing based on consent, collection flows must be capable of demonstrating free, specific, informed, and unambiguous consent. The LigaPro and FEF cases confirm that collecting consent through an app does not satisfy the LOPDP if the process is deficient.
Sensitive data controls: Heightened controls, including explicit consent or a statutory exception, must be in place for any processing of sensitive data categories.
Vendor contracts: Data processing agreements must be in place with all processors, including clauses required by the LOPDP.
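Several of the checklist items above, together with the legal-basis rules, the sensitive-data rule, the large-scale threshold and the transfer rules described earlier in this guide, can be expressed as consistency checks over each entry in the Record of Processing Activities. The following checker is an added example, not code from the guide or from the SPDP. The field names, the finding codes, the placeholder country codes and the sample adequacy list are constructed here and are not an official schema; the per-variable MTGE scoring is not described on this page, so the checker takes the already computed MTGE score as input and only applies the stated threshold of six points.

```python
"""Consistency checks over Record of Processing Activities entries.

Added example. Field names, finding codes, country placeholders and the
sample adequacy list are constructed; the rules follow the guide's text.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The six legal bases for ordinary personal data named in the guide.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_interest", "legitimate_interests"}
# Safeguard mechanisms for transfers to non-adequate destinations.
TRANSFER_SAFEGUARDS = {"standard_contractual_clauses", "binding_corporate_rules",
                       "code_of_conduct", "certification"}
# Narrow derogations usable only when neither adequacy nor a safeguard applies.
TRANSFER_DEROGATIONS = {"explicit_consent", "contract_performance",
                        "public_interest", "legal_claims", "vital_interests"}
MTGE_LARGE_SCALE_THRESHOLD = 6   # score >= 6 means large-scale processing

# Constructed sample adequacy list; the authoritative list is published by the SPDP.
SAMPLE_ADEQUACY_LIST = frozenset({"COUNTRY_A"})


@dataclass
class ProcessingActivity:
    name: str
    legal_basis: str
    retention_period: str
    involves_sensitive_data: bool = False
    explicit_consent_for_sensitive: bool = False
    sensitive_statutory_exception: Optional[str] = None
    balancing_test_documented: bool = False
    mtge_score: Optional[int] = None          # output of the MTGE assessment, if done
    dpia_completed: bool = False
    dpo_registered: bool = False
    transfer_destinations: List[str] = field(default_factory=list)
    transfer_safeguard: Optional[str] = None
    transfer_derogation: Optional[str] = None


def is_large_scale(activity):
    """Apply the MTGE threshold the guide states; unknown score means not (yet) large-scale."""
    return activity.mtge_score is not None and activity.mtge_score >= MTGE_LARGE_SCALE_THRESHOLD


def check_activity(activity, adequacy_list=SAMPLE_ADEQUACY_LIST):
    """Return a list of finding codes; an empty list means every check passed."""
    findings = []
    if activity.legal_basis not in LEGAL_BASES:
        findings.append("invalid_legal_basis")
    if not activity.retention_period.strip():
        findings.append("missing_retention_period")
    # Legitimate interest requires a prior, documented balancing test.
    if activity.legal_basis == "legitimate_interests" and not activity.balancing_test_documented:
        findings.append("missing_balancing_test")
    # Sensitive data needs explicit consent or a specific statutory exception.
    if activity.involves_sensitive_data and not (
            activity.explicit_consent_for_sensitive or activity.sensitive_statutory_exception):
        findings.append("sensitive_data_without_explicit_consent_or_exception")
    # Large-scale processing triggers both a DPIA and mandatory DPO appointment.
    if is_large_scale(activity):
        if not activity.dpia_completed:
            findings.append("large_scale_without_dpia")
        if not activity.dpo_registered:
            findings.append("large_scale_without_registered_dpo")
    # Each destination needs adequacy, a recognized safeguard, or a narrow derogation.
    for destination in activity.transfer_destinations:
        if destination in adequacy_list:
            continue
        if activity.transfer_safeguard in TRANSFER_SAFEGUARDS:
            continue
        if activity.transfer_derogation in TRANSFER_DEROGATIONS:
            continue
        findings.append("transfer_without_adequacy_or_safeguard:" + destination)
    return findings


if __name__ == "__main__":
    # Constructed entries: one that passes and one with several gaps.
    ok = ProcessingActivity(name="newsletter", legal_basis="consent", retention_period="24 months")
    gaps = ProcessingActivity(name="fan_profiling", legal_basis="legitimate_interests",
                              retention_period="", involves_sensitive_data=True, mtge_score=7,
                              transfer_destinations=["COUNTRY_Z"])
    for entry in (ok, gaps):
        print(entry.name, "->", check_activity(entry) or ["no findings"])
```

Running the checker over every RoPA entry at each change to the record turns the checklist into a gate: an entry with findings cannot be marked reviewed until the missing balancing test, DPIA, DPO registration or transfer safeguard is actually recorded.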