NEW REGULATION FOR DATA PROTECTION OFFICERS
What you need to know
On July 30, 2025, the Superintendence of Personal Data Protection (SPDP) issued Resolution No. SPDP-SPD-2025-0028-R, through which it enacted the Regulation on the Data Protection Officer (DPO) (the Regulation). This new regulatory instrument aims to reinforce the implementation of the Organic Law on Personal Data Protection (LOPDP) and its corresponding Regulation (RLOPDP), while clarifying key practical aspects for organizations already working toward compliance.
This bulletin outlines the key points of its content:
Who is Required to Appoint a DPO?
In addition to the public sector, which is already subject to this obligation, the Regulation clarifies that the following entities are also required to appoint a Data Protection Officer:
- Institutions providing early childhood, elementary, and high school education—whether public, religious, or private—in in-person, semi-presential, remote, or other formats that process minors’ data, even outside the educational context.
- Higher education institutions, public or private, due to the processing of special categories of data in their academic or administrative activities.
- Activities involving the processing of sensitive personal data related to minors.
- Legal entities engaged in financial activities that access or process personal data directly or indirectly.
- Entities in the insurance sector, including insurers, reinsurers, brokers, agents, intermediaries, and related service providers.
- Companies conducting advertising, commercial prospecting, or market research, especially those that create profiles based on interests, behaviors, or preferences.
- Health system actors legally required to maintain medical records (excluding independent healthcare professionals).
- Entities in the pharmaceutical sector, such as laboratories, distributors, pharmacies, and medical product representatives.
- Private security companies and managers of gated communities, residential complexes, or condominium properties, due to the use of access control systems.
- Professional sports federations and associations, sports corporations, professional clubs, or sports academies.
- Professional associations and bar associations.
- Private companies providing telecommunications services.
- Private companies providing mass video surveillance services, geolocation services, or information technology services (including the development, implementation, or deployment of artificial intelligence).
- Public or private entities that are concessionaires of public services, or public-private partnerships involved in the distribution, commercialization, or supply of such services.
Appointment of the DPO
The data controller or processor must issue a formal document that includes:
- The DPO’s and the organization’s identifying information.
- A clear description of the DPO’s duties.
- The DPO’s acceptance of the appointment.
- Supporting documents demonstrating legal representation.
This appointment must be registered with the SPDP within a maximum of 15 days. Failure to do so within this timeframe will constitute a violation under the LOPDP.
Requirements to Serve as a DPO
In addition to the requirements already established in the LOPDP and its regulation, the new DPO Regulation introduces additional mandatory criteria:
- Have successfully completed the Data Protection Officers Professional Training Program, officially recognized by the SPDP: This program, which becomes mandatory as of January 1, 2029, defines minimum technical, ethical, and regulatory training content.
- Maintain independence and impartiality, even if employed under a labor relationship with the organization: The DPO must not be subject to hierarchical instructions that impair autonomy.
- Refrain from performing roles that generate conflicts of interest, such as compliance officer, information security officer, or any role that involves decision-making regarding data processing.
- Not have been appointed as a special attorney-in-fact for foreign data controllers or processors operating in Ecuador.
- Not hold senior hierarchical positions in the public sector.
- Declare any real, potential, or apparent conflict of interest before accepting the position (or during the term of service if such a conflict arises thereafter). In such cases, the organization must take immediate corrective measures: refrain from the appointment, restructure duties, or revoke the designation.
DPO’s Independence and Functions
This is one of the most significant aspects of the Regulation. The DPO must act autonomously and impartially, even when working within the organization. The DPO may not receive instructions on how to carry out their duties, nor may they be sanctioned for fulfilling them appropriately.
The organization must also:
- Ensure direct access to senior management.
- Allocate sufficient resources to perform DPO functions.
- Conduct an annual assessment to verify compliance with these conditions.
Regarding duties, the DPO must:
- Advise and oversee regulatory compliance.
- Assist with incident management and the exercise of data subject rights.
- Oversee the maintenance of the records of processing activities.
- Observe and provide guidance on risk analyses and impact assessments.
However, the DPO may not make decisions on behalf of the organization, implement data protection measures directly, or legally represent the controller before the SPDP. Likewise, the DPO may not hold other roles that compromise their impartiality, such as compliance or information security officer.
Key Dates
- November 1 to December 31, 2025: Deadline for obligated entities to register their DPOs.
- Within 3 months of the Regulation’s issuance: The SPDP must enable the digital registration platform.
- Within 6 months of the Regulation’s issuance: A system must be implemented to handle complaints related to violations of DPO independence.
- January 1, 2029: The DPO must have successfully completed and passed the mandatory minimum content of the Data Protection Officers Professional Training Program, officially recognized by the SPDP.
This Regulation sets clear standards, establishes the DPO as a key figure in the enforcement of the LOPDP, and protects their independence. If your organization has not yet evaluated whether it is required to appoint a DPO, now is the time! Beyond a legal obligation, this is an opportunity to build a genuine culture of data protection and transparency.
Our team is ready to support you in the proper implementation of this regulation, providing practical, updated advice aligned with the requirements of the Superintendence of Personal Data Protection.
Whether you need help appointing your DPO, reviewing your obligations, or training your team, we are here to help you make informed decisions and achieve compliance with confidence.
Contact us!