New Resolution Issued by the Superintendence of Personal Data Protection: General Regulation for Guaranteeing the Right to Personal Data Protection in the Use of Artificial Intelligence Systems

The Superintendence of Personal Data Protection (“SPDP”) issued Resolution No. SPDP-SPD-2026-0009-R, which approves the General Regulation for Guaranteeing the Right to Personal Data Protection in the Use of Artificial Intelligence Systems (“AI”).

Summary of the Resolution

The resolution establishes the regulatory framework governing the processing of personal data in artificial intelligence systems in Ecuador. Its purpose is to ensure the application of the principles, rights, and obligations set forth in the Organic Law on Personal Data Protection (“LOPDP”), its General Regulation (“RGLOPDP”), and the secondary regulations issued by the SPDP.

Key Points of the Resolution

Scope of Application: The regulation applies to data controllers and processors that develop, train, implement, deploy, or provide AI systems that process personal data of Ecuadorian data subjects.

New Definitions: The resolution introduces specific definitions for the AI ecosystem:

  1. Developer: Controller or processor that generates or creates an artificial intelligence

  2. Deployer: Controller or processor that, through the use of an AI system, provides a service, except when such use falls within a personal, non-professional activity.

  3. Distributor: Controller or processor that forms part of the supply chain and markets or provides an AI system in the

  4. Implementer: Controller or processor that commissions the development of or implements an AI system in internal procedures or processes.

Obligations of Controllers and Processors: Those who process personal data in AI systems must:

  1. Inform the data subject clearly, specifically, and transparently about the processing carried out through AI systems, including its purposes and automated nature.

  2. Conduct risk management and data protection impact

  3. Implement administrative, technical, physical, organizational, and legal security measures based on the categories and volume of personal data processed.

  4. Include data processing activities carried out through AI systems in the Record of Processing Activities (“RAT”).

  5. Audit the general functioning of the AI system according to its level of

Guaranteed Rights: Controllers and processors must ensure the rights recognized in the LOPDP, as well as access to mechanisms for their exercise. In particular, the right not to be subject to a decision based solely or partially on automated processing must be guaranteed at all times, as well as the right to information and the right to object.

At BUSTAMANTE FABARA, we will continue to provide specialized analysis on the practical application of these regulatory instruments and their implications for the various regulated sectors.
