New Rulings by the SPDP on the Use of Biometric Registration for Employee Attendance and the Appointment of a Data Protection Officer in Savings and Credit Cooperatives.

Key Aspects:

The Superintendency of Personal Data Protection (“SPDP”) has issued two new rulings in response to queries raised by public and private organizations, reaffirming and expanding on interpretative criteria relevant to the application of the Organic Law on Personal Data Protection (“LOPDP”) and its General Regulations (“RLOPDP”).

Both responses address sensitive issues with significant practical implications in the labor and financial sectors: the use of biometric data for employee attendance tracking and the obligation to appoint a Data Protection Officer (“DPO”) in savings and credit cooperatives.

SUMMARY OF THE QUERIES ADDRESSED BY THE SUPERINTENDENCY

Query – Official Letter No. SPDP-IRD-2025-0065-O

Use of biometric data for employee attendance control

Query submitted:

Is it lawful to use biometric data (such as fingerprints or facial recognition) to track employee attendance, especially in public institutions?

SPDP’s Response:

The SPDP reiterates its previously stated position in Official Letter No. SPDP-IRD-2025-0031-O. It emphasizes that the processing of biometric data for attendance control:

  • Constitutes the processing of sensitive data under Article 26 of the LOPDP, as it involves unique and sensitive individual characteristics.
  • Is considered a highly invasive measure and should only be applied in exceptional cases, when there are no less intrusive alternatives that achieve the same objective.

To be lawful, this type of processing must cumulatively meet the following requirements:

  • Prior proportionality assessment. The SPDP stresses that alternative, less intrusive methods (e.g., ID cards, digital logs, hybrid systems) must be evaluated and a justification provided for their dismissal.
  • Documented impact assessment (DPIA) and risk management. This must include analysis of data security, risks to data subjects’ rights, and mitigation measures adopted.
  • Valid consent from the data subject, pursuant to Article 8 of the LOPDP. The SPDP notes that consent cannot be imposed as a condition for employment access or continuation. Real and viable alternatives must be available for those who do not consent.
  • The use of “public interest” as a legal basis in this context is ruled out.

Other aspects addressed:

  • Employees or former employees have the right to access employment documents containing their personal data (Art. 13 LOPDP), including contracts, payslips, notices to the IESS, resignation letters, among others.
  • The right to rectification of data related to the cause of termination of employment may only be exercised if there is a final court ruling declaring that the termination was unjustified or different from what appears in the record (Art. 14 LOPDP). In the absence of a judicial decision, rectification is not admissible.

Query – Official Letter No. SPDP-IRD-2025-0036-O

Appointment of a Data Protection Officer (DPO) in Savings and Credit Cooperatives

Query submitted:

Are savings and credit cooperatives, as part of the popular and solidarity-based financial system, required to appoint a Data Protection Officer (DPO) immediately, or only if expressly required by the SPDP?

SPDP’s Response:

The SPDP responded affirmatively, clarifying that the obligation to appoint a DPO is immediate, general, and does not depend on a prior request by the authority, in accordance with the provisions of the Law and its Regulations. The ruling clearly outlines three regulatory and technical grounds supporting this obligation for cooperatives:

1. Legal nature of the obligated entity:

    Savings and credit cooperatives are part of the popular and solidarity-based financial system, pursuant to Article 311 of the Constitution of the Republic.

2. Processing of special categories of data:

    These cooperatives handle credit data, which are classified as special category data.

3. Large-scale data processing:

    Given the volume, frequency, and scope of data processing carried out by these entities, their operations qualify as large-scale processing, triggering the obligation to appoint a DPO. This obligation applies even to entities not supervised by the Superintendency of Banks.

Failure to comply with this obligation may result in administrative sanctioning procedures, as it constitutes a fundamental component of the principle of proactive accountability.

At BUSTAMANTE FABARA, we remain committed to sharing specialized analyses on the practical application of these regulatory instruments and their implications across regulated sectors.

If you require additional information, please contact the following email addresses:

Dr. María Rosa Fabara Vera: mrfabara@bustamantefabara.com

Esteban Dávila: edavila@bustamantefabara.com

Rafael Gabela: rgabela@bustamantefabara.com

Marco Sánchez: msanchez@bustamantefabara.com