Key Highlights
The Superintendency of Personal Data Protection («SPDP») has issued two new opinions in response to consultations regarding the application of the Organic Law on Personal Data Protection («LOPDP») and the secondary regulations issued by the authority.
Both opinions address issues of significant practical importance for data controllers and processors: the obligation to appoint a Data Protection Officer («DPO») for certain public service providers, and the legal treatment of data processing arrangements where the processor is located outside Ecuador.
SUMMARY OF THE CONSULTATIONS ADDRESSED BY THE SUPERINTENDENCY
Consultation – Official Letter No. SPDP-IRD-2026-0299-O
Appointment of a Data Protection Officer for Public Service Providers Operating Under Permits
Question Submitted:
Considering that subsection 14 of Article 10 of Resolution No. SPDP-SPD-2025-0028-R establishes the obligation to appoint a Data Protection Officer for certain entities involved in the provision of public services, and that such provision specifically refers to modalities such as concessions and public-private partnerships, should this obligation also apply to public or private legal entities that distribute, commercialize and/or provide public services under a permit granted by the competent authority, even when such authorization does not constitute a concession or a public-private partnership?
SPDP Opinion:
The SPDP concluded that the obligation established under subsection 14 of Article 10 of Resolution No. SPDP-SPD-2025-0028-R expressly applies to public and private legal entities acting as public service concessionaires and to public-private partnerships that distribute, commercialize or provide public services.
Accordingly, legal entities providing public services under a permit granted by the competent authority are not automatically subject to this obligation solely by virtue of holding such authorization. The SPDP clarified, however, that each data controller or processor must determine whether any other mandatory grounds for appointing a DPO under the LOPDP, its General Regulation, or the secondary regulations issued by the SPDP apply to their particular case.
The authority also emphasized that the obligation to appoint a DPO is not triggered merely because an entity provides a public service, but only where the specific circumstances fall within one of the legal or regulatory grounds established for mandatory appointment.
Consultation – Official Letter No. SPDP-IRD-2026-0300-O
Data Processing Arrangements with Processors Located Outside Ecuador
Question Submitted:
Pursuant to Article 34 of the LOPDP and Article 23 of Resolution No. SPDP-SPD-2026-0004-R, does the legal characterization of a data processing arrangement as a legal figure that does not constitute a transfer or communication of personal data apply regardless of the territorial location of the processor, such that a processor located outside Ecuador remains subject to the legal framework governing data processing arrangements and excluded from the regime applicable to international transfers or communications of personal data established under Chapter IX of the LOPDP and Resolution No. SPDP-SPD-2026-0004-R? Or, alternatively, does the mere fact that the processor is located abroad alter the legal nature of the arrangement and trigger the application of the international transfer regime?
SPDP Opinion:
The SPDP concluded that a data processing arrangement does not constitute a transfer or communication of personal data, and that this legal characterization applies regardless of the processor’s territorial location.
Accordingly, where a person processes personal data on behalf of and under the instructions of the data controller, as provided in Article 34 of the LOPDP, the fact that the processor is located outside Ecuador does not alter the legal nature of the relationship.
The SPDP further stated that, where the legal elements of a data processing arrangement are present, access to personal data by a processor located abroad remains subject to the legal regime governing data processing arrangements and not to the regime applicable to international transfers or communications of personal data.
The authority emphasized that the determining factor is not the territorial location of the recipient of the data, but rather the legal nature of the relationship between the parties.
Accordingly, as long as the processor acts on behalf of and under the instructions of the data controller, and not for its own purposes, the relationship retains its legal nature as a data processing arrangement.
At BUSTAMANTE FABARA, we will continue providing specialized analysis on the practical application of these regulatory instruments and their implications for the various regulated sectors.
For further information, please contact: