Data protection & privacy laws in Ecuador (2026)

The LOPDP (Ley Orgánica de Protección de Datos Personales), published in Official Gazette Supplement 459 on 26 May 2021, is Ecuador's first standalone, comprehensive data protection law. A General Implementing Regulation was issued in late 2023 and the law was last updated in April 2026 per the official consolidated text.

The Superintendencia de Protección de Datos Personales (SPDP) is the independent control authority created by the LOPDP. It issues binding technical standards and resolutions, handles complaints, conducts audits, and imposes sanctions; its official portal is spdp.gob.ec.

The LOPDP grants data subjects rights of access, rectification, erasure, restriction of processing, data portability, opposition, and the right not to be subject to solely automated decisions — substantially equivalent to EU GDPR Chapter III rights.

Controllers must establish a lawful basis for processing (explicit consent required for sensitive data), maintain a Record of Processing Activities (RAT), implement proportionate security measures, notify data breaches, and register a Data Protection Officer (DPO) with the SPDP's digital platform — a deadline that fell on 31 December 2025 for private-sector entities.

The sanctioning regime entered into force on 26 May 2023 (the law's two-year transition period). Fines range from 0.1%–0.7% of annual business volume for minor infractions to 0.7%–1% for serious infractions. Concrete sanctions already issued include USD 259,644 against LigaPro and USD 194,856 against the Ecuadorian Football Federation (FEF).

In February 2026 the SPDP issued Resolution SPDP-SPD-2026-0004-R establishing General Rules on National and International Personal Data Transfers, creating a binding adequacy/safeguards framework for cross-border data flows analogous to GDPR Chapter V mechanisms.