On July 31, 2025, the Personal Data Protection Authority (Superintendencia de Protección de Datos Personales - SPDP) issued Resolution No. SPDP-SPD-2025-0028-R, which governs the duties and obligations of data protection officers, in compliance with the Organic Law on Personal Data Protection (Ley Orgánica de Protección de Datos Personales) and its regulations.
The resolution establishes that the data protection officer (DPO) must be appointed by the data controller or processor, and their appointment must be registered with the Personal Data Protection Authority. If the appointment is made with an electronic signature, it must be registered on the institutional portal within no more than fifteen days; if it is in physical format with a handwritten signature, it must be submitted in person. Late registrations are permitted, but these will be considered a legal breach.
Public entities are required to appoint a DPO in accordance with Article 225 of the Constitution of Ecuador. The Personal Data Protection Authority may authorize exceptions for certain public bodies, provided that the protection of personal data is not compromised.
In addition, the appointment of a DPO is required in specific sectors such as education, finance, health, pharmaceuticals, private security, sports, telecommunications, public service concessionaires, and activities involving sensitive data or minors, due to the sensitivity and volume of the information processed.
The DPO must have official certification from the Personal Data Protection Authority. The DPO’s role is to advise, supervise regulatory compliance, manage risks, and control security measures, without being responsible for final decisions if they demonstrate due diligence.
The DPO must act independently and cannot hold positions that create conflicts of interest, such as security officer, compliance officer, or special attorney-in-fact of foreign data controllers or processors. If the DPO’s independence is compromised or they suffer reprisals, they can report this to the Personal Data Protection Authority, which will investigate and punish those responsible.
Lastly, private sector controllers and processors must register their DPO on the Personal Data Protection Authority’s digital platform between November 1 and December 31, 2025. Failure to do so will be considered a breach of legal certainty under the Organic Law on Personal Data Protection.
PBP can assess whether it is necessary to appoint a DPO at your company and provide support with this service.
Editorial Board