We share the recent resolution issued by the Superintendence of Personal Data Protection (SPDP) on the Regulation of the Data Protection Officer (DPO), Resolution No. SPDP-SPD-2025-0028-R.

Who is the Personal Data Protection Officer (DPO)?

The Organic Law on Personal Data Protection (LOPDP) defines the DPO as the natural person in charge of informing the controller or processor about its legal obligations regarding data protection; supervising regulatory compliance; and cooperating with the Personal Data Protection Authority, acting as a point of contact between the latter and the entity responsible for the processing.

Who is required to appoint a DPO?

According to art. 48 of the LOPDP, it is mandatory to appoint a DPO when:

1.- The public sector (art. 225 of the Constitution) carries out data processing.

2.- The activities of the controller or processor require permanent and systematic monitoring due to their volume, nature, scope or purposes (as determined by the Law, its regulations or the Authority’s rules).

3.- Large-scale processing of special categories of data is carried out (in accordance with the regulation).

4.- Exception: the obligation does not apply to the processing of reserved or secret information concerning national security and the defense of the State (such processing is excluded).

The same art. 48 empowers the SPDP to define new conditions for requiring DPOs and to issue guidelines for their designation. In this regard, Resolution No. SPDP-SPD-2025-0028-R provides, among other points, that:

  • The DPO shall be appointed by the data controller or, as the case may be, by the data processor.
  • Appointments must be registered (virtually or physically) with the General Intendancy of Technological Innovation and Personal Data Security within fifteen (15) days from the date of appointment.
  • Late appointments will still be accepted; however, registering after the deadline will be treated as a breach of a legal security measure.

Special cases of mandatory appointment (private and mixed sector)

In addition to the provisions of the LOPDP/RGLOPDP, a DPO must be appointed by those who, on a regular basis, carry out activities such as:

  • Advertising, commercial prospecting and market research based on profiles, interests or behaviors.
  • Education (pre-school, elementary, high school and any institution that processes data on minors, even outside the educational environment).
  • Higher education (public or private).
  • Processing of special categories of children’s data.
  • Financial (legal entities that carry out financial activities and process personal data).
  • Insurance and reinsurance (including advisors, brokers, agents and insurance providers).
  • Health (actors obliged to keep medical records; private practitioners are excluded).
  • Pharmaceutical (production, distribution and commercialization; laboratories, representation houses, distributors and pharmacies).
  • Private security and the administration of horizontal property (condominiums) and urbanizations that operate access control.
  • Professional sports (federations, associations, clubs and academies).
  • Professional associations or guilds.
  • Telecommunications.
  • Mass video surveillance, geolocation and IT services, including AI.
  • Public service concessionaires and public-private partnerships (PPPs) that distribute, market or supply public services.

Who is prohibited from being a DPO?

  • Information Security Officer (CISO) of the company.
  • Compliance Officer of the company.
  • Special attorney-in-fact for foreign data controllers/processors who process data in Ecuador.
  • In addition, the DPO may not represent the organization before the SPDP as controller or processor, nor simultaneously hold conflicting positions (e.g., CISO, Compliance Officer, implementer).

What are the DPO’s requirements?

i) full enjoyment of political rights; ii) legal age; iii) a third-level (university) degree in Law, Information Systems, Communication or Technology; iv) at least five (5) years of professional experience. In addition, the DPO must complete and pass mandatory training in personal data protection covering the minimum training content of the Professionalizing Program for Data Protection Delegates officialized by the SPDP.

Other considerations:

  • The DPO must act independently and impartially; the role may be filled internally or externally through specialized services.
  • The organization should guarantee the DPO direct access to top management, adequate resources, and an annual institutional (non-hierarchical) evaluation of the DPO function.
  • If the DPO’s independence is undermined or reprisals are taken against them, the SPDP may impose sanctions.

Recommendations to our customers

1.- Verify whether you are required to appoint a DPO.

2.- Define and appoint the DPO with real independence and without conflicts.

3.- Register the appointment within the legal period.

4.- Adjust internal roles to avoid prohibitions and conflicts (e.g., keep the CISO and Compliance Officer roles separate from the DPO).

Quito D.M./Guayaquil, August 2025