- admin
- February 20, 2026
Almeida Guzmán Asociados informs that, on February 2, 2026, the Superintendence of Personal Data Protection (SPDP) issued Resolution No. SPDP-SPD-2026-0005-R, which issues the General Rule on Large Scale Processing of Personal Data. The rule establishes technical and legal criteria to identify, evaluate and manage those processing operations that, due to their magnitude or level of risk, require the application of reinforced measures of compliance, control and proactive responsibility, in development of the obligations provided in the Organic Law on Personal Data Protection and its Regulations. Thus:
1. Regulatory context
The Superintendence of Personal Data Protection (SPDP) issued the General Rule on Large Scale Processing of Personal Data, with the purpose of establishing technical and legal criteria to identify, evaluate and manage processing operations that, due to their magnitude or risk, require reinforced measures of compliance, control and proactive responsibility.
This resolution develops the obligations foreseen in the Organic Law on Personal Data Protection (LOPDP) and its Regulation, especially in matters of:
· Impact assessments;
· Mandatory appointment of a Data Protection Officer (DPO);
· Audits; and,
· Transparency and traceability of treatments.
2. When is a treatment considered “large-scale”?
The standard introduces the Large Scale Technical Model (MTGE), which allows treatments to be objectively rated on the basis of six variables:
· Number of data subjects.
· Data volume.
· Data categories.
· Frequency of treatment.
· Permanence of treatment.
· Geographic scope.
A treatment will be considered large-scale when the total score is equal to or higher than 6 points, which automatically triggers enhanced legal obligations. Additionally, there are cases of mandatory direct qualification, such as:
· Treatment of health data and special categories.
· Video surveillance and systematic monitoring in public spaces.
· Biometric data and geolocation.
· Automated profiling with legal effects.
· Systematic processing of data on children and adolescents.
· Structural and continuous international transfers.
3. Key obligations for controllers and processors
3.1. Enforced Treatment Activity Record (RAT)
Large-scale processing must be recorded in an updated RAT, including at least: description of the processing, categories of data and data subjects, frequency, permanence and security measures. The RAT must be reviewed at least once a year or when there are substantial changes in the processing or in its level of risk.
3.2. Data Protection Impact Assessment (DPA)
When the processing is qualified as large-scale, the obligation to carry out a prior Impact Assessment is triggered, with the aim of identifying the risks to the rights of the data subjects, establishing technical and organizational measures to mitigate those risks, and justifying the proportionality and necessity of the processing.
3.3. Mandatory appointment of Data Protection Officer (DPO)
Large-scale data controllers must appoint a DPO, register with the SPDP and comply with this requirement within 90 days of the entry into force of the regulation.
3.4. Privacy by design and by default
It imposes the obligation to apply the Privacy by Design and Privacy by Default principles, which means that data protection must be incorporated from the planning phase of the processing and maintained throughout its life cycle.
3.5. Mandatory audits
Controllers and processors must undergo internal or external audits at least once every 12 months, and additional audits when technologies used, purposes of processing, level of risk, or the scope and nature of processing change. Audit reports should be kept for a minimum of five years and be available to the SPDP upon request.
3.6. Transparency and privacy policies
Privacy policies should expressly identify large-scale processing and clearly inform about the purposes, categories of data processed, categories of data subjects and their rights.
3.7. Annual compliance reports
Controllers and, where appropriate, processors should prepare reports documenting internal control activities, audit results, the MTGE review, the update of the Data Protection Impact Assessment (DPA) and the improvement measures implemented. These reports should be retained for five years and made available to the SPDP.
4. Differentiated regime for Processors
The processor only assumes these obligations in respect of the processing steps over which it has control:
· Access;
· Visibility; or,
· Effective control
This delimitation does not imply exemption from liability, but a proportional application in accordance with the nature of the service provided and the instructions of the person in charge.
5. Sanction risk and practical recommendation
Failure to update or modify the Register of Processing Activities (RAT) will be sanctioned in accordance with the provisions of the Organic Law on Personal Data Protection (LOPDP) and its applicable regulations.
Additionally, failure to comply with the obligations related to the identification of large-scale processing, the application of the Large Scale Technical Model (MTGE), the execution of impact assessments, the implementation of audits and the adoption of control and security measures may give rise to administrative liabilities under the general supervision and control regime exercised by the Superintendence of Personal Data Protection.
In this context, it is recommended that organizations that process personal data in sectors such as health, education, tourism, financial, logistics and courier, automotive and video surveillance carry out an MTGE diagnosis as a priority, update their RAT and validate whether they are obliged to:
· Designate a Data Protection Officer (DPO).
· Execute a Data Protection Impact Assessment (DPA).
· Implement formal compliance audits on personal data protection.
We remain attentive to any questions that may arise. Inquiries can be sent to the following e-mail address: pmerino@almeidaguzman.com
Quito D.M. / Guayaquil, February 2026