On February 12, 2026, the Superintendent of Personal Data Protection of Ecuador issued Resolution Nº SPDP-SPD-2026-0009-R, through which it approved the General Rule for Guaranteeing the Right to Personal Data Protection in the Use of Artificial Intelligence Systems (the “Regulation”). As its name suggests, the Regulation establishes guidelines for the processing of personal data through artificial intelligence (“AI”) systems.
The Regulation does not create an autonomous AI regime; rather, it develops and specifies how the principles and obligations already provided for in the Organic Law on Personal Data Protection apply in contexts involving automated systems. In this regard, it consolidates a risk-management, impact-assessment, and accountability approach.
Accordingly, data controllers and processors that develop, deploy, or use AI systems must:
- conduct personal data protection impact assessments;
- adopt security measures appropriate to the categories and volume of data;
- specify in the record of processing activities that personal data are processed through AI systems, including whether automated decisions are made that have legal effects or may affect rights and freedoms; and
- audit the operation of such systems based on the level of risk they entail.
The Regulation provides that those responsible for processing personal data in AI systems must ensure the full exercise of the data subjects’ rights recognized under the Organic Law on Personal Data Protection, including the right not to be subject to decisions based solely on automated processing. Along these lines, it imposes a duty to inform data subjects that their data will be processed using AI systems.
Finally, the Regulation empowers the Superintendency of Personal Data Protection to audit AI systems and to impose preventive or corrective measures in the event of non-compliance with the applicable regulatory framework.
The full text of the Regulation can be accessed here.

