- International Personal Data Transfers
On January 28, the Ecuador’s Superintendence for the Protection of Personal Data (“SPPD”) issued the General Rule on National and International Transfers or Communications of Personal Data, through Resolution No. SPDP‑SPD‑2026‑0004.
The rule aligns Ecuador with the standards of the most modern regulations, establishing the requirements that controllers and processors must take into account when transferring personal data to countries that provide an adequate level of protection.
It also regulates the safeguards that may be adopted when it is necessary to transfer personal data to countries that do not have an adequacy decision, including, among others, standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms.
In this context, the rule adopts as a validation mechanism the model contractual clauses of the Ibero‑American Data Protection Network (“IDPN”), although exclusively for transfers between data controllers. As noted in a previous newsletter, Ecuador’s regime does not consider that a transfer or communication of personal data takes place when the processing is carried out strictly within the provision of a service by the processor to the controller.
In light of this new rule, Ecuador joins the countries that have recognized the IDPN’s contractual clauses, that being Argentina, Peru, Colombia and Uruguay.
ii. Large-Scale Processing
On February 2, 2026, the SPPD approved the General Rule on Large‑Scale Processing of Personal Data, through Resolution No. SPDP‑SPD‑2026‑0005‑R.
This regulation, which applies to both controllers and processors, introduces the Large‑Scale Technical Model (“MTGE”, by its Spanish initials), designed to assess whether a given processing activity qualifies as large‑scale processing.
The MTGE is based on the analysis of six variables:
- Number of data subjects.
- Volume of data.
- Categories of data.
- Frequency of processing.
- Duration of processing.
- Geographic scope of processing.
Under the MTGE, once the processing activity has been analyzed, a score must be assigned to each variable in accordance with the parameters set out in the rule, and the results must be incorporated into the record of processing activities. A total score equal to or greater than six points will qualify the processing as large‑scale.
Notwithstanding the above, the rule provides that large‑scale processing will be deemed to exist, without the need to apply the MTGE, in the case of:
processing relating to health data or other special categories of personal data;
systematic and extensive evaluation of personal aspects based on automated processing, where it results in decisions producing legal effects or affecting the rights and freedoms of data subjects;
systematic observation, surveillance, or monitoring of individuals in publicly accessible areas through continuous monitoring technologies;
processing of biometric data or processing involving the geolocation of data subjects;
structural processing within credit or financial information systems;
systematic processing of data relating to children and adolescents in educational or digital environments or that involve the provision of services directed at them;
systematic data transfers which are a part of continuous or structured information flows, within or outside national territory; or
processing carried out in express, expedited, or courier messaging services.
Where large‑scale processing is identified, the controller or processor must:
maintain a record of processing activities;
implement data protection by design and by default measures;
undergo audits on an annual basis or whenever significant changes occur in the processing, unless equivalent mechanisms are already in place;
disclose in their privacy policies that such processing activities are carried out, including the relevant information concerning said processing; and
prepare annual compliance reports, where applicable.
