On October 1, 2025, the Superintendence for the Protection of Personal Data of Ecuador, the supervisory authority in this field, submitted for public consultation a draft bill aimed at regulating international transfers of personal data (the “Bill”).
Notably, the Bill provides for the adoption of the Ibero-American Data Protection Network’s standard contractual clauses as a mechanism for validating such operations, provided that they take place between data controllers.
This approach is based, first, on Article 34 of Ecuador’s Organic Law on Personal Data Protection, which establishes that there is no transfer or disclosure when a data processor accesses personal data solely for the purpose of providing a service to the data controller.
In line with that reasoning, Article 3(b) of the Bill defines a “recipient” of international transfers as any entity receiving the data in its capacity as controller, thereby excluding data processors from such transfers.
Finally, the term to submit comments or observations ends on October 29, 2025.
The full text of the Bill can be found here.
