
Written by:
1. Executive Summary of the General Regulation on National and International Transfers or Communications of Personal Data
The General Regulation on National and International Transfers or Communications of Personal Data, issued by the Superintendence of Data Protection of Ecuador (hereinafter the “SPDP”), establishes the procedures and technical and legal requirements necessary to ensure the protection of personal data during its transfer, both at the national and international levels.
These provisions are mandatory for data controllers and data processors. The regulation establishes conditions for national transfers and stricter requirements for international transfers, including documentation obligations, security measures, contractual mechanisms, registration and regularization procedures, and special provisions for transfers between Member States of the Andean Community.
The regulation focuses on the effective protection of data subjects’ rights by ensuring traceability, oversight, and transparency in all personal data transfer operations.
2. Specific Obligations for Data Controllers and Data Processors
Data Controllers (national and foreign)
- Comply with the legal and technical procedures and requirements established by the regulation.
- Ensure that transfers pursue a lawful, legitimate, and specific purpose.
- Rely on a valid legal basis under the law and, unless an exception applies, obtain the data subject’s informed consent.
- Facilitate the data subject’s right to information.
- Implement protective measures for transferred data (data minimization, secure transfer mechanisms, written agreements with third parties, control of onward transfers).
- Notify the third-party recipient if a data subject exercises any of their rights.
- Maintain documentation supporting the legality and legitimacy of the transfer for at least three years.
- Notify the SPDP of security incidents and material changes.
- Register and/or report transfers in the National Data Protection Registry.
- Guarantee traceability and transparency of transfers, especially vis-à-vis data subjects.
Data Processors (national and foreign)
- Apply the regulation on behalf of and under the instructions of the controller, in both national and international transfers.
- Maintain documentation for at least three years and cooperate in managing data subject rights.
- Ensure transfers comply with the controller’s instructions and with the same principles and safeguards required by law.
- Adopt and evidence documentary measures demonstrating compliance, particularly in transfers between Andean Community Member States (intra-CAN).
3. Data Transfer Process: Compliance Steps
National Transfers
- Verify the existence of a lawful, legitimate, and specific purpose, as well as a valid legal basis; unless an exception applies, obtain prior and informed consent from the data subject.
- Implement protection measures such as data minimization, secure transfer mechanisms, execution of a written agreement with the third-party recipient, and control of onward transfers.
- Execute a written agreement with the third-party recipient, committing them to use the data exclusively for the stated purpose and to apply an equivalent level of protection.
- Notify recipient third parties when data subjects exercise their rights and ensure their cooperation.
- The third-party recipient assumes the role of data controller and is therefore obligated to comply with applicable Ecuadorian data protection law and to refrain from further transfers without proper legal grounds.
- Document and retain supporting information for at least three years.
International Transfers
A. Transfers to countries/jurisdictions with an adequate level of protection
- Verify that the country, organization, or third-party recipient is officially recognized on the SPDP’s adequacy list.
- Adopt contractual and technical measures to comply with the Organic Law on Personal Data Protection (LOPDP), including obligations related to integrity, confidentiality, and restrictions on onward transfers.
- Maintain updated records and inform data subjects about the transfer.
- Submit consolidated reporting to the SPDP.
These obligations apply to both controllers and processors acting under the controller’s instructions in national or international transfers.
B. Transfers without an adequate level of protection but with appropriate safeguards
- Implement legal instruments such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), approved codes of conduct, or certification mechanisms.
- Ensure such safeguards:
  - Implement the principles set forth in the LOPDP.
  - Are subject to periodic compliance verification.
  - Are legally binding and enforceable.
  - Recognize data subject rights and procedures for their exercise.
  - Include acceptance of Ecuadorian jurisdiction and effective redress mechanisms.
- Maintain documentation evidencing their implementation.
C. Transfers without adequacy or appropriate safeguards
- Request prior authorization from the SPDP for exceptional transfers.
- Submit an application including identification of the parties, legal and technical justification, risk analysis, data protection impact assessment (where applicable), contractual documentation, justification of the impossibility of alternative compliance mechanisms, security measures, data subject consent, complaint mechanisms, among others.
- Await evaluation (up to three months) and remedy any observations if required.
- Obtain a reasoned resolution and register the authorization if granted.
- Comply with obligations regarding incident notification and material changes.
Special “Intra-CAN” Regime (Andean Community)
Transfers between Member States of the Andean Community are considered transfers to jurisdictions with an adequate level of protection. However, controllers must still comply with information duties toward data subjects and maintain proper internal documentation.
4. Practical Considerations
- Required Documentation: Maintain contractual records, transfer logs, risk assessments, and impact assessments for possible SPDP audits or inspections.
- Consent: Must be informed, specific, prior, and revocable at any time.
- Security Measures: Mandatory implementation of technical and organizational measures such as encryption, anonymization, internal policies, access controls, and audits.
- Monitoring and Updates: Adequacy decisions and safeguards are subject to periodic review; organizations must monitor renewals and regulatory updates.
- Registration: Annual consolidated reporting within the first quarter of the year or individual transfer registration before the SPDP, depending on the case.
- Regularization: Transfers conducted prior to the regulation’s entry into force must be notified and aligned within 12 months; no sanctions will apply during that period provided compliance requirements are met.
- Suspension/Revocation: In cases of serious or verified non-compliance, the SPDP may suspend or revoke authorizations or safeguards; transfers must cease immediately.
- Transparency: Non-sensitive extracts may be published on the SPDP’s website for public oversight; confidential information remains protected.
These guidelines enable organizations to strategically manage data transfers in compliance with Ecuadorian law, safeguard data subject rights, minimize regulatory risks, and strengthen transparency and legal certainty.
© TobarZVS
This publication contains information of general interest and does not constitute legal opinion on specific issues. Any analysis will require legal advice from the Firm.