“I changed my number twice, but companies that offer services get it”: sanctions for mishandling of data will come into force in May 2023

After more than a year and six months after the approval of the Organic Law for the Protection of Personal Data (LOPDP) in Ecuador, there is little knowledge of the regulations among citizens and a significant number of companies have not applied mechanisms to better care the information of its users. This scenario occurs when there are six months left before the sanctions imposed in this law begin to apply (May 2023).

Carlos Maldonado affirms that he is unaware of the existence of the LOPDP and adds that even if it exists, he feels that companies continue to share personal data without the consent of their users. He affirms that in the last three months he has received text messages, WhatsApp messages, emails from companies and financial institutions, of which he is not a client, to offer him services.

‘They call me and write to offer me services. I have not given my number’: one year into the law, personal data and financial information continues to leak in Ecuador

“They also call. Sometimes there are voice recorders, other times they are people from other countries and they are very incisive. Sometimes the name “Finance” comes up and I have blocked those numbers from going to voice mail, but I think they have realized that and are now calling from other numbers. I haven’t given them my contact or my number, but they get it with incredible ease and I’ve changed my number twice in the last three years“, He says.

Although the law is in force, the approval of its regulations, the appointment of the Superintendent of Personal Data Protection and that companies and institutions, public and private, establish the figure of the data protection delegate are still pending. However, this does not mean that the regulations cannot be applied and, especially, respected, say analysts consulted.

Diego Beltrán Bastidas, lawyer and partner at the firm Solines & Asociados and a professor specializing in data protection at the SEK International University, regrets that many of the companies are not adapted to the (LOPDP) and that only a few have been applied in the public sector. guidelines issued by the National Directorate of Public Data Registration (Dinarp) for its websites.

The teacher affirms that in public companies there have really been no “serious, structured, organic” adaptation processes to comply with the regulations. Meanwhile, in private companies there are sectors that have taken “important steps” such as finance.

“We see with a degree of concern that it is observed that many companies are betting on the non-existence of the regulation and the lack of a superintendent. It is very speculative at this time to talk about a number, but there are a large number of companies that are regulated by this law that are not adapted to it.”, he points out.

Since the law is quite technical and complex, the type of adaptation varies according to the volume and type of data that a company handles for the course of its business. Beltrán also assures that the public perception that the LOPDP has not served because its information continues to leak must be analyzed in two ways.

“It is true that the data continues to be filtered, but in the protection of this information we have the entities that carry out the treatment, the control authority and the owners of the data (citizens). It is the latter who must exercise their rights beyond controls and create a culture of enforcing regulations, empowering themselves“, Add.

What is the profile of a data protection officer? A specialization that will be in great demand by companies in Ecuador

Not only should you demand that the data be deleted in the databases of companies in which you are not a customer, but you should also ask the companies and entities of which you are a user to make correct and responsible use of them. information.

Cecilia Parra, expert in handling personal data and country manager from Pridatect in Ecuador, indicates that there are many businessmen in the country who are aware of the existence of the LOPDP and who are analyzing options, but complain that there has not been enough communication and socialization of the standard.

“They know that there is the law, many legal studies have approached businessmen to comment on the situation, but from a fatalistic point of view, although what businessmen are looking for is the opportunities that the law also offers them. I have also observed companies starting programs for law enforcement“, He says.

One of the opportunities for business, according to Parra, is that the LOPDP, at the South American level, is drawing the attention of other nations to improve their relations with the European Union, since the European continent is looking for commercial partners that have a security digital backed by law.

For Parra, it would have been ideal for the country to start a less rigid regulation or with fewer points to value because Ecuadorian culture is very different from the European one.

“For example, in the United States the law seeks to protect the data, but they also give businessmen the opportunity to work with the data as long as the situation is well informed. In Ecuador we should have started one or two steps less and gradually increased the rigidity of the regulations”, he assures.

The lack of knowledge and application of the regulations that currently exist will cause companies and entities to try to comply with them in a “mediocre” way, once the sanctions are in force.

Despite the fact that in the middle of this year Angie Jijón, director of Dinarp, assured that the data superintendent would be appointed by the Council for Citizen Participation and Social Control (CPCCS) this year, days before the end of 2022 the shortlist has not even been sent by the Executive, which means that this would take place in 2023. EL UNIVERSO requested an interview with Jijón, but until the closing of this report, no response was received.

The Superintendence for the Protection of Personal Data will be created, after the approval of the law in the National Assembly

For Beltrán, the lack of this authority will be a big problem if it reaches May 2023 without a superintendent, since he will be in charge of applying the sanctions that will take effect in that month.

For this reason, the Executive must expedite the presentation of the short list so that once the authority is elected, it begins to structure the Superintendency, since this figure was created with the regulations. “If there is no one to sanction, the citizen will only have the civil, constitutional and criminal path until he is appointed,” he explains.

However, Parra considers that if the regulation and the figure of the superintendent come into effect in 2023 there would be no problem nor would it cause any reason to delay the effective delivery of the sanctions.

In addition, it indicates that what happens in markets such as the European one should be avoided, where despite establishing million-dollar fines and sanctions, companies simply pay them to continue using the personal information of their users in a discretionary manner.

Sanctions of the Personal Data Protection Law that will come into force from May 2023

Sanctions for minor infractions

1. Servers or officials of the public sector for whose action or omission they have incurred in any of the minor infractions established in this law will be sanctioned with a fine of one to ten unified basic salaries of the worker in general, without prejudice to the non-contractual responsibility of the State, which will be subject to the rules established in the corresponding regulations;
2. If the person in charge or in charge of the processing of personal data or, if applicable, a third party is a private law entity or a public company, a fine of between 0.1% and 0.7% calculated on its volume will be applied. of business corresponding to the financial year immediately prior to the imposition of the fine.

Sanctions for serious infractions

1. The servants or officials of the public sector by whose action or omission they have incurred in any of the serious infractions established in the present law will be sanctioned with a fine of between 10 to 20 unified basic salaries of the worker in general; without prejudice to the non-contractual responsibility of the State, which will be subject to the rules established in the corresponding regulations;
2. If the person in charge, in charge of the processing of personal data or, if applicable, a third party is a private law entity or a public company, a fine of between 0.7% and 1% will be applied, calculated on its turnover, corresponding to the financial year immediately prior to the imposition of the fine. (YO)