The protection of personal data in Ecuador has gained central relevance following the entry into force and effective enforcement of the Organic Law on Personal Data Protection (Ley Orgánica de Protección de Datos Personales – LOPDP). Recently, the Superintendence of Personal Data Protection (Superintendencia de Protección de Datos Personales – SPDP) imposed significant administrative sanctions on the Ecuadorian Professional Football League (LigaPro) and the Ecuadorian Football Federation (FEF), setting an important precedent for all public and private organizations in the country.
What Is Ecuador’s Organic Law on Personal Data Protection (LOPDP)?
The purpose of the LOPDP is to guarantee individuals’ right to the protection of their personal data by regulating the processing carried out by companies, institutions, and organizations. This law establishes fundamental principles such as lawfulness, transparency, purpose limitation, data minimization, security, and accountability.
The regulation applies to any natural or legal person that processes personal data within Ecuadorian territory, regardless of the size of the organization or the economic sector to which it belongs.
Why Did the Superintendence of Personal Data Protection Sanction LigaPro and the FEF?
According to the resolutions issued by the SPDP, both LigaPro and the FEF committed serious violations related to the processing of users’ personal data through digital platforms used for the registration and control of attendees at sporting events.
The main findings by the authority included the absence of valid, informed, and verifiable consent, as well as non-compliance with the principle of accountability required under the LOPDP.
What Sanctions Were Imposed?
LigaPro was fined an amount exceeding two hundred and fifty thousand U.S. dollars, in addition to being ordered to delete the personal data obtained without valid consent and to notify the affected data subjects.
For its part, the Ecuadorian Football Federation received a fine of nearly two hundred thousand U.S. dollars and was required to update its record of processing activities, implement internal data protection policies, and remedy the deficiencies identified by the SPDP.
What Mistakes Did the Sanctioned Entities Make?
Among the main errors identified were:
- Use of generic or implicit consents that do not meet legal requirements.
- Lack of clear personal data protection policies.
- Absence of documentation demonstrating regulatory compliance.
- Deficiencies in the security measures applied to data processing.
What Risks Do Companies in Ecuador Face for Non-Compliance with the LOPDP?
Failure to comply with the Personal Data Protection Law can lead to significant consequences, including substantial financial penalties, reputational damage, obligations to delete information, and potential additional administrative liabilities.
This case demonstrates that the supervisory authority is actively exercising its powers and that personal data protection is no longer a merely formal obligation.
How Can Companies Comply with the Personal Data Protection Law?
To avoid sanctions, organizations should adopt preventive measures such as:
- Conducting internal personal data audits.
- Implementing appropriate privacy policies and legal notices.
- Maintaining an up-to-date record of processing activities.
- Training staff in personal data protection.
- Engaging specialized legal counsel in regulatory compliance.
Conclusion
The sanctions imposed on LigaPro and the FEF constitute a milestone in the enforcement of Ecuador’s Organic Law on Personal Data Protection. This precedent clearly shows that compliance with the law is mandatory and that companies must adopt a data protection culture as an integral part of their legal and corporate governance.
At Moncayo & Almeida Abogados®, we advise companies and institutions on the comprehensive implementation of the LOPDP, helping them comply with the regulations and mitigate legal risks arising from the processing of personal data.
For more information, you may access the press release issued by the Superintendence of Personal Data Protection here.
