The Personal Data Protection Law of Ecuador applies to data controllers and processors domiciled within the national territory, effectively using the local establishment factor to determine its scope of applicability.

Text of Relevant Provisions

The Law Art.4(b):

"Without prejudice to the regulations established in the international conventions and treaties ratified by the Ecuadorian State that deal with this matter, this Organic Law shall apply when: (b) The controller or processor of personal data is domiciled in any part of the national territory;"

Analysis of Provisions

The Personal Data Protection Law of Ecuador explicitly uses the local establishment factor to determine its applicability. Article 4(b) of the Law states that it applies when "the controller or processor of personal data is domiciled in any part of the national territory". This provision clearly extends the law's jurisdiction to entities that have established themselves within Ecuador, regardless of where the actual data processing takes place.

The use of the term "domiciled" is significant. In legal contexts, domicile typically refers to the place where an entity has its permanent home or principal establishment. This suggests that the law applies not just to companies incorporated in Ecuador, but also to foreign entities that have established a significant presence in the country.

It's worth noting that this provision is part of a broader set of criteria for the law's territorial scope. Article 4 lists several other situations where the law applies, including when processing occurs within Ecuador (Art. 4(a)) and when non-domiciled entities offer goods or services to Ecuadorians or monitor their behavior (Art. 4(c)).

Implications

The inclusion of this local establishment factor has several important implications for businesses:

1. Ecuadorian companies: All companies established in Ecuador must comply with the Personal Data Protection Law for their data processing activities, regardless of where the data subjects are located or where the actual processing occurs.
2. Multinational corporations: Foreign companies with subsidiaries, branches, or other significant presences in Ecuador will be subject to the law for their operations related to that establishment.
3. Data processors: The law explicitly mentions both controllers and processors, meaning that service providers processing data on behalf of other companies are also covered if they are domiciled in Ecuador.
4. Compliance obligations: Entities falling under this provision must adhere to all aspects of the Ecuadorian data protection law, including principles of data processing, data subject rights, and potentially appointing a data protection officer.
5. Enforcement jurisdiction: The Ecuadorian authorities have a clear basis for enforcing the law against any entity with a local establishment, which could include audits, fines, or other penalties for non-compliance.

This approach aligns Ecuador's data protection regime with international trends, ensuring that entities benefiting from operating within the country's jurisdiction are also subject to its data protection obligations. It creates a level playing field between domestic and foreign companies with a significant presence in Ecuador, while also providing a clear point of contact for regulatory oversight and enforcement.