Ecuador LOPDP

Organic Law on the Protection of Personal Data (LOPDP)

Ecuador's GDPR-inspired data protection law with 5-day breach notification (stricter than GDPR's 72 hours) and DPIA requirements for high-risk processing.

Jurisdiction

Ecuador

Enacted

May 26, 2021

Effective

May 26, 2023

Enforcement

Superintendencia de Protección de Datos Personales

5-day breach notification - stricter than GDPR

Regulations.AI Ecuador LOPDP

Why It Matters

Ecuador's 5-day breach notification is stricter than GDPR's 72 hours, creating tightest incident response timeline globally for AI chatbot security incidents.

At a Glance

Applies to

AI CompanionMental Health AppGeneral Chatbot

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data controllers and processors in Ecuador
Entities processing data of Ecuadorian residents
High-risk automated decision-making systems

Obligations fall on:

Safety Provisions

5-day breach notification to data subjects (stricter than GDPR)
Data Protection Impact Assessment for high-risk processing
Right to object to automated decisions
Data Protection Officer for certain controllers
Cross-border transfer restrictions

Compliance & Enforcement

Penalties

Fines for violations

Primary Source

Regulations.AI Ecuador LOPDP

https://regulations.ai/regulations/ecuador-2021-05-data-protection-law

View on map

Ecuador

Focus Areas

Mental health & crisis

Algorithmic accountability

Cite This

APA

Ecuador. (2021). Organic Law on the Protection of Personal Data (LOPDP).

Related Regulations

In Effect CARICOM

CARICOM CCSCAP 2025

CARICOM's 2025 regional cyber security framework establishing digital safety culture and coordinated incident response across 18 member states.

In Effect CL

First cybersecurity framework law in Latin America (Law 21,663 promulgated Mar 26, 2024; published Apr 8, 2024). Creates National Cybersecurity Agency (ANCI), mandatory incident reporting, and encryption rights.

In Effect PR

Puerto Rico Cybersecurity Act

Puerto Rico's comprehensive cybersecurity law establishing cybersecurity framework for public and private sectors, complementing Act 111-2005 breach notification.

In Effect AR

Argentina AI Strategy

Non-binding AI governance guidelines establishing principles for responsible AI use. Argentina positioning as AI innovation hub with limited regulatory barriers. Emphasizes transparency, accountability, and human oversight. Multiple legislative proposals pending inspired by EU AI Act, aiming to establish formal regulatory authority.

Failed CA

AIDA

Would have regulated high-impact AI systems with potential penalties up to $25M or 5% global revenue. Part of Bill C-27 which died when Parliament ended.

In Effect BR

Brazil ECA Digital

Comprehensive child digital safety law applying to any IT product or service directed at or likely to be accessed by minors in Brazil, with extraterritorial reach.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.