Personal Data Protection

Personal data represents a fundamental asset for many companies and for the State, so the risks involved in the use of this information are increasing.

AVL Abogados’ advice is based on the knowledge of the client’s business, to jointly develop strategies for regulatory compliance without hindering their technological and commercial progress.

The AVL Abogados team has developed methodologies to ensure real traceability of the personal data processed within an entity (data life cycle). This allows our clients to have a clear understanding of where personal data originates from in each area of the company, where it is sent, and its eventual disposal. This will help us to understand the risks that are occurring in the internal or external areas of an organization and be able to mitigate them.

AVL Abogados carries out a tailor-made data protection system, considering the needs of each client within the institution, and complying with international regulations, in particular the European General Data Protection Regulation (GDPR).

The technical analysis (from an IT perspective) is done based on the requirements established for ISO 2700 certifications, and onwards. This analysis is done through our strategic technological partner. AVL has a strategic technical partner (IT), which is the representative of Microsoft and Amazon Web Services in Ecuador.

Through this comprehensive advisory service, we can conduct audits for our clients on both personal data protection and privacy, as well as information security. We can also perform Personal Data Impact Assessments using software specifically designed for this purpose.

Additionally, through our certified Data Protection Officer (DPO) partner in Spain, we can offer DPO services to entities that require them. We can also support the company’s designated DPO by providing training to help them perform their daily functions in compliance with regulations.

We can provide a comprehensive service so that private companies, public institutions, or individuals in general, can comply with Ecuadorian regulations, under international standards.

AVL Abogados' data protection and privacy team has professionals with certifications and master's degrees in personal data protection and technology.

In coordination with AVL’s litigation team, we are highly qualified to propose, respond, and appear before the competent authorities if any administrative or judicial process is initiated against our clients, or if they wish to initiate proceedings against third parties of data protection matters.

AVL Abogados has advised its clients in data protection matters has within the health, higher education, pharmaceutical, technology, retail, food and non-alcoholic beverages, aviation, insurance, and telecommunications, among other industries.

Learn about our firm's notable cases

  • We have advised a multinational pharmaceutical company before the enactment of the Organic Law on Data Protection [Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales] (LOPDP), following European regulations, to ensure compliance with the fundamental right to data protection established in the Ecuadorian Constitution.

    AVL Lawyers has advised a global aviation company to ensure that requests made by competent authorities for passenger lists are handled within the framework of the principles established by the regulations.

    A chapter for Ecuador has been created within a global personal data protection policy for an international aviation company.

    We have prepared reports requested by insurance companies on various matters, particularly regarding the necessary considerations for processing under legitimate interest.

    We have been involved in creating several explicit consents for the processing of minors’ data in national campaigns for a confectionery company.

    We participated in an M&A transaction for a globally recognized payment processing company, where it was necessary to verify compliance with data protection and information security requirements to complete the deal.

    We have conducted over 20 due diligence audits and implementations of data protection across industries such as healthcare, higher education, pharmaceuticals, technology, retail, food and non-alcoholic beverages, aviation, insurance, telecommunications, and others.

    The partner in this area has been the Data Protection Officer (DPO) for a well-known Ecuadorian university and is currently the DPO for a multinational non-alcoholic beverage company.

When is a lawyer in Personal Data Protection needed?

  • Data protection advice applies to any legal entity, natural person or public institution that processes personal data, regardless of its nature.

  • As personal data is the most important asset in most industries, it is currently one of the most vulnerable, so compliance with regulations is required to protect it.

  • Generally, the most common problem related to this matter is the processing of personal data without a legitimate basis, the lack of compliance with the principles established in the law, and the lack of safeguards to protect them.

  • The penalties for non-compliance with the regulations can be substantial, including the possibility of initiating legal action against those who contravene the fundamental rights of individuals.

  • This area is considered dynamic, so the advice of the lawyer must be constant, considering the development of new technologies. It is advisable, once the proper implementation has been made, to carry out a data protection audit at least once a year, and to have constant training.

What services does AVL provide in this area?

Due Diligence for the Implementation of the Organic Law on Data Protection

  • Due Diligence Audits of Initial Implementation Measures: Evaluation of the measures taken during the initial implementation.

  • Information Security Audits (IT): Assessments of IT security measures.

  • Customized Reports: Preparation of personalized reports on general data processing, legal aspects, legal principles, data processing assignments, sub-processing of personal data, co-responsibility for data processing, impact assessments, international data transfers, and any other queries related to personal data protection.

  • Personal Data Impact Assessments (DPIAs): Conducting DPIAs when processing sensitive data categories or as required by new technologies.

  • Policy Development: Drafting of general policies, codes of conduct, and Binding Corporate Rules (BCRs).

  • Data Protection Officer (DPO) Services: Provision of DPO services through our international partner.

  • DPO Training: Training for company DPOs.

  • Full Support in Arbitration, Judicial, and Administrative Processes: Comprehensive support in arbitration, legal, and administrative proceedings.

  • Responses to Data Protection Authority: Handling responses to audits conducted by the Data Protection Authority.

  • Responses to rights requests by data subjects.

  • Staff training and customization of these programs for specific departments, according to the identified needs.

Contact us

Practice areas

Contact Us
X-twitter Linkedin-in