Ecuador’s Superintendence of Personal Data Protection (SPDP) has announced its first major sanctions under the Organic Law on Personal Data Protection (LOPDP), marking an important milestone in the country’s data-protection enforcement. The authority imposed penalties on the organization that oversees the nation’s professional football competitions and on the entity responsible for regulating and managing the national football system. Both were sanctioned for serious violations related to the Fan ID and Fan FEF mobile applications.
After conducting information requests, on-site inspections, and corrective-measure processes, the SPDP initiated formal sanctioning procedures upon verifying continued non-compliance. The institution determined that both organizations failed to implement sufficient safeguards to ensure lawful and secure processing of personal data according to the applicable landmark.
The first organization was found administratively responsible and fined US$259,644.01. It must also notify 14,398 individuals that their consent was not validly obtained and permanently delete their data from all systems.
The second entity received a US$194,856.16 fine and must update its internal processing records, implement a compliant data-protection policy, notify affected users of invalid consent, and delete all personal data processed through its fan-identification platform.
This landmark action sets a strong enforcement precedent in Ecuador, underscoring that platforms lacking robust security, updated policies, or lawful consent mechanisms will face significant regulatory actions.
