The Superintendence of Personal Data Protection (SPDP) of Ecuador issued the General Regulation on Large-Scale Processing of Personal Data through Resolution No. SPDP-SPD-2026-0005-R, with the purpose of establishing clear guidelines and criteria to identify and manage personal data processing activities that qualify as large scale under the Organic Law on Personal Data Protection (LOPDP) and its general regulations.
The regulation introduces the Large-Scale Technical Model as a technical and legal instrument to determine when personal data processing must be classified as “large scale,” taking into account variables such as the number of data subjects, volume of data, categories of information, frequency of processing, duration, and geographic scope of the processing. Processing activities related to health, video surveillance, geolocation, biometric data, systematic data transfers, or automated assessments are considered large scale without regard to the remaining criteria.
Controllers and processors engaged in processing activities deemed large scale must comply with enhanced obligations, including maintaining an updated Record of Processing Activities, appointing a Data Protection Officer, conducting prior data protection impact assessments, implementing privacy by design and by default measures before and during processing, and undergoing periodic internal or external audits. In addition, the regulation establishes adaptation deadlines and strengthens technical and organizational safeguards to protect data subjects rights in contexts involving big data and mass processing activities.
