Quevedo & Ponce - Noticias Legales
The Superintendence of Personal Data Protection (SPDP) Issues New Key Criteria on the Use of Biometric Data and the Appointment of DPOs
- June 4th, 2025
- Quevedo & Ponce
The SPDP has recently issued rulings regarding the use of biometric data for labor attendance control and the obligation to appoint a Data Protection Officer (DPO) in savings and credit cooperatives. These criteria reinforce the need to protect sensitive data, require impact assessments, and ensure free consent, while establishing that cooperatives must appoint a DPO immediately to comply with current regulations and avoid sanctions.
On the Use of Biometric Data for Labor Attendance Control In Official Letter No. SPDP-IRD-2025-0065-O, the following inquiry was raised:
Is it lawful to use biometric data (fingerprints, facial recognition, etc.) to register workers’ attendance, especially in public institutions?
SPDP’s Position:
The SPDP reaffirms its previous stance issued in Official Letter No. SPDP-IRD-2025-0031-O, establishing that:
- Biometric data are sensitive data according to Article 26 of the LOPDP, as they involve unique and irreplaceable characteristics of the individual.
- Their use constitutes a highly invasive measure and should only be applied exceptionally when no less intrusive alternatives achieve the same objective.
Requirements for Lawful Processing:
For the use of biometric data to be lawful, the following cumulative requirements must be met:
- Prior proportionality assessment:
It must be demonstrated why other less intrusive alternatives (cards, digital registers, etc.) are not suitable.
- Impact assessment (EIPD) and documented risk management:
Risks to data subjects’ rights, mitigation measures, and information security must be analyzed.
- Valid and free consent of the data subject:
Consent cannot be imposed as a condition for accessing or maintaining employment. Real alternatives must be offered to those who do not provide consent.
The SPDP discards the use of “public interest” as a legal basis for this data processing.
Other Relevant Aspects:
- Workers (or former workers) can exercise their right of access to labor documents containing their personal data (Article 13 LOPDP).
- The right to rectify the cause of labor termination only applies when there is a final judicial ruling declaring the termination unjustified or different from what is recorded (Article 14 LOPDP).
On the Obligation to Appoint a Data Protection Officer (DPO) in Cooperatives in Official Letter No. SPDP-IRD-2025-0036-O, the following inquiry was posed:
Are savings and credit cooperatives required to appoint a Data Protection Officer (DPO) immediately, or only if the SPDP expressly requires it?
SPDP’s Position:
The SPDP states that the obligation is immediate and general, with no need for a prior request from the authority. This requirement is based on three key aspects:
- Legal nature of the obligated party:
Savings and credit cooperatives are part of the popular and solidarity financial system, according to Article 311 of the Constitution.
- Processing of special categories of data:
These entities process credit data, which are considered special category data.
- Large-scale processing:
The volume, frequency, and scope of data processing by these entities constitute large-scale processing, which directly triggers the obligation to appoint a DPO. This obligation also applies to cooperatives not supervised by the Superintendence of Banks.
Failure to comply with this obligation could result in administrative sanctions, as it is an essential element of the principle of proactive responsibility.
At Quevedo & Ponce, we advise companies and employers to ensure compliance with labor and data protection regulations.
Más Artículos
Arbitration in Ecuador: An Effective Alternative for Dispute Resolution
Arbitration in Ecuador is an effective alternative for resolving disputes, highlighting benefits such as celerity, confidentiality, and the ability to choose expert arbitrators, making the process more efficient and specialized than ordinary courts.
El arbitraje en Ecuador: una alternativa eficaz para la resolución de conflictos
El arbitraje en Ecuador es una alternativa eficaz para resolver conflictos, destacando beneficios como la rapidez, la confidencialidad y la posibilidad de elegir árbitros expertos, lo que hace el proceso más eficiente y especializado que la justicia ordinaria.
The Superintendence of Personal Data Protection (SPDP) Issues New Key Criteria on the Use of Biometric Data and the Appointment of DPOs
The Superintendency of Personal Data Protection (SPDP) has issued recent statements regarding the use of biometric data for workplace attendance control and the obligation to appoint a Data Protection Officer (DPO) in savings and credit cooperatives. These criteria reinforce the need to protect sensitive data, require impact assessments, ensure free consent, and establish that cooperatives must immediately appoint a DPO to comply with current regulations and avoid sanctions.
La Superintendencia de Protección de Datos Personales (SPDP) emite nuevos criterios clave sobre el uso de datos biométricos y la designación de DPOs
La Superintendencia de Protección de Datos Personales (SPDP) ha emitido recientes pronunciamientos sobre el uso de datos biométricos para el control de asistencia laboral y la obligación de designar un Delegado de Protección de Datos (DPO) en cooperativas de ahorro y crédito. Estos criterios refuerzan la necesidad de proteger datos sensibles, exigir evaluaciones de impacto, y garantizar el consentimiento libre, además de establecer que las cooperativas deben designar un DPO de manera inmediata para cumplir con la normativa vigente y evitar sanciones.
Protect Your Business and Avoid Sanctions! New Legal Obligation in Contracts: Personal Data Protection Clauses
Since April 30, 2025, in Ecuador the inclusion of specific personal data protection clauses is mandatory in all contracts involving the processing of personal data pursuant to Resolution No. SPDP-SPD-2025-0006-R. This new legal requirement applies to both public and private entities and non-compliance may result in severe sanctions.