Before go-live and before signing: the two obligations the LOPDP requires before the incident, not after
The Data Protection Impact Assessment must be conducted before the system enters production. The data processing agreement must be signed before the vendor accesses the data. Neither is a post-incident formality. They are the two obligations the LOPDP establishes as preconditions to processing — and that most Ecuadorian companies have not yet executed.
The same principle, two distinct moments
Ecuador's LOPDP establishes that compliance does not begin when a problem occurs: it begins before the system processes the first data point and before the vendor accesses the first record. Two concrete instruments put that principle into practice in any organization's daily operations.
The first is the Data Protection Impact Assessment (DPIA): the preventive analysis that must be conducted before the start of processing when there is a probability that the processing, by its nature, context or purposes, will carry a high risk for the rights of data subjects. The second is the data processing agreement (DPA): the written instrument that must regulate the relationship with any vendor that accesses personal data before that access occurs.
Resolution SPDP-SPD-2026-0005-R establishes cases that qualify directly and mandatorily for a DPIA, without any additional calculation. These include: all processing of biometric data, all credit or financial information systems, and all systematic surveillance via video monitoring. If your organization operates in any of these cases, the DPIA is not discretionary.
The DPA: what the law requires before contracting
Every organization that contracts a service in which a third party accesses, stores, processes or queries personal data is establishing a data processing relationship. That relationship must be governed by a written contract before that access occurs. Art. 34 LOPDP establishes the obligation. Art. 41 SPDP Regulation details its minimum content.
Resolution SPDP-SPD-2025-0006-R, Model 2, expressly states: "This clause does not exempt the parties from entering into a data processing agreement in accordance with the LOPDP." A generic clause in the service contract does not substitute for the DPA. It is complementary, not equivalent.
Do your systems have documented DPIAs? Do your vendors have signed DPAs?
Wiibiq's free DataGuard diagnosis identifies which systems require DPIAs, which vendor contracts lack a DPA with the minimum content of Art. 41 Regulation, and what actions are priorities before the next SPDP inspection.