top of page
En el teléfono

Personal Data Protection Policy

Introduction - Initial Observations

Meythaler & Zambrano, Attorneys (hereinafter referred to as "MZ") is committed to respecting the rights guaranteed for personal data holders, which are stipulated in the Constitution of the Republic of Ecuador, as well as in the entire content of the Organic Law on Personal Data Protection (hereinafter referred to as “LOPDP”) and its Regulations. In light of this, it provides its Personal Data Protection Policy for clients, collaborators, legal representatives of clients, and suppliers.

MZ reserves the right to update this policy based on its needs and in response to changes in laws, regulations, practices, and in response to newly identified threats or new requirements imposed by the Control Authority. When such modifications significantly affect the processing of personal information of data holders, they will be duly notified.

For MZ to access and process the personal data of clients, collaborators, and suppliers in order to provide quality legal and accounting advice, it is necessary for their stakeholders to be informed about the content of this policy and accept its terms.

Once the data holders either give their consent through the corresponding forms, or the processing of their data is legitimized through the execution of a legal or contractual obligation, MZ will be authorized to process their personal data, according to the parameters established in this policy, which will be duly socialized and published for the knowledge of all its stakeholders regarding the full content of the company's personal data protection policy.


  • Authorization: Express, informed, and revocable consent by the Holder for the Processing of their Personal Data.

  • Database: Organized set of Personal Data that are subject to Processing.

  • Confidentiality: Guarantee granted by the Responsible, Co-responsible, or Processor on the protection of the Personal Data they handle, as established in the LOPDP.

  • Biometric Data: Unique personal data related to the physical or physiological characteristics, or behaviors of a natural person, which allow or confirm the unique identification of such person, such as facial images or fingerprint data.

  • Personal Data: Information that identifies or makes a natural person identifiable, directly or indirectly.

  • Health-related Data: All information related to any aspect of the health of the holder, whether physical or psychological, of a past, present, or potential future health state. This also includes any kind of information about a natural person collected for the purpose of enrolling them to obtain or provide healthcare. It includes diseases, disabilities, disease risk, medical history, clinical or physiological treatment, as well as any information related to the same.

  • Sensitive Data: Data related to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial past, migratory status, sexual orientation, health, biometric data, genetic data, and those whose improper handling may lead to discrimination or may infringe upon the fundamental rights and freedoms of their Holders.

  • Data Protection Officer: Natural person who acts as a communication link between the Holders, the Responsible or Processor, and the Data Protection Authority.

  • Processor: Natural or legal person, who alone or jointly with others, processes Personal Data on behalf and for the account of a Data Controller, in strict compliance with the provisions of the LOPDP.

  • Purposes: Those purposes for which the Personal Data are requested.

  • Publicly Accessible Source: Databases that can be consulted by anyone, whose access is public, unconditional, and widespread.

  • Processing Notification: Notice from the Responsible or Processor directed to the Holder, which informs about the company's Personal Data Protection Policies. Through these notifications, the holders can access the policies as such.

  • Data Controller: Natural or legal person who alone or jointly with others decides on the purpose of the Processing of Personal Data.

  • Claim: Request of the Data Holder, or of persons authorized by him, to correct, update, or delete their Personal Data or to revoke the Authorization.

  • Holder: Natural person whose Personal Data are object of Processing by a Responsible or Processor.

  • Transfer or communication: Manifestation, declaration, delivery, consultation, interconnection, assignment, transmission, diffusion, disclosure, or any other form of revealing Personal Data carried out by a person other than the Holder, Responsible, or Processor of the Personal Data. The communicated Personal Data must be accurate, complete, and up-to-date.

  • Processing: Any operation or set of operations on Personal Data of the Holders.

  • Third party: Natural or legal person, national or foreign, distinct from the Holder, Responsible, Processor, and Data Protection Officer.

  • Data Security Breach: Any security incident that directly affects the confidentiality, availability, or integrity of personal data.

  • Responsible for Personal Data: The Responsible for the processing of Personal Data of the Holders will be Meythaler & Zambrano, Attorneys, a company that has developed this policy to fully comply with the LOPDP. Its address is as follows: Av. 6 de diciembre 2816 y Paúl Rivet, Edificio Josueth González, Piso 10.

Purpose and Scope

This instrument (hereinafter "The Policy") seeks to inform the holders about the technical, legal, organizational, and administrative measures that MZ has taken, with the aim of complying with the LOPDP and its Regulation.

This Personal Data Protection Policy will apply to all databases and/or files that contain personal data, that are subject to processing by the company, as well as by any third party, individually considered as co-responsible or in charge of the processing, who provide administrative, advisory, or any kind of services whenever they receive information from the company.

Next, the general aspects of the current regulations on the protection of personal data are discussed.

Specific objectives of the policy of Meythaler & Zambrano Attorneys

  • Ensure the confidentiality, integrity, and availability of information.

  • Train and raise awareness among all MZ collaborators on information security and personal data protection, so that everyone is informed of their duties and obligations of security and continuity, being responsible for fulfilling them, ensuring the protection of MZ clients, as well as being informed of their own rights as a stakeholder group of the company.

  • Manage all incidents that occur appropriately.

  • Ensure that all data processing is performed safely, and only by authorized personnel.

  • Guarantee MZ's commitment to information security.

  • MZ is committed to the success of this policy, and for this, it will provide the necessary human, technological, and economic resources for its efficient operation and effective maintenance.


Personal Data Collected and Purposes of Processing

As per the operations of MZ, this firm collects personal information through: website, forms, emails, telephone calls, contracts. Due to the nature of the service we offer, on certain occasions sensitive, judicial, credit, and minor data are collected.

Meythaler & Zambrano, Attorneys will process the Personal Data of the holders, directly or through Processors, as long as the processing is consistent with the relationship generated between the parties and in accordance with the type of relationship it has with the HOLDER, for the following main purposes:

Clients - Natural Persons and Legal Representatives of Legal Entities



  • Identification data: names and surnames

  • Contact data: emergency contact.

  • Location data: home address

  • Judicial data: when applicable for legal representation.

  • Health data: when applicable for legal representation.

  • Socio-economic data.


Legal Representatives

  • Identification data: names and surnames, ID number

  • Contact data: numbers of mobile phone, work, home, etc.

  • Name and address of the workplace

  • Judicial data: when applicable for legal representation.

  • Health data: when applicable for legal representation.

  • Socio-economic data.

  • Credit data: when applicable for legal representation.

  • Sensitive data: when required for judicial, administrative, or arbitral defense of the holders.

  • Data of minors: when required for judicial, administrative, or arbitral defense of the holders.

  • Commercial data: when applicable for legal representation.



  • Initiate the process of legal representation or sponsorship (judicial, administrative, or arbitral) depending on the type of case.

  • Advise and audit in different areas of law, as well as in accounting to clients, providing a comprehensive and multidisciplinary service.

  • Create physical and digital databases, specific about each client and all cases over which representation, advocacy, or authorization is granted in favor of M&Z.

  • Create general databases containing lists of clients for each area of the firm.

  • Contact the holders through any means of communication provided and accepted by the data holder (email, social networks, by phone, electronic messaging, etc.), with the purpose of discussing topics strictly related to the contracted services.

  • To verify the authenticity of the data provided by the holders and legal representatives of legal entities, due to the sponsorship, representation, or legal authorization.

  • Build a database on all the company's clients.

  • Know the physical, emotional, and psychological health conditions of the clients in order to sponsor them effectively, when the case requires it.

  • Know about the sensitive data of the clients in order to sponsor them effectively, when the case requires it.

  • Deliver client information to the relevant public control institutions, when this is the object of the contracted legal sponsorship.

  • Coordinate with legal representatives any situation that requires their signature and observance regarding the legal entity in their charge.

  • Preserve for a period of 10 years the general database of clients. This period will run once they are no longer part of the company's portfolio. The same period will also apply to legal representatives, as long as they continue in their position.

  • To be able to notify about any security incident regarding their personal data, both to the holder and to the competent authority in the field of data protection; as stipulated in Chapter VI of the General Regulation of the Organic Law on Protection of Personal Data.

  • To bill and collect the expenses of legal sponsorship, audits, accounting advice to the holders or legal entities to which the service of legal representation is provided.

  • To assemble, implement, and manage advertising campaigns about Meythaler & Zambrano, of any kind and using any means of communication, with explicit consent from the data holder.

  • For the Systems area to manage security measures on the data and its transfer.


Data Collected and Processed


  • Identification data: names, surnames, ID number.

  • Academic and professional data: curriculum, professional degree, and professional ID number.

  • Contact data: personal email, mobile phone number, and landline number.

  • Health data: pre-existing health conditions or disabilities to consider for the vacancy.

  • Data about their professional and personal references.



  • Initiate the hiring process with the applicant, for which their data will be used to send multiple necessary communications for the execution of the process.

  • Gather information about their professional experience, education, competencies, skills, etc. This to examine whether they meet the company's demands or not.

  • Diligently investigate the veracity of the information provided by the applicants.

  • Carry out any corresponding procedure with the registration or entry of personnel in public institutions that require it.

  • Process sensitive health data, through any medical examination carried out by the company and third parties in general, to assess the physical and mental fitness of the applicant in contrast to the applied position, when applicable.

  • Build a backup database on potential profiles for future vacancies.

  • For the Systems area to manage security measures on the data and its transfer.

Data Collected and Processed from Employees

  • Identification data: names, surnames, ID number.

  • Academic and professional data: curriculum, professional degree, and professional ID number.

  • Contact data: personal email, mobile phone number, and landline number.

  • Health data: physical condition, recurrent diseases, disabilities, medical justifications,

  • Physical data: photographs and videos (image and/or voice).

  • Relatives and reference persons: family dependents, emergency contacts.

  • Credit data: bank account number, bank certificate (when required for the follow-up of a work benefit or the fulfillment of a contract).

  • Biometric data: attendance and punctuality control.

  • Judicial and criminal data.



  • Create a physical and digital folder about each of the company's employees, which will be preserved for a period of 10 years. This period will start to run once they have left the company.

  • Process data especially protected (minors), which have been declared as family dependents.

  • Perform a time control, both for entry and exit from the company.

  • Make payroll payments to the holders, as well as any other item that has been agreed in the employment contracts.

  • Process sensitive health data, through any medical examination carried out by the company and third parties in general, to assess the physical and mental fitness of the employee in contrast to the applied position

  • Generate a basic profile of the employee with the purpose of building a database to assign possible vacancies according to this information

  • Manage various legal procedures, whether required by a competent authority or by law.

  • Grant permits and licenses.

  • Conduct periodic evaluations of the staff, with the aim of improving the academic process through periodic feedback.

  • For the Systems area to manage security measures on the data and its transfer.


Suppliers when they are Natural Persons

Data Collected Suppliers.- Natural Person

  • Identification data: names, surnames, ID number.

  • Contact data: personal email, mobile phone number, and landline number.

  • Credit data: bank certifications, account numbers, commercial references.



  • Qualify as suppliers for MZ, meeting all the requirements of the case.

  • Follow up on purchase orders, payments, information requests, and other requirements ordered by the company.

  • To maintain the relationship between the interested parties in order to proceed with the activities and obligations that are carried out jointly and the fulfillment of the legal relationships that are generated: elaboration of service contracts, confidentiality agreements, as well as co-responsible or in charge of treatment, respectively.

  • Preserve for a period of 10 years all tax documents necessary for compliance with the company's obligations.

  • Use all necessary personal data to enter suppliers into the company's accounting system

  • Generate a basic profile of the supplier with the purpose of building a database to assign budgets.

  • Manage different legal procedures, whether required by a competent authority or by law.

  • Prepare and issue commercial certificates.

  • For the Systems area to manage security measures on the data and its transfer.

  • Sign data processing assignment contracts when the provision of the service involves data processing activities.


Information Retention Period

The company has defined 15 years as the retention period for the information. This is because, by legal mandate, ordinary legal actions prescribe after 10 years. That is, Meythaler & Zambrano, Attorneys, will retain the information for this period, to guarantee its constitutional right to defense if necessary.

In the event that MZ consolidates medical records of its collaborators or partners, these will be preserved for a maximum period of 20 years after their disassociation from the company.

Principles of the LOPDP

The Processing of Personal Data carried out or to be carried out by MZ is expressly governed by the principles of legality, loyalty, transparency, purpose, relevance, minimization, proportionality, confidentiality, quality, accuracy, limited conservation, security, and others established in article 10 of the law.

Likewise, and in strict compliance with the LOPDP, and other applicable regulations in the field of data protection, MZ, if deemed necessary, will issue binding corporate regulations in the field of personal data.


Loyalty of Processing

MZ will process, transfer, and/or retain those personal data collected, exclusively for the purposes that have been established in this policy.

All data processed by the company will be processed legitimately, with the due consent of the concerned individuals, or other grounds provided in article 7 of the LOPDP.

The company will record the appropriate cause of legitimacy for the processing in the Treatment Activities Registry (RAT). The company is committed to ensuring the updating of the data protection register where, in addition to the aforementioned, the purposes of the processing, a description of the categories of interested parties and the categories of personal data, the categories of recipients to whom personal data are communicated, as well as national and international data transfers will be identified.

Data and metadata regarding the obtaining of consent will be kept for proof purposes and under the principle of proactive and demonstrated responsibility.

Concerned individuals may withdraw their consent as provided, in the exercise of their rights.

Rights to Guarantee for the Holders

Holders from whom MZ has collected personal data by any means, as defined in this document, will have the right to the following:

  • Be accurately informed about what personal data the company processes.

  • Access, both under the principle of portability and by the right of access, to their personal data.

  • Request the update or rectification of their data.

  • Request the deletion of their data when duly justified.

  • Request verification of the existence of their consent for the processing.

  • Revoke the express consent given to the company.

  • Be informed by the company about the compliance with the purposes that the latter has given to their personal data.

  • Not to be subject to a decision that is based solely or partially on automated evaluations, including profiling.


However, the request for deletion of information and the revocation of authorization will not proceed when the information holder has a legal or contractual duty to remain in the database and/or files, nor while the relationship between Meythaler & Zambrano, Attorneys and the holder, under which the holder provided their personal data, is in force.

Exercise of Rights of Holders - Contact Address

When Holders wish to exercise their rights (established in this instrument, as well as in the LOPDP), they must communicate by email to the address:

Procedure for the Exercise and Attention of Rights of Personal Data Holders

When the holder wishes to exercise their rights, they will follow the following procedure:

  • Send an email to the email address previously indicated by Meythaler & Zambrano, Attorneys stating the following:

  • Complete identification data of the Holder.

  • Reason for their request;

  • Due justification to support their request or petition, electronically signed by the holder;

  • Legible scan of the official identification document, which demonstrates the authenticity of their identity;

  • Identification of the right that is sought to be exercised;

  • Precise description of the personal data over which such right is sought to be exercised;

  • When seeking to exercise the right of update or ratification, the Holder must indicate clearly and precisely those modifications they want to make.

  • Other requirements established in the Regulation of the LOPDP.

  • Once this request with all its requirements is received, MZ will review it and notify the Holder, within a maximum term of 10 days, about the resolution of their request. This term will start from the date of receipt of the holder's request by MZ.

  • If the Holder's request meets the requirements of the LOPDP, Meythaler & Zambrano will proceed with its execution. The Holder acknowledges that, for their request to be accepted and proceed to its execution, it must strictly comply with the requirements and guidelines specifically contained in the LOPDP and other applicable regulations.

Consent of the Holders and Causes of Legitimization of Processing

Meythaler & Zambrano, Attorneys guarantees that, upon receiving personal data from the holders, it has previously collected unequivocal, free, informed, and express consent from the holders for the collection and processing, indicating the purpose for which the data is requested. This consent is suitable for the lawful and legitimate purposes specifically determined in this document.

The consent of the holders will be obtained using any available means for MZ, whether these are written or oral, that allow preserving proof of the authorization and/or of the unequivocal conduct through which the holder gives their consent, and may be, but not limited to, through:

  • Any written document that maintains a clause of authorization and consent for the processing of personal data.

  • Any verbal and express statement, whether by telephone call, video call, digital or analog recording.

  • Any electronic or digital means that allows identifying who has used it to demonstrate their consent.


In this sense, the person responsible for the treatment will comply with their duty to inform the holder of the personal data in everything previously described for obtaining free, specific, informed, and unequivocal consent.

The holder understands that their consent is one of the forms of legitimization of the processing contained in article 7 of the LOPDP, and that MZ reserves the right to justify any data processing based on the rest of the forms established in the norm.

Data Protection Management

In strict compliance with this instrument, as well as with the LOPDP, its Regulation, and other current regulations in the field, Meythaler & Zambrano, Attorneys is committed to maintaining continuous improvement measures to manage its data protection measures.

Likewise, they are committed to keeping constantly updated and at the forefront, all those documents that are part of their data protection system, so that they fully comply with the best standards of Personal Data Protection.

They commit to ensuring the privacy of the personal data collected, scrupulously complying with the following:

  • Data Protection from Design and by Default: MZ will implement all necessary technical and organizational measures to safeguard the privacy of the data of the interested parties from the start of each of the treatments. Likewise, it guarantees that, by default, only those personal data necessary for each specific purpose of the treatment will be subject to processing.

  • Treatment Activities Registry: MZ is committed to ensuring the updating of the data protection registry, where the purposes of the treatment, a description of the categories of interested parties and of the categories of personal data, the categories of recipients to whom personal data are communicated, as well as national and international data transfers will be identified.

  • Transparency and Information to Interested Parties: All personal data processing will be transparent in relation to the interested parties, providing them with information about the processing of their data in a comprehensible and accessible way, when required by applicable law.

  • Treatment Managers: Those providers (when applicable) who access and process personal data under the responsibility of MZ must manage the data only following the instructions of said company, which must be recorded in writing, by contract or legal document that binds both parties, so that the treatment manager adopts the necessary measures to guarantee the privacy of personal data and is able to demonstrate said compliance in case it is required.

  • Adoption of Security Measures: Due to the commercial nature of MZ, it is committed to always maintaining the best security measures, technical, administrative, organizational, and physical, on the information contained in its databases such as:

  • Physical and environmental security: Prevention of all types of unauthorized access, prevention of damage to facilities, prevention of damage to MZ's physical information. Prevention of losses, damage, theft, or dangerous circumstances that interrupt MZ's activities.

  • Security Measures for Suppliers: Evaluations of possible risks in subcontracting third parties to meet the purposes that have been established in this document. Monitor compliance and contractual requirements, to ensure that these are loyal to the purposes of the treatment.

  • Labeling Measures: MZ will label all information that has been collected, subject to this policy, in order to preserve it under security. All documents, their copies, attachments, as well as possible extracts born from this will be labeled; as long as the information used is not strictly public.

  • Security Notifications: MZ is committed to notifying the security breach within the term established in the Organic Law on Protection of Personal Data and its Regulation, both to the holder and to the competent Authorities since the event is known.

  • International Data Transfers: Meythaler & Zambrano will ensure at all times that personal data will only be communicated outside of Ecuador, to countries, territories, or specific sectors; over which the Superintendency has adopted a decision recognizing that they offer an adequate level of protection, when adequate guarantees have been offered about the protection that the data will receive at its destination, and/or when the person responsible for the treatment verifies and guarantees that the recipient complies with adequate data protection standards, which must be equal to or greater than Ecuadorian standards.

Measures of Evaluation and Control

Meythaler & Zambrano, Attorneys will maintain internal and external evaluation and control mechanisms on its data protection management, which will deliver periodic results.

The objective of these measures will be to prevent possible non-compliance with both the current regulations and this instrument, and they may materialize through audit reports in the field. The person in charge of supervising these mechanisms, in all cases, will be the Data Protection Officer appointed by Meythaler & Zambrano, Attorneys.

The results obtained through these control and evaluation mechanisms must be communicated to the company's executives directly, with the aim of taking particular actions, if necessary.

Risk Analysis and Impact Evaluation

Meythaler & Zambrano, Attorneys, in strict compliance with the LOPDP and its Regulation, by virtue of the type of personal data it processes and the treatments it gives, will carry out through its Data Protection Officer, risk analysis and impact evaluations on the data processing to be carried out, whenever required according to the provisions of the current regulations. These evaluations will be carried out on the different treatment activities that require it, which will guarantee the integral reduction of possible security incidents on the treatment activities.

Processing of Sensitive Data

Meythaler & Zambrano, Attorneys recognizes that they will process sensitive data and therefore, guarantees that both the collection, processing, and conservation of these, are carried out in compliance with all the security and confidentiality standards corresponding to their nature.

Due to this, they will implement technical, administrative, organizational, security, and physical measures, as well as risk analysis and impact evaluations to ensure that all their employees, suppliers, affiliated companies, business partners, and other third parties, have due respect for this type of information, and know in detail the criticality that their treatment entails.

Use of Computer Systems

Users of the computer systems of Meythaler & Zambrano, Attorneys must perform and promote efficient use of the same, in order to avoid unnecessary traffic on the network and interferences with their work or that of other users, or with other associated networks or the services they offer.

It is prohibited to destroy, alter, disable, or in any other way damage the data, programs, or electronic documents of MZ or third parties.

The use, reproduction, assignment, transformation, or public communication of any type of work or invention protected by intellectual or industrial property is prohibited.

It is prohibited to introduce, download from the Internet, reproduce, use or distribute software without a license and not expressly authorized by MZ. Likewise, the deletion of legally installed programs without MZ's authorization is prohibited.

Incident Management

Any identified incident must be communicated through the email indicated by MZ. Once received, it will be followed up accordingly, in order to take the appropriate actions for its correction, as well as with the start of the pertinent notification process.


Applicable Legislation

Our Personal Data Protection Policy is governed by the provisions of the Organic Law on Personal Data Protection, its Regulation, the Constitution, and other corresponding regulations and that may be issued in the future.

bottom of page