Skip links
Ecogal

GENERAL PRIVACY POLICY

General Privacy And Personal Data Protection Policy.

1. Objective


Establish guidelines and procedures for the collection, processing, storage, and deletion of personal data in accordance with the Organic Law on Personal Data Protection (LOPDP) of Ecuador. This policy ensures that personal data held by Galapagos Ecological Airport is handled responsibly, respecting data subjects’ rights and promoting transparency.

2. Scope


This policy applies to all collaborators of Galapagos Ecological Airport, including direct employees, temporary staff, interns, contractors, service providers, and any third party who directly or indirectly has access to personal data, whether digital or physical.

3. Data Controller

 
Galapagos Ecological Airport acts as the Data Controller under the LOPDP and its regulations.

Contact Information:

  • Corporate Name: Galapagos Ecological Airport
  • Address: Isla de Baltra, Galápagos
  • Phone: 052-534004
  • Email: dpo@ecogal.com.ec

4. Principles For Data Processing

  • Legality and Transparency: The processing of personal data will be carried out in accordance with the law and in a transparent manner for the data subject, who will be informed about the purpose and scope of the processing.
  • Purpose Limitation: Personal data may not be processed for purposes other than those for which they were collected.
  • Data Minimization: Only the personal data necessary for specific purposes will be collected.
    Accuracy: Measures will be taken to keep the data accurate and up to date.
    Storage Limitation: Data will be retained only for as long as necessary to fulfill the purpose of its processing.
    Confidentiality and Security: Personal data will be protected through appropriate technical and organizational measures to prevent unauthorized access or improper disclosure.

5. Collection And Use Of Personal Data


Galapagos Ecological Airport processes personal data for:

Service Provision: To manage the contracting, administration, and delivery of services related to the internal and external processes of Galapagos Ecological Airport.
Customer Service: To respond to inquiries, complaints, and provide effective assistance to our customers.
Legal Compliance: To comply with applicable legal and regulatory obligations, ensuring transparency and accountability in our operations.
Internal Management: For human resources management, internal administration, and compliance with corporate policies.
Marketing and Communications: To send commercial communications, announcements, and surveys, always with the prior consent of the data subjects and solely for the improvement and strengthening of the services of Galapagos Ecological Airport.

6. Data Subject Consent


6.1 Legal Grounds for the Processing of Personal Data

Galapagos Ecological Airport may process personal data when at least one of the following conditions is met, in accordance with Article 7 of the Organic Law on Personal Data Protection:

  • Data Subject Consent: Processing based on the data subject’s explicit, specific, and informed authorization.
  •  Contract Performance: Processing necessary for the execution of a contract to which the data subject is a party.
  • Compliance with Legal Obligations: Processing required under national, sectoral, or international regulations.
  • Vital Interest of the Data Subject or a Third Party: To protect the life, health, or physical integrity of the data subject.
  • Legitimate Interest of the Controller: When the fundamental rights and freedoms of the data subject do not prevail.
  • Public Interest or Exercise of Public Powers: In compliance with legal functions delegated to ECOGAL.
  •  Data from Public Sources: Only when used in accordance with the purpose limitation principle.

Galapagos Ecological Airport will obtain the freely given, specific, informed, and unequivocal consent of data subjects for the processing of their personal data, except in those cases permitted by the LOPDP where consent is not required in accordance with Articles 7.2 to 7.8 of the LOPDP. The data subject may revoke their consent at any time by submitting a request to the Data Protection Officer (DPO).

Specification of Consent for Different Purposes, Art. 7.1 (LOPDP)
Consent will be obtained in a clear, specific, and separate manner for each processing purpose. This includes, among others, purposes such as marketing activities, behavioral analysis, benefits management, the use of biometric data, or international data transfers. Each purpose must be duly communicated, ensuring that data subjects understand the scope of the processing and provide their authorization explicitly, freely, and knowingly.

7. Data Subject Rights


The data subject whose personal data is held by Galapagos Ecological Airport has the right to:

  1. Access: To know the personal data that is held and the purpose of its processing.
  2. Rectification: To request the correction of inaccurate or incomplete data.
  3. Deletion: To request the deletion of data when it is no longer needed or when the processing is unlawful.
  4. Objection: To refuse the processing of their personal data under specific circumstances.
  5. Data Portability: To request the transfer of their data in a structured and readable format.
  6. Data Minimization: To have only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  7. Restriction of Processing: To restrict the processing of their data in certain cases.
  8. Not to be Subject to Automated Decisions: The right not to be subject to decisions based solely on automated processing.

7.1 Transparency in Profiling and Automated Decisions

Galapagos Ecological Airport informs that it currently does not carry out decisions based solely on automated processing nor profiling that produces legal or significant effects on data subjects.
If such practices are implemented in the future, ECOGAL commits to:

  • Inform the data subject in advance and in a clear manner.
  •  Guarantee the right to human intervention, to express their point of view, and to challenge the decision.
  •  Apply appropriate security measures to prevent automated biases or errors.

8. Security And Protection Measures

 
Galapagos Ecological Airport will implement physical, technical, and organizational security measures to protect personal data from unauthorized access, loss, damage, or improper disclosure. These measures include, but are not limited to:

  • Physical Measures:
    – Access control to the facilities where personal data is stored.
    – Use of physical security systems such as surveillance cameras and alarms.
    – Storage of physical documents in secure locations.
  • Technological Measures:
    – Implementation of encryption for data in transit and at rest.
    – Use of firewalls, antivirus software, and intrusion detection systems.
    – Regular performance of data backups.
    – multi-factor authentication and encryption for access to sensitive data.
  • Organizational Measures:
    – Designation of a data protection officer.
    – Development and implementation of information security policies.
    – Access to personal data only by authorized personnel; only individuals with proper authorization may access personal data for processing.
    – Ongoing training for staff on information security and privacy.
    – Periodic audits to assess the security and effectiveness of the measures applied.

9. Responsibility And Proactive Management


Galapagos Ecological Airport will assume proactive responsibility in th processing of personal data, implementing mechanisms to prevent any privacy incidents and ensuring compliance with applicable regulations.

  • Data Controller Responsibility: Management will be responsible for ensuring compliance with this policy and the Organic Law on Personal Data Protection of Ecuador.
  • Specific Responsibilities: The Privacy and Information Security Committee will review and update this policy and its related procedures annually.
  • Audits and Risk Assessments: Annual security audits and privacy impact assessments will be conducted for processes that handle sensitive personal data.

10. Exceptions

This policy does not apply in the following cases:

  • Anonymized data that does not allow the identification of the data subject.
  • Data of deceased persons, except for credit data or cases where the deceased has appointed a specific representative.
  • Domestic activities that do not involve commercial purposes.
  • Data processed for journalistic or editorial purposes regulated by other specific regulations.
  • Other cases established in Article 2 of the Ecuadorian Organic Law on Personal Data Protection (LOPDP).

11. Procedures For The Exercise Of Rights


Data subjects may exercise their rights through the following steps:

  • Request: Submit the request in writing or via email to the Data Protection Officer (DPO) of Galapagos Ecological Airport (dpo@ecogal.com.ec), indicating the right they wish to exercise. The forms for exercising these rights are available on the website www.ecogal.com.ec.
  • Response Time: After verifying the identity of the data subject, Galapagos Ecological Airport will respond within a maximum period of 15 days, informing whether the request is accepted or providing the reasons why it is not feasible.

Additional Remedies: If the data subject disagrees with the response provided by Galapagos Ecological Airport, they may file a complaint with the Personal Data Protection Authority of Ecuador.

12. Transfer Of Data To Third Parties


Galapagos Ecological Airport may share personal data with third parties, including service providers and business partners, under the following conditions:

  • Data Subject Consent: When required, prior consent from the data subject will be obtained.
  • Data Protection Agreement: Third parties must implement appropriate measures to protect personal data through the signing of contracts that include confidentiality and data protection clauses.
  • Legal Compliance: Data transfer will be carried out to comply with legal and regulatory obligations.
  • Sub-processors and Vendors with Access to Data


ECOGAL may engage third parties (sub-processors) who will have access to personal data solely for the purpose of performing essential functions on its behalf. These sub-processors will be contractually required to:

  • Comply with the same legal, contractual, and security obligations as ECOGAL in its role as controller or processor.
  • Process personal data only in accordance with documented instructions.
  • Implement auditable security controls and accountability mechanisms.

ECOGAL will conduct prior assessments of the suitability of these third parties and will maintain updated records of all data processing assignments performed.

13. Data Retention


Galapagos Ecological Airport will retain personal data only for the period necessary to fulfill the purposes for which it was collected, or as required by applicable law. Once the data is no longer needed, it will be securely and permanently deleted, thereby ensuring the protection of data subjects’ privacy.

14. Definitions


ANONYMIZATION: The application of measures aimed at preventing the identification or re-identification of a natural person, without disproportionate effort.

PERSONAL DATA PROTECTION AUTHORITY: An independent public authority responsible for supervising the application of the law, regulations, and resolutions it issues, with the purpose of protecting the fundamental rights and freedoms of natural persons regarding the processing of their personal data.

DATABASE: A structured set of data, regardless of the form, method of creation, storage, organization, type of support, processing, location, or access, whether centralized, decentralized, or distributed functionally or geographically.

SPECIAL CATEGORIES OF PERSONAL DATA: The following shall be considered special categories of personal data:
a) Sensitive data;
b) Data of children and adolescents;
c) Health data; and
d) Data of persons with disabilities and their representatives, related to the disability.

CONSENT: A free, specific, informed, and unequivocal declaration of will by which the data subject authorizes the data controller to process their personal data.

BIOMETRIC DATA: Unique personal data related to the physical or physiological characteristics or behaviors of a natural person that allows or confirms their unique identification, such as facial images or fingerprint data, among others.

GENETIC DATA: Unique personal data related to inherited or acquired genetic characteristics of a natural person that provide unique information about an individual’s physiology or health.

PERSONAL DATA: Any data that identifies or makes a natural person directly or indirectly identifiable.

CREDIT PERSONAL DATA: Data that reflects the economic behavior of natural persons, used to assess their financial capacity.

HEALTH-RELATED DATA: Personal data related to a person’s physical or mental health, including the provision of healthcare services, which reveals information about the individual’s health status.

SENSITIVE DATA: Data related to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, migration status, sexual orientation, health, biometric data, genetic data, data concerning stateless persons and refugees requiring international protection, and any data whose improper processing may result in discrimination or may affect fundamental rights and freedoms.

Data Processor: A natural or legal person, public or private, who, alone or jointly with others, processes personal data on behalf of the Data Controller (Galapagos Ecological Airport), as an ally or service provider. When the controller does not act as the processor of the database, the processor must be expressly identified.

Natural Person: Individuals capable of exercising rights and assuming obligations.

Data Subject: A natural person whose personal data is being processed.

Processing: Any operation or set of operations carried out on personal data, whether through automated, partially automated, or non-automated technical procedures, such as collection, gathering, obtaining, recording, organization, structuring, storage, safeguarding, adaptation, modification, deletion, indexing, extraction, consultation, compilation, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of access enablement, comparison, interconnection, limitation, suppression, destruction, and, in general, any use of personal data.

15. Update of the Privacy and Personal Data Protection Policy


This notice may be modified at any time to comply with new legal requirements or our operational needs. The most up-to-date version will be available on our websitewww.ecogal.com.ec.

16. Control De Cambios

CHANGE CONTROL DATE REVIEW DESCRIPTION OF THE CHANGE
CHANGE CONTROL 16/02/24 0 Approval of the document by the Privacy and Information Security Committee.
CHANGE CONTROL 27/01/25 1 Drafting of the document.
CHANGE CONTROL 10/02/25 2 Inclusion of the clause ‘Update of the Privacy and Personal Data Protection Policy’.
Widget Flotante