Resolution JPRFM-2026-010-A Incorporating the Privacy and Personal Data Processing Policy of the Central Bank of Ecuador

RESOLUTION No. JPRFM-2026-010-A THE FINANCIAL AND MONETARY POLICY AND REGULATION BOARD

CONSIDERING:

That, Article 66, numeral 19 of the Constitution of the Republic of Ecuador guarantees and recognizes the right to the protection of personal data, which includes access and decision-making regarding information and data of this nature, as well as their corresponding protection;

That, Article 226 of the Constitution of the Republic of Ecuador prescribes that public servants and persons acting under a state authority shall exercise only the competencies and powers attributed to them in the Constitution and the Law;

That, Article 227 of the same Constitution states that the Public Administration constitutes a service to the community governed by principles of efficiency, quality, hierarchy, coordination, planning, among others;

That, the first paragraph of Article 303 of the Constitution of the Republic of Ecuador determines that the formulation of monetary, credit, exchange, and financial policies is the exclusive faculty of the Executive Branch and will be implemented through the Central Bank of Ecuador;

That, on October 13, 2025, the Organic Reformatory Law of the Organic Monetary and Financial Code was published in the Sixth Supplement of Official Registry No. 142;

That, Article 13 of the Organic Monetary and Financial Code creates the Financial and Monetary Policy and Regulation Board, part of the Executive Branch, as an organ with functional, technical, and institutional autonomy, and in its decisions, responsible for the formulation of monetary, credit, financial, securities, insurance, and prepaid comprehensive health care service policy and regulation. The Financial and Monetary Policy and Regulation Board shall be the highest government body of the Central Bank of Ecuador;

That, Article 17 of the aforementioned Code, in its pertinent part, determines that:

RESOLUTION No. JPRFM-2026-010-A Page | 2

"(...) For the fulfillment of these functions, the Board will issue regulations in matters within its competence, without being able to alter legal provisions. The Financial and Monetary Policy and Regulation Board may issue regulations by segments, economic activities, and other criteria. It may even reform or repeal regulations from the former Monetary Policy and Regulation Board, Financial Policy and Regulation Board, or Monetary and Financial Policy and Regulation Board. All regulations and policies issued by the Financial and Monetary Policy and Regulation Board in the exercise of its functions, duties, and powers must be backed by duly substantiated technical and legal reports (...)";

That, Article 19 of the same Code, regarding the specific functions of the Financial and Monetary Policy and Regulation Board in the monetary sphere, among others, establishes: "(...) 2. Establish the policies of the Central Bank of Ecuador and supervise their implementation (...)";

That, Article 24 of the same Code provides that the acts of the Financial and Monetary Policy and Regulation Board enjoy the presumption of legality and will be expressed through resolutions that will have mandatory force, which will govern from their publication in the Official Registry, or from the date of their issuance when so determined by the Board, in accordance with the subject matter;

That, Article 25.2 aforementioned determines that the Technical Secretariat of the Financial and Monetary Policy and Regulation Board is exercised by the Central Bank of Ecuador, and Article 25.3 establishes as its functions the preparation of technical and legal reports to support regulation proposals, provide technical and administrative support to the Financial and Monetary Policy and Regulation Board, and those other tasks assigned to it by said Board;

That, General Provision Twenty-Ninth of the same Code states: "In current legislation where mention is made, indistinctly, of the Monetary and Financial Policy and Regulation Board, the Monetary Policy and Regulation Board; or the Financial Policy and Regulation Board, replace and understand as 'Financial and Monetary Policy and Regulation Board'";

That, Article 1 of the Organic Law on Personal Data Protection establishes as the object and purpose of said norm "(...) to guarantee the exercise of the right to the protection of personal data, which includes access and decision-making regarding information and data of this nature, as well as their corresponding protection. For this effect, it regulates, provides for, and develops principles, rights, obligations, and protection mechanisms";

That, Article 4 of the aforementioned Law defines the data controller as the "(...) natural or legal person, public or private, public authority, or other organism, that alone or jointly with others decides on the purpose and processing of personal data"; in this sense, the Central Bank of Ecuador, in its capacity as a public law legal entity, acts as the controller of personal data processing in accordance with the functions and attributions established by law;

That, Article 12 of the Organic Law on Personal Data Protection establishes that the data subject has the right to be informed, in accordance with the principles of loyalty and transparency, about all relevant aspects of the processing of their personal data, including the purpose, legal basis, retention time, planned transfers, rights they possess, mechanisms to exercise them, among other essential elements;

That, in numeral 4 of Article 47 of the Organic Law on Personal Data Protection, the data controller has as an obligation, among others, the "Implementation of personal data protection policies relevant to the processing of personal data in each particular case";

That, Article 58 of the General Regulation to the Organic Law on Personal Data Protection, the data controller is obliged to apply adequate technical, legal, administrative, and organizational measures that guarantee and demonstrate the conformity of the processing of personal data with current regulations, considering the nature, scope, purpose of the processing, and associated risks; measures that can be reviewed and updated when circumstances require it;

That, in accordance with current statistical regulations, the production and dissemination of official statistics constitutes a function of public interest, for which competent entities may collect, process, and safeguard information, observing the principle of confidentiality and the duty of secrecy regarding individual data, guaranteeing that their use is limited exclusively to statistical purposes and that their dissemination is carried out only in aggregated form or through dissociation or anonymization techniques;

RESOLUTION No. JPRFM-2026-010-A Page | 4

That, as part of its commitment to transparency, institutional responsibility, and respect for citizens' rights, the Central Bank of Ecuador, in its capacity as the data controller, must adopt measures that ensure the effective compliance with this right through clear, accessible, and understandable policies for the citizenry, in which guidelines are established for the adequate, secure, and lawful processing of the personal data it administers in the exercise of its functions and legal attributions;

That, numeral 4 of Article 85, of Subsection 2 "Information Security Management Policies", of Chapter I "Government of the Central Bank of Ecuador", of Title II "Government Policies of the Central Bank of Ecuador", of the Codification of Resolutions of Governance of the Monetary Policy and Regulation Board and of the Central Bank of Ecuador, establishes:

"4. Protection of Sensitive Information and Personal Data: Administrative units will coordinate with the Data Protection Delegate the implementation of measures to ensure the protection of personal data. Asset owners will be responsible for identifying sensitive information and coordinating with the Information Technologies Management the application of security controls, safeguarding that the original information is not exposed or accessible during its transit, processing, and storage, in order to minimize the risk of exposure, loss, or misuse of said information. For this, techniques such as masking, pseudonymization, anonymization, tokenization, encryption, among others, will be adopted";

That, First Transitional Provision of the Organic Reformatory Law of the Organic Monetary and Financial Code determines that the members of the Financial and Monetary Policy and Regulation Board, sworn in on September 16, 2025, by the National Assembly, will continue to exercise their functions for the periods for which they were designated and will maintain their labor continuity and acquired rights;

That, through Office No. T.233-SGJ-25-098 of September 5, 2025, signed by the Constitutional President of the Republic, addressed to the President of the National Assembly, the list of candidates for the designation of the Members of the Financial and Monetary Policy and Regulation Board was sent; as well as, the temporality of their stay within the initial period;

That, the Plenary of the National Assembly, on September 16, 2025, designated and swore in the members of the Financial and Monetary Policy and Regulation Board,

RESOLUTION No. JPRFM-2026-010-A Page | 5

in the persons of: Gustavo Estuardo Camacho Dávila; Silvia Daniela Moya Arteta; Roberto Javier Basantes Romero; and, María Isabel Camacho Cárdenas;

That, the Financial and Monetary Policy and Regulation Board, in ordinary session No. 008-2026, under hybrid modality, on March 23, 2026, reviewed the resolution proposal sent via Memorandum No. BCE-BCE-2026-0087-M, of March 16, 2026, by the General Manager of the Central Bank of Ecuador to the President of the Financial and Monetary Policy and Regulation Board; as well as, Technical Report No. BCE-GR-2026-022 / BCE-SSI-2026-009, of March 9, 2026; and, Legal Report No. BCE-GJ-025-2026, of March 16, 2026; and,

In exercise of its functions and in attention to Article 24 of the Organic Monetary and Financial Code, the Financial and Monetary Policy and Regulation Board,

RESOLVES:

Article 1.- Incorporate as Section 5 "PRIVACY POLICY AND PERSONAL DATA PROCESSING OF THE CENTRAL BANK OF ECUADOR", of Chapter I "Government of the Central Bank of Ecuador", of Title II "Government Policies of the Central Bank of Ecuador" of the "Codification of Resolutions of Governance of the Monetary Policy and Regulation Board" of the Central Bank of Ecuador, issued via Resolution No. JPRM-2025-007-G, of July 16, 2025, the following text:

"SECTION 5 PRIVACY POLICY AND PERSONAL DATA PROCESSING OF THE CENTRAL BANK OF ECUADOR

SUBSECTION 1: PRIVACY POLICY, OBJECT, AND SCOPE OF APPLICATION

Article 86.- Object: This Policy aims to establish the mandatory guidelines, principles, and general directives that regulate the processing of personal data carried out by the Central Bank of Ecuador, in its capacity as data controller, in order to guarantee the effective exercise of the fundamental right to the protection of personal data of the subjects, in accordance with the Organic Law on Personal Data Protection, its General Regulation, and other applicable regulations.

Article 87.- Scope: The Central Bank of Ecuador, in compliance with what is established in the Organic Law on Personal Data Protection and its regulatory norms, is the entity responsible for the processing of personal data communicated or provided by the subjects.

The Central Bank of Ecuador, in its capacity as data controller, will ensure that the data subjects manifest having been informed in a clear, sufficient, and timely manner about the essential aspects of the processing of their personal data and, consequently, will carry out the necessary actions so that prior to the processing of said data, the subjects accept the established terms, which have legally binding character.

When the Central Bank of Ecuador acts in the capacity of data processor, it will carry out such processing on personal data on behalf and under the definitions of the data controller, in accordance with what is established in the Organic Law on Personal Data Protection (LOPDP) and its complementary regulations. The Central Bank of Ecuador will process personal data exclusively based on lawful, documented, specific, and verifiable instructions from the controller, including the purpose, data categories, operations, retention periods, recipients, and conditions for return or elimination. In the absence of clear instructions, the Central Bank of Ecuador will request clarification from the controller and will refrain from executing unauthorized operations.

Article 88.- Applicable Laws: The processing of personal data carried out by the Central Bank of Ecuador will be governed by what is established in the Constitution of the Republic of Ecuador, the Organic Monetary and Financial Code, the Organic Law on Personal Data Protection (LOPDP), the General Regulation to the Organic Law on Personal Data Protection, Resolutions of the Personal Data Protection Superintendence, Resolutions issued by the Financial and Monetary Policy and Regulation Board, and other related applicable regulations in the matter.

Article 89.- Definitions: For the purposes of this Policy, the following definitions are adopted:

a) Personal data processing activity: operation or set of operations carried out by the Central Bank of Ecuador on personal data, from their collection to their elimination. It includes actions such as registration, storage, use, analysis, transfer, safeguarding, and elimination of information.

b) Anonymization: is the processing of personal data through which identifying elements are eliminated or modified, irreversibly, so that it is not possible to identify the data subject, directly or indirectly. Once anonymized, the information ceases to be considered personal data.

RESOLUTION No. JPRFM-2026-010-A Page | 7

c) Database or files: organized set of personal data maintained by the Central Bank of Ecuador, in any format or medium (digital, physical, or mixed), regardless of its location or method of access.

d) Confidentiality and statistical secrecy: legal obligation of the Central Bank of Ecuador to protect individual data collected for statistical purposes, preventing their dissemination, use, or access for purposes other than strictly statistical, in accordance with the Statistics Law and without prejudice to the guarantees established in the Organic Law on Personal Data Protection.

e) Consent: express authorization granted by the data subject for the Central Bank of Ecuador to process their data, prior to clear information about the purpose and use to be given to said data.

f) Credit data: information related to the financial or credit solvency of the subject, linked to the fulfillment or non-fulfillment of financial or commercial obligations. These data may come from public access sources, from information provided by creditors, and, in the case of the Central Bank of Ecuador, also from other financial institutions, by virtue of legal obligations. The processing of these data by the Central Bank of Ecuador fulfills functions of public interest established in current regulations, such as the elaboration of macroeconomic statistics, studies and research on the financial system, internal processes inherent to institutional management, as well as internal processes related to anti-money laundering prevention.

g) Special category data: those sensitive personal data whose inadequate use can cause discrimination or affect the rights and freedoms of persons. They include, among others, information on ethnic origin, gender identity, religion, sexual orientation, health status, judicial records, migratory status, as well as biometric or genetic data.

h) Transaction data: data subject to secrecy, related to the technical and banking operations that the institution carries out, as well as other data, documents, or information of high sensitivity, which must be protected due to their relevance in strategic decision-making and their impact on institutional systems.

i) Statistical data: data obtained or processed exclusively for statistical purposes, which are duly aggregated, anonymized, or subjected to measures that prevent the direct or indirect identification of the subjects, in accordance with the Statistics Law.

j) Financial data: information linked to an identified or identifiable natural person, which describes, reflects, or allows inferring their economic or patrimonial situation, their payment capacity, their transactional behavior, or their relationship with financial products and services, including, by way of example: income, expenses, balances, movements, operations, instruments, obligations, payment history,

RESOLUTION No. JPRFM-2026-010-A Page | 8

financial identifiers, and associated metadata. Their processing will be carried out in accordance with the principles of purpose, minimization, confidentiality, and security, and only when necessary for the fulfillment of the competencies and institutional obligations of the Central Bank of Ecuador.

k) Personal data: any information that identifies or can identify a natural person, either directly (name, ID number) or indirectly (combination of several data).

l) Sensitive data: data relating to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial history, migratory status, sexual orientation, health, biometric data, genetic data, and those whose improper processing could give rise to discrimination, infringe, or could infringe upon fundamental rights and freedoms.

m) Elimination of personal data: process by which personal data are deleted or destroyed definitively, so that they cannot be recovered. It is applied when the data have fulfilled their purpose, the retention period has expired, or when so requested by the subject, unless there is a legal obligation to maintain them.

n) Data processor: natural or legal person, public or private, that processes personal data on behalf of the Central Bank of Ecuador or another controller, in accordance with their instructions and by virtue of a contract or other valid legal instrument.

o) Publicly accessible source: database or records to which any person can access freely, publicly, and without restrictions.

p) Data controller: the Central Bank of Ecuador, in its capacity as a public law legal entity, that decides on the purpose and means of the processing of personal data, within the framework of its competencies, functions, and legally conferred attributions.

q) Pseudonymization: processing of personal data through which these cannot be attributed to a subject without using additional information, which must be kept separate and protected through adequate technical and organizational measures.

r) Data subject: natural person to whom the personal data that are the object of processing correspond, in accordance with the Organic Law on Personal Data Protection.

s) Tokenization: technical security measure that replaces sensitive personal data with non-reversible or controlled identifiers (tokens), reducing the risk of exposure.

t) Transfer or communication: any form of delivery, access, assignment, or dissemination of personal data carried out to a person other than the subject, controller, or processor. The Central Bank of Ecuador must ensure that communicated data are accurate, complete, and updated.

RESOLUTION No. JPRFM-2026-010-A Page | 9

u) Processing: any action carried out on personal data, such as their collection, storage, use, modification, transmission, elimination, or destruction.

v) Large-scale processing: that which affects a large amount of data, referring to a high number of subjects, from a wide geographical diversity, and which may entail a risk to their rights and freedoms.

w) Breach of personal data security: incident that affects the confidentiality, integrity, or availability of personal data, such as unauthorized accesses, losses, leaks, or improper destruction of information.

Article 90.- Data controller of personal data: The Central Bank of Ecuador, represented by its General Manager, acts as the data controller of personal data under the terms and conditions established in the applicable current regulations that are collected in the exercise of its functions and legal attributions.

When the Central Bank of Ecuador acts as a data processor, it will do so under the terms and conditions established in the applicable regulations and in the legal instruments that regulate said relationship, ensuring compliance with the obligations corresponding to such capacity.

Article 91.- Data Protection Delegate: The Central Bank of Ecuador will have a Data Protection Delegate, designated by the General Management, who will be in charge of advising the data controller on their legal obligations in matters of data protection, overseeing and supervising the compliance with this Policy, as well as the Organic Law on Personal Data Protection and its regulatory norms.

The Data Protection Delegate acts as a point of contact between the Central Bank of Ecuador, the data subjects, and the Personal Data Protection Authority, for all matters related to the processing of personal data.

The Central Bank of Ecuador guarantees that the Data Protection Delegate executes their functions independently and impartially, for which it undertakes to facilitate the assistance, elements, and technical, administrative, and human resources necessary for the fulfillment of their duties, functions, and responsibilities.

Article 92.- Lawful basis for the processing of personal data: The processing of personal data carried out by the Central Bank of Ecuador will be lawful only when based on at least one of the lawful bases provided for in the Organic Law on Personal Data Protection