Panama - Data Protection Overview

August 2023

1. Governing Texts

The Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) ('the Law') has been enacted and entered into force on March 29, 2021. In addition, rules to the Law were published on May 28, 2021, through Executive Order 285/2021 (only available in Spanish here) ('Executive Order 285/2021'). There are several laws, such as the National Constitution of the Republic of Panama (only available in Spanish here) ('the Constitution'), which regulate personal data protection. The Constitution outlines the right to privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, as well as to request the correction, rectification, or deletion of such information.

1.1. Key acts, regulations, directives, bills

On March 29, 2019, Panama enacted a law that regulates privacy and data protection matters in Panama. On May 28, 2021, Panama enacted Executive Order 285/2021, which regulates privacy and data protection law in Panama.

The Constitution establishes the general principle of personal data protection. It provides for:

  • the right to privacy of personal communications and documents, whereby mail and other private documents are inviolable and cannot be scanned or retained, unless a competent authority orders it for specific purposes, following legal formalities (Article 29 of the Constitution); and
  • the right to access information contained in databases, whether held by public bodies or by private persons providing public services, as well as to request its correction, update, rectification, deletion, or protection of confidentiality (Articles 42, 43, and 44 of the Constitution).

1.2. Guidelines

The National Authority for Transparency and Access to Information ('ANTAI') and the National Authority for Government Innovation ('AIG') will both ensure compliance with, and release guidance on, the protocols, processes, and procedures related to data protection.

1.3. Case law

Since the Law and its regulation just entered into force in March and May 2021 respectively, there is no case law yet. However, please see the section on enforcement decisions for decisions from the ANTAI.

2. Scope of Application

2.1. Personal scope

According to the Law, all principles, rights, obligations, and procedures related to the protection of personal data, considering its interrelation with private life and other fundamental rights and freedoms of citizens, apply to:

  • natural or legal persons;
  • entities governed by public or private law; and
  • for-profit or non-profit organizations.

However, according to Executive Order 285/2021, this territorial scope has been expanded to include any foreign companies' ongoing commercial online activities targeting the Panamanian market, giving them an extra-territorial effect on Panamanian Data Privacy Regulations. Although this Rule might be illegal, until Executive Order 285/2021 is challenged in Court, it will be mandatory.

2.2. Territorial scope

The territorial scope has been expanded and now the Law applies to:

  • databases located in the territory of the Republic of Panama;
  • databases that store or contain personal data from nationals or foreigners;
  • any person in charge of data processing who is domiciled in Panama; and,
  • any foreign companies' ongoing commercial online activities targeting the Panamanian market.

2.3. Material scope

The Law differentiates between various types of data and defines and protects sensitive, personal, and confidential data. Further to the definitions in the section on key definitions, the Law defines the following:

  • confidential data: such information that due to its nature must not be of public knowledge;
  • obsolete data: such information that is out of date;
  • data manager: a natural or legal person, public or private, responsible on behalf of the owner for the database; and
  • data processing: any operation or set of operations or technical proceedings (automated or not) that allows the collection, storage, recording, organization, elaboration, selection, extraction, opposition, detachment, connection, association, dissociation, communication, assignment, exchange, transfer, transmission, or cancellation of data, or that uses data in any other way.

The rules to the Law (Executive Order 285/2021) include the definition of 'profiling' as any form of automated processing that uses personal data to evaluate certain aspects of a person, and in particular to analyze or predict aspects relating to their professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Article 4(7) of Executive Order 285/2021 states that data owners must not be subject to automated decision-making aiming to evaluate personality aspects (profiling), medical condition, credit history, behavior, personality, job performance, and reliability when the processing of said information could lead to negative legal effects or prejudice the rights of the data subjects.

Moreover, according to Article 14(8) of Executive Order 285/2021, the data controller is compelled to disclose to the data owner the existence of automated decisions, including profiling, and any significant information about the logic applied, as well as the importance and expected consequences of such processing for the data subject. Data subjects may exercise the right to object to decisions based solely on automated processing which might cause harm or significant legal effects.

The most relevant requirements of the Law include the following:

  • information can only be collected with the previous consent of the owner and with a defined purpose;
  • all collected data is confidential and must be stored in a secure database for up to seven years, under the surveillance of the data keeper;
  • the owner of the information has the right to access, modify, change, or remove their information at any time, and this must be clearly stated; and
  • public institutions are allowed to request information following a judicial order; in this event, the manager of the data is obliged to provide requested information.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Under the Law, the regulator is ANTAI.

In addition, a new consultative and advisory agency was created, named the Council for the Protection of Personal Data ('the Council'), which includes nine members who will advise ANTAI on best general practices. For matters related to information technology and communication, the AIG has been granted powers to advise and provide guidance to ANTAI.

3.2. Main powers, duties and responsibilities

The ANTAI has the following responsibilities:

  • ensure, together with the AIG, that data managers comply with protocols, processes, and procedures for data management and transfers;
  • determine when data is inaccurate;
  • request necessary information and make verifications for administrative investigations;
  • apply punishments as a result of complaints or denunciations; and
  • set the amounts of fines applicable according to the seriousness of the offenses.

The Council has the following responsibilities:

  • to advise the ANTAI regarding personal data protection issues, recommend actions and regulations;
  • to recommend public policies related to personal data protection;
  • to evaluate cases under consultation and provide recommendations; and
  • to develop the internal regulations.

The regulator may provide guidance or additional legislation on further issues, such as clarifying whether a person in charge of the processing or transfer of personal data is or is not in compliance with the standards, certifications, protocols, technical measures, and computer management appropriate to preserve the security of its systems or networks, whether these operate over the internet or any other means of electronic, digital, or physical communication.

4. Key Definitions

Data controller: Natural or legal person, public or private, for-profit or not, who makes the decisions related to the processing of the data and who determines its purposes and means, and therefore its scope, as well as matters relating to them.

Data processor: There is no definition of a data processor. However, the Law defines a 'database custodian' as the natural or legal person, whether public or private, whether or not for profit, who acts on behalf of the data controller for the treatment and is responsible for the custody and conservation of the database.

Personal data: Any information concerning natural persons, which identifies them or makes them identifiable.

Sensitive data: Refers to the intimate sphere of its owner. In general terms, all personal data that may reveal racial or ethnic origin, religious, philosophical, and moral beliefs, union affiliation, political opinions, data related to health, life, sexual preference or orientation, genetic or biometric data, among others, are considered personal data, subject to regulation and aimed at univocally identifying a natural person.

Health data: Personal data relating to the physical or mental condition of a natural person, revealing information about their state of health.

Biometric data: Personal data obtained from a specific technical treatment, relating to the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person.

Pseudonymization: The Law instead uses the term 'dissociated data', meaning data that cannot be associated with its owner. Furthermore, anonymized information means information that cannot be linked to any person.

Genetic data: Personal data relating to the genetic characteristics inherited or acquired from a natural person providing unique information on the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.

Profiling: Any form of automated processing that uses personal data to evaluate certain aspects of a natural person, and in particular to analyze or predict aspects relating to their professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Recipient: The natural or legal person, public authority, service, or body to which personal data are transferred.

Exporter: Natural or legal person of a public or private nature, domiciled in Panama, who makes cross-border transfers of personal data.

Personal data protection officer: Official designated to attend the liaison unit.

Violation of the security of personal data: Any breach of security that results in the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or unauthorized communication or access to such data.

ARCOP Rights: Basic inalienable rights of the owner of personal data, and identified as rights of access, rectification, cancellation, opposition, and portability.

5. Legal Bases

5.1. Consent

Consent is the main requirement to collect and process personal data in the Republic of Panama (Article 42 of the Constitution and Article 4 of the Law). Furthermore, parents or guardians are responsible for granting consent on behalf of their dependents when the personal data of individuals under the legal age in the Republic of Panama is collected and processed.

5.2. Contract with the data subject

It is permitted to use personal data without consent when its usage is necessary for the execution of a contract or obligation provided the owner of the information is a contractual party or is involved in the transaction (Article 6(2) of the Law).

5.3. Legal obligations

The data controller can use personal data when its usage is necessary for the execution or fulfillment of an obligation imposed on the data controller itself (Article 6(3) of the Law).

5.4. Interests of the data subject

Please see the section on legal obligations above.

5.5. Public interest

There is no need to obtain previous consent when the information is intended for historical purposes, statistics, or scientific reasons (Article 8(8) of the Law). There is no need to obtain consent when information is stored in public databases (Article 8 of the Law).

5.6. Legitimate interests of the data controller

Not applicable. 

5.7. Legal bases in other instances

There are some instances where the Law may not apply, such as (Article 3 of the Law):

  • any data collection for personal or domestic usage only;
  • when any authority collects the data for prevention, inquiry, finding, or prosecution for criminal violations or punishment;
  • for financial analysis regarding national security or as per international treaties;
  • when the collection is related to international organizations for the fulfillment of international treaties; and
  • when usage is done with anonymized data that could in no way be traced to the owner of the information.

6. Principles

The principles that inspire the Law and govern the protection of personal data, for the purposes of interpreting and applying its security standards, are:

  • principle of loyalty;
  • principle of purpose;
  • principle of proportionality;
  • principle of truthfulness;
  • principle of data security;
  • principle of transparency;
  • principle of confidentiality;
  • principle of lawfulness; and
  • principle of portability.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable. 

7.2. Data transfers

The data controller and the custodian of the database will implement the necessary mechanisms to prove compliance with the principles and obligations related to data transfers. They must be accountable to the data subject and to the supervisory authority for the processing and transfer of personal data held by them.

To do this, they must prepare a technical sheet that will contain the protocols, processes, and procedures for the management and safe transfer of the data, which will be supervised by the control authority.

Controllers and custodians of the database may, inter alia, take the following measures:

  • develop protocols and processes for the protection of personal data;
  • periodically review the procedures for the management and secure transfer of personal data to determine the modifications that are required. To this end, they may establish a system of internal and/or external supervision and surveillance, including audits, to verify compliance with personal data protection policies;
  • comply with national or international norms or standards on the protection of personal data;
  • adopt binding self-regulation mechanisms in the field of personal data protection;
  • prepare and keep updated the register of databases;
  • evaluate the impact of the data processing to be carried out, before its execution in order to ensure proportionality and minimization of data in the treatment;
  • establish protocols for the attention and response to the exercise of the rights by the data subjects;
  • implement a training and updating program for staff on personal data protection obligations; and
  • appoint a data protection officer ('DPO'), who will be involved in an appropriate and timely manner in all matters relating to the protection of personal data.

7.3. Data processing records

Any request for data transfers will be documented. To do this, the person responsible for the treatment that transfers and the one that receives must record the request and the receipt of the transferred data, in accordance with the obligations that correspond to each one. In the case of requests for the transfer of personal data by judicial authorities, it will be necessary for the request to comply with the principle of proportionality and to be limited to the minimum personal data that is necessary for compliance with the official request.

7.4. Data protection impact assessment

Data Protection Impact Assessment is the documentation of the controller containing the description of the processes with personal data that may generate risks for individual and social rights and duties, as well as measures, safeguards, and risk mitigation mechanisms. Controllers and custodians of the database may evaluate the impact of the data processing to be carried out, before its execution, in order to ensure proportionality and minimization of data in the treatment.

7.5. Data protection officer appointment

It is not mandatory to appoint a DPO; however, the appointment of a DPO will be taken into account as a criterion for the graduation of sanctions by the supervisory authority and is recommended for private entities. The DPO may be an employee of the company or a professional who provides specific services (Article 42 of Executive Order 285/2021). Executive Order 285/2021 states that the DPO will participate in an appropriate manner and at the appropriate time in all matters related to the protection of personal data (Article 33(9) of Executive Order 285/2021). Please note that the nomination of the DPO will only be considered valid when it is expressly and formally notified to ANTAI, and the same must occur when the position of DPO is revoked (Article 43 of Executive Order 285/2021).

Role

DPOs must exercise their functions with independence and certify this independence, as well as verify that there are no conflicts of interest within their role (Article 44 of Executive Order 285/2021). The roles of the DPO include (Article 44 of Executive Order 285/2021):

  • participating in a timely manner in matters relating to the protection of personal data;
  • advising and informing the data controller of all issues related to compliance with the Law, Executive Order 285/2021, or any other relevant regulations;
  • supervising compliance with laws related to data protection;
  • promoting the training of employees who have tasks related to data processing;
  • cooperating with control authorities;
  • being the main person in the relationship with the supervisory authority;
  • advising the data controller, with respect to communication and intervention of the regulatory authority; and
  • being the main person of contact for data subjects in matters relating to data processing and their rights.

In regard to professional qualifications, the DPO is required to have previous experience in data protection matters and knowledge of the specific sector of the private company in which they work (Article 43 of Executive Order 285/2021).

7.6. Data breach notification

A database manager must inform any affected owners of any data breach, as well as of the security measures that will be adopted. The regulator must be notified accordingly.

The person in charge of the data processing must establish protocols, processes, and procedures for the secure management and transfer of the data, protecting the rights of the owners as granted by the Law. The minimum requirements that the data controller must comply with must be contained in the privacy policies, protocols, and procedures for secure processing and the transfer of the data. Any additional requirements may be issued by the regulator.

In case of any breach or violation of the security of any public communications network, the operator of that network must inform the owners of the data about the event and the security measures to be adopted. When the controller becomes aware of a security breach (understood as any damage, loss, alteration, destruction, access, and in general any unlawful or unauthorized use of personal data, even if it occurs accidentally, at any stage of the processing, and which represents a risk to the protection of personal data), it must immediately notify the supervisory authority and the operators concerned of the incident. The custodian of the database must inform the controller immediately when it becomes aware of a security breach.

The notification made by the controller to the affected holders must be in clear and simple language. The notification must be made within 72 hours of the knowledge of the incident and must contain at least the following information:

  • the nature of the incident;
  • the personal data compromised;
  • the corrective actions taken immediately;
  • recommendations to the holder on the measures that they may take to protect their interests; and
  • the means available to the holder to obtain more information in this regard.

7.7. Data retention

The custodian or controller of personal data may not transfer any data that relates to an identifiable person after seven years from the statute of limitation to keep the information.

7.8. Children's data

In the case of data processing of minors and incompetents, the treatment must be carried out with the prior authorization of the parents, guardian, or whoever exercises the custody or guardianship of the minor or incapable. In such cases, the controller must demonstrate that they made all reasonable efforts to verify this authorization, taking into account the state of the technology available at any given time.

The personal data of minors and incompetents can be collected without consent when the treatment is necessary to contact the parents, guardian, or whoever exercises the custody or guardianship of the minor or incapable and solely for this purpose.

7.9. Special categories of personal data

The Law and its ruling recognize special categories of personal data as follows:

  • personal data: Any information concerning natural persons, which identifies them or makes them identifiable.
  • sensitive data: Refers to the intimate sphere of its owner. In general terms, all personal data that may reveal racial or ethnic origin, religious, philosophical, and moral beliefs, union affiliation, political opinions, data related to health, life, sexual preference or orientation, genetic data or biometric data, among others, are considered personal data, subject to regulation and aimed at univocally identifying a natural person.
  • genetic data: Personal data relating to the genetic characteristics inherited or acquired from a natural person providing unique information on the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.
  • health data: Personal data relating to the physical or mental condition of a natural person, revealing information about their state of health.
  • biometric data: Personal data obtained from a specific technical treatment, relating to the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person.

Criminal conviction data may only be used by any public office before the extinction of the criminal action or before the fulfillment of the punishment.

7.10. Controller and processor contracts

The data controller will choose only a custodian of the database that offers sufficient guarantees to apply appropriate technical and organizational measures.

Sufficient guarantees must include, inter alia:

  • a binding self-regulation mechanism;
  • the appointment of a DPO;
  • a certification in terms of the security of personal data; or
  • a compliance audit carried out by the controller.

The controller and the custodian of the database must record in writing or by any means admissible as evidence, including by electronic means, the content of the mandate involving data processing on behalf of the controller.

The following conditions must be included in the contract:

  • the processing of personal data in accordance with the duly documented instructions of the controller;
  • the implementation of security measures in accordance with the applicable legal instruments;
  • the obligation to inform the controller when a breach of the security of the personal data occurs;
  • confidentiality with respect to the personal data processed;
  • the prohibition on transferring personal data, unless the controller requests it or the transfer derives from a subcontracting authorized by the controller;
  • the information that the custodian must make available to the controller so that the controller can prove the fulfillment of its obligations;
  • collaboration with the data controller in all matters relating to ensuring compliance, in particular the attention and response to the exercise of rights; and
  • the deletion, return, or communication to the controller, or to a new custodian designated by the controller, of the personal data subject to processing once the legal relationship with the controller has ended, unless the law requires the retention of the personal data. In this case, the data will be returned to the controller, who will guarantee its conservation.

Where a custodian of the database uses another custodian to carry out certain processing activities on behalf of the controller, the same personal data protection obligations as those stipulated between the controller and the original custodian must be imposed on that other custodian. If that other custodian breaches its personal data protection obligations, the initial custodian of the initial database will remain fully liable to the controller for compliance with the obligations.

When the database is fed by two or more controllers who jointly determine the objectives and means of the treatment, they will be considered jointly responsible for the treatment. The joint and severally responsible parties must determine in a transparent manner and by mutual agreement their responsibilities to comply with the obligations imposed by the Law.

The agreement as indicated must duly establish the respective functions and relationships of the joint and several controllers in relation to the holders of the data. The essential aspects of the agreement will be made available to the data subjects, who may exercise their rights against each of the controllers.

8. Data Subject Rights

8.1. Right to be informed

The controller may choose the way in which they will provide the information and notify the data subject, provided that it allows them to demonstrate that they have complied with the obligation to inform. The information provided to the holder will have to be sufficient and easily accessible, as well as be written and structured in clear, simple, and easily understood language for the holders to whom it is addressed, especially if they are minors. Audio-visual resources may be used, where appropriate, in order to notify and provide the necessary information.

Where the information is to be provided via the Internet or through small-screen devices, and whenever the controller so considers, the duty to provide information may be fulfilled by means of an information system divided into layers. In this way, the privacy policy and/or the conditions of accessible services can be divided into layers. In the first layer, the affected party will be provided with basic information regarding the identity of the person responsible for the treatment, the purpose of the treatment, and the possibility of exercising the ARCOP rights.

8.2. Right to access

The owner of the information has the right to access all their personal data stored or subject to treatment in public or private databases. In addition, this encompasses the right to know the origin and purpose of the data collection. In particular, the data owner may request any information on stored data at any time, and it must be provided free of charge within a period of 10 days (Article 16 of the Law).

8.3. Right to rectification

This right allows the owner of the information to request the correction of their personal data that they consider incorrect, irrelevant, outdated, inaccurate, false, or inappropriate.

8.4. Right to erasure

Through well-founded and legitimate reasons, the owner of the personal data may refuse to provide their data or to be subject to certain treatment, as well as to revoke any previous consent.

8.5. Right to object/opt-out

Through well-founded and legitimate reasons, the owner of the personal data may refuse to provide their data or to be subject to certain treatment, as well as to revoke any previous consent.

8.6. Right to data portability

The right to obtain a copy of personal data in a generic structured way with a commonly used format, that may allow for the management and/or transmission to another custodian, when:

  • the owner has delivered their data directly to the person in charge;
  • there is a relevant volume of data processed automatically; and
  • the holder has given their consent for the treatment or for the execution or fulfillment of a contract.

8.7. Right not to be subject to automated decision-making

Article 19 of the Law states that the data subject has the right not to be subject to a decision based solely on the automated processing of their personal data that may produce a negative legal effect, when the information assessed relates to, among other things, their personality, health status, job performance, credit status, personal behavior, among others. However, the Law mentions that automated decisions may occur when:

  • the data subject has given consent;
  • it is strictly necessary to perform a contract or legal relationship between the data controller and the data subject; or
  • special laws or rules authorize the data processing.

8.8. Other rights

Not applicable.

9. Penalties

The ANTAI has the power to sanction a person who infringes any rights of the personal data owner. Consequently, ANTAI may set the amounts of the fines applicable according to the seriousness of the offenses.

Minor infringements:

Not submitting or providing required information to the ANTAI within the established timeframe.

Severe infringements:

  • collecting and using personal data without prior consent;
  • obtaining consent through misleading, misrepresentation, or illegal means;
  • using personal data for a purpose other than the authorized one;
  • requesting data that is unnecessary for the intended objective;
  • exhibiting incorrect or outdated data;
  • breaching confidentiality;
  • denying the owner a copy of their stored personal data;
  • restricting or hindering the rights of access, correction, cancellation, and objection;
  • breaching the duty to inform the owner when their data has been obtained through third parties;
  • storing data without appropriate security measures;
  • failing to comply with the requests and remarks formally served by ANTAI; and
  • failing to cooperate with the ANTAI during an inspection.

Major infringements:

  • malicious data collection;
  • non-compliance with the technical and organizational measures required to ensure the protection of the database;
  • contravening an ANTAI order to suspend data processing;
  • storing or transferring personal data in breach of the Law; and
  • recurrence.

The ANTAI is allowed to sanction a natural or legal person responsible for the processing of personal data, and the custodian of the database, as follows:

Sanctions due to minor infringements:

ANTAI is entitled to summon the data controller and directly request that the issues be resolved.

Sanctions due to severe infringements:

Sanctions range from $1,000 to $10,000 fines due to non-compliance with legal requirements, according to the severity of the infringement.

For such calibration, the Law establishes the following criteria to impose sanctions:

  • recurrence;
  • intentionality;
  • the nature and value of the damages;
  • duration of the infringement;
  • invoicing amount affected by the infringement;
  • the connection between offender's activity and processing of personal data;
  • if the behavior of the affected party might have led to the infringement;
  • if it affects minors' rights;
  • if there is a personal data officer;
  • if there are any security procedures in place;
  • if corrective measures were immediately applied; and
  • proportionality between infringement severity and sanction.

Sanctions due to major infringements:

ANTAI is entitled to order the provisional or permanent cease of storing and processing of personal data in the Republic of Panama (closure of the database).

9.1. Enforcement decisions

Since the entry into force of the Law, the ANTAI has processed more than 100 complaints for violation of personal data and, in turn, has applied several sanctions in this period.

Among these, the most relevant are:

  • ANTAI imposed a penalty on a building in the amount of $4,000 for a serious infraction, since the condominium's security staff did not have the consent of the owner (complainant) to capture images of their personal identification document.
  • Complaint filed against a company that offers services via telephone to potential customers, where personal data of citizens were processed without their prior consent, and without informing them of the way in which the data was obtained. The holders (complainants) had not provided their telephone numbers to the company. ANTAI sanctioned the company in the amount of $3,000 after proving serious infractions for the improper handling of personal data, without the consent of its owner.
  • Public complaint for violation of the security of personal data by a worker of a concessionaire company in charge of providing driving licenses. ANTAI requested the worker to be dismissed on serious violations of the Law and the confidentiality agreements.
  • ANTAI determined that a national newspaper incurred a serious infraction of the Law for inappropriate treatment of the personal data of the complainant, since it did not have his prior consent to publish his photo image. The data owner is a congressman whose information is allegedly within the public domain. This decision has been challenged.