The main additions found in the Order are as follows:

Applicability: This is one of the main issues addressed by the Order, because the PDPL limits its scope to (i) databases located in the Republic of Panama containing personal information of citizens and foreigners; or (ii) if the data responsible was domiciled in Panama, meaning that the PDPL had territorial effect only. In this scenario, foreign activities within Panamanian territory did not fall under the scope of the PDPL. 

However, the Order extends the application of the PDPL to foreign companies' ongoing commercial online activities targeting the Panamanian market, giving it an extraterritorial effect.

Although this addition may be illegal, until the Order is challenged in Court, it will be mandatory.

Data processing: Both the PDPL and the Order confirm the following criteria for personal data processing: 

• previous, unequivocal, and informed consent granted by the data owner by any means allowing traceability;
• processing within the framework of a contractual relationship in which the owner is an interested party;
• when necessary for the fulfilment of a legal obligation;
• any treatment authorised by means of a special law, such as e-commerce, telecoms, healthcare, credit history, and banking and securities, among others;
• processing necessary to protect vital interests of the owner or another person;
• if required by a public entity to safeguard the public interest or by a court order; and
• legitimate interest.

Data transfer: Previous, informed, and unequivocal consent is mandatory for the transfer of personal data. However, the new ruling calls for the data responsible to keep a record of transfers of personal data with the following minimum information:

• individualisation of recipient;
• purpose of the transfer;
• details of data to be transferred;
• notification to data subjects (of the purpose and the new responsible of the information); and
• retention period applicable to the new data responsible

Moreover, if treatment or transfer of personal data is carried out through the internet (or any other means of electronic communication), the person responsible for the treatment or the data custodian must comply with the standards, norms, certifications, protocols, measures, techniques, and computer management adequate to preserve the security in its systems or networks.

It means that data transfer is permitted by electronic mechanisms [or any other means] that allow the record of the above listed information.

Storage and custody: As a general mandate, personal data is to be stored in a database contained on any known mechanism allowing the use and transmission of information.  Still, for data that is confidential, sensitive, or restricted, the storage or transfer (cross-border treatment) will be allowed as long as the person complies with the standards of protection, or whenever it demonstrates compliance with the standards and norms equal to, or higher than, those required by Panama.

Consent requirements: The Order establishes legal requirements of transparency towards the data owner when consent is obtained directly form the data owner; but, if consent has not been obtained from the data owner, the data responsible must provide to the data subject the minimum mandatory information (such as name, contact information, purpose, intention of transfer data outside the jurisdiction, retention period, and similar), as well as the data category and the source of information.

It is relevant to point out that PDPL requires consent obtained through the internet to be 'unbundled', and clearly identified and distinguished from the acceptance of other purposes.

Data breach and notification: As per the new rules, any security breach must be immediately informed to the regulator (National Authority of Transparency and Access to Information ('ANTAI') and the data subject, after becoming aware of the event. Also, the person responsible has 72 hours to provide to the data owner the basic information regarding the breach, such as:

• type of incident;
• compromised personal data;
• mitigating actions in place;
• recommendations given to the data subject for the protection of its interests; and
• available mechanisms to obtain further information.

On the other hand, the person responsible shall provide to the ANTAI information on (i) the date of the event; (ii) cause of violation; (iii) facts and effects of the data breach; and (iv) corrective measures in place. The ANTAI will then verify the seriousness of the incident and it may order that the person responsible for the treatment to adopt measures, such as the wide dissemination of the event in the media and/or measures to reverse or mitigate the effects of the incident.

Regarding the processing of personal information of minors (under 18 years old), previous consent from their parents or legal guardians is mandatory. Nonetheless, the Order requires the person responsible to demonstrate undertaking of all reasonable efforts to verify minors' consent from their representatives or legal guardians with the available technology at the moment.

In comparing Panamanian regulations with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), an important difference is the severity of the infringements. The most serious sanction of the GDPR is a fine of up to 4% of the annual total turnover or €20,000,000, while the PDPL contemplates the closure of the database, the suspension and disqualification of the activity of storage and/or processing of personal data temporarily or permanently, without prejudice to the corresponding fine (which is comparatively small, from USD 1,000 to USD 10,000). Overall, Panamanian regulations are similar with regards to principles, rights, and processes with the GDPR, however it has more subdued standards and requirements. As such, if your company is protected and in compliance according to European standards, it would also be secure under the Panamanian regime.

Siaska SSS Lorenzo Managing Partner
[email protected]
Arias Law, Panama City