Panama - Data Protection Overview
1. Governing Texts
The Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) ('the Law') has been enacted and entered into force on 29 March 2021. In addition, rules to the Law were published on 28 May 2021, through Executive Order 285/2021 (only available in Spanish here) ('the Rule'). There are several laws, such as the National Constitution of the Republic of Panama (only available in Spanish here) ('the Constitution'), which regulate personal data protection. The Constitution outlines the right to privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, as well as to request the correction, rectification, or deletion of such information.
On 29 March 2019, Panama enacted the Law, which regulates privacy and data protection matters in Panama.
On 28 May 2021, Panama enacted the Rule, which regulates privacy and data protection Law in Panama.
The Constitution establishes the general principle of personal data protection. It provides for:
- the right to privacy of personal communications and documents, whereby mail and other private documents are inviolable and cannot be scanned or retained, unless a competent authority orders it for specific purposes, following legal formalities (Article 29 of the Constitution); and
- the right to access information contained in databases, whether held by public bodies or by private persons providing public services, as well as to request its correction, update, rectification, deletion, or protection of confidentiality (Articles 42, 43 and 44 of the Constitution).
The National Authority for Government Innovation ('AIG') both will ensure and release guidance for fulfilment of protocols, processes, and procedures related to data protection.
1.3. Case law
Since the Law and its regulation just entered into force in March and May 2021 respectively, there is no case law yet.
2. Scope of Application
According to the Law, all principles, rights, obligations, and procedures related to the protection of personal data, considering its interrelation with private life and other fundamental rights and freedoms of citizens, apply to:
- natural or legal persons;
- public or private law; and
- profitable or non-profit organisations.
However, according to the Rule, this territorial scope has been expanded to include any foreign companies' ongoing commercial online activities targeting Panamanian market, giving then an extra-territorial effect to Panamanian Data Privacy Regulations. Although this Rule might be illegal, until Executive Decree 285/2021 is challenge in Court, it will be mandatory.
The territorial scope has been expanded and now the Law applies to:
- databases located in the territory of the Republic of Panama;
- databases that store or contain personal data from nationals or foreigners;
- any person in charge of data processing who is domiciled in Panama; and,
Any foreign companies' ongoing commercial online activities targeting Panamanian market.
The Law differentiates between various types of data, defines and protects sensitive, personal, and confidential data. Further to the definitions in section on key definitions, the Law defines the following:
- confidential data: such information that due to its nature must not be of public knowledge;
- obsolete data: such information that is out of date;
- data manager: a natural or legal person, public or private, responsible-on behalf of the owner-for the database; and
- data processing: any operation or set of operations or technical proceedings (automatic or not) that allows the collection, storage, recording, organising, elaborate, selection, extraction, opposing, detachment, connection, association, dissociation, communication, assignment, exchange, transfer, transmission, or cancellation of data or uses it in any other way.
The Rule of the Law includes definition of 'profiling' as any form of automated processing that uses personal data to evaluate certain aspects of a person, and in particular to analyse or predict aspects relating to his professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements (preferences).
Rule [ Article 4(7) of Executive Order 285/2021] states that data owners must not be subject to automated decision-making aiming to evaluate personality aspects (profiling), medical condition, credit history, behavior, personality, job performance, reliability, when the processing of said information could lead to negative legal effects or prejudice the rights of the data subjects.
Moreover, according to the Article 14(8) of the Executive Order 285/2021 the data comptroller is compelled to disclose to the data owner the existence of automated decisions, including profiling, and any significant information about the logic applied, as well as the importance and expected consequences of such processing for the data subject. Data subjects could exercise the right to object decisions based solely on automated processing which might cause a harm or significant legal effects.
The most relevant requirements of the Law include the following:
- information can only be collected with the previous consent of the owner and with a defined purpose;
- all collected data is confidential and must be stored in a secure database for up to seven years, under the surveillance of the data keeper;
- the owner of the information has the right to access, modify, change, or remove their information at any time, and this must be clearly stated; and
- public institutions are allowed to request information following a judicial order; in this event, the manager of the data is obliged to provide requested information.
3.1. Main regulator for data protection
Under the Law, the regulator is ANTAI.
In addition, a new consultative and advisory agency was created, named the Council for the Protection of Personal Data ('the Council'), which includes nine members who will advise ANTAI on best general practices.
For matters related to information technology and communication, the AIG has been granted powers to advice and provide guidance to ANTAI.
3.2. Main powers, duties and responsibilities
The ANTAI has the following responsibilities:
- the ANTAI, together with the AIG, will ensure that data managers comply with protocols, processes, and procedures for data management and transfers;
- determine when data is inaccurate;
- request necessary information and make verifications for administrative investigations;
- apply punishments as a result of complaints or denunciations; and
- set the amounts of fines applicable according to the seriousness of the offenses.
The Council has the following responsibilities:
- to advise the ANTAI regarding personal data protection issues, recommend actions and regulations;
- to recommend public policies related to personal data protection;
- to evaluate cases under consultation and provide recommendations; and
- to develop the internal regulations.
The regulator may provide guidance/additional legislation for further issues, such as clarifications when a person in charge of processing or transfer of personal data, is or is not in compliance with the standards, certifications, protocols, technical measures, and computer management appropriate to preserve the security of its systems or networks, whether these are carried out through the internet or any other means of electronic, digital, or physical communication
4. Key Definitions
Data controller: Natural or legal person, public or private, lucrative or not, who has the decisions related to the processing of the data and who determines the purposes, means and thus scope, as matters relating to them.
Data processor: There is no definition of data processor. However, the Law defines a 'database custodian' as the natural or legal person, whether public or private, whether or not for profit, who acts on behalf of the data controller for the treatment and is responsible for the custody and conservation of the database.
Sensitive data: Refers to the intimate sphere of its owner. In general terms, all personal data that may reveal racial or ethnic origin, religious, philosophical, and moral beliefs, union affiliation, political opinions, data related to health, life, sexual preference or orientation, genetic data or biometric data, among others, are considered personal data, subject to regulation and aimed at univocally identifying a natural person.
Biometric data: Personal data obtained from a specific technical treatment, relating to the physical, physiological, or behavioural characteristics of a natural person that allow or confirm the unique identification of that person.
Genetic data: Personal data relating to the genetic characteristics inherited or acquired from a natural person providing unique information on the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.
Profiling: Any form of automated processing that uses personal data to evaluate certain aspects of a natural person, and in particular to analyse or predict aspects relating to his professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
Recipient: The natural or legal person, public authority, service or body to which personal data are transferred.
Exporter: Natural or legal person of a public or private nature, domiciled in Panama, who makes cross border transfers of personal data.
Personal data protection officer: Official designated to attend the liaison unit.
Violation of the security of personal data: Any breach of security that results in the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or the unauthorised communication or access to such data.
ARCO Rights: Basic inalienable rights of the owner of personal data, and identified as: rights of access, rectification, cancellation, and opposition.
5. Legal Bases
Consent is the main requirement to collect and process personal data in the Republic of Panama (Article 42 of the Constitution and Article 4 of the Law).
Furthermore, parents or tutors are responsible for granting consent on behalf of their dependents when collecting and processing personal data of individuals under the legal age in the Republic of Panama.
It is permitted to use personal data without consent when its usage is necessary for the execution of a contract or obligation provided the owner of the information is a contractual party or is involved in the transaction (Article 6(2) of the Law).
The data controller can use the personal data when its usage is necessary for the execution of /or the fulfilment of an obligation imposed on the data controller itself (Article 6(3) of the Law).
Please see section on legal obligations above.
5.5. Public interest
There is no need to obtain previous consent when the information is intended for historical purposes, statistics, or scientific reasons (Article 8(8) of the Law).
There is no need to obtain consent when information is stored in public databases (Article 8 of the Law).
There are some instances where the Law may not apply, such as (Article 3 of the Law):
- any data collection for personal or domestic usage only;
- when any authority collects the data for prevention, inquiry, finding, or prosecution for criminal violations or punishment;
- for financial analysis regarding national security or as per international treaties;
- when collection is related to international organisations for the fulfilment of international treaties; and
- when usage is done with anonymised data that could in no way be traced to the owner of the information.
The principles under which the law is inspired and govern the protection of personal data for the interpretation and application of the security standards are:
- principle of loyalty;
- principle of purpose;
- principle of proportionality;
- principle of truthfulness;
- principle of data security;
- principle of transparency;
- principle of confidentiality;
- principle of lawfulness; and
- principle of portability.
7. Controller and Processor Obligations
For information regarding data processing notification requirements in Panama please see our Panama - Data Processing Notification Guidance Note.
The data controller and the custodian of the database will implement the necessary mechanisms to prove compliance with the principles and obligations related to data transfers. They must be accountable to the data subject and to the supervisory authority for the processing and transfer of personal data held by them.
To do this, they must prepare a technical sheet that will contain the protocols, processes, and procedures for the management and safe transfer of the data, which will be supervised and supervised by the control authority.
Controllers and custodians of the database may, inter alia, take the following measures:
- develop protocols and processes for the protection of personal;
- periodically review the procedures for the management and secure transfer of personal data to determine the modifications that are required. To this end, they may establish a system of internal and/or external supervision and surveillance, including audits, to verify compliance with personal data protection policies;
- comply with national or international norms or standards on the protection of personal data;
- adopt binding self-regulation mechanisms in the field of personal data protection;
- prepare and keep updated the register of databases;
- evaluate the impact of the data processing to be carried out, before its execution in order to ensure proportionality and minimisation of data in the treatment;
- establish protocols for the attention and response to the exercise of the rights by the data subjects;
- implement a training and updating program for staff on personal data protection obligations; and
- appoint a data protection officer, who will be involved in an appropriate and timely manner in all matters relating to the protection of personal data.
Any request for data transfers will be documented. To do this, the person responsible for the treatment that transfers and the one that receives, must record the request and the receipt of the transferred data, in accordance with the obligations that correspond to each one.
In the case of requests for the transfer of personal data by Judicial Authorities, it will be necessary for the request to comply with the principle of proportionality and to be limited to the minimum personal data that is necessary for compliance with the official request.
Data Protection Impact Assessment is the documentation of the controller containing the description of the processes with personal data that may generate risks for individual and social rights and duties, as well as measures, safeguards, and risk mitigation mechanisms.
Controllers and custodians of the database may evaluate the impact of the data processing to be carried out, before its execution, in order to ensure proportionality and minimisation of data in the treatment.
It is not mandatory to appoint a data protection officer, however, appointment of a data protection officer will be taken it into account as a criterion for the graduation of sanctions by the supervisory authority.
A database manager must inform any affected owners of any data breach, as well as of the security measures that will be adopted. The regulator must be notified accordingly.
The person in charge of the data processing must establish protocols, processes, and procedures for the secure management and transfer of the data, protecting the rights of the owners as granted by the Law.
The minimum requirements that the data controller must comply with must be contained in the privacy policies, protocols, and procedures for secure processing and the transfer of the data. Any additional requirements may be issued by the regulator.
In case of any breach or violation of the security of any public communications network, the operator of that network must inform owners of the data about the event and security measures to be adopted.
When the controller becomes aware of a breach of security [understood as any damage, loss, alteration, destruction, access, and in general, any unlawful or unauthorised use of personal data even if it occurs accidentally, at any stage of the processing and which represents a risk to the protection of personal data] it must immediately notify the supervisory authority and the operators concerned of the incident. The custodian of the database must inform the controller immediately when he becomes aware of a security breach.
The notification made by the controller to the affected holders must be in clear and simple language.
The notification must be made within 72 hours of the knowledge of the incident and must contain at least the following information:
- the nature of the incident;
- the personal data compromised;
- corrective actions taken immediately;
- recommendations to the holder on the measures that he may take to protect his interests; and
- the means available to the holder to obtain more information in this regard
The custodian or controller of personal data may not transfer any data that relates to an identifiable person after seven years from the statute of limitation to keep the information.
In the case of data processing of minors and incompetents, the treatment must be carried out with the prior authorisation of the parents, guardian, or whoever exercises the custody or guardianship of the minor or incapable.
In such cases, the controller must demonstrate that he or she made all reasonable efforts to verify this authorisation, taking into account the state of the technology available at any given time.
The personal data of minors and incompetents can be collected without consent when the treatment is necessary to contact the parents, guardian, or whoever exercises the custody or guardianship of the minor or incapable and solely for this purpose.
The Law and its ruling recognise special categories of personal data as follows:
- personal data: Any information concerning natural persons, which identifies them or makes them identifiable.
- sensitive data: Refers to the intimate sphere of its owner. In general terms, all personal data that may reveal racial or ethnic origin, religious, philosophical and moral beliefs, union affiliation, political opinions, data related to health, life, sexual preference or orientation, genetic data or biometric data, among others, are considered personal data, subject to regulation and aimed at univocally identifying a natural person.
- genetic data: Personal data relating to the genetic characteristics inherited or acquired from a natural person providing unique information on the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.
- health data: Personal data relating to the physical or mental condition of a natural person, revealing information about his or her state of health.
- biometric data: Personal data obtained from a specific technical treatment, relating to the physical, physiological or behavioural characteristics of a natural person that allow or confirm the unique identification of that person.
Criminal conviction data may only be used by any public office before the extinction of the criminal action or before the fulfilment of the punishment.
The data controller will choose only a custodian of the database that offers sufficient guarantees to apply appropriate technical and organisational measures.
Sufficient guarantees must include, inter alia:
- a binding self-regulation mechanism;
- to appoint a data protection officer;
- have a certification in terms of the security of personal data; or
- have undergone a compliance audit by the controller.
The controller and the custodian of the database must record in writing or by any means admissible as evidence, including by electronic means, the content of the mandate involving data processing on behalf of the controller.
The following conditions must be included in the contract:
- the processing of personal data in accordance with the duly documented instructions of the controller;
- implement security measures in accordance with the applicable legal instruments;
- the obligation to inform the controller when a breach of the security of the personal data occurs;
- confidentiality with respect to the personal data processed;
- the prohibition of transferring personal data, unless the controller requests it, or the transfer derives from a subcontracting authorised by the controller;
- the information that the custodian must make available to the person in charge so that he can prove the fulfillment of his obligations;
- collaboration with the data controller in all matters relating to ensuring compliance, in particular about the attention and response to the exercise of rights; and
- the deletion, return, or communication, to the controller or to a new custodian designated by the controller, the personal data subject to processing, once the legal relationship with the controller has ended, unless law requires the retention of the personal data. In this case, the data will be returned to the controller who will guarantee its conservation.
Where a custodian of the database uses another custodian to carry out certain processing activities on behalf of the controller, the same personal data protection obligations as those stipulated between the controller and the original custodian must be imposed on that other custodian. If that other custodian breaches its personal data protection obligations, the initial custodian of the initial database will remain fully liable to the controller for compliance with the obligations.
When the database is fed by two or more controllers who jointly determine the objectives and means of the treatment, they will be considered jointly responsible for the treatment. The joint and severally responsible parties must determine in a transparent manner and by mutual agreement their responsibilities to comply with the obligations imposed by the Law.
The agreement as indicated must duly establish the respective functions and relationships of the joint and several controllers in relation to the holders of the data. The essential aspects of the agreement will be made available to the data subjects who may exercise its rights against each of the controllers.
8. Data Subject Rights
The data owner may request any information on stored data at any time and it should be provided-for free-within a period of ten days. (Article 16 of the Law).
The controller may choose the way in which he will provide the information and notify the data subject, provided that it allows him to demonstrate that he has complied with the obligation to inform.
The information provided to the holder will have to be sufficient and easily accessible, as well as be written and structured in clear, simple, and easily understood language for the holders to whom it is addressed, especially if they are minors. Audiovisual resources may be used, where appropriate, in order to notify and provide the necessary information.
Where the information is to be provided via the Internet or through small-screen devices, and whenever the controller so considers, the duty to provide information may be fulfilled by means of an information system divided into layers.
The owner of the information has the right to access all his personal data stored or subject to treatment in public or private databases. In addition, it encompasses the right of knowing the origin and purpose of the data collection.
It allows for the owner of the information to request correction of his/her personal data that he/she considers is incorrect, irrelevant, outdated, inaccurate, false, or non-appropriate.
Through well-founded and legitimate reasons, the owner of the personal data may refuse to provide his/her data or to be subject to certain treatment, as well as to revoke any previous consent.
Through well-founded and legitimate reasons, the owner of the personal data may refuse to provide his/her data or to be subject to certain treatment, as well as to revoke any previous consent.
The right to obtain a copy of personal data in a generic structured way with a commonly used format, that may allow for the management and/or transmission to another custodian, when:
- the owner has delivered his/her data directly to the person in charge;
- there is a relevant volume of data processed automatically; and
- the holder has given his/her consent for the treatment or for the execution or fulfilment of a contract.
Article 19 of the Law states that the data subject has the right not to be subject to a decision based solely on the automated processing of their personal data that may produce a negative legal effect, when the information assessed relates to, among other things, their personality, health status, job performance, credit status, personal behaviour, among others. However, the Law mentions that automated decisions may occur when:
- the data subject has given consent;
- it is strictly necessary to perform a contract or legal relationship between the data controller and the data subject; or
- special laws or rules authorise the data processing.
The ANTAI has the power to sanction a person who infringes any rights of the personal data owner. Consequently, ANTAI may set the amounts of the fines applicable according to the seriousness of the offenses.
Not submitting or providing required information to the ANTAI within the established timeframe.
- collection and use of personal data without previous consent;
- obtain consent through mislead, misrepresentation or illegal means;
- use personal data for a different purpose than the authorised;
- request unnecessary data for the aimed objective;
- exhibit incorrect or outdated data;
- breach confidentiality;
- deny a copy of stored personal data to its owner;
- restrict or hinder the rights of access, correction, cancelation, and objection;
- breach the duty of informing the owner when their data has been obtained through third parties;
- store data without the appropriate security measures;
- non-compliance with the requests and remarks formally served by ANTAI; and
- failing to cooperate with the ANTAI during an inspection.
- malicious data collection;
- non-compliance with technical and organisational measures to ensure protection of the database;
- contravene ANTAI’s order to suspend data processing;
- store or transfer personal data breaching the law; and
The ANTAI is allowed to sanction a natural or legal person responsible for the processing of personal data, and the custodian of the database, as follows:
Sanctions due to minor infringements:
ANTAI is entitled to summon the data responsible and directly request to resolve the issues.
Sanctions due to severe infringements:
Sanctions range $1,000 to $10,000 fines due to non-compliance with legal requirements, according to the severity of the infringement.
For such calibration, the Law establishes the following criteria to impose sanctions:
- nature and damages value;
- duration of infringement;
- invoicing amount affected by the infringement;
- connection between offender’s activity and processing of personal data;
- if the behaviour of the affected party might have led to the infringement;
- if it affects minor’s rights;
- if there is a Personal Data Officer;
- if there are any Security Procedures in place;
- if corrective measures were immediately applied; and
- proportionality between infringement severity and sanction.
Sanctions due to major infringements:
ANTAI is entitled to order the provisional or permanent cease of storing and processing of personal data in the Republic of Panama (closure of the database).
There is not any notable enforcement decision yet.