What national laws regulate the processing of personal data in your jurisdiction?
Until March 29, 2019, when Law 81 of March 26, 2019 (“Law 81”), which regulates data protection, was enacted, there was in general terms no specific law in Panama regulating the matter. However, there was existing regulation touching on it. The regulation in Panama includes: (i) our Constitution, mainly in articles 42 to 44, which establishes rights for data protection; and (ii) sector-specific regulation, which was focused more on the control, administration, and management of personal, financial, and/or confidential information of clients and customers. The regulation in place that relates to data protection is contained within the laws applicable to certain businesses.
For example: (a) Law 51 of July 22, 2008, which regulates electronic documents, electronic signatures, service providers for the technical storage of documents, certification of electronic signatures and other matters, as amended, and the regulation issued under Executive Decree 40 dated May 19, 2009 and Executive Decree 684 dated October 18, 2013; (b) Law 51 of September 18, 2009, which regulates the conservation, protection, and provision of data to users of telecommunications services and adopts other provisions; (c) Law 24 of May 22, 2002, which regulates information services regarding the credit history of consumers or clients, as amended; (d) Executive Decree 52 dated April 30, 2008, which amended and restated the Banking Law, Decree Law 9 of February 26, 1998, as amended; (e) Law 81 of December 31, 2009, which protects the rights of holders of credit cards and other financial cards; and (f) Law 68 of November 20, 2003, as amended, which regulates the rights and obligations of patients in matters of information and informed decisions.
Our Constitution, mainly in articles 42 to 44, establishes rights for data protection. These articles establish:
- Every person has a right to access their personal information included in databases or registries, whether public or private, and to require its rectification and protection, as well as its deletion, as foreseen in the law. This personal information can only be collected for specific purposes, with the consent of the owner of the personal data or by order of the competent authority based on the law;
- Every person has a right to request information of public access or collective interest that is held in databases or registries kept by public officials or by private persons that render that service, as well as to request its correct treatment and rectification, unless that access is limited by a written provision or by law; and
- The habeas data action is established in these articles to guarantee the right of access to personal information collected in databases or registries (public or private), where the latter belong to companies that provide a service to the public or whose business is to provide information. This action can be filed before the courts to guarantee the right of access to public information. Through this action, a person can request that information or data considered personal information be corrected, updated, rectified, deleted, or kept confidential.
The answers included herein are based on Law 81. Note, however, that Law 81 will take effect two years after its promulgation, i.e., March 29, 2021. For purposes of the answers for Panama below, the data subject is the natural person to whom the personal data refers. Note that as of the date hereof no implementing regulation has been issued for Law 81; however, we are aware that a draft is being worked on by the National Authority for Transparency and Access to Information (in Spanish, “Autoridad Nacional de Transparencia y Acceso a la Información”, hereinafter referred to as “ANTAI”). Therefore, relevant matters may be included therein.
To whom do the laws apply?
Any person, natural or legal, public or private, for profit or non-profit, can be protected by Law 81 if they carry out the treatment of personal data in accordance with Law 81 and for the purposes permitted under law, respecting the fundamental rights of the data owners. Law 81 will apply to any database located within the Republic of Panama that stores or contains personal data of nationals or foreigners, or whose responsible party for the treatment of personal data is domiciled in the Republic of Panama. Law 81 distinguishes between the party responsible for the data treatment (which to our understanding is equivalent to a data controller) and the custodian of the database (which to our understanding is equivalent to a data processor), as follows:
- Responsible party of the data treatment (in Spanish, “responsable del tratamiento de los datos”): means the natural or legal person, public or private, for profit or non-profit, who makes the decisions related to the treatment of data and who determines its purpose, means and scope.
- Custodian of the database (in Spanish, “custodio de la base de datos”): means the natural or legal person, public or private, for profit or non-profit, that acts on behalf of the responsible party of the data treatment and oversees the custody and conservation of the database.
Different obligations apply to each and both can be directly liable for damages and subject to fines.
What type of data is covered by the law?
- Personal data: means any information concerning natural persons that identifies them or makes them identifiable; and
- Sensitive data: data that refers to the intimate sphere of the data subject, or whose wrongful use may give rise to discrimination or a serious risk for the data subject. This includes, but is not limited to, race, religious beliefs, philosophical or moral beliefs, trade union membership, political opinions, health-related data, sexual preference, genetic data, or biometric data, amongst others, all of which identify a natural person.
What are the main exemptions (if any)?
Art. 3 of Law 81 establishes the treatments that are exempt from the scope of said law: (i) those done by a natural person for exclusively personal reasons; (ii) those performed by a competent authority for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal sanctions; (iii) those performed for financial intelligence and in relation to national security in accordance with the applicable legislation, treaties, or international agreements; (iv) those related to international organizations in compliance with the treaties and agreements ratified by Panama; and (v) those resulting from information obtained through a prior process of anonymization and dissociation, such that the resulting information cannot be associated with a natural person.
What rights do the laws grant to the data owners?
- Right to access;
- Right to rectification;
- Right to cancellation;
- Right to opposition; and
- Right to portability.
Personal data must be collected for a specific purpose and not be used afterwards for a purpose incompatible with or different from the one for which they were initially requested, nor kept for longer than necessary for the specific purpose for which they were collected. All persons involved in the collection of personal data are obligated to maintain the confidentiality of the information even after the relationship with the data subject or with the responsible party of the data collection has ended, thereby preventing unauthorized access or use.
Additionally, Law 81 (Arts. 16 and 17) establishes that data subjects can request their personal information, and that information must be given to them by the responsible party of the collection of personal data within no more than ten business days of the request.
Providing, modifying, blocking, or deleting personal data is free of charge.
Modification of personal data, however, must be carried out within 5 business days of the request.
Lastly, if the data subject does not receive a satisfactory response from the responsible party, they can submit a complaint before the regulator (i.e., ANTAI).
What are the lawful grounds for processing personal data or sensitive personal data (if different)?
In accordance with Law 81 (Art. 5), the storage and transfer of confidential, sensitive, and restricted personal data originating or stored in Panama is considered cross-border and is allowed if the responsible party or the custodian complies with data protection norms and standards equal to or higher than those required by Law 81.
Additionally, Law 81 in Art. 5 establishes the instances that are exempt from compliance with said criteria: (i) when the data subject has granted consent; (ii) when the transfer is necessary for the execution or performance of a contract to which the data subject is a party or which is in the data subject’s interest; (iii) when it relates to bank, money, or stock exchange transfers; and (iv) when it relates to information that has to be transferred to comply with international treaties ratified by Panama.
Art. 6 of Law 81 establishes that treatment of personal data can be performed if at least one of the following conditions is met: (i) consent of the data subject; (ii) it is necessary for compliance with contractual obligations, as long as the data subject is a party thereto; (iii) it is necessary for compliance with a legal obligation to which the responsible party is subject; and (iv) the treatment of the personal data is authorized by a special law or regulation.
Law 81 in article 13 establishes that sensitive data cannot be transferred except in the following cases: (1) when the data subject has given explicit consent, except in those cases where by law said authorization is not required; (2) when it is necessary to safeguard the life of the data subject and the data subject is physically or legally incapacitated; (3) when it refers to data necessary for the recognition, exercise, or defense of a right in a proceeding with competent judicial authorization; and (4) when it has a historical, statistical, or scientific purpose. In the latter case, the necessary measures to dissociate the information from the identity of the data subject must be taken.
Law 81 in article 25 establishes that the responsible party cannot transfer information unless it has the prior informed and unequivocal consent of the data subject, subject to the exceptions included in Law 81 and its regulation.
Lastly, Law 81 establishes certain exceptions where authorization is not required for the handling of personal data: (i) data which is public information; (ii) information collected as part of the obligations of the public administration; (iii) data of a financial, commercial, economic, or banking nature for which the data subject has given prior consent; (iv) data contained in lists of categories of persons limited to records of a natural person's membership in an organization, profession or activity, together with their academic titles, address or date of birth; (v) data necessary in a commercial relationship for the direct attention, commercialization, or sale of agreed goods or services; (vi) handling by private organizations for the exclusive use of their members for statistical, rate-setting, or other general-benefit purposes; (vii) cases of medical emergencies or sanitary purposes; (viii) handling authorized by law for historical, statistical, or scientific purposes; and (ix) treatment necessary for the satisfaction of legitimate interests pursued by the responsible party or a third party, as long as those interests do not prevail over the interests or fundamental rights and liberties of the data subject requiring data protection, especially where the data subject is a minor or is incapacitated.
What are the main obligations imposed by the law?
To have the necessary consent to handle the personal data, or to fall within an exception included in Law 81. Additionally, Law 81 requires demonstrating compliance through protocols, policies, security mechanisms, and a registry of transfers of information.
Art. 31 of Law 81 requires the responsible party and the custodian of databases to keep a registry of transfers to third parties, and said registry must be available to ANTAI.
Do the laws establish a data retention period to be observed?
Must the data processing activities be recorded under the law?
Law 81 does not require it, but there is an obligation regarding a registry of transfers of personal data, as mentioned, and additionally an obligation of traceability of the data subject's consent, where applicable.
Is there a Data Protection National Authority? If so, what is the National Authority main role?
Yes. ANTAI has within its organization a Directorate for these matters. Its webpage is http://www.antai.gob.pa/.
Additionally, Law 81 establishes a Protection of Personal Data Council, which is comprised of different public authorities and private associations and serves as a consultative body to ANTAI.
Does the law impose the obligation of designating a data protection officer (DPO)? If so, what is the role of the DPO under the law?
There is no such requirement in Law 81. However, as mentioned, we are still waiting for the regulation of Law 81 to be issued, and matters related to this may be included therein.
What rules regulate the transfer of data outside your jurisdiction?
In accordance with Law 81 (Art. 5), the storage and transfer of confidential, sensitive, and restricted personal data originating or stored in Panama is considered cross-border and is allowed if the responsible party or the custodian complies with data protection norms and standards equal to or higher than those required by Law 81. Additionally, Law 81 in Art. 5 establishes the following exemptions: (i) when the data subject has granted consent; (ii) when the transfer is necessary for the execution or performance of a contract to which the data subject is a party or which is in the data subject’s interest; (iii) when it relates to bank, money, or stock exchange transfers; and (iv) when it relates to information that has to be transferred to comply with international treaties ratified by Panama.
Art. 33 of Law 81 establishes that “it will be understood that any transfer of personal data is lawful if it complies with at least one of the following conditions:
- That it has the consent of the data subject;
- That the country or international organization or supranational recipient grants a protection level equal or higher;
- That it is foreseen in a law or treaty in which the Republic of Panama is a party;
- That it is necessary for prevention or medical diagnosis, medical services, medical treatment, or sanitary services;
- That it is done to any company of the same economic group of the responsible party of the controller if the personal data is not used for a different purpose for which it was collected;
- That it is necessary by virtue of an agreement executed or to be executed for the unequivocal interest of the data subject by the controller and a third party;
- That it is necessary or legally required to safeguard a public interest or for the legal representation of the data subject or administration of justice;
- That it is necessary for the recognition, exercise, or defense of a right in a judicial process or in cases of international judicial collaboration;
- That it is necessary for the maintenance or compliance of a legal relationship between the controller and the data subject;
- That it is required to complete a bank transfer or in the stock exchange, in relation to those transfers and the applicable regulation;
- That it has as purpose the international cooperation between intelligence organisms for the fight against organized crime, terrorism, money laundering, computing/tech crimes, child pornography, and drug trafficking;
- That the controller responsible for transferring the personal data and the recipient of the information adopt binding mechanisms of self-regulation to the extent those regulations are in accordance with Law 81; or
- That the transfer is made within the framework of contractual clauses that include mechanisms for the protection of personal data in accordance with the provisions of Law 81, to the extent the data subject is a party thereto.”
Is it necessary to notify the National Authority prior to the international transfer?
No. There is an obligation to keep a registry with certain information as required under Law 81, which must be at the disposal of ANTAI should it require review of or access to that information.
Do the laws impose any information security standards and/or requirements?
The responsible party of personal data and the custodian of databases are required to implement the appropriate standards, norms, certifications, protocols, technical measures, and IT management adequate to preserve security in their systems and networks or in the rendering of their services, in order to guarantee certain levels of protection of the personal data in accordance with Law 81 and its regulation. Therefore, Law 81 includes the general obligation that these measures must exist but does not include a detailed description of the requirements to be met.
Do the laws establish any kind of mandatory notification duty?
There are only two articles of Law 81 which specifically mention a security breach, namely:
- Art. 2, which includes the principle of “Security of personal data” and expressly states that the data subject must be informed as soon as possible if there has been a breach; and
- Art. 26, which refers to operators of public networks or providers of communications services to the public and establishes that if there is a breach, they must inform the data subjects whose information has been compromised and of the measures they are taking.
What are the sanctions for noncompliance with data protection laws?
In accordance with Law 81 (Arts. 36 to 43), ANTAI has the power to impose economic fines of up to US$10,000, as well as sanctions that include the closure of the database and the suspension or complete disqualification from the storage and collection of personal data. The foregoing is without prejudice to any civil law liability for damages or criminal law implications that may apply.
In accordance with Art. 19 of Law 81, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling. However, such decisions are possible when: (i) there is data subject consent; (ii) it is necessary to execute or perform a contract or legal relationship between the responsible party of the personal data and the data subject; and (iii) it is authorized by special laws or the norms that develop them.