Bill 665 on "Personal Data protection" was passed in its third reading on 24 October 2018 in the National Assembly. The law guarantees respect for and protection of personal data in databases located within or outside the country.

The Bill, which is in addition to the special legislation on the creation and regulation of personal databases, covers the following:

Scope of application and exceptions

The Bill will apply to all databases in Panama, or whose Chief Data Officer is domiciled in Panama, that store data, whether about Panamanian nationals or foreign citizens. For these purposes, the regulation defines the Data Officer as the person, whether natural or legal, under public or private law, for profit or not, who takes decisions about data processing and who decides on data-related matters.

The law exempts the following cases from its scope of application, as well as data processes that are explicitly regulated by special laws:

• Data processing carried out by a natural person for exclusively personal or domestic purposes.
• Data processing carried out by the competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal breaches or to execute criminal sanctions.
• Data processing carried out to analyze financial intelligence and pertaining to national security.
• Data processing relating to international organizations.
• Data processing emanating from information obtained by means of prior anonymization, such that the outcomes cannot be linked to the title owner of the personal data.

General principles

• Principle of fair dealing: personal data must be collated without the use of deception or falsehood.
• Principle of purpose: the data must be collated for specific purposes and may not be used for purposes incompatible with those for which they were requested.
• Principle of proportionality: the data requested must be appropriate, relevant and limited to the minimum necessary for the purposes for which they are requested.
• Principle of veracity and accuracy: the data must be accurate and up to date, such that they give a true picture of their owner's current situation.
• Principle of data security: technical and organizational measures must be put in place to ensure data security, particularly in the case of sensitive data.
• Principle of transparency: the information provided to the data owner must be straightforward and clear.
• Principle of confidentiality: officers in charge of processing personal data must keep that data confidential.
• Principle of lawfulness: data must be collected with the prior consent of the title owner, or with legal grounds.
• Principle of portability: the title owner is entitled to obtain from the data processing officer a copy of their personal data, which must be properly structured and in a standard format that is in general use.

Rights of the title owners of personal data

Following international personal data protection legislation, the new Panamanian law recognizes the rights of title owners to access, rectify, cancel, oppose and remove their data. Furthermore, the Bill specifies that the title owner has the right not to be subject to a decision based solely on the automated processing of their personal data and forbids the limitation of the right to block their data.

Requirements for personal data processing

Personal data may only be processed when some of the following conditions are met:

• The data owner's consent has been obtained.
• The data processing is necessary in order to execute a contractual obligation, provided that the data owner is a party in that obligation.
• The processing must be necessary to comply with the data processing officer’s legal obligation.
• The personal data processing is authorized by virtue of a special law.

Data transfer

The law allows personal data to be transferred provided that certain conditions are met, such as: having the consent of the data owner; that the receiving country provides a level of protection equivalent to, or better, than Panama; that the processing officer transferring the data and the destination officer adopt binding self-regulating mechanisms, and that the transfer is carried out within the framework of contractual clauses containing mechanisms to protect personal data, among others.

Sanctions

The National Transparency & Information Access Authority (Antai) will set the amounts of the financial sanctions that will apply in the case of breaches, depending on their severity, at between USD 1,000 and USD 10,000.

Infractions, classified as minor, severe or very severe, will be sanctioned as follows:

• Minor: Summons to the Antai to explain the records.
• Severe: Proportionate fines.
• Very severe: Shutdown of the database records, without prejudice to the corresponding fine; temporary or permanent suspension of and disbarment from the activity of storing and/or processing personal data, without prejudice to the corresponding fine.

Other considerations

The Bill recognizes the National Transparency & Information Access Authority as the regulatory body that, supported by the National Governmental Innovation Authority, will oversee checking and supervising matters relating to Information and Communication Technologies (ICT) covered by this law.

Finally, the regulation stipulates that it will come into force two years after it is published, providing a transition period so that the institutions can adapt to the requirements of the regulatory body.