Act 81 on Personal Data Protection was passed last March to establish the principles, rights, obligations and procedures regulating Personal Data Protection applicable to natural or legal persons, subject to public or private law, that handle personal data in the terms covered by the regulation.

This law, which will come into force 2 years after it was passed –29 March 2021- allows personal data to be processed provided that this is done within the terms of the law and for the purposes covered in the legislation; furthermore, secondary legislation is needed to develop it. The key areas it regulates include the following:

Consent

Personal data processing may only take place when the law explicitly allows it or when the data holder has given consent.

Sensitive data

Those concerning their holder’s private life or the improper use of which could give rise to discrimination or entail a serious risk for the date holder – of a racial nature, involving their religious beliefs or convictions, trade union affiliation, political views, relating to their health, information about their life, their sexual preferences or orientation, genetic or biometric data, among others – intended to clearly identify an individual. Sensitive data may not be transferred unless the following requirements are met:  

• When the data holder has given explicit consent;
• When it is necessary to protect the data holder’s life;
• When it is necessary in order to uphold the recognition, exercise or defense of a right in a legal process, and
• When there is a historic, statistical or scientific purpose.

Basic, inalienable rights of personal data holders

The Act lists the following basic rights:

• Access (to obtain the data and know the purpose for which they were collected and where from),
• Rectification (to access and request corrections, amendments or updates),
• Cancellation (to ask for data to be erased),
• Opposition (to refuse to provide consent, or withdraw that consent), and
• Portability (the right to obtain a copy of one’s personal data in a structured format under certain circumstances)

Personal data storage or transfer

Storage or transfer of personal data of a confidential, sensitive or restricted nature, beyond Panama’s borders by the company in charge of the data’s use, storage or custody, is permitted provided that the company and/or country of residence is bound by standards of protection comparable to those of this Law or if the institution transferring the data makes sure it adopts all the necessary processes so that they are protected.

The above requirements are relaxed in the following cases:

• When the data holder has consented to the data transfer;
• When the transfer is necessary for the data holder to be able to sign or execute an existing or new contract that is to their own benefit;
• Bank and money transfers, stock and securities market transfers, and
• When the transmission of the information concerned is required by law or to comply with international treaties that have been ratified by Panama.

In addition, the law establishes the obligation to set procedures, protocols and processes for managing and transferring data that comply with the necessary security methods.

Sanctions and payouts

The body in charge of enforcing this law is the National Transparency & Information Access Authority (ANTAI) except in the case of subjects regulated by special laws, that must be referred to the competent regulatory authority, in the first instance.

This body is authorized to impose sanctions, which can range between Balboa/USD 1,000 and Balboa/USD 10,000, depending on seriousness and recurrence of the breach.  This body can also issue written warnings, a summons to the ANTAI, close the data base record and suspend or disable the storage and/or personal data handling process.

The personal data processing officer must indemnify the economic and/or moral damages caused by improper use of these.

Data bases

The data base officers or keepers who transfer personal data that is stored in these data bases to third parties must keep a record of these data bases, which must be available for inspection by ANTAI, if so required.

Personal Data Protection Council

The law provides for the creation of a Personal Data Protection Council, whose functions include advising the ANTAI about the law, making public policy recommendations, assessing cases submitted for consultation and developing a set of internal regulations. This body will be made up of:

• The Minister for Trade & Industry;
• The General Administrator of the Consumer Protection & Competition Authority (ACODECO);
• The CEO of ANTAI;
• The People’s Ombudsman, or someone designated by this officer;
• A representative from the National Private Enterprise Council (CONEP);
• A representative from the National College of Attorneys;
• A representative from the Panamanian Banking Association;
• A representative from the Election Tribunal, and
• A representative from Panama’s Chamber of Trade, Industry & Agriculture.