Panama Privacy Laws

Panama`s data protection law came into force on March 29. The law stipulates that subcontractors must obtain the prior consent of their subjects and that they must define the purpose of the data collection. Data collectors must also take steps to ensure data security. What are the most important parts of the law and how adequate will it be to protect consumer data? How do Panamanian privacy rules compare to such laws in other countries, and should legislators for that matter use them as a model for their own privacy efforts? What are the main implications of the law for businesses in Panama? Mariela de la Guardia Oteiza, Partner at Icaza, González-Ruiz & Alemán: “Law 81 establishes the principles, rights, obligations and procedures that govern the protection of personal data in Panama, with exceptions regarding the scope for data subjects whose personal data is expressly regulated by specific laws or regulations. Law 81 applies to databases in Panama that store or contain personal data of nationals or foreigners or data controllers residing in the country. The Constitution and laws of Panama stipulate that consent is required for the processing of personal data of data subjects and that they must be duly informed of the purpose of the use of such data. In addition, data must be obtained in such a way that it can be easily traced. The law also states that sensitive data cannot be transferred without the express consent of the data subject. The National Authority for Transparency and Access to Information, the regulatory authority, has the power to sanction controllers and database managers who have violated the personal data rights of data subjects. It shall also determine the amounts of the applicable penalties, without prejudice to the material or moral damage that the unlawful processing of data could cause. An implementing decree that could clarify and develop certain points of the law has not yet been adopted to regulate this law. Confidential Data.

Data that, by its very nature, should not be known to the public or unauthorized third parties, including data protected by law, confidentiality or non-disclosure agreements to protect information. In the case of the public administration, these are data whose processing is limited for the purposes of this management or when the express consent of the owner is obtained, regardless of the provisions of the specific laws or regulations that develop them. Confidential data is always subject to limited access. Hopefully, Panama will continue to adopt more laws of the general GDPR laws and that other Central American countries will follow. Law No. 81 on the Protection of Personal Data 2019 (available only in Spanish here) (“the Law”) was promulgated and entered into force on March 29, 2021. In addition, the rules of the law were published on 28 May 2021 by Executive Decree 285/2021 (“Executive Order 285/2021”). There are several laws, such as the National Constitution of the Republic of Panama (available only in Spanish) (“the Constitution”), that govern the protection of personal data. The Constitution establishes the right to confidentiality of personal communications and documents, the right of access to information contained in the databases of public bodies or private persons providing public services, as well as the rectification, rectification or erasure of such information.

How do Panamanian data protection regulations differ from these laws in other countries? It should also be noted that, according to an opinion of the Commissioner on the protection of personal data on the websites of public and private controllers, data subjects have the right to be informed by the controller if their personal data has been compromised (lost or stolen data or if their online privacy is likely to be compromised). To our knowledge, the Commissioner`s view in this notice is for guidance purposes only and has no binding effect. Follow OneTrust on LinkedIn, Twitter or YouTube for the latest information on data protection compliance in Panama. In the case of Panama, we did not have a specific law regulating the protection of personal data; we only had general provisions on this subject, such as the national constitution, Law 68 of 2003, which regulates the rights and obligations of patients in terms of information and free and informed choice; Act No. 24 of 22 May 2002, which regulates, inter alia, the service of information on the credit history of consumers or customers. Like the GDPR definitions, Panama`s laws have a comprehensive definition of personal data. According to the laws, personal data includes any information about identified or unidentified individuals. However, anonymized data in Panama does not fall within the scope of the law. Through anonymized data, Panamanian laws define this as data that cannot be re-identified by reasonable means. According to these laws, data processors and processors must obtain consent from their subjects before collecting data. Privacy and the protection of personal data are important human rights that we must protect. In Panama, the right to privacy is enshrined in articles 29, 42 and 43 of the Constitution.

Similarly, article 11 of the American Convention on Human Rights, ratified by Panama, enshrines the protection of the right to privacy. What are the exceptions? There are exceptions to the scope of the law for data that is expressly regulated by specific laws or by regulations that develop them. Some special laws are the Banking Act or the law that regulates the rights and obligations of patients. Similarly, in Latin America, countries such as Argentina, Colombia, Brazil, Chile, Peru and Mexico have begun either to amend their personal data protection laws to meet the standards imposed by the European Union with the General Data Protection Regulation, or to develop new laws on the subject. Databases of subjects subject to special laws, such as banks, insurance companies, etc., are exempt from the law, provided that these laws, or their regulations that develop them, establish minimum technical standards necessary for the appropriate protection and processing of personal data, as established by Law 81. In addition, the following processing of personal data is excluded from the scope of Law 81: Register for the webinar: Panamanian Data Protection Law: Compliance with the Latest Data Protection Law in Central America Alejandro Valerio, Associate Practice Leader for Latin America at FrontierView: “Panama`s Data Protection Law has used the EU`s General Data Protection Regulation (GDPR) as its reference, which governs how the personal data of individuals in the European Union may be processed and transmitted. Panama`s law is an important step in attracting investment after last year`s economic impact. Good data protection legislation reassures investors about a country`s rule of law, especially for a global economic center like Panama. The main parts of the law are: 1) the extensive list of personal data protection rights of individuals and companies; (2) the establishment of ANTAI, a centralized law enforcement authority; and 3.) The exemption granted by law to the banking sector is regulated by the body that supervises it. By excluding Panama`s financial system, arguably the sector most closely linked to the global economy, the new law avoids bureaucratic tangles that could make the sector less competitive. Panama`s law is perhaps the most updated in Latin America, as countries like Argentina and Chile passed laws in this area two decades ago. While most Latin American countries are looking to update their data protection laws in line with GDPR guidelines, lawmakers elsewhere should review Panama`s law, which aims to access the economic benefits of a strong data protection framework.

The biggest impact of the law for businesses in Panama is that it will require them to be more careful with personal data to avoid reputational damage and fines. There are exceptions to the scope of the law for data that is expressly regulated by specific laws or by regulations that develop them and that we described in detail at the beginning.