Relevant aspects of Panama´s Data Protection law and its regulations

I.            Introduction

              Despite the fact that our National Constitution, in its article 42 establishes certain parameters, rights and obligations regarding access, storage and protection of data, Panama has a law that adequately regulates the Protection of Personal Data, since the entry into force of Law 81 of March 26, 2019 (March 29, 2021), which establishes the principles, obligations and procedures for the processing of data in the country, and it was not until a few months ago that Executive Decree 285 of May 28, 2021 (2 months from the entry into force of Law 81) was issued, by means of which Law 81 on Personal Data Protection was regulated, all of which, like any new legal regulation, brings with it some general uncertainty for its addressees, but we must emphasize that, in our opinion, this regulation is destined to generate a radical change in the way banking, financial and legal entities have been handling their clients’ personal information up to now, starting with the main feature and fundamental pillar of this Law, which is that from the date of its entry into force (March 29, 2021), in order for the processing of personal data to be lawful, it must be collected and processed with the prior consent of the subject, who also has the right to know what use shall be made of his or her information.

II. Scope of Application

              This new Law and its regulation have been very broad and forceful as to its main and not supplementary application in all regulated aspects and expressly determines that even when special laws exist, the Data Protection Law and its regulation shall be considered as the general regime. The special laws would become complementary to both norms.

              In addition to the above, these laws regulate three main aspects related to the protection of personal data:

1. Aspects related to the protection of the subject’s data with the recipient and its employees.

2. Aspects related to the protection of data in possession of the recipient that are provided to suppliers, custodians, or third-party controllers (partners or allies of the recipient).

3. Aspects related to the recipient’s internal policies or governance (internal policies and good practices).

III.         Relevant Aspects

1. New regulator:

– The National Authority for Transparency and Access to Information (ANTAI), as the governing body of the matter, shall have powers to oversee, supervise, inspect, and sanction violators of the rules contained in Law 81 of March 26, 2019.

– ANTAI shall also be empowered to hear complaints related to personal data, opening space for a new forum to which consumers shall be able to turn to, in addition to the existing ones.

2. Consent:

– In order for consent to be informed and unequivocal, it must be preceded by information related to the “ARCO” rights (access, rectification, cancellation, opposition, and portability) that protect the holders.

– The holders shall have the opportunity to revoke it at any time.

3. New obligations:

– New customer information requirements are created.

– Obligation to keep customer data updated.

– Attention and response to the exercise of ARCO rights.

– According to the regulation, the regulators of the different sectors (Superintendence of Banks, Securities, Insurance, etc.), must issue within a term not exceeding nine (9) months, the complementary privacy policies, protocols, processes and procedures of processing and secure transfer that the regulated subjects must comply with and, in addition, such policies must be adapted to the requirements of their data processing; Therefore, in the coming months we shall be attentive to review and be informed of the new policies developed and issued by the governing bodies in the various sectors, especially with regard to the definitions for the issues of portability and data processing.

– Suppliers and exporters who have custody of data must comply with all the requirements of this standard.

– It provides for the obligation to notify those affected if they become aware of security breaches of personal data, within a period of 72 hours.

4. Free of charge:

These regulations also provide that the actions of the data controller, associated with the exercise of the data subject’s rights, must be free of charge for the data subject, which is why it is the recipients who must bear such costs.

5. New role of “Data Protection Officer”:

The role of Data Protection Officer is created, whose designation is not mandatory for the private sector, however, it shall be considered as part of the criteria for grading penalties, so it is also important for this sector.

6. Importance in Contracts:

The basic contracts of the different entities that are recipients or custodians of data shall require multiple adjustments to reflect the requirements of the new regulation (e.g., to detail the conditions of the consents, data privacy issues and their processing must be highlighted, contact details of the data protection officer must be included, amongst others).

7. Databases transferred:

Any database transfer must comply with the required legal and regulatory formalities, all of which from our perspective shall subtract effectiveness from the current model carried out by some private cell phone, banking, financial and similar entities, to exploit the information as a revenue-generating asset.

8. Data obtained from third parties:

The subject of the data (obtained from third parties) must be informed/notified of the source from where their data is obtained (amongst other requirements). 

9. Sanctions

– The criteria for grading sanctions are established.

– ANTAI shall be empowered to publish the sanctions, which could imply a reputational risk.

10. Statute of limitations:

Specific periods of time are established in which, depending on the seriousness of the infringements and sanctions, the statute of limitations shall prescribe, being 1 year for minor infringements, 3 years for serious infringements and 5 years for very serious infringements. While for minor penalties it would be 3 years, serious penalties 5 years and very serious penalties shall not be subject to statute of limitations as detailed below.

11. Extra-border data transfers:

The extra-border transfer of data is subject to the condition only to countries that are considered to provide a degree of protection equivalent or superior to the national, and it is at the discretion of ANTAI to discern whether or not a particular jurisdiction has an equivalent or higher level of protection, without commitment to establish a list of recognized jurisdictions that allows us in advance to have identified those jurisdictions with whom data could be transferred. 

This point may imply challenges to the national private company, since at the moment of referring clients to jurisdictions where they or their subsidiaries have presence, but do not have a Data Protection Law, even with the client’s consent, if the regulation of a certain jurisdiction is not equal or equivalent to the Panamanian, they shall not be able to transfer the information.

IV. Infringements and sanctions

The Authority may establish sanctions from one thousand balboas with 00/100 (B/. 1,000.00) to ten thousand balboas with 00/100 (B/. 10,000.00 balboas).

Infractions are classified as minor, serious and very serious:

o Minor: failure to remit or inform the authority within the term. In addition, it may entail a summons from the authority.

o Serious: processing without the consent of the subject, infringing the established principles and guarantees, infringing the confidentiality commitment, restricting ARCO rights, failing to comply with the duty to inform the subject of the data processing, storing, or filing data without the security conditions, failing to comply with the reiteration of the requirements and obligations of the authority, the above may entail a fine of one thousand balboas with 00/100 (B/. 1,000.00) to ten thousand balboas with 00/100 (B/. 10,000.00 balboas), depending on its proportionality.

o Very serious: collecting personal data in a fraudulent manner, not observing the regulations, not suspending the processing when previously requested by the authority, storing, or transferring personal data internationally and repeating the serious offenses, which may lead to the closure of the database records and the corresponding fine and even the suspension and disqualification of the storage and/or processing activity.

Finally, as we have previously mentioned, here is a breakdown of what the Executive Decree establishes with respect to the time limits for the prescription of the action and the sanction:

  • Prescription of the action:
  • Minor infringements within 1 year.
  • Serious infringements within 3 years.
  • Very serious infringements within 5 years.
  • Prescription of the sanction:
  • Minor sanctions within 3 years.
  • Serious sanctions within 5 years.
  • Very serious sanctions are not subject to the statute of limitations.