DLA Piper Intelligence

Data Protection
Laws of the World

Law

Panama
Panama

Panama has taken significant legislative steps to regulate data protection this year. In fact, Bill No. 665 of August 20, 2018, which regulates the protection of personal data, was approved by the National Assembly on October 24, 2018 and is—at the time of this writing—awaiting the President’s approval in order to become law ("Draft Data Protection Law").

Until the Draft Data Protection Law is sanctioned, the primary laws that regulate data protection in Panama are:

  • The Constitution
  • The Criminal Code
  • Several sectoral laws that regulate the matter in their respective jurisdictions

Electronic commerce is regulated by:

  • Law 51 of July 22, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”)
  • Executive Decree No. 40 of May 19, 2009 (“Decree 40”)
  • Executive Decree No. 684 of October 18, 2013 (“Decree 684”)

The main purpose of both Law 51 and Decree 40 is to regulate the creation, use and storage of electronic documents and signatures in Panama through a registration process, and the supervision of providers of data storage services. Law 51 and Decree 40 provide for enforcement through the General Directorate of Electronic Commerce (Direccion General de Comercio Electronico) (DGCE).

Additionally, under Panamanian criminal law, individuals or entities that unlawfully access personal data are criminally liable pursuant to articles 289 and 290 of the Panamanian Criminal Code.

Last modified 28 Jan 2019
Law
Panama

Panama has taken significant legislative steps to regulate data protection this year. In fact, Bill No. 665 of August 20, 2018, which regulates the protection of personal data, was approved by the National Assembly on October 24, 2018 and is—at the time of this writing—awaiting the President’s approval in order to become law ("Draft Data Protection Law").

Until the Draft Data Protection Law is sanctioned, the primary laws that regulate data protection in Panama are:

  • The Constitution
  • The Criminal Code
  • Several sectoral laws that regulate the matter in their respective jurisdictions

Electronic commerce is regulated by:

  • Law 51 of July 22, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”)
  • Executive Decree No. 40 of May 19, 2009 (“Decree 40”)
  • Executive Decree No. 684 of October 18, 2013 (“Decree 684”)

The main purpose of both Law 51 and Decree 40 is to regulate the creation, use and storage of electronic documents and signatures in Panama through a registration process, and the supervision of providers of data storage services. Law 51 and Decree 40 provide for enforcement through the General Directorate of Electronic Commerce (Direccion General de Comercio Electronico) (DGCE).

Additionally, under Panamanian criminal law, individuals or entities that unlawfully access personal data are criminally liable pursuant to articles 289 and 290 of the Panamanian Criminal Code.

Last modified 28 Jan 2019
Definitions

Definition of personal data

Personal Data is not expressly defined under Panamanian law.

Definition of sensitive personal data

’Sensitive Personal Data’ is not defined under Panamanian Law.

Last modified 28 Jan 2019
Authority

Currently there is no National Data Protection Authority. 

For electronic commerce, the national authority is:

The General Directorate of Electronic Commerce
(Dirección General de Comercio Electrónico)

Plaza Edison, Sector El Paical, Floors 2 & 3.

T (507) 560-0600
   (507) 560-0700
F (507) 261-1942

contactenos@mici.gob.pa

Last modified 28 Jan 2019
Registration

There is no registration required for the processing of Personal Data under the current legislation.

Under Decree 40, electronic data storage companies and companies engaged in online electronic signature verification must register with the DGCE. For companies otherwise engaged in electronic commercial activities, registration with the DGCE is voluntary and can be completed online, free of charge. Registration must occur no later than 15 days prior to the commencement of data processing activities and shall include, inter alia, the following information:

  • Name of the company
  • Company´s physical address, telephone and fax number
  • Legal representative of the company
  • Company´s Internet address or URL
  • Contact email provided by company to customers
  • Public Registry and Ministry of Commerce Registration Information
  • In the event that an undertaken activity requires specific authorization or permits, evidence thereof
  • Tax Identification Number
  • Description of services offered by the company, including pricing information and applicable taxes
  • The company's code of conduct

Law 51 and Decree 40 set forth certain additional registration requirements for companies that are engaged in each of the activities for which registration is mandatory.

Further, pursuant to recently-enacted regulations, individuals or entities who wish to electronically interact with government entities must first register by activating a user account and executing a release form that is available both physically and online. To the extent necessary, government entities may also request a petitioner´s consent to access such petitioner's personal information that is available on a different government entity’s system.

Last modified 28 Jan 2019
Data Protection Officers

Appointment of a data protection officer is not required under current law.

Last modified 28 Jan 2019
Collection & Processing

In Panama, personal information is protected at the constitutional level. The Constitution provides that every person has a right of access to his / her personal information contained in data banks or public or private registries and to request their correction and protection, as well as their deletion in accordance with the provisions of the law. It also states that such information may only be collected for specific purposes, subject to the consent of the person in question, or by order of a competent authority based on the provisions of the law. The disclosure of personal information without consent is also prohibited by the Panamanian Criminal Code. Criminal penalties apply to the disclosure of personal information where the disclosure causes harm to the affected individual. Law 51 specifically establishes that this criminal law prohibition applies to electronically stored information.

Panamanian law further requires that providers of online data storage services take reasonable measures to ensure that company personnel who have access to confidential information:

  • Do not have a criminal record
  • Have obtained the necessary technical skills to handle such data and information
  • Possess reasonable knowledge of existing legal restrictions related to the disclosure of such information

Although the last requirement is specifically intended to apply to entities that provide online data storage services, it is possible that it could also be construed to apply to any company engaged in electronic commerce.

Last modified 28 Jan 2019
Transfer

With regards to personal data, the Constitution states that individuals must give their consent in order for their personal data to be transferred or processed in any way.

Additionally, although the Panamanian e-commerce regulatory framework is not yet fully developed, the existing regulations follow the constitutional principle that the consent of the affected data subject is required for the transfer of any personal information.

Pursuant to Law 51, when a customer provides his / her email address during the process of acquiring or subscribing to a service offered online, the company providing such service must disclose to the customer its intent to use the email address in the future for commercial communications and, further, must obtain the customer's express consent for such purposes.

The client or customer must also be able to withdraw such consent easily, through a simple process made available by the provider of the service.

While the manner in which this restriction appears to have been drafted suggests that it applies exclusively to online service providers, its broader application to all companies that sell products online or are engaged in e-commerce activities is possible.

Last modified 28 Jan 2019
Security

There are no security requirements under the current law regarding the protection of personal data.

Decree 40 establishes certain security requirements—applicable only to electronic data storage and electronic signature verification companies—for which registration with the DGCE is mandatory. The main requirements are adherence to the security standards periodically published by the DGCE, and the performance of annual self-audits, the results of which must be filed with the DGCE in order for the company to renew its registration. In addition, these companies must create a disaster recovery plan that allows such providers to re-establish regular operations within 12 hours of the occurrence of a disruptive event.

No similar provisions have been enacted with respect to companies who engage in other types of e-commerce (ie, those for which registration is voluntary).

Last modified 28 Jan 2019
Breach Notification

There are no breach notifications under the current legislation for Personal Data Protection.

Law 51 does not require breach notification to the affected parties.

However, the Panamanian Procedural Criminal Code does require individuals that have third party goods or interests under their care to report crimes affecting such goods or interest to the authorities. Given that article 289 and 290 of the Criminal Code make the theft of information a criminal offense, the preceding general provision may require the reporting of such crime to the authorities.  

Last modified 28 Jan 2019
Enforcement

The DGCE is responsible for enforcement of the existing e-commerce and related regulations, including the publication of additional complementary regulations. Sanctions include the suspension or permanent ban of the activities of companies that infringe certain regulations, as well as fines of up to US$150,000.

Last modified 28 Jan 2019
Electronic Marketing

With respect to email advertising, Panamanian law requires that all such emails:

  • State that they are commercial communications
  • Include the name of the sender
  • Set forth the mechanism through which the recipient may choose not to receive any further communications from the particular sender

These requirements apply to other promotional offers as well.

Further, although opt-out tools are not prohibited, the client's initial opt-in consent is specifically required if an entity wishes to use the client's email for advertising purposes. Further, although no specific prohibition has been enacted with respect to the use of information for online advertising, obtaining the customer's consent is always preferable.

Last modified 28 Jan 2019
Online Privacy

The existing regulatory framework does not yet address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 28 Jan 2019
Contacts
Diego Herrera
Diego Herrera
T +507 303 0303
James Sattin
James Sattin
T +507 303 0303
Jose Luis Sosa
Jose Luis Sosa
T +507 303 0303
Last modified 28 Jan 2019