DLA Piper Intelligence

Data Protection
Laws of the World

Online Privacy

The existing regulatory framework does not yet address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 14 Jan 2020
Law
Panama

Panama has taken significant legislative steps to regulate data protection this year. In fact, Law No. 81 of March 26th, 2019, promulgated on Official Gazette 28743-A on March 29, 2019, is the law that regulates data protection in the Republic of Panama. (Ley sobre Protección de Datos Personales in Spanish; “Data Protection Law”). The Data Protection Law sets forth 47 articles that regulate:

  • The principles, rights, obligations, and procedures applicable to the protection of personal data in Panama.
  • The individuals who are subject to the law as well as those entities that are not subject to the law since they are classified by the Data Protection Law as “regulated subjects” (i.e. banks, insurance companies, telecommunication providers, etc.).
  • The fines and penalties applicable to natural or legal persons who violate an individual’s right to data protection.  

The Data Protection Law will take effect 2 years after its promulgation (March 29th, 2021). 

In addition to the Data Protection Law, the following general rules govern data protection:

  • The Constitution
  • The Criminal Code
  • Several sectoral laws that regulate the matter in their respective jurisdictions
Last modified 14 Jan 2020
Definitions

Definition of personal data

Personal Data is defined by the Data Protection Law as the personal information of an individual that identifies him or makes him identifiable.

Definition of sensitive data

Sensitive Data is defined by the Data Protection Law as the one that refers to the intimate sphere of its owner, or whose improper use could give rise to discrimination or entail a serious risk for the individual, such as information about the racial or ethnic origin, beliefs or religious, philosophical and moral convictions; union membership; political opinions; data related to health, life, sexual preference or orientation, genetic data or biometric data, among others, subject to regulation and aimed at identifying univocally a natural person.

Last modified 14 Jan 2020
Authority

The Data Protection will be supervised and overseen by:

Panama’s National Authority of Transparency and Access to Information (“ANTAI”)
(Autoridad Nacional de Transparencia y Acceso a la Información)
Del Prado Avenue, Bulding 713, Balboa, Ancon, Panama
T (507) 527-9270 to 74
accesoinformacion@antai.gob.pa 

ANTAI will have the support of the National Authority for Government Innovation
(Autoridad Nacional para la Innovación Gubernamental) in matters related to Information and Communications Technology (ICT)
61st Street and Ricardo Arango Avenue, Sucre, Arias y Reyes Bulding, Floor 3
Obarrio, Panama
T (507) 520-7400
administracion@innovacion.gob.pa

Last modified 14 Jan 2020
Registration

The Data Protection Law does not include any registration or notification requirement prior to the processing of data before Panama’s National Authority of Transparency and Access to Information (“ANTAI”). What it does require, is for data controller’s (known in Panama as the “Responsible of the data treatment”) (Responsable del tratamiento de datos in Spanish) to have the data subject’s consent to the processing of said personal data, as a general principle.

Last modified 14 Jan 2020
Data Protection Officers

Appointment of a data protection officer is not required under the Data Protection Law.

Last modified 14 Jan 2020
Collection & Processing

In Panama, personal information is protected at the constitutional level. The Constitution provides that every person has a right of access to his / her personal information contained in data banks or public or private registries and to request their correction and protection, as well as their deletion in accordance with the provisions of the law. It also states that such information may only be collected for specific purposes, subject to the consent of the person in question, or by order of a competent authority based on the provisions of the law. The disclosure of personal information without consent is also prohibited by the Panamanian Criminal Code. Criminal penalties apply to the disclosure of personal information where the disclosure causes harm to the affected individual. 

As per the Data Protection Law, the data subject must consent to the processing of his data and be duly informed of the proposed use of his personal data. The consent must be obtained in such a way that allows its traceability with documentation, whether electronic or by any other means that are suitable to the medium of the particular case and can be revoked, without retroactive effect. If the consent of the data subject is given in the context of a sworn statement that also refers to other matters, the consent request will be presented in such a way that it is clearly distinguished from the others, in a comprehensible and easily accessible manner, using a clear and simple language, which will not be binding in any part of the declaration that constitutes an infraction of the Law and its regulation. Under the Data Protection Law, data subjects need to know how collected personal data will be used.  

The Data Protection Law established the following acceptable grounds to justify processing personal data without a person's consent:

  • Those that come or are collected from public domain sources or accessible in public media.
  • Those that are collected within the exercise of the functions of the Public Administration in the field of their competences.
  • Those of an economic, financial, banking or commercial nature that have prior consent.
  • Those that are contained in lists related to a category of people that is limited to identifying background, such as the participation of a natural person to an organization, their profession or activity, their educational titles, address or date of birth.
  • Those that are necessary within an established commercial relationship, whether for direct attention, marketing or sale of goods or services agreed.
  • The processing of personal data by private organizations for the exclusive use of their associates and the entities to which they are affiliated, for statistical purposes, for pricing or others of general benefit to them.
  • Cases of medical or health emergencies.
  • The treatment of information authorized by law for historical, statistical or scientific purposes.
  • The treatment that is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests do not prevail over the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a minor or a person with a disability.
Last modified 14 Jan 2020
Transfer

With regards to personal data, the Constitution states that individuals must give their consent in order for their personal data to be transferred or processed in any way. 

The Data Protection Law clearly states that in no case may the data controller or the data processor transfer or communicate the data related to an identified or identifiable person, after seven years have elapsed since the legal obligation of kept said personal data, unless the data subject expressly requests otherwise. Data controllers can only transfer personal data when they have the prior, informed and unequivocal consent of the data subject, with the exceptions included in the Data Protection Law. 

Additionally, the Data Protection Law states that the transfer of personal data is understood to be lawful, if any of the following conditions are met: 

  • To have the data subject’s consent.
  • That the recipient country or international or supranational organization provides an equivalent or a higher level of protection.
  • That it is included in a law or treaty in which the Republic of Panama is a party.
  • That it is necessary for the prevention or medical diagnosis, the provision of health care, medical treatment or the management of health services.
  • That it be made to any company of the same economic group of the data controller, provided that the personal data is not used for different purposes that originated their collection.
  • That it is necessary under an executed or soon to be executed contract in unambiguous interest of the data subject, by the controller and a third party.
  • That it is necessary or legally required for the safeguard of a public interest or for the legal representation of the data subject or administration of justice.
  • That is necessary for the recognition, exercise or defense of a right in a judicial process, or in cases of international judicial collaboration.
  • That is necessary for the maintenance or fulfilment of a legal relationship between the data controller and the data subject.
  • That is required to conclude bank or stock transfers, relative to the respective transactions and according to the legislation that is applicable to them.
  • That has as its object, international cooperation among intelligence agencies for the fight against organized crime, terrorism, money laundering, computer crimes, child pornography and drug trafficking.
  • That the data controller responsible for the data transfer and the recipient adopt mechanisms of binding self-regulation, provided that they are in accordance with the provisions of the Data Protection Law.
  • That is carried out within the framework of contractual clauses that contain mechanisms for protection of personal data in accordance with the provisions set out in the Data Protection Law, provided that the data subject is a party. 

In all cases, the data controller responsible for the data transfer and the recipient of the personal data will be responsible for the legality of the data processing.

Last modified 14 Jan 2020
Security

In matters of security, data controllers must establish protocols, safe management and transfer processes and procedures to protect the rights of data subjects under the precepts of this Law. The minimum requirements that must be contained in the privacy policies, protocols and procedures for data processing and transfer that must be met by the data controller, will be issued by the regulator of each sector in accordance with this law.

In the event that the treatment or transfer of personal data is carried out through the Internet or any other electronic, digital or physical means, the data controller or the data processor, whomever applies must comply with the standard certifications, protocols, technical and management measures appropriate to preserve the security in their systems or networks, in order to guarantee the levels of protection of personal data as established by the Data Protection Law. 

Last modified 14 Jan 2020
Breach Notification

Operators that manage public networks or that provide communication services available to the public shall guarantee in the exercise of their activity the protection of personal data in accordance with the Data Protection Law and the regulations that develop it. They must also adopt the appropriate technical and management measures to preserve the security in the operation of the network or in the provision of their services, in order to guarantee the levels of protection for the personal data that are required by the Data Protection Law and its regulations, as well as certifications, protocols, standards and other measures established by the respective authorities. 

In case there is a particular affectation or violation of the security of the network communication system, the operator that manages such network or provides the communication service will inform the data subjects about said affectation and about the measures to adopt.

Last modified 14 Jan 2020
Enforcement

ANTAI, through a Directorate created for this purpose, is empowered to sanction data controllers or data processors that are found to have infringed data subject’s rights, in the course of an investigation of complaints filed and proven against them. Sanctions will be subjected to ANTAI, which will set the amounts of the sanctions applicable to the respective violations, according to the seriousness of them, which they will establish from a thousand US dollars (USD 1,000.00) up to ten thousand US dollars (USD 10,000.00).

Last modified 14 Jan 2020
Electronic Marketing

Law No. 51 of July 22nd, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”), and its bylaws establish in the Executive Decree No. 40 of May 19, 2009 (“Decree 40”) and Executive Decree No. 684 of October 18, 2013 (“Decree 684”) regulate the electronic documents and electronic signatures, as well as the rendering of data storage services, and the certification of the electronic signatures, and adopts other dispositions for the development of e-commerce. It establishes that Companies that sell goods or services in Panama, through the Internet, will be subject to the other provisions of national legislation that apply to them based on the activity they develop, regardless of the use of electronic means for their realization.  

With respect to email advertising, Panamanian law requires that all such emails:

  • State that they are commercial communications
  • Include the name of the sender
  • Set forth the mechanism through which the recipient may choose not to receive any further communications from the particular sender

These requirements apply to other promotional offers as well.

Further, although opt-out tools are not prohibited, the client's initial opt-in consent is specifically required if an entity wishes to use the client's email for advertising purposes. Further, although no specific prohibition has been enacted with respect to the use of information for online advertising, obtaining the customer's consent is always preferable.

Last modified 14 Jan 2020
Online Privacy

The existing regulatory framework does not yet address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 14 Jan 2020
Contacts
Ramon Ricardo Arias Porras
Ramon Ricardo Arias Porras
Galindo, Arias & Lopez
T +507 303 0303
Beatriz Cabal
Beatriz Cabal
Galindo, Arias & Lopez
T +507 303 0303
Jose Luis Sosa
Jose Luis Sosa
Galindo, Arias & Lopez
T +507 303 0303
Last modified 14 Jan 2020