With the enactment of Law No. 81 on Protection of Personal Data, the Republic of Panama aims to establish the principles, rights, obligations and procedures that regulate the protection of personal data, also considering their interrelation with private life and other rights and fundamental freedoms of citizens, by natural or legal persons, public or private law, lucrative or not, that process personal data in the terms provided in the Law.
Storage or transfer of personal data:
The storage or transfer of personal data of a confidential, sensitive or restricted nature, outside the territory of Panama, by the company responsible for the storage of data or custody thereof, will be allowed, provided that the company and/or country of residence have standards of protection comparable to those of the Law or if the entity that transfers the data makes sure to adopt all the necessary steps so that it is protected. The following cases are excepted from the aforementioned requirements: (1) when the owner has granted its consent for the transfer; (2)when the transfer is necessary for the execution or enforcement of a contract by the interested party; (3) in cases of bank or money or stock exchange transfers; and (4) in case of information whose transmission is required by law or in compliance with international treaties ratified by Panama.
It establishes the obligation to develop procedures, protocols and processes for the management and transfer of data that includes the appropriate security methods.
Consent of the owner of personal data:
It is established that the processing of personal data can only take place as permitted in this Law, or with the consent of the owner of the data.
Definition of sensitive data:
Sensitive data refers to the private sphere of its owner or whose misuse could give rise to discrimination or entail a serious risk for him/her– for example, of racial origin, religious beliefs, union affiliation, political opinions, data related to the health, life, preference or sexual orientation, genetic data or biometric data, among others aimed at uniquely identifying a natural person.
Sensitive data can not be transferred except: (i) by explicit consent of the owner; (ii) when necessary to safeguard the owner's life; (iii) when it is necessary for the recognition, exercise or defense of a right in a judicial proceeding; and (iv) when it has a historical, statistical or scientific purpose.
Rights of Access, Rectification, Cancellation, Opposition and Portability:
The rights of owners of personal data to exercise over those responsible for database processing are: (i) Access (to obtain the data and know the purpose and origin for which they were collected), (ii) Rectification (to access and request correction, modification or update), (iii) Cancellation (to request deletion of data), (iv) Opposition (refusal to provide or revoke its consent) and (v) Portability (right to obtain a copy of all personal data in a structure matter in certain circumstances).
The database custodians that transfer personal data stored in a database to third parties must keep a record of them, which must be available to ANTAI, if requested to do so.
Personal Data Protection Council:
The Personal Data Protection Council is created, which has the following functions: to advise ANTAI in relation to the Law, recommend public policies, evaluate cases submitted for consultations and develop internal regulations and it is composed by:
(1) the Minister of the Ministry of Commerce and Industries;
(2) the General Administrator of the Authority for the Protection of Consumers and the Defense of Competition (ACODECO);
(3) the General Director of ANTAI;
(4) the Ombudsman, or its nominee;
(5) a representative of the National Council of Private Enterprises (CONEP);
(6) a representative of the National Bar Association;
(7) a representative of the Panama Banking Association;
(8) a representative of Electoral Tribunal; and
(9) a representative of the Chamber of Commerce, Industry and Agriculture.
The National Government Innovation Authority will have the right to address the council as a technical advisor.
Duty to compensate for pecuniary and/or moral damages caused by the unlawful handling of personal data.
National Authority for Transparency and Access to Information (“ANTAI”):
Right to appeal against ANTAI in case of claims to any database storage operator to resolve differences in the exercise of the aforementioned rights. The competent body for the fulfillment of the obligations of this Law is ANTAI except in the case of estities regulated by special laws, in which case the claimant must first submit its claim to the competent regulatory authority. The ANTAI, through the Directorate established to consider the matter, is granted the powers to impose sanctions. The decision of the Directorate in the ANTAI established to consider these proceedings may be challenged through a reconsideration appeal. A subsequent appeal may be filed with the Director General of ANTAI.
The sanctions may be between US$1,000 and US$10,000, depending on the severity and recurrence and may be a written warning, citation before the ANTAI, fine, closure of the database registration or suspension and disqualification of the storage activity and/or treatment of personal data. There are minor infractions (for example: not sending the information required by ANTAI), serious infractions (for example: processing data without the owner's consent) and very serious infractions (for example: the collection of personal data in a malicious way).
This law will take effect two (2) years after its promulgation.