Panama’s Law No. 81 on Personal Data Protection 2019

Panama’s Law No. 81 on Personal Data Protection 2019 is a comprehensive data privacy law that was passed in 2019 and came into effect in March of this year. Law No. 81 on Personal Data Protection 2019 was enacted for the purposes of regulating privacy and data protection manners within Panama. To this end, the law outlines the various obligations and requirements that data controllers and processors within the country must abide by when handling the personal data of data subjects. As such, Law No. 81 on Personal Data Protection 2019 effectively guarantees the data privacy rights of Panamanian citizens.

What is the scope and application of Law No. 81 on Personal Data Protection 2019?

In terms of the personal scope and application of the law, Law No. 81 on Personal Data Protection 2019, “all principles, rights, obligations, and procedures related to the protection of personal data, considering its interrelation with private life and other fundamental rights and freedoms of citizens”, apply to legal or natural persons, private or public law, as well as both nonprofit and for-profit organizations and businesses. Alternatively, the territorial scope of the law applies to the following:

• Databases that are located within the territory of the Republic of Panama.
• Databases that store or contain personal data from foreigners or nationals.
• Any person in charge of data processing who is based within Panama.

What’s more, the material scope of the law also outlines four distinct terms as it relates to personal data, including confidential data, obsolete data, data managers, and data processing. These definitions for these terms are as follows:

• Confidential data– Information that must not be of public knowledge due to its nature.
• Obsolete data– Information that is out of date.
• Data manager– “a natural or legal person, public or private, responsible-on behalf of the owner for the database”.
• Data processing– “any operation or set of operations or technical proceedings (automatic or not) that allows the collection, storage, recording, organizing, elaborate, selection, extraction, opposing, detachment, connection, association, dissociation, communication, assignment, exchange, transfer, transmission, or cancellation of data or uses it in any other way”.

What are the data protection principles of Law No. 81 on Personal Data Protection 2019?

The data protection principles that govern the protection of personal data under the Law No. 81 on Personal Data Protection 2019 include:

• The principle of loyalty.
• The principle of purpose.
• The principle of proportionality.
• The principle of truthfulness.
• The principle of data security.
• The principle of transparency.
• The principle of confidentiality.
• The principle of lawfulness.
• The principle of data portability.

In addition to the data protection principles listed above, there are also a number of obligations that both data controllers and processors must act in accordance with when handling personal data. Some of these obligations include developing procedures and protocols for the purposes of protecting personal data during data transfers, maintaining accurate data processing records including the receipts of such data transfers, and informing any affected parties in the event of a data breach. Furthermore, data controllers and processors are also responsible for creating written contracts between one entity and another, ensuring that these receive parental consent when collecting data from children, and retaining personal data for a period of no longer than 7 years.

What are the rights of Panamanian citizens under Law No. 81 on Personal Data Protection 2019?

Under Law No. 81 on Personal Data Protection 2019, Panamanian citizens are guaranteed a variety of rights as it pertains to the protection of their personal data. These rights include:

• The right to be informed– Data subjects have the right to request that a data controller provide said data subjects with any personal data concerning them, without charge, for a period of ten days.
• The right to access– Data subjects have the right to access any personal data that a data controller may hold about them.
• The right to rectification– Data subjects have the right to request that a data controller rectify any personal data that is found to be false, inaccurate, outdated, irrelevant, incorrect, or non-appropriate concerning them,
• The right to erasure– Data subjects have the right to request that a data controller erase personal data pertaining to them, on the grounds of well-founded and legitimate reasons.
• The right to object or opt-out– Data subjects have the right to refuse to provide data controllers with personal data concerning them, as well as revoke any consent they may have previously given said data controllers.
• The right to data portability– Data subjects have the right to obtain a personal copy of their personal data in a generic, structured manner in a commonly used format, that may allow for transmission or management to another custodian.
• The right to not be subjected to automated decision making– Data subjects have the right to not be subject to decision making based solely on the automated processing of their personal data, if said automated processing could produce a negative legal effect.

In terms of penalties and punishments in relation to violation of the law, Law No. 81 on Personal Data Protection 109 is enforced by the Autoridad Nacional de Transparencia y Acceso a la Información or ANTAI for short. As such, the ANTAI has the authority to issue sanctions ranging from $1,000 to $10,000 to data controllers found to be in non-compliance, depending on the scope and severity of the said offense. Moreover, the ANTAI also has the power to order both data controllers and processors to cease their operations, should they violate the law repeatedly.

In passing Law No. 81 on Personal Data Protection 109 in 2019, Panama joined one of a handful of countries to pass a comprehensive data privacy law such as the EU’s General Data Protection Regulation or Brazil’s General Data Protection Law or LPGD, despite the fact such laws are not particularly common within their region. To this point, Panama is ahead of the curve as it pertains to data protection within Central America. As a result of this, Panamanian citizens can have the peace of mind that their personal data is being safeguarded and protected at all times when being collected, processed, and disclosed.