For many countries across the globe, the European Union's data privacy regulation, the General Data Protection Regulation (GDPR) served as a catalyst for enacting data privacy measures and in general, heightened the urgency around the need to regulate the flow of personal data.

Latin America was no exception, with Brazil's General Data Protection Law, Lei Geral de Proteção de Dados Pessoais, or LGPD, commanding many of the headlines there over the past several years.

While other countries have made waves - Argentina, Ecuador, and Chile, among others have implemented similar data protection measures – in Central America, Panama has paved its own way over the years. Its law regulating data protection, Law No. 81 on Personal Data Protection - Ley Sobre Protección de Datos Personales - went into effect on March 29, 2021.

What Does Panama’s Data Protection Law Require?

Born out of Executive Order 285/2021, the law, which was passed back in 2019, requires data processors to obtain the prior consent of data subjects and be duly informed of the proposed use of his or her personal data.

In this case, the law defines personal data as any information that concerns natural persons, identifies them or makes them identifiable.

In addition to consent, data can also be collected under the following circumstances:

• When it’s necessary for the fulfilling a contractual obligation, provided that the data subject is a party.
• When it’s necessary for the fulfillment of a legal obligation to which the data controller is bound.
• When it’s is authorized by a special law or the regulations that develop them

Partially inspired by GDPR, the law also requires data processors to outline the main purpose of data collection and take efforts to ensure it is handled securely. Under the law, collected data should be kept confidential and be stored in a secure database for up to seven years, under the surveillance of the data keeper.

When it comes to data transfers under the law, it’s only possible to transfer data under certain data security measures and standards.

Companies need to have protocols and systems in place designed for the secure custody, collection and treatment of personal data in their databases. Organizations must adopt the appropriate technical and management measures to preserve security in the operation of the network in order to guarantee protection for personal data under the law, along with any certifications, protocols, and standards present from other authorities.

Who’s in Charge of Enforcing the Law?

A centralized authority designed to enforce the law, the Autoridad Nacional de Transparencia y Acceso a la Informacion, or ANTAI, supervises personal data processing in the country while a nine-member advisory agency, the Council for the Protection of Personal Data, supplies it with best practices, recommends policies around personal data protection, and helps develop regulations.

What Rights Does Panama’s Data Protection Law Grant Citizens?

Much like other laws passed around data protection, the concept of Panama’s is rooted in the concept that protecting personal data is a fundamental guarantee and that everyone has the right to access his or her information contained in public and private databases.

The law recognizes ARCO rights - basic rights of the owner of personal data - i.e. the Right of Access, Right of Rectification, Right of Cancellation, Right of Opposition and Right to Portability, meaning individuals can request their information from data controllers, which have 10 business days to satisfy the request. In the event the controllers don’t respond, data subjects can submit an appeal to the aforementioned ANTAI.

Who Has to Comply with Panama’s Data Protection Law?

• Organizations that maintain databases in Panamanian territory
• Organizations with databases that store or contain personal data belonging to nationals or foreigners
• Database owners or any person in charge of data processing who are domiciled in Panama
• Foreign companies whose commercial online activities target citizens of Panama

The law does not apply to personal data processing done outside of Panamanian borders, like that performed by databases in the cloud.

In addition, Panama's banking sector does not have to comply with the law as its already bound by the Superintendency of Banks of Panama, or the SBP, the regulator and supervisor of the banks and banking groups that operate in Panama.

Are There Repercussions Around Failing to Comply with the Law?

The ANTAI could sanction an individual who infringes any rights of the personal data owner and fine them accordingly. Infringements include collecting and using data without obtaining consent to failing to comply with technical and organizational measures to protect the database. Sanctions can vary, from $1,000 to $10,000. ANTAI can also order an organization to stop storing and processing data in Panama if the infringement is grave enough.

Having a solution in place that can help encrypt, classify and safeguard sensitive and personally identifiable information can go a long way in helping comply with data protection laws like Panama’s. Whenever compliance is the desired outcome, it’s vital to have the appropriate protocols and procedures in place to ensure you’re processing data correctly.