
Personal Data Protection in Panama

Privacy and the protection of personal data are important human rights that we must strive to protect. In Panama, the right to privacy is enshrined in Articles 29, 42 and 43 of the Constitution. Similarly, the American Convention on Human Rights, ratified by Panama, enshrines in its Article 11 the protection of the right to privacy.

When these rights are not properly protected, the lives of real people can be adversely affected. More and more data about each of us is being shared, more and more frequently, through a growing number of relationships with traditional businesses, e-commerce, financial institutions and government entities. In short, the list is endless. This is why many countries around the world have strengthened their data protection laws and have reinforced the compliance measures that can be imposed on an organization when privacy rights are violated.

For this reason, the importance of regulating the protection of personal data in Panama had long been pointed out, given the interactions that are constantly arising, especially in the cyber environment. Finally, Law 81 of March 26, 2019, published in Official Gazette 28743-A of March 29, 2019 on the Protection of Personal Data (“Law 81”) was enacted. This law will become effective on March 29, 2021.

Law 81 of March 26, 2019

This Law “aims to establish the principles, rights, obligations and procedures governing the protection of personal data, considering their interrelationship with the private life and other fundamental rights and freedoms of citizens, by natural or legal persons, public or private law, profit or not, who treat personal data under the terms provided in this Law.”

Key definitions:

Law 81 defines a series of terms related to data protection. Among the most important are:

Sensitive data. Data that refers to the intimate sphere of the holder, or whose improper use may give rise to discrimination or entail a serious risk for the holder. The following, among others, are considered sensitive: personal data that may reveal aspects such as racial or ethnic origin; religious, philosophical and moral beliefs or convictions; trade union membership; political opinions; data relating to health, life, sexual preference or orientation; and genetic data or biometric data, among others, that are subject to regulation and aimed at univocally identifying a natural person.

Personal data. Any information concerning natural persons, which identifies them or makes them identifiable.

Data processing. Any operation or set of operations, or technical procedures, automated or not, that make it possible to collect, store, record, organize, elaborate, select, extract, confront, interconnect, associate, dissociate, communicate, yield, exchange, transfer, transmit or cancel data, or use it in any other way.

Data Controller. Natural or legal person, under public or private law, whether for profit or not, who is responsible for decisions relating to the processing of data and who determines the purposes, means and scope, as well as issues related to it.

Database custodian. Natural or legal person, of public or private law, for profit or not, acting in the name and on behalf of the data controller for the processing and entrusted with the custody and conservation of the database.

Confidential data. Data that by its nature should not be known to the public or to unauthorized third parties, including data protected by law or by confidentiality or non-disclosure agreements, in order to safeguard information. In the case of the Public Administration, these are data whose processing is limited to the purposes of that Administration, or is allowed if the express consent of the owner is obtained, notwithstanding the provisions of special laws or the regulations that develop them. Confidential data will always be of restricted access.

Scope of application: Law 81 applies to databases located in the territory of the Republic of Panama that store or contain personal data of nationals or foreigners, or where the person responsible for processing the data is domiciled in the country.

Databases of subjects governed by special laws (for example, banking and insurance) are excluded from the Law, provided that these laws or the regulations that develop them establish the minimum technical standards necessary for the proper protection and processing of personal data, as established by Law 81. In addition, the following processing of personal data is excluded from the scope of Law 81:

  • Those carried out by a natural person for exclusively personal or domestic activities.
  • Those carried out by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal sanctions.
  • Those carried out for the analysis of financial intelligence and related to national security in accordance with the laws, treaties or international conventions that regulate these matters.
  • Those related to international organizations, in compliance with the provisions of the treaties and conventions in force ratified by the Republic of Panama.
  • Those resulting from information obtained through a prior procedure of dissociation or anonymization, so that the result cannot be associated with the data subject.

Requirements for the processing of personal data: The processing of personal data may be carried out if any of the following conditions are met:

  • That the consent of the data subject is obtained.
  • That the processing of the data is necessary for the execution of a contractual obligation, provided that the data subject is a party.
  • That the processing is necessary for the fulfilment of a legal obligation to which the data controller is bound.
  • That the processing of personal data is authorized by a special law or the regulations that develop it.

Cross-border processing:

The storage or transfer of original personal data or data stored within the Republic of Panama that is confidential, sensitive or restricted, that is processed across borders, shall be permitted provided that the data controller or custodian of such data complies with the standards of protection of personal data required by Law 81, or can demonstrate that it complies with the standards and rules of protection of personal data equal to or higher than those required by Law 81.

Exceptions:

  • When the data subject has given its consent to the transfer.
  • When the transfer is necessary for the signing or performance of a contract executed or to be executed by the interested party or in its interest.
  • In the case of bank, money and stock market transfers.
  • In the case of information required to be transferred in compliance with international treaties ratified by the Republic of Panama.

Processing of data that does not require the consent of the data subject:

  • Those coming from or collected from sources in the public domain or accessible in public media.
  • Those collected within the exercise of the functions of the Public Administration in the scope of its powers.
  • Those of an economic, financial, banking or commercial nature that have the prior consent.
  • Those contained in lists relating to a category of persons that merely indicate background, such as the natural person’s membership in an organization, profession or activity, educational qualifications, address or date of birth.
  • Those that are necessary within an established commercial relationship, either for direct attention, commercialization or sale of the goods or services that have been agreed upon.
  • The processing of personal data carried out by private organizations for the exclusive use of their members and of the entities to which they are affiliated, for statistical, rating or other purposes of general benefit to them.
  • In cases of medical or sanitary emergency.
  • The processing of information authorized by law for historical, statistical or scientific purposes.
  • Processing necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a minor or a disabled person.

Sensitive data:

Sensitive data cannot be transferred, except in the following cases:

  • When the data subject has given his explicit authorization, except in cases where the granting of such authorization is not required by law.
  • When necessary to safeguard the life of the data subject and he or she is physically or legally incapacitated. In these cases, the guardians, custodians or those who have the guardianship must give the authorization.
  • When it refers to data that are necessary for the recognition, exercise or defense of a right in a process with competent judicial authorization.
  • When it has a historical, statistical or scientific purpose. In this case, measures must be taken to dissociate the identity of the data subjects.

Where the consent relates to sensitive personal health data, the consent shall be prior, irrefutable and explicit.

General Principles and ARCO Rights: ARCO rights are recognized as inalienable rights. They are the rights that data subjects have to access, rectify, cancel and oppose the use of their data. In addition, Law 81 establishes a series of general principles that inspire and govern data protection and that guide the interpretation and application of the law. Among them are the principles of loyalty, purpose, proportionality, truthfulness and accuracy, data security, transparency, confidentiality, legality, and portability.

Conclusions: Any organization that processes personal data by any means, whether it is an e-commerce business, a government entity or any other, has the duty to do so while respecting the data subject's right to privacy. However, it is important to keep in mind that this is not an absolute or unlimited right. For example, it may be unavoidable to process a person's data in order to fulfill a contractual obligation of the company or a legal obligation, so the consent of the data subject will not always be the basis of justification for the processing of his or her personal data. In addition, there are contexts in which this right is not applicable.

Another issue to be considered is that the notions of personal data and personal data processing can be very wide-ranging. This should be kept in mind when a company or organization requests information, since only the minimum data necessary for the purpose for which it is requested should be collected. Likewise, personal data can only be used for the specific, legitimate and explicit purposes for which they were authorized when they were originally collected. Any other use of these personal data requires one of the following: the consent of the data owner; a special law approving such treatment; that the use is necessary for the fulfillment of a contractual obligation to which the data owner is a party; or that it is required by a public entity in the exercise of its legal functions or by order of a competent authority.

The concept of data protection is based on the fact that the data subject is the owner of the personal data and has the power to determine its use.

Finally, a regulatory decree is currently expected to develop the provisions of Law 81, which will surely add many more elements to be taken into account. However, it is recommended that companies begin a process of self-evaluation as soon as possible in order to adapt their different processes, contracts, and other documentation to comply with the obligations that arise from Law 81.

The world changes at a dizzying pace and with each step technology takes, new environments emerge. The most significant recent development arose through the Internet, which continues to evolve and transform the way we communicate and do business. This has brought with it the need to protect the technological infrastructure against countless threats in this increasingly complex environment. Many will attempt to steal competitors' secrets (corporate and industrial espionage) or personal data for extortion, or will engage in theft of financial assets, blackmail, blocking of systems, identity theft, destruction of information and the sale of data on the dark web, among others.

All of the above implies that, since data exists in a digital as well as a physical environment, it is important for organizations to guarantee the security of data even before acquiring it.

In 2019, a new personal data protection law was passed in Panama. This law will come into force in March 2021 and will require companies to implement protocols and systems for the custody, collection and treatment of the personal data contained in their databases.

Author(s)

Denisse Correa

Senior Associate

Mario Preciado

Attorney
