Data Protection and Privacy in Panama
08/04/2021
Podcast: Lessons from the first reporting period of Economic Substance in the BVI
08/04/2021Do you know your rights regarding the use of your personal data? If you have a database, do you know your data protection obligations? Learn the most important aspects of Panama’s Data Protection Law and get the answers to these questions.
By: Fernando Gonzalez-Ruiz M and Mariela of the Oteiza Guard .
Every time we make online purchases, request a service or go to a medical appointment, we provide our personal data. But are we sure that the information we are providing is being treated appropriately to ensure that it is not misused or used for purposes that we do not authorize?
Everyone should be clear about how their personal data is being collected, used or processed, and know what to do when it is leaked or misused.
Likewise, companies must be clear about, among other things, how they should keep them, know that their system provides adequate guarantees of confidentiality protection, and who is responsible for protecting that information within the company.
This is why many countries are promoting laws related to the Protection of Personal Data, adapting these regulations to new technological changes, as is the case of the European Union with the General Data Protection Regulation (GDPR), which set a precedent within these regulations.
Similarly, in Latin America, countries such as Argentina, Colombia, Brazil, Peru and Mexico have begun to modify their Personal Data Protection laws, in order to comply with the standards imposed by the European Union with the GDPR, or to develop new laws on the matter.
In the case of Panama, we did not have a specific law regulating the Protection of Personal Data, we only had general provisions on the matter, such as the National Constitution, Law 68 of 2003 that regulates the rights and obligations of patients in terms of information, Law 24 of May 22, 2002, which regulates the credit history information service, among other special laws.
The absence of a special Law on Personal Data Protection left a large gap in our legislation on the subject of how the personal information of our citizens should be properly treated and how to provide real protection to our private lives and other fundamental rights and freedoms.
For this reason, on March 26, 2019, Law 81 on Personal Data Protection was approved, which came into effect on March 29, 2021. This Law establishes the principles, rights, obligations and procedures that regulate the protection of personal data in our country.
But what is Personal Data?
Personal data is defined as any information concerning natural persons that identifies them or makes them identifiable.
Some of the most important aspects of this new Panamanian law are the following:
To whom does the Panama Data Protection Law apply?
A diferencia del GDPR , que tiene un alcance extraterritorial, nuestra ley sólo aplica a las bases de datos que se encuentren en el territorio de la República de Panamá que almacenen o contengan datos personales de nacionales o extranjeros o a los responsables del tratamiento de datos que estén domiciliados en el país.
¿Qué excepciones aplican?
Existen excepciones al ámbito de aplicación de la Ley, para aquellos datos que expresamente se encuentren regulados por leyes especiales o por normativas que las desarrollen.
Dentro de las excepciones se encuentran:
- Los que realice una persona natural para actividades exclusivamente personales o domésticas.
- Los que realicen autoridades competentes con fines de prevención, investigación o enjuiciamiento de infracciones penales o de ejecución de sanciones penales.
- Los que se efectúen para el análisis de inteligencia financiera relativos a la seguridad nacional.
- Cuando se trata de tratamiento de datos relacionados con organismos internacionales en cumplimiento de tratados o convenios internacionales
¿Cuándo podrá realizarse el tratamiento de Datos Personales?
El tratamiento de datos personales, podrá realizarse cuando se cumplan las siguientes condiciones:
- Que se obtenga el consentimiento del titular.
- Que el tratamiento de los datos sea necesario para la ejecución de una obligación contractual.
- Que el tratamiento de los datos sea necesario para el cumplimiento de una obligación legal.
- Que el tratamiento de los datos personales este autorizado por una ley especial o las normativas que lo desarrollan.
Según nuestra ley, es de suma importancia que la persona que da su consentimiento para el tratamiento de sus datos personales, esté debidamente informada del propósito del uso de sus datos. Igualmente, este consentimiento debe obtenerse de tal manera que permita su fácil trazabilidad, mediante documentación, sea electrónica o mediante cualquier otro mecanismo que sea adecuado.
¿Qué se considera como Datos Sensibles?
Los datos sensibles son los que hacen referencia a la esfera íntima del titular, o cuya utilización indebida pueda dar origen a discriminación o conllevar un riesgo grave para este, como su origen racial, convicciones religiosas, opiniones políticas, datos relativos a la salud, a la vida, a la orientación sexual, ldatos genéticos o biométricos, entre otros.
Los datos sensibles no pueden ser objeto de transferencia sin el debido consentimiento del titular.
¿Cuáles son las responsabilidades de los encargados del tratamiento de los Datos Personales en Bases de Datos?
Dentro de las responsabilidades de los encargados del tratamiento de los Datos personales está la de establecer los protocolos, procesos y procedimientos de gestión y transferencia segura que protejan los derechos de los titulares de los datos.
¿Qué derechos tienen los titulares de los Datos Personales?
Among the rights that the holders of Personal Data have, as mentioned in this law, are the Right to Access, rectification, cancellation, opposition and portability of their data.
What are the violations and penalties imposed by this new law?
Violations will be considered minor, serious or very serious and the sanctions may range from a summons before the National Authority for Transparency and Access to Information (ANTAI), which is the regulatory body for these matters, to the suspension and disqualification of the activity of storing and/or processing Personal Data.
The law establishes that ANTAI will set the amounts of the applicable sanctions proportionally to the severity of the violations, which will be established from one thousand ($1,000.00) to ten thousand dollars ($10,000.00).
recommendations
Finally, we make some basic recommendations that organizations or companies that collect personal data from their clients on a daily basis should keep in mind:
- That they have the prior, informed and unequivocal consent of the owner of the data to be collected and that these are collected for the purpose for which they are required.
- If the data is to be used for another purpose, the data subject’s consent must be obtained again. This could apply to companies that have multiple lines of business or are part of a larger company that has different corporate names for different types of business.
- That they adopt technical measures to guarantee the security of the data in their custody and inform the owners as soon as possible when the data has been breached.
- Review the company’s website terms and conditions and privacy policy, as well as its cookie policies, to ensure that they are clear enough for users.
These are just some of the points mentioned in this new Data Protection Law that comes into effect in Panama at the end of March 2021.
*This article was originally published in Issue 80 of Marcasur Magazine.
