OBJETIVE

ICAZA, GONZÁLEZ-RUIZ & ALEMÁN, affiliated companies and representatives; hereinafter “IGRA”, is responsible for the processing of the Personal Data of its clients, potential clients, visitors, suppliers, professionals, partners, associates, employees, candidates, professional trainees and all those who share their data with us.

IGRA has established and makes available the following Policy in order to ensure compliance with the “ARCOP” rights (i) Access, (ii) Rectification, (iii) Cancellation, (iv) Opposition and (v) Portability. Likewise, IGRA shall apply the provisions on Personal Data Protection established in the national constitution, laws, decrees and applicable regulations.

IGRA has appointed a Data Protection Officer, in charge of supervising and ensuring true compliance with the provisions set forth in this Policy.

Name: Adolfo González Ruiz

Contact: dataprotection@icazalaw.com

Office: Calle Aquilino de la Guardia No. 8 Edificio IGRA

City: Panama

Country: Republic of Panama

 

SCOPE

This Policy shall be applicable to the databases in which Personal Data is stored or kept under the management of IGRA, of nationals or foreigners of its clients, potential clients, visitors, suppliers, professionals, partners, associates, employees, candidates, professional trainees and all those who share their data with us.

IGRA is not responsible for the information and Personal Data contained in public or private databases managed by third parties.

 

DATA PROCESSED

Data Classification

Information and Personal Data is collected when voluntarily received, when requesting or using the services offered by IGRA. This data is used and protected by the law firm, and shall only be used for the purposes set forth in this Policy. The data collected are classified as:

Personal Data

  • Identity Data: full name, birth date, nationality, Passport or personal identity number, picture or photograph.
  • Contact Data: physical address, email address, telephone numbers and in the event of being a legal person, domicile and tax identification number.
  • Academic Data: information relating to academic background such as high school diplomas and professional degrees, certificates of qualification and training.
  • Labor data: information relating to experience; as well as, knowledge and skills.
  • Demographic data: information for statistical analysis.

Personal Sensitive Data

  • Ideological Data: information relating to politically exposed persons “PEPs”, beliefs, goals, values, personal and family interests.
  • Data on administrative or judicial proceedings.
  • Property data: movable and immovable property, source of funds, income and expenses, bank accounts, insurance, bonds, credit history, tax information.
  • Health Data: information relating to the state of physical or mental conditions.

Data Update

In order to comply with the principle of truthfulness and accuracy, it shall be necessary for the Data Subject who maintains a current relationship with IGRA to inform of any change in his/her Personal Data in order to update the information in our databases. The Data Subject must inform this change within thirty (30) calendar days after the change is made.

 

PURPOSE OF DATA PROCESSING

When using the services offered by IGRA, by completing forms, sending emails among others, you will be asked for personal information to be able to contact you, identify you or to carry out our professional activity, based on the following specific purposes:

Clients, Suppliers and/or Professionals

  • To comply with special laws, as a Regulated Entity, we apply due diligence processes, risk assessments, among others.
  • For the drafting of service proposals.
  • To perform obligations under a contract entered into by you for the provision of services with IGRA, including the rendering of the service.
  • To manage the collection of obligations.
  • To confirm and update information about their Personal Data, in order to comply with legal obligations in the jurisdictions where IGRA operates.
  • To defend your legal rights; as well as, complying with judicial and/or administrative orders if necessary.
  • To answer their comments, questions and requests.
  • To send technical notices, updates, security alerts, and administrative and support messages (such as changes to terms, conditions and policies).
  • To comply with payment for the provision of their services.
  • IGRA shall process Personal Data of those who attend educational or other events which are organized by the law firm, either individually or jointly with third parties, primarily to maintain event registration, to maintain direct communications and to send information about the event. This includes the transfer of your Data to the co-organizers of the event.

Candidates

  • For assessing candidates, we collect information that you provide to us through your resume, forms, interviews or references, in accordance with internal policies.

Employees and partners

  • To comply with the know your employee policy.
  • Preparation of payroll, payment of salary and any other compensation that may be due.
  • For IGRA employees and its affiliates to comply with their obligations arising from the labor relationship; as well as to exercise their rights.
  • IGRA shall process Personal Data of those who attend educational or other events which are organized by the law firm, either individually or jointly with third parties, primarily to maintain event registration, to maintain direct communications and to send information about the event. This includes the transfer of your Data to the co-organizers of the event.

Professional Trainees

  • IGRA collects and processes your Personal Data in order to carry out its obligations arising from their professional practice, as well as to exercise their rights.

Visitors to IGRA’s facilities

  • IGRA may collect and process Personal Data, including security camera images, from visitors to the facilities as a preventative measure and to comply with internal security controls.

Public in general

  • IGRA collects and processes Personal Data from those who connect to the various platforms (websites, social networks, email), to answer queries, process complaints, send market information such as newsletters, marketing or promotional materials and other relevant information; as well as information about new products or services, events and news. For more information you can access our Privacy Notice.
 

CONSENT OF THE DATA SUBJECT

For the Processing of Personal Data, IGRA shall obtain the prior consent of the Data Subject.

The consent of the Data Subject is not required in the case of:

  • Personal Data that is required for compliance with special laws, in its condition as a Regulated Entity.
  • That which comes from or is collected from sources in the public domain or accessible in the public media.
  • Information required by a public or administrative body in the exercise of its legal functions or by judicial orders.
 

DATA RETENTION

General Data

After having terminated the professional or contractual relationship with IGRA, the Personal Data is anonymized or disassociated, unless otherwise provided for in the laws governing our professional activities.

IGRA may keep the Data, beyond its preservation:

  • For the formulation, exercise or defense of claims.
  • For compliance with the laws that govern our activities.

Images and Entry and Exit Records

The collected images (recordings) are destroyed after one (1) month. Entry and exit records of visitors are destroyed after three (3) months, unless they are required to be kept by order of a competent authority.

Recruitment Information

Personal information collected during the selection process is kept for a period of one (1) year and then destroyed.

Employees and/or Partners Information

Once the labor relationship has ended, we retain your data in accordance with the applicable special laws, such as Law 51 of 2005, which amends the Organic Law of the Social Security Institution and establishes other provisions, in which a 20-year period is defined for the statute of limitations of contributions.

 

DISCLOSURE AND TRANSFER

In the course of its professional activities, IGRA may exchange Data to its business partners, and consult external data sources for the sole purpose of providing and promoting its professional services and to comply with due diligence processes.

Whenever it is necessary to transfer or exchange personal information for the stated purpose, the protection and confidentiality of the Data is always ensured.

IGRA may resort to cloud providers, which must comply with appropriate standards, rules, certifications, protocols, technical and IT management measures to preserve the security and confidentiality of the information in the provision of its services.

 

INFORMATION SECURITY AND STORAGE

Procedures have been implemented and applied, as well as internal policies in all jurisdictions where IGRA operates, in order to maintain the confidentiality and privacy of the Data, pursuant to the provisions of special laws and best practices in the field of information security. You can view our privacy notice in the following link: Privacy Notice.

IGRA stores Personal Data for processing either in electronic form through servers that meet the requirements to ensure the confidentiality and protection of the information, or in physical files, which are kept in a secure environment and used only for purposes for which they have been collected.

Our employees’ access to your information is restricted and limited only to those who are authorized and trained in the proper handling of personal data information.

In the event that IGRA becomes aware of a breach of security of Personal Data collected in the exercise of its functions, it shall have a maximum period of seventy-two (72) hours as of the time the incident becomes known to notify both the Data Subject and the supervisory authority “National Authority for Transparency and Access to Information” (ANTAI for its acronym in Spanish).

The notice shall contain at least the following:

  • The nature of the incident
  • Compromised personal data
  • Corrective actions carried out immediately.
  • Recommendations to the Data Subject on the measures that he/she may adopt in order to protect his/her interests.
  • Means available to the Data Subject to obtain more information in this regard.
 

RIGHTS AS DATA SUBJECT

  • Access. The Data Subject may obtain his/her Personal Data, know its origin and the purpose for which it has been collected, within a period not exceeding ten (10) working days as of the request.
  • Rectification. The Data Subject may request the correction of his/her Personal Data, if he/she considers them to be incorrect, irrelevant, incomplete, outdated, inaccurate, false or inappropriate. The corresponding correction shall be made within five (5) working days following the request.
  • Cancelation. The Data Subject may request the deletion of his/her Data, if he/she considers that it is incorrect, irrelevant, incomplete, outdated, inaccurate, false or inappropriate. The deletion shall be made within five (5) working days following the request. Nevertheless, the Data may not be cancelled if the storage of the Personal Data is required by special laws, such as laws for the prevention of money laundering, taxation, among others.
  • Objection. When the Data Subject considers that there are well-founded and legitimate reasons related to a particular situation, he/she may refuse to provide his/her Personal Data or to be subject to certain processing, as well as to revoke his/her consent. The objection shall be given within a period not exceeding ten (10) working days following the request. If applicable, no alternate measures to our policies and procedures may be applied to comply with the due diligence of shareholders, directors, customers and suppliers, failing to have such Personal Data shall prevent IGRA as a Regulated Entity from starting or maintaining the relationship.
  • Portability. The right to obtain a copy of the Personal Data in a structured manner, in a generic and commonly used format, which allows it to be operated by different systems and/or transmitted to another controller, when:
    • The Data Subject has provided his/her Data directly to the Data Controller.
    • It is a relevant volume of Data, processed in an automated manner.
    • The Data Subject has consented to the processing or it is required for the performance or execution of a contract.

Portability shall be provided within ten (10) working days following the request.

At any time, the Data Subject may exercise these rights, which cannot be waived, except for the exceptions established in special laws. In certain circumstances, Data Subjects may request the limitation of the processing of their Data, in which case they shall only be kept for the exercise or defense of claims.

 

REQUEST PROCESSING

Exercise of rights: The Data Subject may exercise their rights of access, rectification, cancellation, opposition and portability of their Personal Data within the time periods and conditions set forth pursuant to the provisions of number 9. of this Policy, by means of the  Data Request Form.

If the Data Subject chooses, he/she may also deliver the form in person at our main offices located in the Republic of Panama.

In order to exercise the Data Subject’s rights, he/she must evidence his/her identity and/or invoked representation, as well as evidence of the veracity and origin of the information that he/she wishes to include, modify, update or delete.

The request shall contain, as a minimum, the following:

  • Full name and identity number of the Personal Data Subject, or of the person legally authorized to represent him/her.
  • It must be signed by the Data Subject.
  • It must contain the explanation of the right requested, the identification of the Personal Data they wish to submit for review.
  • It must contain the email address of the Personal Data Subject, in order to receive any communication related to the request; as well as a copy of the identity certificate or passport of the Personal Data Subject. Additionally, in the event that a representative is involved, a notarized power of attorney and a copy of the identity certificate or passport of the attorney in fact must be attached.

If the Personal Data Subject or representative does not submit the information requested in the forms or insists on not complying with the requirements, he/she shall be notified by e-mail that it has not been possible to address his/her request due to the lack of information to process it, and the record shall be lodged in the corresponding file.

If all the required points of the request are fulfilled, the Data Subject or representative shall be notified of the response by e-mail within the aforementioned time periods.

If the Designated Officer does not decide on the Personal Data Subject’s request within the time periods established in this Policy, the Personal Data Subject shall have the right to appeal before the “National Authority for Transparency and Access to Information (ANTAI), through the Personal Data Protection Directorate. In the case of subjects regulated by special laws, the citizen shall have to resort to the regulatory authority, and in the absence of a response from the latter, shall have to resort to the National Authority for Transparency and Access to Information (ANTAI).

 

VALIDITY AND MODIFICATION

This policy was updated on 27 October 2023.

IGRA may modify or amend the Data Protection Policy when necessary, informing about it on the website https://www.icazalaw.com/es/, when changes are made, the review date shall be updated, and such modification shall be effective as of the update date.

For this reason, it is suggested that this policy be reviewed periodically, in order to stay informed about the protection mechanisms implemented for the protection of IGRA‘s personal information.

If you have any doubts, complaints or queries regarding this policy, you can contact us at the same e-mail address dataprotection@icazalaw.com.