Do you know your rights regarding the use of your personal data? If you have a database, do you know your obligations regarding data protection? Get to know the most important aspects of Panama’s Data Protection and Privacy Law and get the answers to these questions.

By Fernando González-Ruiz and Mariela de la Guardia Oteiza

Every time we make online purchases, request a service, or go to a medical appointment, we provide our personal data. But, are we sure that the information we are providing is being given the proper treatment to ensure that it is not misused or used for other purposes that we did not authorize?

Everyone should be clear about how their personal data is being collected, used, or processed, as well as what to do when there is a breach or misuse of the data.

Likewise, companies must be clear about, among other things, for how long the data can be collected in an organization, how it must be kept, how their system provides adequate confidentiality protection guarantees, the IT security they must apply, and who is responsible for protecting this information within the company.

This is why many countries are promoting laws related to Personal Data Protection, adapting these rules to new technological changes, as is the case of the European Union with the General Data Protection Regulation (GDPR), which came into effect in May 2018 and set a precedent within these rules.

Similarly, in Latin America, countries such as Argentina, Colombia, Brazil, Chile, Peru, and Mexico have begun either modifying their Personal Data Protection laws in order to comply with the standards imposed by the European Union with the General Data Protection Regulation, or developing new laws on the subject.

In the case of Panama, we did not have a specific law regulating the Protection of Personal Data; we only had general provisions on the subject, such as the National Constitution, Law 68 of 2003, which regulates the rights and obligations of patients regarding information and free and informed decision; the Law 24 of May 22, 2002, which regulates the information service on the credit history of consumers or customers, among other special laws.

The absence of a special Law on Personal Data Protection left a great void in our legislation on the subject of how the personal information of our citizens should be properly treated and that would provide real protection to our private life and other fundamental rights and freedoms. Privacy is a Human Right!

This is why, on March 26, 2019, Law 81 on Personal Data Protection was passed, which entered into force on March 29, 2021. This Law establishes the principles, rights, obligations and procedures that regulate the protection of personal data in our country.

But what is Personal Data?
Personal data is defined as any information concerning natural persons that identifies them or makes them identifiable.

Some of the most important aspects of this new Panamanian Law are the following:

To whom does Panama’s Data Protection Law apply?
Contrary to the General Data Protection Regulation (GDPR), which has an extraterritorial scope, our Law only applies to databases located in the territory of the Republic of Panama that store or contain personal data of nationals or foreigners or to those responsible for processing personal data (data controllers) domiciled in the country.

What exceptions apply?
There are exceptions to the scope of application of the Law, for data that is expressly regulated by special laws or by regulations that develop them. Some special laws are the Banking Law or the Law regulating the rights and obligations of patients.

Exceptions include:
1. Those carried out by a natural person for exclusively personal or domestic activities.
2. Those carried out by competent authorities for purposes of prevention, investigation or prosecution of criminal offenses or enforcement of criminal penalties.
3. Those carried out for the analysis of financial intelligence related to national security.
4. When it concerns the processing of data related to international organizations in compliance with international treaties or conventions.
5. Those resulting from information obtained through a previous anonymization procedure.

When may the processing of Personal Data be carried out?

The processing of personal data may be carried out when the following conditions are met:
1. That the consent of the data subject is obtained.
2. That the data processing is necessary for the execution of a contractual obligation.

3. That the data processing is necessary for the compliance of a legal obligation.
4. That the personal data processing is authorized by a special law or the regulations that implement them.

According to our Law, it is of utmost importance that the person who gives his consent for the processing of his personal data, is duly informed as to the purpose of the use of his personal data. Likewise, this consent must be obtained in a way that allows its easy traceability, by means of documentation, whether electronic or by any other appropriate mechanism.

Personal data must be used for the specific purposes for which they were authorized. If for any reason they are to be used for other purposes, the consent of the holder of the data must be obtained again.

What is considered as Sensitive Data?
Sensitive data are those that refer to the intimate sphere of the subject, or whose improper use may give rise to discrimination or entail a serious risk to the subject, such as racial or ethnic origin, religious beliefs or convictions, labor union membership, political opinions, data relating to health, life, sexual preference or orientation, genetic data or biometric data, among others.

It is important to know that the Law establishes that sensitive data cannot be transferred without the Data Subject’s consent.

What are the responsibilities of the data controller of personal data contained in databases?
Among the responsibilities of the data controller of personal data are to establish the protocols, processes and procedures for management and secure transfer, protecting the rights of the data subjects.

What rights do the Personal Data subjects have?

Among the rights that the Personal Data subject mentioned in this Law have, are the following:
1. Right of access: All data subjects should be able to obtain their personal data stored in databases of public or private institutions.
2. Right of rectification: The subject may at any time request the correction of personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate or false.
3. Right of cancellation: The subject may request the deletion of incorrect, irrelevant, incomplete, outdated, inaccurate or false personal data.

4. Right of opposition: this right allows the personal data subject to refuse to provide his personal data due to justified and legitimate reasons.
5. Right of portability: the subject has the right to obtain a copy of the personal data in a structured manner, in a generic and commonly used format which can be operated by different systems.

What are the infringements and penalties imposed by this new Law?
Infringements shall be considered as minor, serious or very serious and the sanctions may range from a citation before the National Authority of Transparency and Access to Information, which is the regulating entity for these matters, to the suspension and disqualification of the activity of storing and/or processing Personal Data. Infringements may include the collection of personal data in a fraudulent manner, processing personal data without having obtained the subject´s consent, storing or archiving personal data without adequate security conditions, among others.

The Law establishes that the National Authority of Transparency and Access to Information shall fix the amounts of the applicable sanctions and proportional to the seriousness of the offense, which shall be established from one thousand dollars (US$1,000.00) to ten thousand dollars (US$10,000.00).

These are just some of the points mentioned in this new Data Protection Law, which came into force in Panama at the end of March 2021. Up to the date of this article, the Executive Decree regulating this matter has not yet been approved, which could clarify and develop some of its points.

Recommendations
To conclude, we make some basic recommendations that organizations or companies that collect personal data from their customers on a daily basis should keep in mind:

• The company must have the prior, informed and unequivocal consent of the data subject to be collected and that the data is collected for the purpose for which they are required.
• If other use is to be made of this data, the consent of the data subject must be obtained again. This could apply to companies that have several lines of business or are part of a large company that has different corporate names for different types of business.
• We must not forget that this consent must be obtained in a way that allows its easy traceability by means of documentation, whether electronic or by any other appropriate mechanism.
• To adopt the technical measures to guarantee the security of the data under their custody and inform the data subjects as soon as possible when a data breach has occurred.
• Review the terms and conditions and privacy policy of the company’s website, as well as its cookies policy, to ensure that they are sufficiently clear to users.