Following a new Personal Data Law coming into force (law 81) on 29th March 2021 with the legislation of the regulating Executive Decree thereof a few months later on 28th May, Panama has updated its legal guidelines governing the protection of personal data handled by third parties, both for the public and private sectors, with the aim of preventing any use of said data which may infringe on people’s privacy, or worse still, expose them to be victims of fraud, scams, and identity theft.
The guidelines of these new regulations will be applicable to databases and to those responsible for treating any data within the Panamanian territory. They state that both public and private entities must make the appropriate adaptations in how they handle their clients’ personal data or what their technology providers do with said data to correctly implement and execute the new Law 81 for the protection of data.
The regulations establish the rights, obligations, and procedures for the storing of said personal data, which is the property of its holder and, therefore, its use must have the express consent of said person, with a knowledge of the scope of its use, maintenance, exchange, and treatment, in accordance with the exceptions that are established by the law for those entities regulated by specific laws.
To do this, specialists recommend to document the consent (authorization) granted by the owners of the data, collecting only the relevant information for the corresponding purposes and having a data traceability and security system in place.
Individuals can now file a claim or complaint with the National Transparency and Access of Information Authority (ANTAI, in Spanish) against whoever infringes on the transfer of their data, whether they are responsible for the treating and/or custody of said personal data. Law 81 establishes minor, serious, and very serious penalties which range from USD 1,000 to USD 10,000 under criteria that consider the intention, reiteration, nature, and extent of damages caused. Furthermore, the Executive Decree 285 also establishes the terms and conditions for the actions and penalties, depending on the severity of the infraction.
The Panamanian regulations also embody the right to the rectification of any incorrect information and to the removal thereof, with some exceptions established by law whenever the bearer deems that said data is not required for the purposes for which it was requested or if simply they have decided to withdraw their consent, or if the data has been obtained illegally.
The law establishes that ANTAI is the governing body on this matter through its Department of the Protection of Personal Data, and it is the corresponding entity to send any enquiries or claims to. In those cases related to information and communication technology, the organisation will also be supported by the National Authority for Governmental Innovation.