The Panamanian Data Protection Law


The Data Protection Law entered into force in March 2021, two years after its publication on March 29, 2019. This law -although imperfect- was a pending issue that had the Panamanian State in terms of privacy of the information of its citizens.

The Data Protection Law entered into force in March 2021, two years after its publication on March 29, 2019. This law -although imperfect- was a pending issue that had the Panamanian State in terms of privacy of the information of its citizens.

The Law 81 regulates and limits the processing of personal data, understanding the same as any information concerning a natural person that directly or indirectly identifies or makes them identifiable.

This Law establishes that the data collected must have the consent of the data owner and that they must be treated respecting the principles of loyalty, purpose, proportionality, veracity, accuracy, security, transparency, confidentiality, legality, and portability.

There are some exceptions, some controversial, that make data use more flexible in some areas. Among the uses that do not require express consent are personal data used for judicial investigation, financial intelligence, those shared with international organisations, or previously disassociated or anonymized information, such as that shared in the results of statistical surveys.

As for sensitive data, it refers to the intimate sphere of the owner, the use of which may give rise to discrimination or serious risk. Aspects of ethnic, racial origin, religious, philosophical, and moral beliefs or convictions, union affiliation, political opinions, data related to health, life, sexual preference, genetic data, biometrics, etc., fall into this category.

Another core point is to understand that for the processing of personal data by a third party that collects it, there must be consent from the owner of that data, except for legal compliance with a contract, or the use of industries. with special regulations, such as banking, examples. Consent can be given electronically and can be revoked at any time by the data owner, without retroactive effect, according to the law.

Citizens must know that they can request the suspension of the use or transfer of their data at any time, in addition to having the right to access them at any time, to rectify, cancel, oppose, or be provided with a copy of the data. themselves (portability).

On the other hand, authorization is not required if the data is collected from public domain sources, is collected by the government, financial and/or commercial entities that have prior consent, the data required for commercial relations, medical urgency or data, those collected for historical, statistical or scientific purposes.

Such information may only be used for the purpose for which it was collected and authorised. The governing entity that penalises offences against those affected is the National Authority for Transparency and Access to Information (ANTAI).

To request the cancellation or sanction for the misuse of personal data, you must first go to Antai, except for data collected under the scheme of sectors regulated by special laws. In this case, the affected party must request the regulatory entity, such as banking, medical, or insurance. If the regulators do not respond promptly, then the affected party can go to ANTAI.

The law lists the main offences and establishes a range of one thousand to ten thousand dollars to impose the fine. This was the case of the digital medium, which was denounced for publishing the public document for private access, an action for which it was fined $1,000 by ANTAI. The fine was eventually suspended due to an appeal filed by the newspaper, but at the same time, the case aroused necessary debates about the scope of the law and its interpretations, debates that perhaps did not take place in all their magnitude at the time the Law was approved.

This opens a new chapter for the improvement of this Law, which, although it covered all the interests of the financial sector, did not do so for the other information sectors. But let's not lose sight of the fact that this is a Law that protects the data rights of people, of all. And this personal right must be above any business interest.


Article provided by INPLP member: Lia Hernández Pérez (Legal IT Abogad@s, Panama)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.