Icaza Gonzalez-Ruiz & Aleman
What law(s) specifically govern personal data / information?
Law No. 81 of March 26th, 2019 "On Personal Data Protection"
Executive Decree No. 285 of May 28th, 2021 "Whereby Law 81 of 2019 on Personal Data Protection is regulated"
What are the key data protection principles in this jurisdiction?
Principle of loyalty: personal data must be collected without deception or falsehood and without using fraudulent, unfair or illicit means.
Principle of purpose: personal data must be collected for specific purposes and not further processed for purposes that are incompatible with or different from those for which it was requested, nor kept for longer than necessary for the purposes of the processing.
Principle of proportionality: only data that is adequate, relevant and limited to the minimum necessary in relation to the purpose for which it is required should be requested.
Principle of truthfulness and accuracy: personal data shall be accurate and kept up to date so that it truthfully reflects the current situation of the data subject.
Principle of data security: those responsible for processing personal data must take the necessary technical and organisational measures to ensure the security of the data in their custody, especially when the data is considered sensitive, and promptly inform the data subject when the data has been obtained without authorisation or there are sufficient indications that its security has been breached.
Principle of transparency: any information or communication to the data subject regarding the processing of their personal data must be in simple and clear language, and must keep them informed of all the rights that protect them as the owner of the data, including the possibility of exercising their ARCO rights (access, rectification, cancellation and opposition).
Principle of confidentiality: all persons involved in the processing of personal data are obliged to keep it secret and confidential, even after their relationship with the data subject or data controller has ended, and to prevent unauthorised access or use.
Principle of legality: for the processing of personal data to be lawful, the data must be collected and processed with the prior, informed and unequivocal consent of the data subject or on another legal basis.
Principle of portability: the data subject has the right to obtain from the data controller a copy of the personal data in a structured manner and in a generic and commonly used format.
What is the supervisory authority / regulator in charge of data protection?
National Authority for Transparency and Access to Information.
Is there a requirement to register with a supervisory authority / regulator?
There is no requirement to register with the supervisory authority, but the responsible party must keep its own registry of the database. If the supervisory authority requests the database, the responsible party or the data controller must provide it.
Is there a requirement to notify the supervisory authority / regulator?
Yes. A security breach is understood as any damage, loss, alteration, destruction, access to or, in general, any unlawful or unauthorised use of personal data, even if accidental, at any stage of the processing, which represents a risk to the protection of personal data. When the data controller becomes aware of such a breach, it shall immediately notify the supervisory authority and the affected data subjects of the incident.
The database custodian shall inform the controller immediately upon becoming aware of a security breach.
The notification made by the controller to the affected data subjects shall be drafted in clear and simple language.
The notification shall be made within seventy-two hours of becoming aware of the incident and shall contain at least the following information:
- The nature of the incident.
- The personal data involved.
- Corrective actions carried out immediately.
- Recommendations to the data subject on the measures that they may adopt to protect their interests.
- The means available to the data subject to obtain further information in this respect.
Is it possible to register with / notify the supervisory authority / regulator online?
It is not possible to register the database with the supervisory authority.
The notification of a breach to the supervisory authority can be made by email. It is recommended to also submit the notification in physical form and retain the supporting documents as proof that the notification was made within seventy-two hours of becoming aware of the incident, as required by law.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right of access: it allows the data subject to obtain their personal data that is stored or subject to processing in databases of public or private institutions, as well as to know the origin and purpose for which it has been collected.
Right of rectification: allows the data subject to request the correction of their personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, false or impertinent.
Right of cancellation: allows the data subject to request the deletion of their personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, false or impertinent.
Right of opposition: allows the data subject, for justified and legitimate reasons related to a particular situation, to refuse to provide their personal data or that it be the object of a specific processing, as well as to revoke their consent.
Right of portability: the right to obtain a copy of personal data in a structured manner and in a generic and commonly used format.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, it is mandatory for government entities.
It is recommended but not mandatory for the private sector.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Depending on the seriousness of the risk that the processing presents to personal data, as well as the novelty of the technology used, the supervisory authority may order the submission of a data protection impact assessment report.
The report must contain, at a minimum, a description of the type of data collected, the methodology used to collect it and the measures taken to ensure the security of the information, and the data controller's analysis of the measures, safeguards and risk mitigation mechanisms adopted.
The supervisory authority may request entities to publish data protection impact assessment reports that they carry out and suggest to them the adoption of standards and practices for the processing of personal data.
Does this jurisdiction have any specific data breach notification requirements?
Yes, as mentioned above, the notification made by the data controller to the affected data subjects shall be drafted in clear and simple language.
The notification shall be made within seventy-two hours of becoming aware of the incident and shall contain at least the following information:
- The nature of the incident.
- The personal data involved.
- Corrective actions carried out immediately.
- Recommendations to the data subject on the measures that they may adopt to protect their interests.
- The means available to the data subject to obtain further information in this respect.
What restrictions apply to the international transfer of personal data / information?
The data undergoing processing may be transferred to another country provided that one of the following conditions is met:
- It is transferred to countries or international organisations that provide a degree of protection of personal data equivalent or higher than that provided for in Law 81 of 2019 and Executive Decree 285 of 2021. The list of the countries has not been issued by the supervisory authority.
- When the responsible party offers and proves adequate guarantees of compliance with the principles, the data subject’s rights and the personal data protection system provided for in Law 81 of 2019 and Executive Decree 285 of 2021.
- Consent of the data subject.
- Necessary for disease prevention or medical diagnosis, provision of health care, medical treatment or management of health services.
- Necessary for the safeguarding of the public interest or for the legal representation of the data subject or administration of justice.
- Necessary for the recognition, exercise or defence of a right in a judicial proceeding, or in cases of international judicial collaboration.
- Necessary for the maintenance or fulfilment of a legal relationship between the data controller and the personal data subject.
- Required to carry out bank or stock exchange transfers in relation to the relevant transactions and in accordance with the applicable legislation.
- For the purpose of international cooperation between intelligence agencies in the fight against organised crime, terrorism, money laundering, computer crimes, child pornography and drug trafficking.
- When any of the other conditions provided for in Law 81 of 2019 are met.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No. The Law applies to databases:
- located in the territory of the Republic of Panama, which store or contain personal data of nationals or foreigners; or
- when the data controller is domiciled in the country.
What rules specifically deal with marketing?
When the data is processed for marketing purposes, the data subject shall be entitled to object at any time to the processing of personal data concerning them, including profiling insofar as it is related to a marketing activity. In such cases, the personal data shall no longer be processed for such purposes.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Not Applicable.
What rules specifically deal with cookies?
Not Applicable.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The data subject shall be entitled to object at any time, on grounds relating to their particular situation, to the processing of personal data relating to them.
The data controller shall cease to process the personal data unless it can establish compelling legitimate grounds for the processing, which prevail over the interests, rights and freedoms of the data subject, or for the substantiation, exercise or defence of claims.
If the person in charge of the personal database does not respond to the data subject's request within the established terms, the data subject shall be entitled to appeal to the National Authority for Transparency and Access to Information. In the case of entities regulated by special laws, the data subject must first turn to the relevant regulatory authority and, in the absence of a response from the latter, to the National Authority for Transparency and Access to Information.
The National Authority for Transparency and Access to Information is empowered to request the necessary information and make verifications in order to carry out administrative investigations related exclusively and in each case to the complaint or claim filed.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Multinationals should be aware of local laws and take care to comply with the applicable legal provisions on the international transfer of data. Also, keep in mind that the GDPR is the highest standard. Finally, always obtain the data subject's consent where there is no clear legal basis for the processing of the data.
What upcoming data protection developments should multinational organisations be aware of?
Multinationals should be aware that Panama drafted a declaration on digital violence for the Ibero-American Network for the Protection of Personal Data. The purpose of the declaration is to urge member countries to take measures to protect personal data. The declaration is non-binding. The list of countries to which data can be transferred on the basis of an equivalent level of protection is still under analysis.