I. Introduction
On March 29, 2019, the Republic of Panama passed Law No. 81, also known as the Panama Personal Data Protection Law (PPDPL). The law came into force on March 29, 2021, along with its implementing regulations (Regulations), the Executive Decree No. 285. The law establishes principles, rights, obligations, and procedures for protecting the personal data of Panamanians and supplements the existing special laws and rules that comprise the country’s regulatory framework governing personal data protection.
The PPDPL partially resembles the landmark European Union’s General Data Protection Regulation (GDPR) and is enforced by the National Authority of Transparency and Access to Information (ANTAI).
II. Who Needs to Comply with the PPDPL
A. Material Scope
The law applies to the processing of personal data if:
- the databases are located in the Republic of Panama that store or keep personal data of nationals and foreigners;
- the person responsible for the processing of personal data is domiciled in the Republic of Panama;
- the data originated from or is stored in the territory of the Republic of Panama; or
- the data processing is carried out for online commercial activities aimed at the Panamanian market.
B. Exemptions
The law does not apply to processing activities that are:
- expressly regulated by special laws and regulations;
- carried out by a natural person exclusively for personal or domestic activities;
- carried out by the competent authorities for prevention, investigation, detection, or prosecution of criminal offenses or execution of criminal sanctions;
- carried out for the analysis of financial intelligence and related to national security;
- carried out for compliance with the international treaties and conventions ratified by the country; or
- carried out using the information obtained through a prior disassociation or anonymization procedure.
III. Definitions of Key Terms
A. Biometric Data
Personal data obtained from specific technical processing related to a natural person's physical, physiological, or behavioral characteristics that allow or confirm the person's unique identification.
B. Database
Ordered set of data of any nature, whatever the form or modality of its creation, organization, or storage, which allows the data to be related to each other, as well as to carry out any type of processing or transmission of these by its custodian.
C. Person in Charge of the Processing/Data Controller
Natural or legal person, of public or private law, lucrative or not, that corresponds to the decisions related to the processing of the data and that determines the purposes, means, and scope, as well as issues related to these.
D. Database Custodian/Data Processor
Natural or legal person, of public or private law, lucrative or not, that acts in the name and on behalf of the person in charge of the processing and is responsible for the custody and conservation of the database.
E. Data Processing
Any operation or complex of operations or technical procedures, whether automated or not, that allows collecting, storing, recording, organizing, preparing, selecting, extracting, confronting, interconnecting, associating, disassociating, communicating, assigning, exchanging, transferring, transmitting or cancel data, or use it in any other way.
F. Data Owner/Data Subject
The natural person to whom the data refers.
G. Disassociated Data
Data that cannot be associated with the owner or allow the identification of the person, be it natural, due to its structure, content, or degree of disaggregation.
H. Genetic Data
Personal data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample from that person.
I. Personal Data
Any information concerning natural persons that identifies them or makes them identifiable.
J. Profiling
Any form of automated treatment that uses personal data to evaluate certain aspects of a natural person, and in particular, to analyze or predict aspects related to his professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
K. Sensitive Data
That which refers to the intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for it. By way of example, personal data that may reveal aspects such as racial or ethnic origin; religious, philosophical, and moral beliefs or convictions; union membership; political opinions; data related to health, life, sexual preference or orientation, genetic data or biometric data, among others, subject to regulation and aimed at unequivocally identifying a natural person are considered sensitive.
IV. General Principles for Processing
The following principles govern the protection of personal data under the PPDPL:
A. Principle of Fairness
Personal data must be collected without deceit or falsehood and without using fraudulent, unfair, or illegal means.
B. Principle of Purpose
Personal data must be used for specified and legitimate purposes.
C. Principle of Proportionality
Data controllers must only collect personal data that is adequate, pertinent, and minimum necessary for specified purposes.
D. Principle of Veracity and Accuracy
Personal data collected must be kept accurate and up-to-date.
E. Principle of Data Security
Data controllers must adopt appropriate security measures to protect personal data against breaches.
F. Principle of Transparency
Data controllers must keep the data subjects informed of their rights and all the information and communication from the data controllers must be in clear and simple language.
G. Principle of Confidentiality
Data controllers and all other persons acting on their behalf must maintain the confidentiality and secrecy of the personal data.
H. Principle of Lawfulness
Processing of personal data must be carried out in a lawful manner with the consent of the data subject or based on any other legal basis provided under the PPDPL.
I. Principle of Portability
Data subjects have the right to obtain from the data controller a copy of the personal data in a structured manner in a commonly used generic format.
V. Data Subject Rights
The data subjects have the following rights under the PPDPL:
A. Right of Access
Data subjects have the right to obtain their personal data that is stored or subject to processing in databases of public or private institutions, in addition to knowing the origin and purpose for which they have been collected.
B. Right of Rectification
Data subjects have the right to request the correction of their personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, false, or irrelevant.
C. Right of Cancellation
Data subjects have the right to request the deletion of their incorrect, irrelevant, incomplete, outdated, inaccurate, false, or irrelevant personal data.
D. Opposition Right
Data subjects have the right to, for well-founded and legitimate reasons, refuse to provide their personal data or to have them subject to a certain processing, as well as to revoke their consent.
E. Right of Portability
Data subjects have the right to obtain a copy of personal data in a structured manner, in a generic and commonly used format, which allows it to be operated by different systems and/or transmitted to another data controller.
F. Exercise of Rights by Data Subjects
Data subjects can exercise their rights by making a request (DSR request) to the data controller and specifying the right they want to exercise. Fathers, mothers, attendants, guardians or those who exercise the custody and upbringing of minors or differently-abled persons may exercise their rights in their name and representation.
G. Response Time for DSR Requests
A data controller must provide the personal data to a data subject in response to a DSR request within ten (10) business days from the date of submission of the request. However, in response to a DSR request for rectification, the data controller must modify the personal data within five (5) business days from the date of submission of the request.
H Right to Appeal
If the data controller does not entertain the request of a data subject within the prescribed timeline, the data subject can exercise the right to appeal to the ANTAI.
I. Limitations on the Exercise of Data Subject Rights
The exercise of data subject rights may be limited where:
- the processing is necessary for the public interest;
- the processing prevents or hinders due process within an administration or judicial process or for state security;
- necessary for the exercise of the functions of public authorities;
- requested by the competent judicial authorities to ensure compliance with the law;
- the data controller proves to have legitimate reasons for the processing to prevail over the rights, interests, and freedoms of the data subject;
- the processing is necessary for compliance with the law;
- the personal data is necessary for maintenance or fulfillment of legal or contractual relationships.
VI. Obligations of the Organizations Under the PPDPL
A. Lawful Processing
The organizations can only process the personal data if they meet at least one of the following conditions:
- the data subject has provided his/her prior, unequivocal, and informed by means through which the data controller can establish the traceability of the consent;
- the processing of the data is necessary for the execution of a contractual obligation to which the data subject is a party;
- the processing is necessary for compliance with a legal obligation to which the data controller is subject;
- a special law or the regulations that develop it authorize the processing of personal data;
- when the processing is necessary to protect the vital interests of the data subject or of another natural person;
- When required by a public entity in the exercise of its legal functions, to safeguard a public interest or by court order;
- where the processing is necessary for the satisfaction of legitimate interest of the data controller or a third party.
B. Privacy Notice
Organizations must provide the data subjects with a clear, simple, and easily accessible privacy notice at the time of collection of their personal data. The privacy notice must, at least, include the following information:
- the identity and contact details of the data controller;
- the purpose or purposes of the processing for which the personal data will be used;
- the legal basis of the processing; and when the processing is based on the consent, the data subject’s right to revoke consent at any time;
- the recipients or categories of recipients of personal data, if applicable;
- the intention of the data controller to transfer personal data to a third country and the legal basis for that transfer, if applicable;
- the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;
- the existence, form and mechanisms or procedures through which the data subject can exercise the rights of access, rectification, cancellation, opposition and portability;
- the existence of automated decisions, including profiling, and, at least in such cases, significant information about the applied logic, such as the importance and expected consequences of said processing for the data subject; and
- the contact details of the personal data protection officer.
If the personal data is collected from a third party, the data subject must be provided with the privacy notice in the following manner:
- If the personal data is used to communicate with the data subject, at the latest at the time of the first communication.
- If it is communicated to another recipient, the data subject must be informed at the time of the first such communication.
C. Consent Requirements
Where the lawful basis for processing is consent, the organizations must ensure to obtain informed, unequivocal, traceable, and valid consent of the data subjects before processing their personal data. If given in the context of a written statement, the request for consent must be presented in a manner that is clearly distinguishable from other matters. The consent for the processing of sensitive data, including health data, must be irrefutable and express.
For processing the personal data of minors or incapacitated persons, the organizations must seek prior authorization from their guardians. The personal data of minors and incapacitated persons may be collected without consent when the processing is necessary to contact the parents, guardian, or any other person who exercises the custody and upbringing or guardianship of the minor or incapable person.
The data subjects must be able to revoke their consent at any time, without retroactive effect.
D. Purpose Limitation
Organizations must process personal data only for specific, explicit, and lawful purposes that are communicated to the data subjects at the time of collection of their personal data. Prior to using the personal data for any other purpose, the organizations must seek the consent of the data subject.
E. Automated Decision-Making
The PPDPL grants the data subjects the right not to be subject to a decision based solely on the automated processing of their personal data, which produces negative legal effects or causes a detriment to a right or whose purpose is to evaluate certain aspects of their personality, health status, work performance, credit, reliability, conduct, characteristics or personality, among others.
However, the organizations can carry out automated decision-making if:
- the data subject has consented to it;
- it is necessary to enter into or comply with a contract or legal relationship between the data controller and the data subject; or
- it is authorized by special laws or the regulations that develop them.
F. Database Registry
The PPDPL requires the organizations to keep a written registry of the databases, and the ANTAI can require access to such a registry at any time to assess the organizations' compliance. The registry of the databases must contain the following information:
- the identification of the database;
- the identification of the person responsible for the database;
- the nature of the personal data it contains, that is, the description of the universe of people included in the database;
- the applicable lawful basis of processing;
- the purpose or purposes of the processing;
- the procedures for obtaining and processing the data;
- the period of conservation of the data;
- the destination of the data and the natural or legal persons to whom it can be transferred;
- the technical and organizational security measures adopted, at least a summary of them or the reference to the policy or protocol where they are described;
- the protocols applicable to the database, such as those referring to the attention and response to the exercise of rights by the data subjects;
- the technical description of the database; and
- the identification and period of all the people who have entered the personal data within fifteen working days from the start of the activity.
G. Security Measures
Organizations must undertake technical and organizational measures to ensure the confidentiality, integrity, availability, and permanent resilience of the systems and services and the processing of personal data. The following factors must be considered while determining the appropriateness of security measures:
- the risk to the rights and freedoms of the data subjects;
- the state of technology;
- the costs for the application of the measures;
- the nature of the personal data processed;
- the scope, context and purposes of the processing;
- the international transfers of personal data that are made or intended to be made;
- the number of data subjects whose data is being processed;
- the possible consequences that would derive from a breach of data security for the data subjects; and
- previous data security breaches that occurred in the processing of personal data.
Organizations must also carry out a series of actions that guarantee the establishment, implementation, operation, monitoring, review, maintenance, and continuous improvement of the security measures applicable to the processing of personal data, on a regular basis.
H. Breach Notifications and Records
The PPDPL requires the organizations to immediately notify the ANTAI and the affected data subjects when they become aware of a security breach - any damage, loss, alteration, destruction, access, and in general, any illegal or unauthorized use of personal data - even when it occurs accidentally, in any phase of the processing and that represents a risk for the protection of personal data. The data processors must also immediately inform the data controllers after becoming aware of a security breach.
The notification to the data subject must be made within seventy-two (72) hours after the incident is known and must contain the following information in clear and simple language:
- the nature of the incident;
- the compromised personal data;
- corrective actions taken immediately;
- the recommendations to the data subject on the measures that he/she can adopt to protect his/her interests; and
- the means available to the data subject to obtain more information in this regard.
Further, the organizations must also keep records of the security incidents that occurred at any stage of the processing, identifying at least the following details about each security breach:
- the date of its occurrence;
- the reason for the violation;
- the facts related to it and its effects; and
- corrective measures implemented immediately and definitively.
I. Data Protection Impact Assessments
Based on the seriousness of the risk presented by a specific data processing activity and the novelty of the technology, the organization may be required by the ANTAI to conduct and submit a data protection impact assessment (DPIA) report. The DPIA report must, at least, contain a description of the types of data collected, the methodology used to collect and guarantee the security of the information, and the analysis of the data controller in relation to the measures, safeguards, and risk mitigation mechanisms adopted.
J. Data Processor Agreements
Organizations must enter into written agreements with the data processors to ensure their compliance with the provisions of the PPDPL while processing personal data. Among other things, an agreement between a data controller and a data processor must stipulate the following:
- the processing of personal data in accordance with the instructions, duly documented, of the data controller;
- Implementation of security measures in accordance with applicable legal instruments;
- the obligation to inform the data controller when a breach of the security of the personal data, that it processes according to its instructions, occurs;
- confidentiality of the personal data processed;
- the prohibition of transferring personal data, unless the data controller requests it or the transfer derives from a sub-contracting authorized by the data controller;
- the information that the data processor must make available to the data controller so that the latter can prove compliance with its obligations;
- collaboration with the data controller in everything related to guaranteeing compliance, in particular, in terms of care and response to the exercise of rights;
- the deletion, return or communication of the personal data to the data controller once the legal relationship with the data controller has been fulfilled, except that a law requires the retention of personal data.
K. Cross-Border Data Transfers
Under the PPDPL, a cross-border transfer of personal data can only take place if at least one of the following conditions is fulfilled:
- the transfer is to a country or organization which provides a degree of personal data protection equivalent to or greater than that provided by the PPDPL;
- the data controller offers and proves adequate guarantees of compliance with the principles, the rights of data subjects and the personal data protection regime provided for in the PPDPL and the Regulations;
- the data is transferred based on the consent of the data subject;
- the transfer is necessary for medical prevention or diagnosis, the provision of healthcare, medical treatment or the management of healthcare services;
- the transfer is necessary for the safeguarding of the public interest or for the legal representation of the data subject or administration of justice;
- the transfer is necessary for the recognition, exercise or defense of a right in a judicial process, or in cases of international judicial collaboration;
- the transfer is necessary for the maintenance or fulfillment of a legal relationship between the data controller and the data subject;
- the transfer is required to carry out bank or stock transfers in relation to the respective transactions and in accordance with the legalization that is applicable to them; or
- the purpose of the transfer is international cooperation between intelligence agencies in the fight against organized crime, terrorism, money laundering, computer crimes, child pornography and drug trafficking.
The PPDPL designates the following as adequate guarantees which can be used by the data controllers for cross-border data transfers:
- the contractual clauses signed between the exporter and the recipient that offer sufficient guarantees and that allow demonstrating the scope of the processing of personal data, the obligations and responsibilities assumed by the parties and the rights of the data subjects;
- the contractual clause models validated by the ANTAI to be used by the exporter and recipient as a guarantee of the transfer;
- the binding self-regulation mechanisms agreed between the exporter and the recipient and approved by the ANTAI or recognized by it; and
- if the exporter and the recipient belong to the same economic group and the processing is subject to corporate regulations that bind them.
VII. Regulatory Authority
The National Authority for Transparency and Access to Information (ANTAI) is the public administration body responsible for supervising, implementing, and controlling compliance with the PPDPL and the Regulations. Among others, the ANTAI can require the organizations to conduct and submit DPIAs, request access to the database registries, notify adequate jurisdictions for the purposes of cross-border data transfers, approve the adequate guarantees, investigate violations of the PPDPL and impose monetary fines and other penalties.
VIII. Offenses Under the PPDPL
The PPDPL classifies the violations of its provisions into minor, serious, and very serious offenses. Following is a brief description of each category:
A. Minor Offenses
Failure to comply with the timelines prescribed under the PPDPL for informing or submitting documents to the ANTAI constitutes a minor offense.
B. Serious Offenses
Following are some violations that constitute serious offenses under the PPDPL:
- Processing of personal data without obtaining consent of the data subject;
- Violation of principles and guarantees established under the PPDPL;
- Breach of confidentiality commitment in relation to the processing of personal data;
- Restricting or hindering the application of the rights of access, rectification, cancellation, and opposition;
- Failure to comply with the duty to inform the data subject about the processing of their personal data, when the data has been obtained from a third party;
- Storing or filing personal data without having the adequate security conditions provided under the PPDPL or the Regulations; and
- Hindering or not cooperating with the ANTAI when it exercises its inspection function.
C. Very Serious Offenses
The PPDPL classifies the following violations as serious offenses:
- Collecting personal data maliciously or with an intention to commit crime;
- Not complying with the obligations regarding the processing of sensitive data;
- Failure to suspend the processing of personal data immediately when required by ANTAI;
- Storing or transferring personal data internationally in violation of the provisions of the PPDPL;
- Repetition of serious offenses.
IX. Penalties for Non-Compliance
Monetary fines are the most common type of penalty imposed by the ANTAI on organizations committing serious offenses. However, very serious offenses can also result in the closure of the database records or temporary or permanent suspension and disqualification of the storing or processing of personal data. While determining the appropriate penalty, the ANTAI must consider different factors including but not limited to the following:
- the intentionality of the offense;
- recidivism;
- the nature and amount of damages caused;
- the period for which the violation is committed;
- the adverse effect on the rights of children;
- the appointment of a DPO; and
- the prompt adoption of corrective measures.
X. How Organizations Can Operationalize the PPDPL
Organizations can operationalize the PPDPL by undertaking, among others, the following measures:
- Establishing clearly defined policies and procedures for processing data in compliance with the PPDPL;
- Obtaining lawful consent of the data subjects or identifying any other legal basis before processing personal data;
- Developing a robust framework for receiving and processing requests, complaints, and appeals from the data subjects;
- Train employees who handle the personal data on the organization's policies and procedures, as well as the requirements of the PPDPL; and
- Implementing a security breach management system to identify any security breaches, assessing the risks, undertaking mitigation measures, and notifying the ANTAI and the data subjects.
XI. How Securiti Can Help
Securiti Data Command Center enables organizations to comply with the Panama Personal Data Protection Law (PPDPL) by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.
Request a demo to learn more.