On March 29, 2019, the Republic of Panama passed Law No. 81, also known as the Panama Personal Data Protection Law (PPDPL). The law came into force on March 29, 2021, together with its implementing regulations (the Regulations), Executive Decree No. 285. The law establishes principles, rights, obligations, and procedures for protecting the personal data of Panamanians and supplements the existing special laws and rules that make up the country’s regulatory framework for personal data protection.
The PPDPL partially resembles the landmark European Union’s General Data Protection Regulation (GDPR) and is enforced by the National Authority of Transparency and Access to Information (ANTAI).
The law applies to the processing of personal data if:
The law does not apply to processing activities that are:
Personal data obtained from specific technical processing related to a natural person's physical, physiological, or behavioral characteristics that allow or confirm the person's unique identification.
Ordered set of data of any nature, whatever the form or modality of its creation, organization, or storage, which allows the data to be related to each other, as well as to carry out any type of processing or transmission of these by its custodian.
Natural or legal person, of public or private law, lucrative or not, that corresponds to the decisions related to the processing of the data and that determines the purposes, means, and scope, as well as issues related to these.
Natural or legal person, of public or private law, lucrative or not, that acts in the name and on behalf of the person in charge of the processing and is responsible for the custody and conservation of the database.
Any operation or set of operations or technical procedures, whether automated or not, that allows collecting, storing, recording, organizing, preparing, selecting, extracting, comparing, interconnecting, associating, disassociating, communicating, assigning, exchanging, transferring, transmitting, or cancelling data, or using it in any other way.
The natural person to whom the data refers.
Data that cannot be associated with its owner or used to identify a natural person, because of its structure, content, or degree of disaggregation.
Personal data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample from that person.
Any information concerning natural persons that identifies them or makes them identifiable.
Any form of automated processing that uses personal data to evaluate certain aspects of a natural person, and in particular to analyze or predict aspects related to their professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Data that refers to the intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for the owner. By way of example, personal data that may reveal racial or ethnic origin; religious, philosophical, and moral beliefs or convictions; union membership; political opinions; data related to health, life, or sexual preference or orientation; and genetic or biometric data that is subject to regulation and aimed at unequivocally identifying a natural person are considered sensitive, among others.
The following principles govern the protection of personal data under the PPDPL:
Personal data must be collected without deceit or falsehood and without using fraudulent, unfair, or illegal means.
Personal data must be used for specified and legitimate purposes.
Data controllers must only collect personal data that is adequate, pertinent, and minimum necessary for specified purposes.
Personal data collected must be kept accurate and up-to-date.
Data controllers must adopt appropriate security measures to protect personal data against breaches.
Data controllers must keep the data subjects informed of their rights and all the information and communication from the data controllers must be in clear and simple language.
Data controllers and all other persons acting on their behalf must maintain the confidentiality and secrecy of the personal data.
Processing of personal data must be carried out in a lawful manner with the consent of the data subject or based on any other legal basis provided under the PPDPL.
Data subjects have the right to obtain from the data controller a copy of the personal data in a structured manner in a commonly used generic format.
The data subjects have the following rights under the PPDPL:
Data subjects have the right to obtain their personal data that is stored or subject to processing in databases of public or private institutions, in addition to knowing the origin and purpose for which they have been collected.
Data subjects have the right to request the correction of their personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, or false.
Data subjects have the right to request the deletion of their personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, or false.
Data subjects have the right to, for well-founded and legitimate reasons, refuse to provide their personal data or to have them subject to a certain processing, as well as to revoke their consent.
Data subjects have the right to obtain a copy of personal data in a structured manner, in a generic and commonly used format, which allows it to be operated by different systems and/or transmitted to another data controller.
Data subjects can exercise their rights by making a request (DSR request) to the data controller and specifying the right they want to exercise. Parents, attendants, guardians, or those who exercise the custody and upbringing of minors or differently-abled persons may exercise these rights in their name and on their behalf.
A data controller must provide the personal data to a data subject in response to a DSR request within ten (10) business days from the date of submission of the request. However, in response to a DSR request for rectification, the data controller must modify the personal data within five (5) business days from the date of submission of the request.
If the data controller does not act on the request of a data subject within the prescribed timeline, the data subject can exercise the right to appeal to the ANTAI.
The exercise of data subject rights may be limited where:
The organizations can only process the personal data if they meet at least one of the following conditions:
Organizations must provide the data subjects with a clear, simple, and easily accessible privacy notice at the time of collection of their personal data. The privacy notice must, at least, include the following information:
If the personal data is collected from a third party, the data subject must be provided with the privacy notice in the following manner:
Where the lawful basis for processing is consent, organizations must obtain the informed, unequivocal, traceable, and valid consent of the data subjects before processing their personal data. If given in the context of a written statement, the request for consent must be presented in a manner that is clearly distinguishable from other matters. Consent for the processing of sensitive data, including health data, must be irrefutable and express.
For processing the personal data of minors or incapacitated persons, the organizations must seek prior authorization from their guardians. The personal data of minors and incapacitated persons may be collected without consent when the processing is necessary to contact the parents, guardian, or any other person who exercises the custody and upbringing or guardianship of the minor or incapable person.
The data subjects must be able to revoke their consent at any time, without retroactive effect.
Organizations must process personal data only for specific, explicit, and lawful purposes that are communicated to the data subjects at the time of collection of their personal data. Prior to using the personal data for any other purpose, the organizations must seek the consent of the data subject.
The PPDPL grants data subjects the right not to be subject to a decision based solely on the automated processing of their personal data that produces negative legal effects or causes a detriment to a right, or whose purpose is to evaluate certain aspects of their personality, health status, work performance, credit, reliability, conduct, or characteristics, among others.
However, the organizations can carry out automated decision-making if:
The PPDPL requires the organizations to keep a written registry of the databases, and the ANTAI can require access to such a registry at any time to assess the organizations' compliance. The registry of the databases must contain the following information:
Organizations must undertake technical and organizational measures to ensure the confidentiality, integrity, availability, and permanent resilience of the systems and services and the processing of personal data. The following factors must be considered while determining the appropriateness of security measures:
Organizations must also carry out a series of actions that guarantee the establishment, implementation, operation, monitoring, review, maintenance, and continuous improvement of the security measures applicable to the processing of personal data, on a regular basis.
The PPDPL requires organizations to immediately notify the ANTAI and the affected data subjects when they become aware of a security breach, meaning any damage, loss, alteration, destruction, or access, and in general any illegal or unauthorized use of personal data, even when it occurs accidentally, at any phase of the processing, that represents a risk to the protection of personal data. Data processors must also immediately inform the data controllers after becoming aware of a security breach.
The notification to the data subject must be made within seventy-two (72) hours after the incident is known and must contain the following information in clear and simple language:
Further, the organizations must also keep records of the security incidents that occurred at any stage of the processing, identifying at least the following details about each security breach:
Based on the seriousness of the risk presented by a specific data processing activity and the novelty of the technology, the organization may be required by the ANTAI to conduct and submit a data protection impact assessment (DPIA) report. The DPIA report must, at least, contain a description of the types of data collected, the methodology used to collect and guarantee the security of the information, and the analysis of the data controller in relation to the measures, safeguards, and risk mitigation mechanisms adopted.
Organizations must enter into written agreements with the data processors to ensure their compliance with the provisions of the PPDPL while processing personal data. Among other things, an agreement between a data controller and a data processor must stipulate the following:
Under the PPDPL, a cross-border transfer of personal data can only take place if at least one of the following conditions is fulfilled:
The PPDPL designates the following as adequate guarantees which can be used by the data controllers for cross-border data transfers:
The National Authority for Transparency and Access to Information (ANTAI) is the public administration body responsible for supervising, implementing, and controlling compliance with the PPDPL and the Regulations. Among others, the ANTAI can require the organizations to conduct and submit DPIAs, request access to the database registries, notify adequate jurisdictions for the purposes of cross-border data transfers, approve the adequate guarantees, investigate violations of the PPDPL and impose monetary fines and other penalties.
The PPDPL classifies the violations of its provisions into minor, serious, and very serious offenses. Following is a brief description of each category:
Failure to comply with the timelines prescribed under the PPDPL for informing or submitting documents to the ANTAI constitutes a minor offense.
Following are some violations that constitute serious offenses under the PPDPL:
The PPDPL classifies the following violations as very serious offenses:
Monetary fines are the most common type of penalty imposed by the ANTAI on organizations committing serious offenses. However, very serious offenses can also result in the closure of the database records or temporary or permanent suspension and disqualification of the storing or processing of personal data. While determining the appropriate penalty, the ANTAI must consider different factors including but not limited to the following:
Organizations can operationalize the PPDPL by undertaking, among others, the following measures:
Securiti Data Command Center enables organizations to comply with the Panama Personal Data Protection Law (PPDPL) by securing the organization’s data, helping it maximize data value, and fulfilling its obligations around data security, data privacy, data governance, and compliance.
It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, so that they can swiftly meet privacy, security, governance, and compliance requirements.