Territory: Republic of Panama
Data Protection Regulations: Law 81 of 26 March 2019 (entered into force on 29 March 2021)
Regulatory purpose: Establishing the objects, principles and rules governing the protection of personal data.
- Data controller: A data controller is any natural or legal person who decides on the processing of personal data and determines its purposes, means and scope; and the custodian of the database (who acts in the name and on behalf of the data controller and is responsible for the custody and conservation of the database).
- Data Processor: No.
- Data Protection Officer: No.
Supervisory Authority: National Authority for Transparency and Access to Information (ANTAI)
- Other: Personal Data Protection Board (advisory body)
Principles: There are nine (9) principles, namely: Fairness, purpose, proportionality, truthfulness and accuracy, security, transparency, confidentiality, lawfulness, portability.
- Register of Processing Activities: Yes.
- Impact Assessments: Yes.
- Risk analysis: Yes.
- Technical and organisational security measures: Yes.
- Duty to inform: Yes.
- Data Protection Officer: No.
- Other obligations:
Not to transfer or communicate personal data after seven years have elapsed since the legal obligation to keep it has expired, unless the owner of the data expressly requests otherwise.
The person responsible for the processing of personal data must compensate the financial and/or moral damage caused by the improper processing of such data.
Data subjects' rights:
- Right of Access: Yes.
- Right of rectification: Yes.
- Right of Suppression: Yes.
- Right to limitation: No.
- Right to portability: Yes.
- Right to object: Yes.
- Automated individual decisions, including profiling: No.
- Other rights: The right to judicial defence is recognised, as well as the right to claim the protection of their ARCO rights (access, rectification, cancellation, opposition and portability) before the National Authority for Transparency and Access to Information (ANTAI), except in the cases of subjects regulated by special laws.
International transfers: No.
The Authority may set penalties from $1,000.00 to $10,000.00 balboas. Infringements are classified as minor, serious and very serious:
- Minor: failure to submit or inform the authority of the information within the deadline and may lead to a summons from the authority.
- Serious: processing without the consent of the owner, infringing the established principles and guarantees, infringing the confidentiality commitment, restricting ARCO rights, failing to inform the owner of the data processing, storing or archiving data without security conditions, failing to comply with the repeated requests and obligations of the authority, which may lead to a fine of US$1,000 to $10,000 balboas, depending on proportionality.
- Very serious: collecting personal data in a fraudulent manner, not observing the regulations, not suspending the processing when previously requested by the authority, storing or transferring personal data internationally and repeating serious offences, which may lead to the closure of the database records and the corresponding fine, and even the suspension and disqualification of the storage and/or processing activity.
Certification or accreditation of compliance for companies: No.
The law establishes time limits for the prescription of the action and of the sanction:
Prescription of the action:
- Minor infringements within 1 year.
- Serious infringements within 3 years.
- Very serious infringements within 5 years.
Limitation period for penalties:
- Minor penalties within 3 years.
- Serious infringements within 5 years.
- Very serious infringements are not time-barred.
Other related legislation: N/A