Existing Regulation on Data Protection in Panama

By: Kharla Aizpurúa Olmos, senior associate, Morgan & Morgan

In the framework of a globalized world and social networks that are established as a measure of possible interest of economic, social and political groups, data protection regulations become more relevant. In fact, the European Union through the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, establishes mandatory requirements, as of May 25, 2018, on regard to data protection, and which also apply to individuals in charge of the processing of data who are outside the European Union but who handle personal data of interested parties residing in the European Union.

In the case of Panama, our greatest protection is directly established through our Constitution, mainly in articles 42 to 44. These articles establish the regulatory framework in which the criterion that must be met is the consent of the owner of the personal data to obtain, process and store them. Additionally, it allows them to have access to that information in order to update or delete it from the respective database. The habeas data action is established in these articles to guarantee the right of access to personal information.

 

How does this affect companies?

For labor purposes, our Labor Code establishes the obligation for the employer to keep a record with information of the workers; this record is subject to inspection by the Ministry of Labor and Workforce Development. The worker in accordance with the constitutional protection has the right to access, update and amend that information, as appropriate.

Based on the regulatory framework and principles established in the Constitution, in case of the local practice, personal data protection has been included in special laws that regulate them depending on the specialization of the matter or business. Special laws such as the following, all of which follow in general terms the constitutional principles:

 

  • Law 51 of July 22, 2008, as amended, which defines and regulates electronic documents and electronic signatures and the provision of data storage services for documents and certification of electronic signatures and adopts other provisions for the development of electronic commerce;
  • Law 51 of September 18, 2009, as amended, that dictates rules for the storage, protection and provision of data of telecommunications services users and adopts other provisions;
  • Law 24 of May 22, 2002, as amended, which regulates the information service on the credit history of consumers or clients;
  • Executive Decree 52 of April 30, 2008, which adopts the single text of Decree Law 9 of February 26, 1998, as amended, and which regulates the banking regime and the Superintendency of Banks;
  • Law 68 of November 20, 2003, as amended, which regulates the rights and obligations of patients, in terms of information and free and informed decision;
  • Law 81 of December 31, 2009, which protects the rights of users of credit cards and other financing cards; and
  • Law 33 of April 25, 2013, as amended, which creates the National Authority of Transparency and Access to Information.

 

Remarkably, there is no express prohibition in Panama regarding the movement of personal data outside Panama. Existing laws have a more focused approach to the administration and processing of information and its storage. In this sense, there is the General Directorate of Electronic Commerce of the Ministry of Commerce and Industries, which regulates data storage service providers, an entity that regulates the protection of data that must be followed by businesses and imposes the obligation to maintain security measures and protection of information.

I would like to conclude by mentioning that to date, there is a Personal Data Protection Bill that has been submitted to the National Assembly, being the second attempt this year to pass a national law that compiles the regulation on this matter.