Analysis of Law Number 81 for Personal Data Protection in Panama

Published on Jun 19, 2024

María Paula Orsini, a lawyer in Panama and expert in Regulatory Law, shares with us this article on the protection of personal data, which is essential in the digital era where private information can be easily shared. This is why Panama reinforces its regulatory framework with Law number 81 on Personal Data Protection.

For several decades, the Protection of Personal Data has been a relevant matter contemplated in the Panamanian regulatory body, thus article 42 of the Political Constitution of the Republic of Panama establishes general principles of Protection of Personal Data with topics such as the management by the authorities regarding private documents and the right of citizens to access information.

Likewise, Article 11 of the American Convention on Human Rights (law in Panama) protects reputation and also complements other fundamental rights related to privacy, human dignity and guarantees the protection of the honor, reputation and privacy of people. against state or private intrusion [by individuals or entities], both are provisions that give data protection not only constitutional status, but also First-Generation Human Right.

Definitions
It is important to mention that the norm also contemplates some definitions that we consider important to highlight when studying the law, which are transcribed below:

  • Personal data: Any information concerning natural persons that identifies them or makes them identifiable. Names, surnames, photographs.
  • Sensitive data: Data that refers to the intimate sphere of its owner, whose improper use may give rise to discrimination or entail a serious risk. E.g. racial or ethnic origin, religious beliefs or health condition.
  • Database: A set of ordered data of any nature, whatever the form or modality of its creation, organization or storage, which allows the data to be related to each other, as well as any type of processing or transmission of these by his custodian.
  • Technical sheet: Document that contains the records, protocols and rules related to the storage and processing of personal data.
  • Responsible for data processing: Natural or legal person, under public or private law, lucrative or not, who is responsible for decisions related to data processing and who determines the purposes, means and scope, as well as related issues.

Subjects provided for in the law
In relation to the processing of personal data, the law provides for two subjects:

  • Passive subject: Natural person, owner of the personal data; and,
  • Active subject: Any person (natural or legal) who can process personal data, as long as they do so in accordance with the law for purposes permitted in the legal system.

The aforementioned will be the main actors throughout the life cycle of personal data.

Personal data life cycle
Personal data comply with a life cycle that begins with its collection and ends with its destruction, as follows:

  • Pickup
  • Treatment
  • Use or transfer
  • Destruction

Personal data collection stage
It consists of the request by the active subject and the willingness of the passive subject to provide personal data. The above must be voluntary, for example, no one can be forced to hand over a personal identification document to be photographed to obtain a product or service.

Processing of Personal Data
When we refer to the processing of personal data, this means an obligated subject (active subject), which owns the data or database and is dedicated to executing any operation or technical procedures, whether automated or not, that allows the collection, storage, record, organize, prepare, select, extract, communicate, assign, exchange, transfer, transmit or cancel data or use it in any way.

Obligations Implied by the Processing of Personal Data
The aforementioned produces a series of obligations for the active subject, which we detail below:

  • Prepare the Technical Sheet composed of the protocols, processes and compliance records.
  • Comply with the general principles that govern data protection.
  • Base the processing of personal data on one of the legal conditions provided for in the regulations.
  • Guarantee the security of personal data by adopting technical and organizational measures.
  • Adopt guarantees in the transfers of personal data to third parties.
  • Address and respond to the exercise of the rights of data owners.

Fundamental Rights (ARCOP) and General Principles
ARCOP rights are a set of fundamental rights related to the protection of personal data, defined in different international legislation to unify the concepts in this matter. The word ARCOP derives from its acronym:

  • Access: the right to know what data is stored, for what purpose it is used and who uses it.
  • Rectification: The right to correct inaccurate or incomplete personal data.
  • Cancellation: The right to request the deletion of personal data, among other things, if the data is no longer necessary for the purposes for which it was collected.
  • Objection: the right to object to the processing of personal data in certain circumstances.
  • Portability: right to receive a copy of the data in a structured way and in a common format

Regarding the general principles, Law 81 of 2019, specifically in its article 2, highlights the following:

  • Loyalty: provides that data cannot be collected through deception.
  • Purpose: the data must be used for the purposes expressly requested.
  • Proportionality: specifically request and use the necessary data.
  • Truthfulness and accuracy: the data must be collected with truthfulness and accuracy (very specific).
  • Security: create technical procedures to safeguard the integrity of any data of the taxpayer.
  • Transparency: the information or communication concerning data processing must be clear and simple for better understanding by the data owner.
  • Confidentiality: people involved in any stage of the data life cycle have the duty to maintain secrecy and prevent unauthorized access.
  • Legality: for the data collection to be fully legal, prior consent must be obtained from the data owner.

Sanctions regime
To guarantee compliance with the rule and promote order and justice, Law 81 of 2019 specifically contemplates in its 36 sanctions with amounts ranging from US$1,000 to US$10,000, depending on the severity of the atypical behavior.

Violations Regime
Infractions can be categorized as minor, serious or very serious.

  • Minor: If the information is not sent or notified to the authorities within the established period, they may receive a subpoena.
  • Serious: Processing data without the consent of the owner, violation of established principles and guarantees, violation of confidentiality, restriction of ARCOP rights, failure to comply with the obligation to inform the owner about data processing, storage or archiving of data without security conditions, non-compliance with fines. These offenses are punishable by a fine, which is at the discretion of the judge and ranges within the aforementioned range.
  • Very serious: Intentional collection of personal data, non-compliance with regulations, international storage or transfer of personal data, and repeated serious violations may result in database closure. Stop and disable storage and/or processing operations.

Regulatory Authority
The institution that maintains the power to carry out investigations and impose sanctions on natural and/or legal persons who violate the content of Law 81 of March 26, 2019, is the National Authority for Transparency and Access to Information ( ANTAI) through the Personal Data Directorate.

Prescription
The statute of limitations refers to the period established by law within which certain legal rights can be exercised or claims filed. Executive Decree 235 of 2021, which regulates Law 81 of March 26, 2019, contemplates in its articles 63 and 64 the prescription of both the action and the sanction.

Prescription of action

  • Minor infractions: prescribed after one year
  • Serious violations: statute of limitations after 3 years
  • Very serious infractions: statute of limitations after 5 years

Prescription of the sanction
The limitation period for sanctions begins to run the day following the day they were imposed.

  • Minor infractions: they expire after 3 years.
  • Serious infractions: statute of limitations after 5 years.
  • Very serious infractions: they cannot be prescribed.
Sources:
  • Law 81 of May 26, 2019 
  • Executive Decree 285 of May 28, 2021 
 


The information provided by ARIAS® is presented for informational purposes only. This information is not legal advice and is not intended to create, and does not constitute, an attorney-client relationship. Readers should not act upon this information without seeking advice from professional advisers.