Global Data Privacy Guide

Panama

(Latin America) Firm Arias, Fábrega & Fábrega Updated 08 Aug 2025
1. What is the key legislation?

The key legislation governing data privacy in Panama is Law No. 81 of March 26, 2019, on the Protection of Personal Data, which entered into force in March 2021. This law establishes the principles, rights, and obligations related to the processing of personal data by public and private entities in Panama. Its implementation is regulated by Executive Decree No. 285 of May 28, 2021, which provides further detail on consent, data subject rights, international data transfers, and security measures.
Notwithstanding the foregoing, certain sectors are subject to special legislation. The banking sector, for example, has a legal framework that includes specific provisions on personal data protection, and its applicable laws and regulations establish the minimum technical standards required for the proper safeguarding and processing of such data.

2. What are the key decisions applying that legislation?

Currently there are no publicly reported court cases applying Panama's Law No. 81 of 2019. Cases have been handled administratively by the National Authority for Transparency and Access to Information (Autoridad Nacional de Transparencia y Acceso a la Información – "ANTAI"), and case law is still developing. The ANTAI has issued guidance notes addressing compliance and has investigated breaches.

1. How are “personal data” and “sensitive data” defined?

In Panama, the data protection law (“DPL”) defines “personal data” as any information concerning natural persons that identifies them or makes them identifiable. 
"Sensitive data" is defined as information relating to the intimate sphere of its owner, or whose improper use could result in discrimination or entail a serious risk to the individual. By way of example, sensitive data includes personal information that may reveal racial or ethnic origin; religious, philosophical, or moral beliefs or convictions; trade union membership; political opinions; health-related or life-related data; sexual preference or orientation; and genetic or biometric data processed to uniquely identify a natural person, among other categories subject to regulation.

2. How is the defined data protected?

Under the DPL, the protection of personal data is governed by the principles of fairness, purpose limitation, proportionality, truthfulness and accuracy, data security, transparency, confidentiality, lawfulness, and portability. The protected data must be processed lawfully, based on at least one of the following legal grounds:
•    The data subject’s consent has been obtained.
•    The processing is necessary for the performance of a contractual obligation to which the data subject is a party.
•    The processing is necessary for compliance with a legal obligation to which the data controller is subject.
•    The processing of personal data is authorized by a special law or its implementing regulations.
Furthermore, appropriate technical and security standards must be maintained to prevent unauthorized access, loss, alteration, or misuse of the data.

3. Who is subject to privacy obligations?

Privacy obligations apply to all natural or legal persons, whether public or private, for-profit, or non-profit, who process personal data within Panamanian territory or whose data controller is domiciled in Panama. This encompasses those responsible for collecting, storing, using, transmitting, or otherwise handling personal data of both nationals and foreigners.

4. How is “data processing” defined?

The Panamanian regulation defines “data processing” as any operation or set of operations or technical procedures, whether automated or not, that allow for the collection, storage, recording, organization, elaboration, selection, extraction, comparison, interconnection, association, dissociation, communication, disclosure, exchange, transfer, transmission, or cancellation of data, or the use of data in any other form.

5. What are the principles applicable to personal data processing?

The principles governing personal data processing under Panamanian law are:
•    Fairness: Data must be collected without deception or unlawful methods.
•    Purpose: Data should be collected for specific, legitimate purposes.
•    Proportionality: Only data necessary and relevant to the purpose should be collected.
•    Accuracy: Data must be accurate and kept up to date.
•    Security: Adequate technical and organizational measures must protect data, especially sensitive data, with prompt breach notification.
•    Transparency: Data subjects must receive clear information about data processing and their rights.
•    Confidentiality: Data handlers must keep data confidential.
•    Lawfulness: Processing requires prior informed consent or a legal basis.
•    Portability: Data subjects have the right to obtain their data.

6. How is the processing of personal data regulated?

Under Panama's DPL, the processing of personal data must adhere to the fundamental principles described in question 5.
Personal data processing is permitted only when based on valid consent from the data subject or on another legal ground recognized by the DPL, such as contractual necessity or a legal obligation.
Data controllers and processors are required to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data throughout its lifecycle.

7. How are storage, security and retention of personal data regulated?

Storage, security, and retention of personal data in Panama are regulated under the DPL. Personal data may be stored in any format, including digital systems and information technologies. Data controllers are required to establish secure protocols, processes, and procedures to manage and store personal data safely, ensuring the protection of data subjects’ rights.
Regarding security, data controllers must implement adequate technical and organizational measures to guarantee the confidentiality, integrity and availability of the systems processing personal data. 
Retention periods must be justified by the purpose for which the data was collected, and personal data should not be kept longer than necessary for that purpose. If retention extends beyond this purpose, data may be retained for up to seven (7) years following the expiration of any applicable legal retention period, unless the data subject explicitly requests earlier deletion. However, certain sector-specific laws, such as those regulating employment or tax matters, set their own retention and record-keeping periods, which prevail over this general rule.

8. What are the data subjects' rights under the data legislation?

The data subjects’ rights under the data protection legislation are as follows:
•    Access: allows the data subject to obtain their personal data, as well as to know the origin of the data and the purpose for which it was collected.
•    Rectification: enables the data subject to request the correction of their personal data.
•    Cancellation: allows the data subject to request the deletion of personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, or false.
•    Opposition: permits the data subject, for justified and legitimate reasons, to refuse to provide their personal data, as well as to revoke their consent.
•    Portability: grants the data subject the right to obtain a copy of their personal data in a form that enables it to be transferred to another controller or processed by different systems.
These rights are non-waivable under the DPL, except as otherwise provided by special laws.

9. What are the consent requirements for data subjects?

Consent is defined as the data subject's voluntary expression of will by which the processing of their personal data is authorized. Under the DPL, consent must be:
•    informed and unequivocal; and
•    obtained in a manner that allows for its traceability, meaning that the data controller must be able to demonstrate that the data subject consented to the processing of their personal data.
In the case of the processing of health data, as well as other sensitive data, consent must be explicit and irrefutable.
In the case of minors or legally incapacitated individuals, processing requires prior authorization from their legal guardian or custodian. Data may be collected without consent only in order to contact these responsible parties, and solely for that purpose.

Consent may be documented by electronic means or by any other mechanism appropriate to the method used for data collection.

10. How is authorization for use of data handled?

Authorization for the use of personal data is handled by ensuring that data is processed only for the specific, explicit, and lawful purposes for which consent or legal authorization was initially obtained. Any use beyond these purposes requires new, informed consent from the data subject, unless the use is justified by a special law, necessary for fulfilling a contractual obligation involving the data subject, or mandated by a public authority or court order. This framework limits authorization to the specified purposes and preserves the data subject's rights.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Cross-border data transfers are permitted provided that the data subject has given their consent. The regulation mainly governs the storage or transfer of personal data originating from or stored within the Republic of Panama that is confidential, sensitive, or restricted. Such cross-border transfers are allowed only if the data controller or database custodian complies with Panama's personal data protection standards or can demonstrate adherence to data protection standards and regulations equivalent or superior to those required under the DPL.

12. How are data "incidents" and "breaches" defined?

"Incidents" are not specifically defined under the DPL. However, the DPL defines a personal data breach as "any security violation that results in the accidental or unlawful destruction, loss, or alteration of personal data that is transmitted, stored, or otherwise processed, or the unauthorized communication of or access to such data".

13. Are there any notification requirements for incidents and/or data breaches?

In the event of a personal data breach, there is an obligation to notify both (i) the affected individuals and (ii) the relevant authority. The notification must be made within 72 hours of becoming aware of the incident and must be communicated in clear and simple language.

The notification should include the following information:
•    The nature of the incident;
•    The personal data affected (i.e., what data was compromised);
•    The corrective actions taken;
•    Recommendations for data subjects on measures they can take to protect their interests; and
•    Contact information or other means by which the data subject can obtain further details, if needed.

14. Who is/are the privacy regulator(s)?

The privacy regulator in Panama is the National Authority for Transparency and Access to Information (Autoridad Nacional de Transparencia y Acceso a la Información – “ANTAI”), which oversees data protection matters through its Directorate of Personal Data Protection.

15. What are the consequences of a data breach?

In the event of a data breach, the DPL requires notification to the ANTAI and to the affected data subjects without undue delay whenever the breach compromises the confidentiality, integrity, or availability of personal data. Data controllers must also promptly implement corrective measures to mitigate the impact of the breach and prevent future incidents. Depending on the severity and circumstances of the breach, sanctions may be imposed, such as a summons before the ANTAI, monetary penalties, and/or closure or suspension of data storage or processing activities.

16. How is electronic marketing regulated?

The DPL does not specifically regulate marketing or electronic marketing. However, sending marketing communications constitutes processing of personal data for marketing purposes, which requires the prior, informed, and unequivocal consent of the individual. Additionally, marketing communications must comply with the applicable data protection principles and provide recipients with a clear option to unsubscribe from future communications.

17. Are there sector-specific or industry-specific privacy requirements?

There are several sector-specific laws and regulations in Panama that address personal data protection within certain provisions. For example, regulations applicable to banking institutions, telecommunications companies, credit card issuers, document storage service providers, and the health sector, all contain specific data protection requirements tailored to their respective industries.

18. What are the requirements for appointing Data Protection Officers or similar roles?

In Panama, the requirement to appoint a Data Protection Officer ("DPO") depends on the sector or business nature of the data controller. Under the DPL, the private sector is not mandated to designate a DPO; the decision is left to the discretion of each organization. However, certain regulated activities, such as banking, may have specific obligations requiring the appointment of a DPO. In the public sector, which includes government entities, the appointment of a DPO is mandatory.
The required profile for a DPO includes prior professional experience in the field and knowledge of the sector in which the public or private entity operates.

19. What are the record-keeping and documentation obligations?

While the Panamanian data protection framework does not explicitly establish detailed record-keeping and documentation obligations, it can reasonably be inferred that data controllers and processors must maintain documentation, especially of the data subject's consent, in order to ensure traceability.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The Data Protection Law and its regulations address Data Protection Impact Assessments (“DPIA”). Depending on the severity of the risk posed by the data processing and the novelty of the technology used, the ANTAI may require the submission of a data protection impact assessment report.
This report must at least include: a description of the types of data collected, the methodology used for data collection and security guarantees, and an analysis by the data controller regarding the measures, safeguards, and risk mitigation mechanisms adopted.
Furthermore, the ANTAI may request organizations to publish their DPIA reports and recommend the adoption of standards and best practices for personal data processing.

21. What are the requirements for third-party vendor management and data sharing?

Data controllers and/or database custodians who transfer personal data to third parties must maintain an up-to-date record of such transfers. This record should clearly document the details of each transfer to ensure transparency.
Third-party vendors are required to implement appropriate technical and organizational measures to protect personal data, in compliance with applicable data protection laws, and must limit their processing strictly to the purposes authorized by the data controller.
All documentation regarding the transfer of personal data to third parties must be formalized in writing or through any other legally valid means, including electronic methods.

22. What are the penalties and enforcement mechanisms for non-compliance?

The penalties provided under the data protection regulation depend on the type of violation committed, classified as minor, serious, or very serious.
•    For minor violations, the penalty consists of a summons before the ANTAI to address the issue.
•    For serious violations, fines may range from USD 1,000.00 up to USD 10,000.00. 
•    For very serious violations, penalties may include: (i) closure of the database records, without prejudice to the corresponding fine; (ii) temporary or permanent suspension and disqualification from activities involving the storage and/or processing of personal data, without prejudice to the corresponding fine. 
ANTAI follows a formal enforcement process which includes notifying the responsible party of the alleged violation, providing opportunities for submitting responses, and then issuing a resolution imposing the sanction if applicable. The ANTAI documents the facts leading to a sanction, considering the recurrence or repetition of the violation.

23. What are the ongoing compliance and audit requirements?

There are no explicit provisions requiring periodic audits or compliance reports. However, data controllers must implement internal controls to demonstrate ongoing compliance with the DPL and be prepared to respond to information requests from the authority. Where a data breach or incident occurs, the data controller must additionally comply with the specific reporting and response requirements outlined in the response to question 13.

24. Are there any recent developments or expected reforms?

There are no recent developments or anticipated changes to the legislation that we are currently aware of.