The protection of Personal Data is being regulated for the first time in Panama with the implementation of the Law 81 of March 26th 2019, aligning with the most developed economies of the world. This law has been created with the purpose of establishing principles, rights, obligations and procedures; Panama has taken a leap to regulate the problematic issue of handling personal data in a globalized world.

But...What is personal data? It's any information related to a person that can be used to identify a person directly or indirectly. It can be any bit of information or item, a name, a photo, an e-mail address, banking information, public publications on web sites, medical information or from a computer IP.

The new norm establishes that all companies, independently of the country of origin or activity, must comply with if they collect, store, use or manage any type of data or information of citizens that are within the Panamanian territory, with the exception of those subjects or activities regulated by special laws, as long as they comply with the standard for the correct protection and processing of data.

"The users must be aware that the companies that manage personal data have now new obligations"

This regulation includes and recognizes rights such as cancellation and portability. The first one establish that the citizens may request and ascertain that their personal information is removed when the information is incorrect, , is irrelevant, incomplete, false, or even when the data is no longer necessary for the purpose for which they were collected. The service provider is obligated to discard the data after 7 years.

While, the right to access allows that information be stored electronically, it should be retrievable in a format e.g. Excel to allow easy sharing with other responsible parties. The data must be "in an structured format, of common use and mechanical lecture (like Excel) so that the information can be easily facilitated and transmitted to a third responsible party and facilitate the exchange of information from the service provider.


  • Treatment of personal data can only be accomplished when:
  • The person provides his consent Is part of compliance to a contractual obliga-
  • tion Becomes a necessity for the compliance of an
  • obligation The treatment of the personal data is regula-ted and authorized by a special Law

By implementation of the Data Privacy Law, request for consent must be given in a way that allows its traceability through documents, electronically or by any other mean, suitable to the case and it can be revoked, without retroactive effect. The companies should display their conditions in a comprehensive and accessible way, using clear and simple language, always informing the purpose of each request

The law grants all rights and obligations to the bearers who, are registered in a data base before the law goes into effect.

In the case of security breach, the companies must inform authorities and also the users whose information has been compromised.


The law creates the Personal Protection Data Council to advise the existing National Authority for Transparency regarding the access to information of personal data.


The sanctions applied to offenders of the norm will go from $1,000.00 Dollars up to $10,000.00 Dollars, sanctions that would be applied by the Transparency and Access to Information Authority (ANTAI).


This Law will enter into full effect two years after its promulgation, this means as of 26 of March 2021, to allow companies enough time to the companies for the proper treatment and custody of personal data, and to adopt the proper controls. Here in Arias we are ready to provide you with the proper advice in regards to the implementation of this Law.