Law No. 81 of March 26, 2019, which entered into force just two months ago, on March 29, has finally been regulated since last Friday May 28, through Executive Decree 285, establishing tangible guidelines for compliance with the principles, rights, obligations and procedures for a real protection to the handling of private, personal, confidential or sensitive data.

The regulation imposes specific obligations on the person in charge / custodian of the database, among the most relevant are: (i) having protocols, (ii) appointing a Compliance Officer, (iii) traceability of consents and register of all persons authorized to access the database, (iv) minimum acceptable when requesting information; (v) deadlines for responding to the data holders; (vi) 72-hour period to notify access/misuse of the database (hacking) and (vii) joint liability of the participants in the chain of processing of personal data.

It also defines the category of biological, genetic and data profiling; the powers of the regulator are also recognized; the power to carry out on-site inspections of those responsible/custodians; the imposition of sanctions according to the seriousness, proportionality, intentionality, benefit, and billing affected by the fault; as well as the statute of limitation for penalties imposed.

This regulation determines that all companies, regardless of their country of origin or activity, must comply with the law if they collect, store, use or manage any type of data from persons who are in Panamanian territory; except those activities regulated by special laws, as long as they comply with the standards for the correct protection and processing of data. From now on, companies will have to show their conditions to collect data in a simple and easily accessible way, using clear language and always informing about each purpose for the data processing.