Panama Data Privacy Laws: Law 81 Compliance Guide (2026)
Panama enacted Law 81 of March 26, 2019, officially titled the Law on the Protection of Personal Data (Ley de Proteccion de Datos Personales), establishing the country's first comprehensive data privacy framework. The law was published in the Official Gazette on March 29, 2019, and included an 18-month transition period for compliance. Full enforcement began in September 2020, with implementing regulations issued through Executive Decree No. 285 of May 28, 2021.
Panama's data protection law reflects the country's position as a major international business and financial hub. The legislation balances personal data protection with the country's established banking secrecy framework, creating a distinctive regulatory environment for organizations handling both personal and financial data.
This guide covers Panama's data privacy framework under Law 81, including the role of ANTAI, consent requirements, data subject rights, cross-border transfer rules, the interaction with banking secrecy, and enforcement mechanisms.
Overview of Law 81 of 2019
Law 81 applies to the processing of personal data carried out within Panamanian territory and to data controllers established in Panama. The law governs the collection, storage, use, processing, and transfer of personal data by natural persons, legal entities, and public institutions.
Fundamental Principles
The law establishes several foundational principles for data processing:
- Legality: All data processing must have a lawful basis
- Consent: Processing generally requires the data subject's prior, informed consent
- Purpose limitation: Data must be collected for specific, explicit, and legitimate purposes
- Data quality: Personal data must be accurate, complete, and up to date
- Security: Controllers must implement appropriate technical and organizational measures
- Transparency: Data subjects must be informed about processing activities
- Responsibility: Controllers are accountable for compliance with the law
- Loyalty: Data must be processed in good faith
Key Definitions
Personal data (datos personales): Any information concerning an identified or identifiable natural person.
Sensitive data (datos sensibles): Data revealing racial or ethnic origin, political opinions, religious, philosophical, or moral beliefs, trade union membership, health information, sexual life, biometric data, and genetic data.
Data controller (responsable del tratamiento): The natural or legal person, whether public or private, that decides on the purpose and means of data processing.
Data processor (encargado del tratamiento): The natural or legal person that processes personal data on behalf of the controller. Law 81 distinguishes between controllers and processors, following the GDPR model.
Data subject (titular de los datos): The natural person to whom the personal data relates.
Consent Requirements
Consent forms the central pillar of Panama's data protection framework. Law 81 sets specific standards for valid consent.
General Consent Standards
Consent must be:
- Prior: Obtained before the data processing begins
- Informed: The data subject must understand what they are consenting to, including the identity of the controller, the purpose of processing, and the types of data involved
- Express: Consent cannot be implied from silence or inaction
- Unequivocal: There must be no ambiguity about the data subject's intent to consent
Data controllers must be able to demonstrate that valid consent was obtained. The burden of proof lies with the controller.
Sensitive Data
Processing sensitive data requires explicit written consent. The data subject must be clearly informed of the sensitive nature of the data and the specific purposes for which it will be processed.
Sensitive data may be processed without consent only in limited circumstances: when required by law, when necessary to protect the vital interests of the data subject, when the data is made public by the data subject, or when processing is necessary for legal proceedings.
Exceptions to Consent
Law 81 permits data processing without consent when:
- Required by law or regulation
- Necessary for the performance of a contract to which the data subject is a party
- Data comes from publicly accessible sources
- Necessary to protect the vital interests of the data subject
- Necessary for the fulfillment of a legal obligation
- Carried out by public entities within their legal competencies
Data Subject Rights
Panama's data protection law grants individuals a comprehensive set of rights, commonly referred to as the ARCO rights (Access, Rectification, Cancellation/Deletion, and Opposition).
Right of access: Data subjects may request confirmation of whether their personal data is being processed and obtain access to that data. The controller must respond within 15 business days.
Right of rectification: Individuals may request correction of inaccurate, incomplete, or outdated personal data. The controller must make corrections within 10 business days.
Right of deletion (cancellation): Data subjects may request the deletion of their personal data when it is no longer necessary, consent has been withdrawn, or the processing violates Law 81. Controllers must act within 10 business days.
Right of objection: Individuals may object to data processing when they have legitimate grounds, even if the processing is otherwise lawful.
Right of portability: Data subjects may request their personal data in a structured and commonly used format and have it transferred to another controller.
These rights are exercised by submitting a request directly to the data controller. If the controller fails to respond or the data subject is dissatisfied with the response, the data subject may file a complaint with ANTAI.
ANTAI: The Supervisory Authority
The Autoridad Nacional de Transparencia y Acceso a la Informacion (ANTAI) serves as Panama's supervisory authority for data protection under Law 81. ANTAI was originally established to oversee transparency and access to public information, and Law 81 expanded its mandate to include personal data protection.
Powers and Functions
ANTAI exercises the following functions under Law 81:
- Regulatory guidance: ANTAI issues resolutions, guidelines, and opinions on data protection compliance
- Complaint handling: The authority receives and investigates complaints from data subjects
- Inspections: ANTAI conducts compliance inspections of data controllers and processors
- Sanctions: The authority imposes administrative penalties for violations
- Cross-border transfer oversight: ANTAI evaluates adequacy of foreign data protection regimes
- Public awareness: The authority promotes awareness of data protection rights among the public
Registration
Law 81 requires data controllers to register their databases with ANTAI. The registration must include information about the controller, the categories of data processed, the purposes of processing, and any cross-border data transfers.
Legal Bases for Processing
Beyond consent, Law 81 recognizes several legal grounds for data processing:
Consent: Prior, informed, express, and unequivocal consent of the data subject.
Contractual necessity: Processing necessary for the performance of a contract with the data subject.
Legal obligation: Processing required to comply with a legal obligation applicable to the controller.
Vital interests: Processing necessary to protect the vital interests of the data subject.
Public authority: Processing necessary for the exercise of official authority vested in the controller.
Publicly available data: Processing of data that has been made public by the data subject.
Panama's framework does not include a standalone "legitimate interests" basis comparable to the GDPR. This means organizations that rely on legitimate interests under European law must identify an alternative basis when processing personal data subject to Panamanian jurisdiction.
Cross-Border Data Transfers
Law 81 regulates international transfers of personal data using an adequacy-based model with supplementary transfer mechanisms.
Adequacy Standard
Personal data may be transferred to countries that ANTAI has determined provide an adequate level of data protection. ANTAI evaluates the legal framework of the recipient country, the existence of an independent supervisory authority, and the availability of effective remedies for data subjects.
Alternative Transfer Mechanisms
When a recipient country lacks an adequacy determination, transfers may proceed if:
- The data subject provides express consent to the specific transfer after being informed of the risks
- The transfer is necessary for the performance of a contract between the data subject and the controller
- The transfer is necessary for the conclusion or performance of a contract in the data subject's interest
- The transfer is necessary for important public interest reasons
- The transfer is necessary for the establishment, exercise, or defense of legal claims
- Standard contractual clauses approved by ANTAI are in place
- The controller provides adequate guarantees through binding corporate rules or other instruments approved by ANTAI
Financial Data Transfers
The interaction between Law 81 and Panama's banking secrecy framework creates additional considerations for financial data transfers, discussed in the next section.
Banking Secrecy and Data Protection
One of Panama's most distinctive features is the interaction between its data protection law and its longstanding banking secrecy regime.
The Banking Secrecy Framework
Panama's banking secrecy is established under the Banking Law (Decree-Law No. 238 of 1970, as amended by Decree-Law No. 2 of 2008 and Law 23 of 2015). Under this framework, banks and financial institutions are prohibited from disclosing client information to third parties without the client's authorization or a court order.
How the Two Regimes Interact
Law 81 applies to personal data processed by financial institutions, but it does not override the specific protections provided by banking secrecy legislation. In practice:
- Financial institutions must comply with both Law 81's general data protection requirements and the banking secrecy provisions
- Banking secrecy provides an additional layer of protection for financial personal data beyond what Law 81 requires
- Disclosure of banking information requires either the client's specific authorization or a judicial order, even when Law 81 might otherwise permit processing on another legal basis
- International cooperation requests for financial data follow separate procedures under Panama's anti-money laundering framework (Law 23 of 2015)
Organizations in the financial sector should implement compliance programs that address both regimes simultaneously, recognizing that the stricter standard applies when the two frameworks overlap.
Enforcement and Penalties
ANTAI has the authority to impose administrative sanctions for violations of Law 81.
Sanction Framework
Warnings: For minor or first-time violations, ANTAI may issue formal warnings requiring corrective action within a specified period.
Fines: Law 81 establishes fines ranging from 1,000 to 10,000 balboas (equivalent to USD since the balboa is pegged 1:1 to the US dollar) for initial violations, and up to 25,000 balboas for repeated or serious violations.
Suspension of processing: ANTAI may order the temporary or permanent suspension of data processing activities.
Database closure: In severe cases, ANTAI may order the closure of a database that has been used in violation of the law.
| Violation Type | Penalty Range |
|---|---|
| Minor/first-time | Warning or 1,000-10,000 balboas |
| Repeated/serious | Up to 25,000 balboas |
| Severe | Suspension or database closure |
Enforcement Activity
ANTAI has gradually developed its enforcement capacity since Law 81's full implementation. The authority processes complaints and has begun conducting proactive compliance reviews, particularly in sectors that handle large volumes of personal data such as telecommunications, financial services, and healthcare.
Recent Developments
Panama's data protection landscape continues to evolve.
Implementing regulations: Executive Decree No. 285 of May 28, 2021, provided detailed guidance on Law 81's implementation, including procedures for exercising data subject rights, database registration requirements, and the complaint process before ANTAI.
ANTAI capacity building: ANTAI has been working to build its data protection expertise, including training staff, developing enforcement protocols, and engaging with international data protection networks.
Financial sector coordination: Given the importance of Panama's financial services sector, there has been coordination between ANTAI and the Superintendency of Banks (Superintendencia de Bancos de Panama) to clarify the interaction between data protection and banking secrecy obligations.
Digital government initiatives: Panama's government has advanced digital transformation projects, including the expansion of the Panama Digital platform. These initiatives require ongoing alignment with Law 81's requirements.
International engagement: Panama participates in the Ibero-American Data Protection Network (RIPD) and has engaged with regional partners on data protection standard-setting and mutual cooperation.
Sources and References
Sources and References
- ANTAI - Official Website(antai.gob.pa).gov
- Gaceta Oficial Digital de Panama - Law 81(gacetaoficial.gob.pa).gov
- Superintendencia de Bancos de Panama(superbancos.gob.pa).gov
- Asamblea Nacional de Panama(asamblea.gob.pa).gov
- Ibero-American Data Protection Network (RIPD)(redipd.org)
- UNCTAD - Data Protection Legislation Worldwide(unctad.org)