Panama Data Privacy Laws: Law 81 and Executive Decree 285 Compliance Guide

Panama Data Privacy Laws: Law 81, Executive Decree 285, and ANTAI Oversight
Panama's primary data protection statute is Law 81 of March 26, 2019 (Ley 81 de Protección de Datos Personales), supplemented by Executive Decree 285 of May 28, 2021. Both instruments entered into force on March 29, 2021. The Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI) supervises compliance, investigates complaints, and imposes sanctions. For Panama's recording consent rules, see Panama recording laws.
Information last verified on May 19, 2026. This article has not been reviewed by a licensed Panamanian attorney.
Jurisdiction scope: This article addresses Panama's national data protection framework under Law 81 of 2019 and Executive Decree 285 of 2021, including constitutional foundations, ANTAI oversight, and sectoral rules for banking, insurance, and credit. It does not address Panama's banking secrecy law in full detail; for recording law rules, see Panama recording laws.
Quick Answer: What Governs Personal Data in Panama?
Panama's data protection regime rests on three interlocking layers. At the constitutional level, Articles 29, 42, 43, and 44 of the Political Constitution of the Republic of Panama protect privacy, guarantee access to personal data in public and private registries, and create the habeas data action. At the statutory level, Law 81 of March 26, 2019, establishes the principles, rights, obligations, and procedures that govern processing of personal data by any natural person, legal entity, or public body operating in Panama. At the regulatory level, Executive Decree 285 of May 28, 2021 provides the operational rulebook: registration procedures, breach notification timelines, data subject request workflows, cross-border transfer mechanisms, and sanction procedures. ANTAI, through its dedicated Personal Data Directorate, is the sole supervisory authority. The balboa is pegged 1:1 to the US dollar, so all fines and thresholds cited below translate directly to USD.
Constitutional Foundations and Habeas Data
Panama's Constitution (as amended through 2004) contains four provisions that directly underpin data protection.
Article 29 declares the inviolability of private correspondence and documents. It prohibits interception or recording of private communications without a judicial warrant, and extends this protection to digital and electronic communications. This provision is the constitutional source of Panama's all-party consent rule for private conversations and sits at the intersection of recording law and data protection.
Article 42 grants every person the right to access their personal information held in public or private data banks or registries, to request correction and protection of that information, and to request its deletion under conditions set by law. It specifies that such information may be collected only for specific purposes, with the data subject's consent or by order of a competent authority.
Article 43 grants access to information of general interest held in databases run by public servants or by private persons providing public services.
Article 44 creates the constitutional writ of habeas data (acción de habeas data). Any person may file this writ to enforce their rights of access to personal data in official or private registries, and to demand correction, updating, rectification, deletion, or protection of that data. The habeas data action operates as a constitutional guarantee independent of and complementary to the administrative complaint procedure before ANTAI.
"Every person may submit a writ of habeas data in order to enforce the right to access to his/her personal information stored in official or private data banks or registries."
- Political Constitution of the Republic of Panama, Article 44
Panama also ratified the American Convention on Human Rights, whose Article 11 prohibits arbitrary interference with private life, family, home, or correspondence. This treaty obligation reinforces the domestic constitutional framework.
Law 81 of 2019: Scope, Definitions, and Principles
Law 81 applies to the processing of personal data carried out within Panamanian territory, and to data controllers established in Panama even when processing occurs outside the country. Executive Decree 285 broadened territorial reach further: Law 81 also applies to controllers who process personal data via the internet or other electronic or digital channels in connection with commercial activities directed at the Panamanian market. This extraterritorial clause mirrors the GDPR's targeting criterion and means foreign companies serving Panamanian consumers must assess their exposure.
Core Definitions
Personal data (datos personales): Any information concerning an identified or identifiable natural person.
Sensitive data (datos sensibles): Data that belongs to the "intimate sphere" of the owner and whose unlawful use could give rise to discrimination or serious risk. The law's categories include racial or ethnic origin; religious, philosophical, or moral beliefs; trade union affiliation; political opinions; health information; sexual orientation or sexual life; biometric data; and genetic data.
Data controller (responsable del tratamiento): The natural or legal person, public or private, that decides the purposes and means of data processing.
Data processor (encargado del tratamiento): The natural or legal person that processes personal data on behalf of the controller. Law 81 requires a written contract between the controller and any processor specifying security obligations, the scope of authorized processing, and confidentiality duties.
Data subject (titular de los datos): The natural person to whom personal data relates.
Database (base de datos): Any organized set of personal data, regardless of the medium (digital or paper).
The Eight Principles
Law 81 establishes eight foundational principles binding on all data controllers:
| Principle | Substance |
|---|---|
| Legality | Processing must have a lawful basis recognized by Law 81 |
| Consent | Processing requires prior, informed, express, and unequivocal consent unless an exception applies |
| Purpose limitation | Data collected for specific, explicit, and legitimate purposes; no incompatible secondary use |
| Data quality | Data must be accurate, complete, and kept up to date |
| Security | Controllers must adopt appropriate technical and organizational measures |
| Transparency | Data subjects must be informed of processing activities |
| Accountability | Controllers are responsible for compliance and must be able to demonstrate it |
| Loyalty | Data must be processed in good faith, respecting the reasonable expectations of data subjects |
Failure to comply with any principle is a violation triable before ANTAI under the three-tier sanction framework described below.
Legal Bases for Processing
Law 81 recognizes six legal bases on which personal data may be processed without infringing the law.
Consent: The default basis. Consent must be prior (obtained before processing begins), informed (the data subject has been told the identity of the controller, the purposes of processing, the types of data involved, and their ARCO rights), express (silence or inaction does not constitute consent), and unequivocal (no ambiguity about the data subject's intent). Controllers must be able to demonstrate that valid consent was obtained; the burden of proof lies with the controller.
Contractual necessity: Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at their request before entering the contract.
Legal obligation: Processing is required to comply with a legal obligation applicable to the controller under Panamanian law.
Vital interests: Processing is necessary to protect the vital interests of the data subject or another natural person when the data subject is physically or legally incapable of giving consent.
Public authority: Processing is necessary for the exercise of official authority vested in the controller, including public entities acting within their legal competencies.
Publicly available data: The data has been made manifestly public by the data subject themselves.
Panama's law does not include a standalone "legitimate interests" basis comparable to GDPR Article 6(1)(f). Organizations that rely on legitimate interests in European operations must identify an alternative basis when processing data subject to Panamanian jurisdiction.
Sensitive Data: Stricter Standards
Processing sensitive data requires explicit written consent as the default rule. Written consent must clearly identify the sensitive nature of the data and the specific purposes for which it will be processed. Exceptions are narrow: processing without written consent is permitted only when required by law, to protect the vital interests of the data subject, when the data subject has made the data manifestly public, or when processing is necessary for legal proceedings in which the data subject is a party.
ANTAI: The Supervisory Authority
The Autoridad Nacional de Transparencia y Acceso a la Información was created by Law 6 of 2002 to oversee transparency and access to public information. Law 81 of 2019 expanded ANTAI's mandate to include personal data protection, and Executive Decree 285 of 2021 established a dedicated Personal Data Directorate within ANTAI.
Powers and Functions
ANTAI's Personal Data Directorate holds the following powers under Law 81 and Decree 285:
- Receiving, investigating, and resolving complaints filed by data subjects
- Initiating ex officio investigations and audits of data controllers and processors
- Issuing binding resolutions, guidance notes, and opinions on compliance questions
- Evaluating whether foreign countries provide adequate data protection for cross-border transfer purposes
- Ordering corrective measures and imposing administrative sanctions
- Promoting public awareness of data protection rights
- Coordinating with sectoral regulators (Superintendency of Banks, Superintendency of Insurance, telecommunications regulator) on sector-specific rules
Complaint Procedure Before ANTAI
A data subject who believes their rights under Law 81 have been violated may file a complaint with ANTAI. The Decree 285 procedural roadmap requires ANTAI to acknowledge the complaint, notify the controller, allow the controller an opportunity to respond, and then issue a resolution. If a violation is found, ANTAI orders corrective action and may impose sanctions. Controllers are guaranteed due process throughout. Data subjects dissatisfied with ANTAI's resolution may appeal to the administrative courts.
Database Registration
Law 81 requires data controllers to register their databases with ANTAI. The registration must include: the identity and contact details of the controller; the categories of personal data processed; the purposes of processing; any third parties to whom data is disclosed; and any cross-border transfers planned. Failure to register is itself a violation subject to sanction. ANTAI maintains the registry and publishes guidance on the registration process through its website at antai.gob.pa.
Data Subject Rights (ARCO Plus Portability)
Law 81 grants five rights to data subjects, enforceable by complaint to ANTAI or by habeas data writ to the courts.
Right of Access (Derecho de Acceso)
A data subject may request confirmation of whether their personal data is being processed, and if so, obtain a copy of that data together with information about the purposes of processing, the categories of data involved, and the recipients of the data. The controller must respond within 15 business days of receiving a valid request.
Right of Rectification (Derecho de Rectificación)
A data subject may request correction of inaccurate, incomplete, or outdated personal data. The controller must make the correction within 10 business days. Corrected data must be communicated to any third parties to whom the data was previously disclosed.
Right of Cancellation or Deletion (Derecho de Cancelación)
A data subject may request deletion of their personal data when: the data is no longer necessary for the purpose for which it was collected; consent has been withdrawn and no other legal basis exists; the data was collected unlawfully; or a legal obligation requires deletion. The controller must act within 10 business days. Data subject to legal retention requirements cannot be deleted during the mandatory retention period but must be blocked from further active processing.
Right of Opposition (Derecho de Oposición)
A data subject may object to processing even when that processing is otherwise lawful, if they have legitimate grounds relating to their particular situation. Controllers must cease processing unless they can demonstrate compelling legitimate grounds that override the data subject's interests.
Right of Data Portability
Data subjects may request their personal data in a structured and commonly used format and have it transferred directly to another controller. This right applies where processing is based on consent or contractual necessity and is carried out by automated means.
Exercising Rights and ANTAI Escalation
All five rights are exercised by submitting a written request directly to the data controller. If the controller fails to respond within the applicable deadline, responds inadequately, or refuses the request, the data subject may file a complaint with ANTAI or bring a habeas data writ before the courts. ANTAI's complaint procedure is free of charge.
Consent in Detail
Consent is the central mechanism under Law 81, and Decree 285 elaborates its requirements.
Prior: Consent must be obtained before any processing begins. Retroactive consent is not valid.
Informed: The controller must disclose, at minimum: the controller's identity and contact details; the purposes and legal basis for processing; the categories of data to be collected; the data subject's rights; any transfers to third parties; and whether the data will be transferred outside Panama and the safeguards in place.
Express: Consent cannot be inferred from silence, pre-ticked boxes, or inaction. The data subject must take a positive, affirmative step.
Unequivocal: There must be no reasonable doubt about the data subject's intent. Bundled consent (where agreement to one thing is treated as consent to unrelated processing) is problematic under this standard.
Withdrawable: Data subjects may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Controllers must provide a mechanism for withdrawal that is as easy as the mechanism for giving consent.
Documented: Controllers must retain evidence of consent, including the date, the information provided to the data subject, and the mechanism by which consent was expressed. This documentation is the primary evidence in any ANTAI enforcement proceeding.
Breach Notification
Executive Decree 285 establishes Panama's breach notification obligations. When a controller becomes aware of a security breach that is likely to result in a high risk to the rights and freedoms of data subjects, the controller must notify both ANTAI and the affected data subjects.
Timeline: Notification to ANTAI must be made within 72 hours of becoming aware of the breach. Where notification within 72 hours is not possible, the notification must explain the reason for the delay.
Content of ANTAI notification: The nature of the breach; the categories of personal data affected; the approximate number of data subjects affected; the likely consequences of the breach; the measures taken or proposed to address the breach and mitigate its effects; and the name and contact details of the data protection officer or other contact point.
Notification to data subjects: Where the breach is likely to result in a high risk to the data subjects' rights and freedoms, the controller must also notify affected individuals in clear and plain language, without undue delay, describing the nature of the breach and the measures they can take to protect themselves.
A breach that is unlikely to result in a high risk to data subjects does not require notification to data subjects, but must still be documented internally in the controller's record of processing activities and reported to ANTAI.
Data Protection Officer
Decree 285 creates a Data Protection Officer (DPO) role in Panama. The DPO designation is not universally mandatory for the private sector under Law 81 as currently enacted; however, Decree 285 specifies that whether an organization has designated a DPO is a factor that ANTAI considers when determining the grade and severity of penalties. In practice, organizations processing large volumes of personal data or handling sensitive data are strongly advised to appoint a DPO.
For the insurance sector, Insurance Regulation 5-2025 (enacted August 5, 2025) made DPO appointment mandatory for all regulated insurance entities, including insurance companies, reinsurers, brokers, and sales agents.
The DPO's functions include: monitoring compliance with Law 81 and Decree 285; advising on data protection impact assessments; serving as the point of contact with ANTAI; and raising awareness and training staff. The DPO must report directly to the highest management level of the organization.
Data Protection Impact Assessments
Law 81 and Decree 285 empower ANTAI to order a data protection impact assessment (DPIA) when processing presents serious risks to personal data, particularly where new technologies are involved. The DPIA must include, at minimum:
- A description of the type of data collected and the methodology for collection
- An analysis of the purposes and necessity of the processing
- The technical and organizational security measures implemented
- An assessment of the risks to data subjects' rights and the mitigation measures adopted
ANTAI may request that organizations publish their DPIA reports and may suggest adoption of specific standards or practices. Organizations engaging in large-scale processing of sensitive data, systematic profiling, or deployment of novel tracking technologies should conduct a DPIA proactively, regardless of whether ANTAI has specifically ordered one.
Cross-Border Data Transfers
Law 81 uses an adequacy-based model for international data transfers, comparable to GDPR Chapter V.
Adequacy Determinations
Personal data may be freely transferred to countries that ANTAI has determined provide an adequate level of data protection. In evaluating adequacy, ANTAI considers: the legal framework of the recipient country; the existence of an independent supervisory authority with effective enforcement powers; and the availability of judicial remedies for data subjects. ANTAI maintains the list of adequate countries and updates it periodically.
Transfer Mechanisms Without Adequacy
When the destination country lacks an ANTAI adequacy determination, transfers may proceed only if one of the following safeguards is in place:
| Mechanism | Requirements |
|---|---|
| Express consent | Data subject is informed of the destination country and the absence of adequacy, and gives express consent to that specific transfer |
| Contractual necessity | Transfer necessary for a contract between data subject and controller, or for a contract in the data subject's interest |
| Important public interest | Transfer necessary for compelling reasons of public interest recognized by Panamanian law |
| Legal claims | Transfer necessary for the establishment, exercise, or defense of legal claims |
| Standard contractual clauses | Clauses approved by ANTAI incorporated into the transfer agreement |
| Binding corporate rules | Internal rules approved by ANTAI for intragroup transfers |
| Adequate guarantees | Other safeguards approved by ANTAI providing equivalent protection |
Organizations relying on standard contractual clauses should use or adapt clauses that ANTAI has approved, not simply adopt EU-style SCCs without ANTAI review, because ANTAI approval is required for the mechanism to be valid under Panamanian law.
Financial Data and Banking Secrecy Interaction
Cross-border transfers of financial personal data require compliance with both Law 81's transfer rules and Panama's banking secrecy framework. Panama's Banking Law (Decree-Law 9 of 1998, as amended by Law 23 of 2015) prohibits banks from disclosing customer information to third parties outside Panama without the customer's specific written authorization or a judicial order. The banking secrecy standard is stricter than Law 81's general consent standard for transfers, so financial institutions must satisfy both.
Sectoral Rules That Stack on Top of Law 81
Several regulatory instruments issued after Law 81 came into force create additional data protection obligations for specific sectors.
Banking: Superintendency Rule 1-2022
On February 24, 2022, the Superintendency of Banks of Panama (Superintendencia de Bancos de Panamá, SBP) issued Rule 1-2022, which provides specific guidelines for the protection of personal data processed by banks established in Panama. Rule 1-2022 requires banks to align their data processing practices with Law 81 and sets out additional requirements for customer data governance, including enhanced security controls and specific protocols for customer-data sharing within financial groups. Banks must comply with both Rule 1-2022 and Law 81; when the two overlap, the stricter standard applies.
Public Utilities: Resolution AN 1267-ADM/2023
On June 14, 2023, ANTAI issued Resolution AN 1267-ADM/2023, which addresses the protection of personal data in the context of public utilities and services. The resolution establishes specific obligations for public utility providers regarding customer data, including transparency requirements, retention limits, and complaint handling procedures aligned with Law 81.
Insurance: Regulation 5-2025
On August 5, 2025, the Superintendency of Insurance of Panama (Superintendencia de Seguros y Reaseguros de Panamá) enacted Insurance Regulation 5-2025. The regulation applies to all insurance companies, reinsurers, brokers, sales executives, and other regulated entities that process personal data of insurance consumers or policyholders. Key requirements include:
- Mandatory appointment of a Data Protection Officer within the regulated entity
- A 90-calendar-day compliance period from the regulation's effective date
- Enhanced consent requirements for health and biometric data processed in underwriting
- Specific breach notification obligations to the insurance superintendent in addition to ANTAI
- Data retention limits aligned with the insurance contract lifecycle
Credit Data: Law 24 of 2002
Law 24 of May 22, 2002, regulates information services on the credit history of consumers and customers. This law predates Law 81 and covers entities such as the Asociación Panameña de Crédito (APC), Panama's main private credit bureau. Law 24 grants consumers rights to access their credit files and request correction of errors. Law 81 supplements Law 24 by applying the general ARCO rights framework to credit data processing; where the two overlap, the more specific Law 24 provisions continue to govern credit bureau operations, with Law 81 filling gaps on consent, security, and breach notification.
Penalties and Enforcement
ANTAI's Personal Data Directorate classifies violations into three tiers and applies sanctions proportionate to the tier, the harm caused, and the conduct of the controller.
Three-Tier Violation Framework
| Tier | Examples | Available Sanctions |
|---|---|---|
| Minor violation | Failure to submit required information to ANTAI within a deadline; procedural non-compliance | Summons; formal warning with mandatory corrective action |
| Serious violation | Processing without valid consent; breaching any of the eight principles; restricting ARCO rights; failing to inform data subjects; storing data without adequate security; failing to comply with ANTAI requests | Fine of B/.1,000 to B/.10,000 |
| Very serious violation | Intentional unlawful collection of personal data; repeated serious violations; non-compliance with ANTAI regulatory orders; unauthorized international transfers | Suspension (temporary or permanent) of database; disqualification from processing activities; closure of database |
All fines are denominated in balboas (B/.), which are pegged 1:1 to the US dollar. A fine of B/.10,000 is therefore equivalent to USD 10,000. Factors that affect penalty grade include the severity of the harm, whether the violation was intentional, whether the controller has a DPO, the controller's history of compliance, and whether the controller cooperated with ANTAI's investigation.
Enforcement Activity
ANTAI's Personal Data Directorate has been building enforcement capacity progressively since the law entered into force in March 2021. The authority has processed complaints in telecommunications, financial services, and healthcare sectors. ANTAI has also issued guidance on compliance timelines for database registration and breach notification. Organizations in sectors with large customer data sets should not assume that ANTAI's relative youth as a data protection regulator means enforcement is unlikely; complaint-driven enforcement is active, and ex officio audits have increased.
Recent Developments: 2024 to 2026
Panama's data protection landscape has continued to evolve since Law 81 entered into force.
Insurance Regulation 5-2025 (August 2025): The Superintendency of Insurance enacted Regulation 5-2025 on August 5, 2025, making DPO appointment mandatory for all insurance-sector entities and imposing enhanced data protection obligations sector-wide. Regulated entities had 90 calendar days from the effective date to comply.
Budapest Convention Alignment (October 2024): On October 10, 2024, Panama's National Assembly enacted amendments to the Criminal Code, the Code of Criminal Procedure, and Law 11 of 2015 on international legal assistance in criminal matters. The amendments align Panama's cybercrime legislation fully with the Budapest Convention. New and revised offenses include unlawful interception of data, attacks on system integrity, identity theft, cyber harassment of minors, and non-consensual dissemination of intimate material. The amendments also establish a dedicated chapter on digital evidence covering preservation, real-time collection, and international cooperation. The Budapest Convention alignment strengthens the criminal law backdrop to data breaches, adding potential criminal exposure where breaches involve intentional unauthorized access or interception.
ANTAI Capacity Building: ANTAI has continued to develop its enforcement infrastructure, including staff training, development of sectoral enforcement protocols, and participation in the Ibero-American Data Protection Network (RIPD). ANTAI's engagement with RIPD supports mutual cooperation with data protection authorities in Spain, Argentina, Mexico, and other Ibero-American jurisdictions.
Digital Government and Panama Digital: Panama's government has expanded its Panama Digital platform and digital identity infrastructure. These projects require ongoing alignment with Law 81, particularly regarding the processing of biometric data and digital identity records, which fall within the sensitive data category.
Coordination Between ANTAI and SBP: Following SBP Rule 1-2022, ANTAI and the Superintendency of Banks have maintained coordination on cases involving banking data. Organizations in the financial sector should monitor both regulators for guidance, as enforcement actions can flow from either authority depending on the nature of the violation.
Business Compliance: Practical Steps
Organizations operating in Panama or targeting the Panamanian market should build a compliance program around the following obligations.
Data inventory and mapping: Identify all personal data processed, the legal basis for each processing activity, the categories of data involved, the storage locations, and any third-party processors or cross-border transfers.
Database registration: Register all databases holding personal data with ANTAI before processing begins.
Privacy notices: Provide data subjects with clear, plain-language notices at the point of data collection. Notices must cover the controller's identity, purposes of processing, legal basis, ARCO rights, and any cross-border transfers.
Consent management: Implement mechanisms to obtain, document, and manage consent. Ensure consent is withdrawable and that withdrawal is as easy as giving consent.
Sensitive data protocols: Apply heightened controls to sensitive data categories. Require explicit written consent for any processing of health, biometric, genetic, racial, or other sensitive data, unless a statutory exception clearly applies.
Processor contracts: Sign a written data processing agreement with every third-party processor specifying security obligations, the scope of authorized processing, and confidentiality requirements.
Security measures: Implement technical and organizational security measures appropriate to the risk, including access controls and encryption for sensitive data in transit and at rest.
Breach response plan: Establish a breach detection, assessment, and notification protocol that can deliver ANTAI notification within 72 hours of awareness. Maintain internal records of all breaches.
ARCO request handling: Designate a point of contact for data subject requests and implement a workflow that meets the 15-business-day (access) and 10-business-day (rectification, cancellation, opposition) response deadlines.
DPO designation: Appoint a DPO, particularly for organizations processing large volumes of sensitive data. Insurance-sector entities must appoint a DPO under Regulation 5-2025.
Cross-border transfer review: Assess whether each data transfer destination has an ANTAI adequacy determination. For transfers to non-adequate countries, implement approved safeguards before transferring.
Record of Processing Activities: Maintain a current record of processing activities (Registro de Actividades de Tratamiento) as the primary compliance documentation for ANTAI audits.
Disclaimer
This article presents general legal information about Panama's data protection framework under Law 81 of 2019, Executive Decree 285 of 2021, and related sectoral instruments. It does not constitute legal advice for any specific situation. The information was verified as of May 19, 2026, and reflects the state of Panamanian law as of that date. Legal requirements change; consult a lawyer licensed to practice in Panama for advice on your specific circumstances.
Authorities Cited
Last updated: 2026-05-19. Statutes cited reflect their in-force version as of 2026-05-19.
Sources and References
- ANTAI - Autoridad Nacional de Transparencia y Acceso a la Información (Official Website) (antai.gob.pa)
- Gaceta Oficial Digital de Panamá - Law 81 of March 26, 2019 (gacetaoficial.gob.pa)
- Gaceta Oficial Digital de Panamá - Executive Decree 285 of May 28, 2021 (gacetaoficial.gob.pa)
- Political Constitution of the Republic of Panama (Articles 29, 42, 43, 44) (constituteproject.org)
- Superintendencia de Bancos de Panamá - Rule 1-2022 (superbancos.gob.pa)
- Asamblea Nacional de Panamá (asamblea.gob.pa)
- Council of Europe - Panama cybercrime legislation alignment (October 2024) (coe.int)
- Morgan & Morgan - Insurance Regulation 5-2025 (morimor.com)
- Ibero-American Data Protection Network (RIPD) (redipd.org)
- DLA Piper - Data Protection Laws of the World: Panama (dlapiperdataprotection.com)
- UNCTAD - Data Protection and Privacy Legislation Worldwide (unctad.org)