Law Name

Proyecto de Ley de Protección de Carácter Personal (2017)

Link to the Law

Data Transfer

Data transfer is allowed as long as the company or the country has comparable data security measures and standards in place, or if the place to which the data is being transferred adopts all the necessary steps to protect and meet the applicable international standards of data protection. For a transfer of data, the motive must be made clear, the data subject should be notified of the transfer, and the maximum amount of time that the data will be used and how it will be destroyed must be made clear. Data can only be used for the reason it was initially collected. Sensitive data cannot be transferred unless the data subject has given express authority to do so, or the transfer is necessary to safeguard the data subject's life (if the data subject cannot expressly give consent), or the data is needed for defense in a judicial process, or the data is used for historical, statistical or scientific purposes; in these cases the identity of the data subject must remain anonymous.

Data Sharing

The data subject has the right to deny the use of their data for purposes that are not directly related to the reason it was collected (such as marketing purposes). Data can only be used if it was consented to or if other legal dispositions authorize it. The data subject should be informed about the future use of their data. Consent is not needed if the data is in a public database, if it deals with economic or banking purposes previously consented to, medical or public health cases, or information used for historical, statistical or scientific reasons. For health data, consent must be given prior to the use of the data; it should be express and irrefutable. Public and private health establishments and medical professionals can collect and process data relative to physical and mental health under their treatment while respecting professional privacy and following the laws dictating this.

Data Retention

The data subject has the right to access their data, to rectify incorrect, irrelevant, incomplete, inexact or false data, and to cancel or eliminate incorrect, irrelevant, incomplete, inexact or false data. The data subject also has the right to oppose the use of their data and to revoke consent on founded and legitimate grounds.


The agency responsible should establish procedures and protocols for secure transfer that protect the rights of the data subject. Data should be modified and corrected when it is incorrect or false. The agency responsible for the database has the right to eliminate, modify, or block data without notifying the data subject when there is proof of inexact data. This falls under the authority of the ANTAI.


The “Autoridad de Transparencia y Acceso a la Información” (ANTAI), with the aid of the “Autoridad Nacional para la Innovación Gubernamental” (AIG), are the supervising authorities. The ANTAI regulates the procedures for handling claims of violations or infractions. The ANTAI can request necessary information and verify information when a claim of an infraction is presented.

Breach Notification

Infractions of any of the obligations stated in the law must be made known to the ANTAI, which will then apply the corresponding sanctions unless the infraction corresponds to another public entity. Infractions are categorized as either light or grave and are handled according to their level of severity as stated in the law.

Health Privacy Law

Does not appear to have a Health Privacy Law.

Electronic Health Records Law 

Resolución No. 0690 (2016), Por medio de la cual se adopta el Convenio para el Sistema Electrónico de Información de Salud (SEIS)

The resolution formally adopts SEIS, which is directed towards medical professionals so that they know how to operate the system with the technical and administrative health of the “Convenio”.


Law 51 (2008) defines and regulates electronic documents and electronic signatures. Law 82 (2012) amends the law for electronic signatures and modifies Law 51. Decree 684 (2013) regulates Law 51 and Law 82.

In 2016 a Bill was passed that updated the data protection laws in Panama.