Resource Data

The Personal Data Protection Regime of Bank Customers in Panama

By Agreement No. 001-2022 of February 24, 2022 (hereinafter “Banking Agreement 001”), the Superintendence of Banks of the Republic of Panama dictates special guidelines for the protection of personal data processed by banking entities Panamanians.

Banking Agreement 001 is intended to establish the protocols, processes, procedures, mechanisms and other special rules relating to the processing, transfer and custody of personal databases; as well as the guidelines for the exercise of personal data protection rights that banks must follow, as responsible for the processing of their customers’ personal data.

Banking Agreement 001 is primarily based on the following provisions of the Panamanian legal system:

  • Political constitution: which establishes that everyone has the right to access the information contained in public and private databases or registers, and to demand their rectification and protection, as well as their deletion, in accordance with the provisions of the law.
  • Law No. 81 of 2019, which establishes the general regime for the protection of personal data.
  • Decree-Law No. 2 of 2008, amending Decree-Law 9 of 1998, which reforms the banking regime, known as the “Banking Law”.
  • Executive Decree No. 285 of 2021, which regulates Law No. 81 of 2019.

The banking agreement 001 establishes the responsibilities without prejudice to those established in the general personal data protection regime of the banks, to be developed through their boards of directors, namely:

  • Establish and ensure that an adequate organizational and operational structure of delegation of authority and segregation of duties is maintained to ensure the application of personal data protection principles and rights throughout the organization.
  • Approve the necessary resources for the adequate development of the personal data protection measures established in Law 81 of 2019 and the regulations that develop it.
  • Approve the policies and procedures that the entity will implement to comply with regulatory obligations related to the protection of personal data.
  • Approve training, updating and certification programs in the field of data protection.
  • Foster a culture of personal data protection at all levels of the organization, extending to data custodians and banking service providers.
  • Approve procedures for receiving and responding to data subject inquiries and complaints.

In addition to the responsibilities set forth above, to certify regulatory compliance, banks must submit annually to the Superintendence of Banks of Panama (SBP), a certification signed by the president and secretary of its board of directors, which states that following :

  • That the Board of Directors is aware of the standards provided for in the Personal Data Protection Regime and the provisions established in Banking Agreement 001.
  • That the bank has policies and procedures for managing the protection of personal data.
  • That the board of directors has been informed of the effectiveness of the personal data protection measures put in place by the bank.

Finally, it establishes the obligation to appoint, within the bank’s organization, a data protection officer who, depending on the importance and degree of complexity of its activities, operations, services and the nature, the volume and means of data processed, allows him to properly manage the functions assigned by the general data protection regime and the banking agreement 001. Said data protection officer will exercise his functions independently, in direct dialogue with the management General, as a decision-making body. For the above, the bank must grant the manager sufficient authority, hierarchy and independence within the organization and provide the necessary resources to guarantee the performance of his duties.

The provisions included in the Panamanian regulations on the protection of personal data applicable to banking institutions aim to assimilate the competitiveness of the Panamanian banking system to international standards and to guarantee the protection of the personal data of consumers of financial products in Panama.