Some months ago, we published in our web and social networks, our first article about the Relevant Aspects of the Data Protection Law and its Regulation; however, and taking into consideration that article 32 of the Executive Decree No.285 of 2021 establishes that “The regulator or regulatory authority of each sector, shall have a period of nine months, as of the entry into force of this decree, to establish within its regulations all the protocols, processes and procedures of treatment and secure transfers that the regulated subjects must comply with”, therefore the Superintendency of Banks of Panama (SBP), has recently issued the Agreement No. 001-2022 dated February 24, 2022, which establishes special guidelines for the protection of personal data processed by banking entities, which is why, taking into consideration the high importance of this regulation and the impact that it will generate for banks, their customers and generally for banking in Panama, we have decided to publish these short lines with some information that will surely be of interest to the banking sector, account holders, companies and for some fellow scholars of this matter.
As we mentioned succinctly in our first article, in Panama despite the fact that our National Constitution, in its article 42 establishes certain parameters, rights and obligations regarding access, storage and protection of data, it was not until the entry into force of Law 81 of March 26, 2019 (March 29, 2021), that finally our market has a written regulation with principles, obligations, rights and procedures for the processing of data in the country; therefore, later, two (2) months after the entry into force of the aforementioned Law, Executive Decree 285 of May 28, 2021 was issued, regulating Law 81 of Personal Data Protection, all of which, as with any new legal regulation, brought with it some general uncertainty for its recipients; nevertheless, we must reiterate that this regulation is called to generate a radical change in the way banking, financial and legal entities have been handling their clients’ personal information up to now, starting with the main feature and fundamental pillar of this legal norm, which is that, from the date of its entry into force (March 29, 2021), in Panama, in order for the processing of personal data to be lawful, it must be collected and processed with the prior consent of the owner, who also has the right to know what use will be made of his information.
II. Generalities and Relevant Aspects.
With this in mind, and without sharing some sensationalist currents of the market, we must state that Agreement No. 001-2022 of February 24, 2022, does not bring a great change to the guidelines, rights and obligations already established in Law 81 and its regulations, since basically the contributions or changes implemented by this agreement can be summarized in five (5):
1. It creates and establishes the functions of the figure of the Data Protection Officer.
With regards to this change, in addition to specifying its functions, banking entities are obliged to have this figure among their collaborators, and, in addition, the agreement is forceful in stating that he/she shall perform his/her functions with independence, having a direct dialogue with the Senior Management or Top Management, as the decision-making body.
With this in mind, the governing body orders that the Data Protection Officer cannot develop or carry out functions incompatible with his/her duties and purposes and defines as specifically incompatible functions within the Bank’s structure, those carried out by the Internal Audit, Risk and Compliance areas, in order to ensure his/her independence, which we consider will be very difficult to guarantee, since his/her employer will continue to be the bank.
The specific functions to be performed by the Data Protection Officer are developed in Article 23 of Agreement No. 001-2022 of February 24, 2022, but among the most relevant we can point out that he/she must keep a record of the events affecting the protection of personal data processed by the bank, report deficiencies in the data protection systems and measures, coordinate the annual plan of training in data protection matters and be the unit or collaborator of the bank liaison with the data owners.
2. The so-called “technical file” is more specifically regulated.
The agreement assimilates the term “technical file” as all the documentation related to the procedures and processes for the inclusion, conservation, storage, modification, suppression, transfer, and any other personal data processing action.
3. It regulates the obligation to notify the owner of the data, the SBP and the database custodian of incidents of information security violations.
It is particularly important, and in our opinion a missed opportunity for the SBP, not to have established specific terms and deadlines throughout the claims process, since we are basically facing an incomplete regulation or referral to another regulatory text for its complement, i.e., no specific deadline is established for the bank to rule on the claims of the data holders, but they refer to it as follows: “as from the date on which it obtained formal response from the bank or when the bank has not complied with resolving the request or claim within the corresponding term”. Our interpretation of the phrase “the corresponding term”, is that the bank must respond through its Data Protection Officer within the term set forth in Article 4, section “a.” of Agreement 001-2008 of June 18, 2008 “On the System for Handling Claims in Banking Institutions”, which is thirty (30) calendar days, but as we stated at the beginning, we believe that the SBP misses a valuable opportunity to clearly and specifically regulate this term within the process of claims arising from the protection of personal data.
The same fate befalls the process before the SBP itself, which is regulated in the last paragraph of Article 27 of the agreement that concerns us, which states the following:
“Claims submitted to the Superintendency of Banks shall be subject to the procedures and remedies set forth in the Banking Law and in the Banking Agreements related to the matter. Once the Resolution that resolves the process filed before the Superintendency has been communicated and executed, it shall be understood that the governmental channels have been exhausted, without prejudice to the corresponding appeals in the contentious-administrative channels”.
As we can see, no special procedure is established either in the bank or in the SBP itself, but rather the procedure previously created to submit these cases is adopted.
Exactly the same happens with the “security of the processing and transfer of personal data”, since article 25 of agreement 001-2022, establishes that, for the security of the processing and transfer of personal data, the provisions established in the Agreement for the Management of Information Technology Risk and the Agreement on Electronic Banking issued by the SBP will be applied, so that the regulation continues to be referential in its complement.
4. Possible claims available to the holder of personal data who considers that the exercise of his/her ARCO rights has been violated are regulated, and makes it impossible for the holder to go to ANTAI without having exhausted the banking channel, i.e., without first filing a claim with the bank and then with the SBP (see paragraph of Article 27 of Agreement No. 001-2022 of February 24, 2022).
5. An implementation period of twelve (12) months is established for all changes related to the creation of the figure of “Data Protection Officer” (see article 30 of Agreement No. 001-2022 of February 24, 2022).
To conclude this brief article, we are of the opinion that the SBP, has also failed to regulate the Right of Portability contained in numeral 5 of Article 15 of Law 81 of March 26, 2019, therefore, without a doubt, there is ample discretion for banks to develop their policies regarding the respect of this right and how to comply with the legal mandate.