
Data & Privacy · Panama

Data protection & privacy laws in Panama (2026)

Comprehensive law: Law No. 81 of 26 March 2019 on Personal Data Protection (Ley 81 de Protección de Datos Personales), implemented by Executive Decree No. 285 of 28 May 2021; supervised by the Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI) through its Directorate of Personal Data Protection

Country index 70 · B


Panama enacted a comprehensive, GDPR-inspired personal data protection law — Law No. 81 of 2019 — which entered into force on 29 March 2021 alongside its implementing regulation, Executive Decree 285 of 2021. The law establishes broad data-subject rights, controller obligations, cross-border transfer rules, and assigns enforcement authority to ANTAI. As of 2025–2026, ANTAI has formally transitioned from an educational outreach phase toward active compliance auditing and sanctions enforcement.

Key points

Comprehensive Legal Basis

Law No. 81 of 26 March 2019, supplemented by Executive Decree No. 285 of 28 May 2021, is Panama's primary data protection statute. It covers personal data processed by both public and private entities and is modelled on GDPR-style principles including purpose limitation, proportionality, and loyalty.

Supervisory Authority — ANTAI

ANTAI (Autoridad Nacional de Transparencia y Acceso a la Información), through its Directorate of Personal Data Protection, is the sole competent supervisory authority. It investigates complaints, conducts ex-officio audits including on-site inspections, issues guidance, approves contractual clauses, and imposes administrative sanctions.

Data Subject Rights (ARCO+P)

Data subjects hold rights of Access, Rectification, Cancellation, Opposition, and Portability. Data controllers must satisfy requests within 10 business days. Constitutional protections also underpin the right of access to personal data held in public and private registries.

Data Breach Notification

Upon becoming aware of a security breach, data controllers must notify ANTAI and all affected data subjects within 72 hours. Decree 285 also authorises ANTAI to require a Data Protection Impact Assessment (DPIA) when processing activities carry elevated risk or use novel technology.

Cross-Border Data Transfers

International transfers are permitted where the destination country offers equivalent or higher protection, or where adequate guarantees exist — such as ANTAI-validated standard contractual clauses, binding corporate rules approved by ANTAI, or other mechanisms recognised by the authority.

Sanctions & Enforcement Trajectory

Sanctions range from USD 1,000–10,000 for grave infractions to permanent suspension of operations for very grave violations. In October 2025, the inaugural meeting of the Data Protection Council signalled a formal shift toward rigorous enforcement and active sanctioning after an initial education-focused implementation phase.


Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.