Superintendency of Banks concludes public consultation on guidelines for personal data protection in the banking sector
February 21, 2022


On February 21, the Superintendency of Banks of Panama (SBP in Spanish) concluded the public consultation on the draft special guidelines for the protection of personal data processed by banking entities. The document establishes the protocols, mechanisms and special rules for the treatment, transfer and custody of databases, as well as the guidelines for their protection. In this regard, it includes provisions regulating the right to the portability of information. The contributions made during the consultation period will be considered, and with the modifications included, the Executive Branch will present a final document that will be published in the Official Gazette in the medium term.

It is worth remembering that this document is in line with the regulation of the Personal Data Protection Law, enacted in May 2021. Article 32 states that the regulatory authority of each sector will have nine months to establish the protocols and procedures for the treatment and secure transfer to be complied with by the regulated entities, in this case the financial sector.

Among its main proposals, it is worth mentioning:

  • It indicates that the guidelines will be applied to the customer’s personal data held by banking entities for the provision of services, supply of banking products and as a result of banking operations.
  • It mentions as basic and inalienable rights of the holders of personal data, the right of access, rectification, cancellation, opposition and portability, recognized as ARCO rights, which may be requested at any time by customers.
  • Regarding the right of portability, it establishes that the customer may receive or obtain a copy of the data provided in a structured, generic, commonly used and machine-readable format, for their own use or to be transmitted to other data controllers.
  • The feasibility of portability is subject to the conditions set out in article 30 of the regulation of the law. Thus, the banking entities must take into account conditions such as the provision of data to the responsible bank by the customer and the customer’s consent to the processing of such data, among others.
  • It also provides that the Superintendent must set the minimum standards required to ensure the portability of personal data. The bank must then establish mechanisms to ensure interoperability and that the transmission of such data is subject to the information required by the client.
  • On the other hand, it indicates that banking entities must appoint a data protection officer within their organization, according to the size and complexity of their activities, operations, services and the type of data processed. For its incorporation, the entities will have a period of 6 months from the signing of the agreement for its internal adaptation.