Since May 28, 2021, when Executive Decree 285 gave Law 81 of 2019 its implementing regulation, personal data protection in Panama stopped being a statement of principles and became a list of verifiable obligations. The authority — ANTAI (the National Authority for Transparency and Access to Information) — doesn't just respond to complaints: it can conduct audits on its own initiative, and its sanctions regime runs from fines of B/.1,000 to B/.10,000 (ANTAI sets the amount), plus warnings, closure of the registry, or suspension of the processing activity. For a fintech, or any company that runs on its data, suspension hurts far more than the fine.
The question we hear from data and compliance leaders in Panama isn't "what does the law say?" — their lawyers have already summarized that. It's "how do I produce and maintain the evidence the law requires, without it going stale every quarter?". This article answers that.
What Law 81 requires, translated into artifacts
Read with engineering eyes, Law 81 and its regulation ask for concrete things, not intentions:
1. A record of processing activities — from the controller and the processor. The regulation requires both the data controller and the data processor to maintain a record describing the types of data collected, the purposes of processing, the categories of recipients, and the retention periods. That "and the processor" matters: if you process data on behalf of others — common in technology, BPO, or financial services — the obligation is yours too.
2. A database inventory available to ANTAI on demand. This isn't a document you file once: it's a registry that must be producible whenever the authority requests it. Alongside it, the rules require you to identify the people who enter data within 15 business days of that activity beginning. Fifteen business days is an operational deadline, not a legal one: you only meet it if onboarding a new data-entry user triggers a process, not a mental note.
3. Adequate technical and organizational security measures. Security is one of the law's explicit principles, alongside fairness, purpose limitation, proportionality, accuracy, and transparency — with prior consent and ARCO rights as the backbone.
4. Documented international transfers. Decree 285 allows the use of SaaS and cloud services from abroad — there is no localization mandate — as long as a safeguard exists: a country with an adequate level of protection, standard contractual clauses (SCCs), binding corporate rules (BCRs), consent, or contractual necessity. And it requires the record of databases transferred to third parties to be documented in writing.
An honest note: unlike other frameworks in the region, in the public sources we have reviewed we did not find an explicit mandatory impact assessment (DPIA) in the Panamanian regime. Before ruling it out — or assuming it — the text of Decree 285 is worth validating with Panamanian legal counsel. The same applies if you operate in the financial sector: the Superintendency of Banks' rules on cloud and technology outsourcing deserve their own review.
Why the compliance spreadsheet expires
Most organizations solve this list once: a consultant builds the inventory, the lawyer drafts the processing record, everything lands in a spreadsheet and a PDF, and the project closes. Six months later, that spreadsheet describes a company that no longer exists.
Because data moves faster than documents. A new product launches and a purpose appears that the record doesn't capture. Marketing signs up for a SaaS tool and an international transfer is born with no documented safeguard. A CRM gets integrated and suddenly twenty new people are entering data — and the 15-business-day clock is running without anyone knowing. When ANTAI requests the inventory "on demand," what you have is an old photograph.
The problem isn't having built the spreadsheet. The problem is treating as a static document something the law designed as a living registry. "Available on demand" and "15 business days" don't describe a deliverable: they describe an operation.
How a governance program keeps every artifact alive
This is where data governance comes in — not as a tool you buy, but as a program you operate. With frameworks like DAMA-DMBOK and DCAM, each Law 81 obligation maps to a capability that produces it and keeps it current:
- The database inventory stops being a spreadsheet and becomes a data catalog: a living map of systems, databases, and tables that updates when the architecture changes, not when someone remembers. The specific tool depends on your infrastructure — your cloud provider's native catalog or an open-source catalog like OpenMetadata plays the same role.
- The data types in the processing record come from classification: tagging where personal information lives across all systems — not just where it "should" be. Without classification, the record describes what you believe you have, not what you have.
- Recipient categories and transfers come from lineage: knowing which system feeds which, what data crosses the border, and to which third party. The written record of transferred databases that Decree 285 requires is, in practice, a view of your lineage.
- Retention periods are sustained by lifecycle policies: demonstrable retention and deletion per dataset, not a promise in a PDF.
- The accuracy principle is sustained by data quality: automated rules that catch stale or inconsistent data before the data subject does — or the authority.
- Control over who enters data is sustained by ownership and process: every database has an accountable owner with a name and a role, and onboarding a new data-entry user triggers a workflow that registers them within the deadline. That's the difference between a process and a good intention.
The result: when ANTAI requests the inventory, you don't assemble a two-week task force. You export what already exists.
What technology doesn't solve on its own
We would be dishonest if we said a catalog solves Law 81. It doesn't, for three reasons:
Process. No tool knows a new processing purpose was born if nobody designed the moment where product, legal, and data teams talk. The processing record stays alive through a workflow, and workflows are designed by people.
Culture. Ownership works when data owners accept the role and answer for it — that's organization and training, not configuration. A catalog with owners nobody recognizes is the same spreadsheet with a better interface.
Legal counsel. The exact format ANTAI expects, the interpretation of deadlines, and whether additional obligations exist (such as an impact assessment) are the territory of a Panamanian data protection lawyer. Our job is to make sure that when that lawyer asks for the evidence, it exists and is current — not to replace them.
That's why we talk about a program, not a project: as in Chile and Brazil, what the authority inspects is not intentions but operational evidence. Data First is also the compliance strategy in Panama.
Where to start
Before buying anything and before drafting anything: know where you stand. Which databases exist, and which have an owner? Where does personal information live? What would you show ANTAI if the request arrived tomorrow?
A data maturity assessment answers exactly that: what you have governed, what's orphaned, and the shortest path — without over-engineering — for the evidence Law 81 demands to exist and maintain itself.
Sources: ANTAI — Regulation of Law 81 · Executive Decree 285 of 2021 (vLex) · RSM Panama — Law 81 on Personal Data Protection · Icaza — Data Protection in Panama Memo
