Considerations on the functions of the Personal Data Protection Officer in the Banking Sector

I. Precious Considerations

In previous publications, we have succinctly mentioned that, in our opinion, Agreement No. 001-2022 of February 24, 2022, does not provide a great change with respect to the guidelines, rights and obligations already established in Law 81 of March 26, 2019 and its regulations; however, regarding the figure of the Data Protection Officer, its functions are widely regulated and in addition, the functions and/or roles that this officer must perform are established. 

In this respect, while specifying their functions, banking entities are obliged to have this figure among their collaborators and, in addition, the agreement is forceful in stating that he/she shall perform his/her functions with independence, having a direct interlocution with the Senior Management or Top Management, as the decision-making body.

With this in mind, the Superintendency of Banks of Panama, by means of the aforementioned Agreement No. 001-2022 dated February 24, 2004. 001-2022 of February 24, 2022 orders that the Data Protection Officer cannot develop or carry out functions incompatible with his/her duties and purposes, and defines as specifically incompatible functions within the Bank’s structure, those carried out by the Internal Audit, Risk and Compliance areas, in order to ensure his/her independence, which we consider will be very difficult to guarantee, since despite the current regulatory efforts, the patron of the Data Protection Officer will continue to be the bank he/she is called to supervise.

II. Duties og the Data Protection Officer

The specific functions to be performed by the Data Protection Officer (DPO) are developed in Article 23 of Agreement No. 001-2022 of February 24, 2022, but we will now detail and comment thereof:

1. To Keep a record of any event affecting the protection of personal data processed by the bank. Regarding this obligation, we see that, in the first instance, much is left at the discretion of the DPO, since it does not establish an exhaustive list of the specific issues of which the DPO must keep a record, but rather it is left to his/her sole discretion whether or not to record the events or occurrences that, in the officer’s judgment, are relevant in terms of possible effects on the personal data protection.
2. To Report any deficiency detected in the personal data protection measures to Senior Management or Top Management, as well as to the Risk Management Unit and the Internal Audit Unit.
3. To coordinate with the information security area the security events that impact the personal data protection.
4. To provide suggestions regarding corrective measures that may be implemented to remedy the deficiencies detected in the processing of personal data.
5. To maintain communication with the risk, internal audit and compliance areas in order to identify the necessary improvement in personal data protection controls. It turns out that the governing body, by means of this agreement, does not provide a clearer direction on what is expected with this type of functions or obligations, since surely the improvements will vary from bank to bank and from officer to officer, for which we consider that this staff should be continuously trained and taught about the tendencies that the position pursues in this matter.
6. To contribute with the person in charge of the information security area in the attention of the security incidents that impact the treatment of personal data.
7. To be the liaison unit with the Superintendency of Banks on issues related to the processing of personal data.
8. To coordinate the annual training plan on the personal data protection.
9. To be the liaison unit with the owner of the data, without prejudice that administratively, when applicable, it may rely on the person in charge of the System for Handling Claims.

In our opinion, the SBP has omitted in the text of its Agreement No. 001-2022 of February 24, 2022, one of the main functions or roles to be performed by the DPO, which should be intended to perform auxiliary or guiding functions for the bank’s customers, who are the owners of the personal data that are subject to protection, since they will surely require a figure to guide them on the best way to exercise their ARCO rights.