Agreement No. 1 (2022): Special Guidelines for the Protection of Personal Data Processed by Banking Entities

Republic of Panama Superintendency of Banks AGREEMENT No. 001-2022 (February 24, 2022)

“Establishing special guidelines for the protection of personal data processed by banking entities”

THE BOARD OF DIRECTORS

in the exercise of its legal powers, and

CONSIDERING

That as a result of the issuance of Decree-Law No. 2 of February 22, 2008, the Executive Branch elaborated a systematic ordering in the form of a single text of Decree-Law No. 9 of February 26, 1998, and all its modifications, which was approved through Executive Decree No. 52 of April 30, 2008, hereinafter referred to as the Banking Law;

That in accordance with numerals 2, 3, and 4 of Article 5 of the Banking Law, the objectives of the Superintendency of Banks are to strengthen and foster the favorable conditions for the development of the Republic of Panama as an international financial center; as well as to promote public confidence in the banking system and to ensure the balance between the banking system and its clients;

That in accordance with numeral 5 of Article 11 of the Banking Law, it is within the technical attributes of the Board of Directors to fix, within the administrative scope, the interpretation and scope of legal or regulatory provisions in banking matters;

That in accordance with Article 111 of the Banking Law, banks may only disclose information about their clients or their operations with the consent of these, unless the information is requested by a competent authority in accordance with the law, when they must provide it in compliance with laws related to the prevention of money laundering, terrorist financing, and related crimes; as well as when it is provided to rating agencies for risk analysis purposes or to agencies or data processing offices for accounting and operational purposes;

That in accordance with numeral 3 of Article 194 of the Banking Law, confidentiality regarding the client's relationship with the bank vis-à-vis third parties, as well as their privacy, correspond to basic and inalienable rights of the banking client;

That Article 3 of Agreement No. 8-2005 establishes the obligation of banking entities to maintain the confidentiality of their clients' information, which may only be disclosed with the consent and authorization of the client, except when there is a request from a competent authority;

That through Agreement No. 5-2011 on Corporate Governance, the Superintendency of Banks establishes the principles, responsibilities, and minimum requirements of the Internal Control System that banking entities must implement;

Agreement No. 001-2022 Page 2 of 18

That through Agreements No. 6-2011 on Electronic Banking, Agreement No. 3-2012 on Information Technology Risks, and Agreement No. 11-2018 on Operational Risk, the Superintendency of Banks established the parameters and guidelines for the management and administration of these risks, contemplating the obligation for banking entities to have an information security management system, oriented to guarantee the integrity, confidentiality, and availability of information;

That Article 42 of the Political Constitution of the Republic of Panama recognizes as fundamental guarantees the right to access personal information contained in public or private databases or records, and to request its rectification and protection, as well as its suppression in accordance with what is provided by law. This information may only be collected for specific purposes, with the consent of its holder, or by order of a competent authority based on what is provided by law;

That the Legislative Branch issued Law No. 81 of March 26, 2019, which regulates the protection of personal data in the Republic of Panama, establishing its entry into force as of March 29, 2021;

That in the aforementioned Law No. 81 of March 26, 2019, the principles, rights, obligations, and other procedures that regulate the protection of personal data by natural and legal persons processing personal data are established;

That Articles 3 and 5 of Law No. 81 of 2019 establish that those treatments expressly regulated by special laws or by the regulations that develop them are exempt from its scope of application; as well as the database of subjects regulated by special laws, provided that they establish the minimum technical standards necessary for the correct protection and processing of personal data;

That in accordance with Article 7 of Law No. 81 of 2019, the responsible party for the processing of personal data contained in databases must comply with the minimum requirements of privacy policy, protocols, processes, and secure management, processing, and transfer procedures established by the regulator of each sector, in accordance with the aforementioned Law;

That through Executive Decree No. 285 of May 28, 2021, Law No. 81 of 2019 on Personal Data Protection is regulated;

That Article 1 of Executive Decree No. 285 of 2021 establishes that, in the case of subjects regulated by special laws, these must regulate those special requirements for data processing indicated therein; as well as the requirements for privacy policies, protocols, processes, and procedures for secure processing and transfer, in order to complement and expand the provisions of Law No. 81 of 2019 and its regulation;

That banking entities, from the beginning of the pre-contractual or contractual relationship with clients and throughout it, collect, store, and use a significant amount of personal data of clients, manually, automatically, or digitally, which are necessary for the proper daily operational management of the banking business;

That taking into consideration the nature and special character of banking operations and the different types of risks to which banks are exposed, it is indispensable to develop a special provision that establishes the minimum parameters for the processing and custody of personal data that banking entities must comply with, for the purpose of allowing the adequate protection of clients' personal data and the exercise of the banking business;

Agreement No. 001-2022 Page 3 of 18

That the provisions enshrined in Law No. 81 of 2019 and its regulation related to personal data protection, as well as the guidelines of this Agreement, lay the initial foundations for the development and future implementation of an open financial system, which would foster the conditions for the development of Panama as an international financial center, thereby stimulating the competitiveness of our system;

That in working sessions of this Board of Directors, the need and convenience of establishing special guidelines for the protection of personal data processed by banking entities within the ordinary course of their operations has been highlighted, in concordance with what is provided in the banking regime and in follow-up to the principles, rights, and general aspects of personal data protection established by Law No. 81 of March 26, 2019, and Executive Decree No. 285 of May 28, 2021, as applicable.

AGREES:

CHAPTER I GENERAL ASPECTS

ARTICLE 1. SCOPE OF APPLICATION. In follow-up to the principles, rights, and general obligations on personal data protection and to the powers attributed in the Personal Data Protection Regime, the provisions on personal data protection established in this Agreement shall be applied to banking entities established in the Republic of Panama.

ARTICLE 2. OBJECTIVE. This Agreement aims to establish the protocols, processes, procedures, mechanisms, and other special rules relative to the processing, transfer, and custody of personal databases; as well as the guidelines for the exercise of personal data protection rights that banks must follow, as responsible parties for the processing of their clients' personal data.

ARTICLE 3. SCOPE. The special guidelines on personal data protection established in this Agreement are minimum and shall be applied to the personal data of the client processed by banking entities, due to the provision of a service, the supply of a banking product, and generally as a result of their banking operations. The protection of the client's personal data shall be applied regardless of the client's nationality, residence, or domicile, and the means or forms of its processing by the banking entity. The provisions of this Agreement extend to the processing of personal data processed by a database custodian and banking service providers who, by virtue of an outsourcing contract or other relationship with the bank, have access to or are involved directly or indirectly, totally or partially, in the processing of the client's personal data. It shall be the responsibility of the bank to ensure that the database custodian and banking service providers comply with the minimum principles and standards of personal data protection established in this Agreement, when they administer and carry out the processing of personal data. PARAGRAPH: The provisions established in this Agreement shall be applicable together with the parameters and guidelines that, regarding processing, security, and general handling of client information, the banking regime establishes.

Agreement No. 001-2022 Page 4 of 18

Any provision related to the processing of personal data that is not expressly provided for in the banking regime and in the other special laws related to data processing matters, shall be subject to the general provisions contained in the personal data protection regime regarding its general principles and the exercise of the client's fundamental rights, provided that these do not make impossible or obstruct the due exercise of banking activity and the way the bank identifies, monitors, mitigates, and manages its risks.

ARTICLE 4. TERMS AND DEFINITIONS. For the purposes of applying the provisions contained in this Agreement and without limiting those defined by Law No. 81 of 2019 and its regulation, the following glossary of terms is established:

1. Data Storage: Conservation or custody of the client's personal data in a database established in any provided medium, including that of information and communication technology, by a banking entity or a database custodian.
2. Privacy Notice: Communication generated by the bank, through physical or digital means, directed to the client for the processing of their personal data, through which it informs about the existence and main characteristics of the processing to which their personal data will be subjected, the way to access them, the purposes of the processing intended for the personal data, and other elements that allow the client to be informed, at the time of obtaining their data, about the purposes of the processing of their personal data.
3. Database: Ordered set of personal data of any nature, whatever the form or modality of its creation, organization, or storage, which allows relating the client's data to each other, as well as carrying out any type of processing or transmission of these by its custodian.
4. Client: Natural person who is the holder of the personal data, who acquires a banking service or product, active or passive, or who is in the previous phase of acquiring a banking service or product (potential client). The concept of banking consumer is included in this term.
5. Consent: Manifestation of the free, specific, informed, and unequivocal will of the data holder, through which the processing of these is carried out.
6. Database Custodian: Natural or legal person, of public or private law, profitable or non-profitable, who acts on behalf and for the account of the banking entity responsible for the processing of the client's personal data and whose duty is the custody and conservation of the database.
7. Personal Data: Any information concerning the client that identifies or makes them identifiable.
8. ARCO Rights: Basic and inalienable rights of data holders, identified as: right of access, rectification, cancellation, opposition, and portability, in accordance with the terms defined in the Personal Data Protection Regime.
9. Technical Sheet: Document containing the records, protocols, and rules related to the storage and processing of personal data, understood for the purposes of this Agreement as the policies and procedures adopted by the Bank for compliance with the provisions on personal data protection, to which Section II of Chapter IV of this Agreement refers.
10. Banking Service Provider: Natural or legal person, distinct from the database custodian, hired by the bank to develop and carry out activities, functions, or processes linked to the banking business and who is involved in the processing of personal data.

Agreement No. 001-2022 Page 5 of 18

11. Banking Regime: For the purposes of what is provided in this Agreement, it comprises the Banking Law, the Agreements and Resolutions that develop it, including this Agreement.
12. Personal Data Protection Regime: For the purposes of what is provided in this Agreement, it comprises Law No. 81 of 2019 and Executive Decree No. 285 of 2021 and their respective modifications.
13. Responsible Party for Data Processing: Banking entity authorized by the Superintendency to exercise the banking business, which is responsible for decisions related to the processing of personal data and which determines the purposes, means, and scope, as well as issues related to these.
14. Data Holder: Natural person to whom the personal data refer.
15. Data Processing: Any operation or complex of operations or technical procedures, automated or not, that allows collecting, storing, recording, organizing, elaborating, selecting, extracting, confronting, interconnecting, associating, dissociating, communicating, ceding, exchanging, transferring, transmitting, or canceling data, or using them in any form.

CHAPTER II PRINCIPLES AND RIGHTS FOR THE PROTECTION OF PERSONAL DATA

SECTION I THE PRINCIPLES

ARTICLE 5. GENERAL PRINCIPLES OF PERSONAL DATA PROTECTION. Banks, as responsible parties for the processing of personal data, must observe and apply the general principles of personal data protection in the daily processing of the client's personal data that they carry out in their operations, which comprise: the principles of loyalty, purpose, proportionality, veracity, accuracy, data security, transparency, confidentiality, lawfulness, and portability established in the Personal Data Protection Regime.

These principles must be included from the design and marketing stage of banking products and services, during the validity of the contractual relationship, and until the legal obligation for their conservation persists, in accordance with what is established for each case by the Banking Regime and other special laws.

ARTICLE 6. PRINCIPLE OF TRANSPARENCY. The bank, at the client's request, shall inform about the flow of information regarding their personal data maintained in its database, in order to facilitate and guarantee by any means (physical or digital) the due exercise of the rights of access, rectification, cancellation, opposition, and portability (ARCO) recognized in the Personal Data Protection Regime.

Likewise, at the time of obtaining personal data, the bank must take timely measures to facilitate to the client or their representative, free of charge and by any means, physical or digital, all the information indicated in Articles 14 and 15 of Executive Decree No. 285 of 2021.

Likewise, the bank must facilitate communication mechanisms that allow the client to access the required information through the exercise of their ARCO rights.

PARAGRAPH. Without prejudice to what is provided in this article regarding personal data, banking entities must also ensure compliance with numeral 1 of Article 194 of the Banking Law regarding the client's right to know clearly, truthfully, and free of charge information related to a banking product or service.

ARTICLE 7. PRINCIPLE OF LAWFULNESS THROUGH CONSENT. Obtaining by the bank the free, express, precise, prior, informed, and unequivocal consent of the holder of the personal data for the processing and custody of personal data; as well as for the transfer of said data throughout the time that their legal obligation of conservation persists, constitutes a basic element of personal data protection, except for the conditions of lawful processing indicated in this Agreement.

For such purposes, banking entities shall take into consideration the following aspects when obtaining consent from the client:

1. Free. There must be no error, bad faith, violence, intimidation, fraud, or any other condition that could affect or vitiate the will of the data holder;
2. Specific. It must refer to one or several determined and defined purposes that justify the processing;
3. Informed. The client must be kept informed by any means, prior to the processing of personal data, with the information referred to in Article 14 of Executive Decree No. 285 of 2021; Likewise, when the data has not been obtained directly from the client, the data holder, the same must be informed in the first communication, in accordance with what is provided in Article 15 of Executive Decree No. 285 of 2021;
4. Unequivocal: It must be granted by any means or through unequivocal conduct of the client in such a way that its granting can be demonstrated indubitably and allow its subsequent consultation.

The conditions and other elements for the processing of personal data shall be governed by the provisions established in Article 10 of this Agreement.

SECTION II THE ARCO RIGHTS

ARTICLE 8. ARCO RIGHTS OF THE DATA HOLDER. The ARCO rights are basic and inalienable rights recognized to the holders of personal data, which comprise the rights of access, rectification, cancellation, opposition, and portability (ARCO). Banking entities must ensure that all client information under their processing and stored in their database allows at all times the full exercise of ARCO rights, independently, by physical or digital means, without one being required for the exercise of another right or without the exercise of one excluding another right.

Any client or their authorized representative, regardless of the type of banking service or product related or linked, may request at any time from the bank access, rectification, cancellation, opposition, and portability of their personal data that the bank collects, stores, or conserves in its database in its capacity as the responsible party for the processing of personal data, without prejudice to the limitations established in Article 31 of Executive Decree No. 285 of 2021 and those established in Article 9 of this Agreement.

The bank must develop and offer simple, accessible, and free mechanisms that allow the full and effective exercise of data protection rights by clients.

Likewise, the bank must ensure that it attends the request made within the time established by this Agreement.

Once the request is presented by the client or their authorized representative, in which the action to be taken (required ARCO right) is indicated, the specific data to which it refers, and any information requested by the bank to effectively attend the request is completed, the bank must respond to it within the corresponding terms established by the Personal Data Protection Regime.

ARTICLE 9. EXERCISE OF ARCO RIGHTS. In compliance with the provisions of Law No. 81 of 2019, the bank must take into consideration the aspects contemplated in this article for the exercise of ARCO rights.

1. RIGHT OF ACCESS. The client has the right to obtain from the bank confirmation of whether or not they are processing personal data concerning them, and to know and verify their correct processing in accordance with the provisions of the Personal Data Protection Regime and according to the guidelines established in this numeral.

1.1. Supply of information. In the event that the client requests information about their personal data, the bank must provide to their request the information established in Article 24 of Executive Decree No. 285 of 2021, which comprises the following aspects:

a. The purposes of the processing; b. The categories of personal data involved; c. The recipients or categories of recipients to whom the personal data have been or will be communicated; d. The planned period for the conservation of personal data or, if not possible, the criteria used to determine this period; e. The right to exercise the rectification or cancellation of personal data, or to oppose such processing, or to the portability of the data; f. If the personal data have not been obtained from the interested party, any information about their origin; g. The existence of automated decisions, including the profiling referred to in Law No. 81 of 2019. In such case, significant information about the logic applied, as well as the importance and expected consequences of such processing for the holder.

The obligation to supply information shall be considered fulfilled when the requested information is communicated or made available to the client, or when a remote, direct, and secure access system to personal data is provided that guarantees, on a permanent basis, access to the information. In the case of remote access systems for personal data, they must allow access to the information free of charge.

Banks must have mechanisms that allow the transmission of information by physical or digital means, correctly, pr[cut off in source text]