Data Protection Policy
The Protection of Your Data is Our Objective
At Morgan & Morgan, we recognize the importance of maintaining the privacy and sensitivity of the information we hold in our database, particularly personal information about people we deal with, whether they are clients, users, collaborators, candidates, suppliers, or others.
As attorneys in practice and legal service providers, we have a professional, ethical, and legal obligation to keep confidential all information we receive as part of our attorney-client relationship. In addition, we are committed to safeguarding the information we store and/or process of all individuals, whether natural or legal.
In this Data Protection Policy ("Policy"), we set forth the practices we have implemented in our companies in relation to the handling of your data, including its collection, its use, and with whom we share such information.
This Policy supplements all prior agreements, whether oral or written, between You and us regarding the collection, use and disclosure of your personal, commercial, or financial information.
To whom this Policy applies
This policy applies to us, as the custodian of the database and as the party responsible for the processing of your personal data, and to you, as the natural or legal person, as the data holder.
When we talk about "Us," we mean "Morgan & Morgan Legal" and "Morgan & Morgan".
When we talk about "You," we refer to you as client, user, visitor, employee, candidate, supplier, or person who for any other reason shares your data with us.
Legal basis of this Policy
This Policy is based on Law 81 of March 26, 2019 (Panama) on Personal Data Protection, which seeks the protection of the rights of natural persons as holders of their personal data, regarding the use of such data and Executive Decree 285 of May 28, 2021 (Panama) which regulates it.
Law 81 applies to all databases located in the territory of the Republic of Panama, when personal data of nationals or foreigners is stored, or when the party responsible for handling the data is domiciled in the Republic of Panama. Databases of subjects regulated by special laws are exempt, provided that these laws establish minimum technical standards necessary for equal or greater protection than those established by Law 81.
Morgan & Morgan is also regulated by Law 23 of April 27, 2015, as amended, which adopts measures to prevent money laundering, the financing of terrorism and the financing of the proliferation of weapons of mass destruction and other provisions, and the decrees and agreements that complement it, among others.
Below you will find the definitions that are provided by Law 81 for the terminology we use in this policy.
Types of Data
- Personal data. Any information concerning natural persons which identifies them or makes them identifiable. We treat all personal data as confidential data.
- Confidential data. Data that by its nature should not be public knowledge or known to unauthorized third parties, including data protected by law, by confidentiality or non-disclosure agreements, to safeguard information. In the case of the Public Administration, it is data whose processing is limited to the purposes of that administration or to cases where the express consent of the owner is given, without prejudice to the provisions of special laws or the regulations that develop them. Access to confidential data will always be restricted.
- Sensitive data. Data that refers to the intimate sphere of its holder, or whose misuse may give rise to discrimination or entail a serious risk to the owner. By way of example, personal data which reveal aspects such as racial or ethnic origin; religious, philosophical, and moral beliefs or convictions; trade union affiliation or political opinions; data relating to health, life, sexual preference or orientation, genetic data, or biometric data, among others, subject to regulation and aimed at uniquely identifying a natural person, are considered sensitive.
- Data storage. Preservation or custody of data in a database established in any medium provided, including Information and Communication Technologies (TICs for the abbreviation in Spanish).
- Database. A structured set of data of any nature, created by any form or modality, organization, or storage, which allows the data to be related to each other, as well as to perform any type of processing or transmission of these by its custodian.
- Accessible source. Databases that are not of restrictive access or contain any reservation to queries, or that are public access, such as official governmental publications, the media, telephone directories and lists of persons belonging to a group of professionals containing only name, title or profession, activity, work, or business address, as well as information indicating their membership in organizations.
- Data holder. Natural or legal person to whom the data relates.
- Database custodian. Natural or legal person, subject to public or private law, profitable or not, acting in the name and on behalf of the data controller and is responsible for the custody and preservation of the database.
- Controller. Natural or legal person, public or private law, profitable or not, who is responsible for decisions related to the processing of data and who determines the purposes, means and scope, as well as issues related to these.
- Data processing. Any operation or complex of operations or technical procedures, whether automated or not, that makes it possible to collect, store, record, organize, elaborate, select, extract, confront, interconnect, associate, dissociate, communicate, assign, exchange, transfer, transmit or cancel data, or use them in any other way.
- Consent. Manifestation of the will of the data holder, by means of which the processing of such data is carried out.
- Data blocking. Temporary restriction of any access to or processing of stored data.
- Cancellation or deletion of data. To permanently delete or erase data stored in databases, regardless of the procedure used to do so.
- Data modification. Any change to the content of data stored in databases.
- Dissociation or anonymization procedure. Any data processing that prevents the information available in the database from being associated with a particular or determinable natural person.
- Data transfer. Making known, disclosing, communicating, exchanging and/or transmitting, in any form and by any means, from one point to another, intra or extra-border, the data to natural or legal persons other than the holder, whether determined or undetermined.
Our Guiding Principles
- Loyalty. We only collect your personal data with your knowledge and consent.
- Purpose. When we collect your personal data, we inform you about the purpose and we will only use it for the stated purposes.
- Proportionality. We will only ask you for the necessary personal data related to the stated purpose.
- Veracity and Accuracy. We will always ensure that your data is accurate and kept up to date. Remember that updating is a shared responsibility.
- Data security. We have taken appropriate technical and organizational measures against the unauthorized and unlawful processing of your personal data and information. You can rest assured that we have a robust technological platform, international expert advice and a highly specialized team that has developed a strategy to continuously optimize the safety of your personal data.
- Transparency. We will always seek to communicate our data protection policies in easy-to-understand language. Please also refer to the sections "We take care of your Rights as a Personal Data Owner" and "Access to Your Information and Procedure to Exercise Your Rights".
- Confidentiality. All persons who by their role have access to your data are obliged not to disclose it. We have internal processes, policies, and tools to support us in maintaining the confidentiality of your data.
- Legality. When we obtain your data, we make sure we have your consent and document it for future inquiries.
- Portability. If required by you, we will share your personal data in a timely manner in a generic and common format.
HOW AND WHY WE COLLECT PERSONAL INFORMATION
As forensic firms and legal service providers, we collect personal data as part of our professional activities in order to serve our clients and to comply with the legal regulations that apply to us.
We never collect personal data without your knowledge and consent. We do not use your personal data for purposes other than those stated.
It is important to note that we do not disclose or sell your personal information or business contact information to third parties to enable them to market their products and services.
If you are a client or potential client
When you request a service or quote for a service, we may collect your information and data as part of the introductory process, to understand, access and assist you with your legal needs, to comply with obligations under special laws or to ensure that the information is correct and up to date, among others. We only collect your data through legal and consented means.
Some of the information we typically collect is:
- Basic information and personal data to unequivocally identify you: full name, date of birth, nationality, passport, or identification number. If you are a legal entity, your role within the organization.
- Contact details to be able to communicate with you and for invoicing: physical address, email address, and telephone numbers. If you are a legal entity, domicile, and tax identification number.
- Necessary information to comply with the “Know Your Client” policy and Due Diligence requirements: in addition to the data mentioned in the above points, a copy of your identification document and proof of address. If you are a legal entity, certificate of existence or equivalent, among others.
Generally, you provide information and data during our relationship. However, as it becomes necessary to provide the requested services and/or comply with legal obligations, we may validate or collect information about you with the different databases, such as those of other companies in our economic group, or through third parties such as accessible sources, other authorities and/or state entities and service providers.
We use your personal data only in our regular professional activities and to comply with our contractual obligations or agreements entered into to provide you with our services, to conduct verifications for possible conflicts or anti money laundering searches, to comply with our legal obligations in the jurisdictions where we operate and to defend your legal rights, as well as to comply with court and/or administrative orders if necessary.
Due to the diversity of legal services that we provide, we are unable to define a generalized timeframe for the deletion of personal data in our custody. In general terms, we will keep your personal data for a minimum of 5 years after the end of any commercial or contractual relationship. We will keep your personal data after this period for as long as necessary for us to deal with any claims or concerns arising from the processing for which they have been collected or to comply with special laws or regulations implementing them.
As part of our professional relationship, we may send you information about our legal services, about new products or services, events and news about our company or other companies in our economic group. You may at any time withdraw your consent by notifying us at [email protected].
If you visit us at our facilities
We, as well as MMG Tower, use video surveillance around and inside our offices to maintain the security of our clients, employees, and other visitors, as well as to protect us from theft, fraud, and property damage. Therefore, when you visit us in our facilities, you may be recorded. All recordings are destroyed after a maximum period of 1 year and will not be used for purposes other than those described herein. For further information we recommend you refer to the Data Protection Policy of MMG Tower.
If you visit our Websites or Service Portals
When you enter one of our customer service portals, such as payment portals, we also collect the information that you provide to us at that time and that is strictly necessary for the portal to fulfill the purpose for which it was designed, for example to transfer payment for an invoice. In all cases we seek your convenience and the security of your data. In these cases, your data will be stored for the periods established by the applicable laws and in this policy.
If you, through our contact form, provide us with your contact information to communicate with us, we will pass on your information to the indicated persons to attend to your message. It is not used for any other purpose. If a relationship with you is not established, your data will be discarded after a suitable time.
If you visit us on our social media accounts
By visiting the social media accounts of MORGAN & MORGAN on Twitter, LinkedIn, Facebook, Instagram, or YouTube, you will have accepted the Data Protection Policies of these networks. We do not collect your data or offer advice through social media.
If you provide a service to us as a supplier or participate in a bidding process
When you are our supplier or tender with us, we may ask you for general information about your business, such as public registration, contact details, business references, references in the APC (for its abbreviation in Spanish), officers and any other information that is required to perform due diligence and assess the risk of a contractual relationship.
We will keep the personal data that you provide us during our business relationship for a minimum of 5 years after finalizing any commercial or contractual relationship. We will keep your personal data after this period for as long as necessary to deal with any complaints or representations arising from the treatment for which they have been collected or to comply with special laws or regulations implementing them.
If you are an employee or candidate
When you apply for a position with us, we collect the information that you provide us with your resume. In addition, we may collect further information, for example through forms, interviews, or your references. We use this information to evaluate candidates to fill a position with us or with another company that is part of our economic group. If you are not hired, we keep your data for a period of 12 months and then delete it. If hired, your information will be part of our employee database and your personnel file, for which we may request and store additional information, to develop the employment relationship. Once the employment relationship has ended, we keep your data in accordance with the special applicable laws, such as Law 51 of 2005, which reforms the Organic Law of the Social Security Fund and dictates other provisions, in which a record keeping time of 20 years is defined for the prescription of contributions, so the relevant information will be kept for at least 20 years after terminating the employment relationship.
HOW WE SHARE OR TRANSFER YOUR INFORMATION
During our business relationship, we provide information to our staff for reasonable business purposes and to provide services to you. Our staff is trained to keep the confidentiality and security of your data.
As part of an economic group, we may share some information between our companies for the sole purpose of providing the service to you or developing the relevant business relationship. We ensure that at all times they guarantee the same level of data protection that we demand.
All our personnel and that of our related companies have signed a confidentiality agreement and receive continuous training on confidentiality policies and protocols, data protection and our code of ethics, among others.
To provide some of our services, we may sometimes use external service providers or professionals who work with us, such as experts, translators, IT service providers, banks, and others, who may have access to your personal data. In these cases, we require these providers to comply with practices and policies that ensure the security and confidentiality of your personal information and that your data is not processed for purposes other than those specified above.
Some of our companies, headquarters or service providers may be located in different jurisdictions. Where it is necessary to transfer or transmit your personal information for the stated purpose, we always ensure that the protection and confidentiality of your data is kept as if it were in national territory and always in compliance with the applicable regulations.
Please always keep in mind that we must and will provide your data and basic information to government authorities if requested and required to do so by law.
WE KEEP YOUR DATA SAFE
The information we collect is strictly used for the purposes indicated. Our employees’ access to your information is restricted and limited only to those who have authorization and training in the proper handling of personal data.
We have adopted and implemented physical, electronic, procedural and security safeguards to ensure that your information is kept confidential and secure as required by law and our internal procedures and practice.
If you have any questions about our security measures, you may contact us at [email protected].
Retention of Information
You agree that we may store and use information about You in our records for the purposes described in this Policy, even if you cease to be a client, subject to applicable laws.
Accuracy of Personal Information
As long as there is a business relationship with Us, you must at all times provide and keep all personal information up-to-date, and you must notify us as soon as there are changes to it so that we can update our databases and ensure that there are no mishaps in our contractual relationship.
We take care of your Rights as a Personal Data Owner
- Access. You may obtain your personal data, know its origin and the purpose for which it has been collected.
- Rectification. You may request correction of your personal data if you believe that it is incorrect, irrelevant, incomplete, outdated, inaccurate, false, or impertinent. In such case we will proceed with the corresponding correction within 5 working days following the request.
- Cancellation. You may request deletion of your data if you believe it is incorrect, irrelevant, incomplete, outdated, inaccurate, false, or irrelevant.
- Opposition. When you consider that there are justified and legitimate reasons relating to something in particular, you may refuse to provide your personal data or to be subject to certain processing, as well as to revoke your consent.
- Portability. If requested by you, we will share your personal data in a generic and usual format within a period not exceeding 10 business days from the request.
Please note that to protect your rights we may delete, cancel, modify, or block your personal data without a request from you when there is evidence of inaccuracy of your data. When the accuracy of your data cannot be established or is of doubtful validity, we may block your data.
Access to Your Information and Procedure to Exercise Your Rights
To exercise the rights detailed above, please send an email to our Data Protection Officer, attaching the completed form corresponding to your request and with the required supporting documentation. We will respond to you within no more than 5 business days.
- Right of Access Request Form
- Right of Rectification Request Form
- Right of Cancellation Request Form
- Right of Opposition Request Form
- Right of Portability Request Form
Data Protection Officer
We have appointed a Data Protection Officer, who ensures the timely attention to personal data owners and competent authorities in accordance with the Personal Data Protection Law:
Data Protection Officer: Manuel Samudio
Contact: [email protected]
Office: MMG Tower, 23rd floor, Paseo del Mar Ave., Costa del Este, Panama City
Functions of the Data Protection Officer (extract):
- Participate in matters related to the protection of personal data
- To inform and advise the data controller and/or the database custodian on issues related to compliance with the Personal Data Protection Law, its regulations, or any legal provision applicable to each case.
- To supervise compliance with regulations.
- Promote the training of people who assume tasks related to the processing of personal data.
- Cooperate with the supervisory authority and be its liaison unit.
- Advise the data controller and/or the database custodian in the response to the requirements or observations formally notified by the control authority.
- To be the liaison unit with the data owners for questions regarding data processing and their rights.
Validity of this Policy
This Policy was updated as of October 24th, 2021. You agree that we may review and change our Policy at any time to update our privacy commitment to you, based on current privacy laws and best practices.