Data Protection Policy

The Protection of Your Data is Our Objective

At MMG TRUST S.A., we recognize the importance of maintaining the privacy and sensitivity of the information we hold in our database, particularly personal information about people we deal with, whether they are clients, users, collaborators, candidates, suppliers, or others.

As attorneys in practice and fiduciary service providers, we have a professional, ethical, and legal obligation to keep confidential all information we receive as part of our attorney-client relationship. In addition, we are committed to safeguarding the information we store and/or process of all individuals, whether natural or legal.

In this Data Protection Policy ("Policy"), we set forth the practices we have implemented in our companies in relation to the handling of your data, from its collection, use and with whom we share such information.

This Policy supplements all prior agreements, whether oral or written, between you and us regarding the collection, use and disclosure of your personal, commercial, or financial information.

To whom this Policy applies

This policy applies to us, as the custodian of the database and as the party responsible for the processing of your personal data, and to you, as the natural or legal person, as the data holder.

When we talk about "Us," we mean "MMG TRUST S.A."  

When we talk about "You," we refer to you as client, user, visitor, employees, candidate, supplier, or person who for any other reason shares your data with us.

Legal basis of this Policy

This Policy is based on Law 81 of March 26, 2019 (Panama) on Personal Data Protection, which seeks the protection of the rights of natural persons as holders of their personal data, regarding the use of such data and Executive Decree 285 of May 28, 2021 (Panama) which regulates it.

Law 81 applies to all databases located in the territory of the Republic of Panama, when personal data of nationals or foreigners is stored, or when the responsible of handling the data is domiciled in the Republic of Panama. Databases of subjects regulated by special laws are exempt, provided that these laws establish minimum technical standards necessary for equal or greater protection than those established by Law 81.

MMG TRUST S.A. is also a  regulated and supervised entity by the Superintendency of Banks of Panamá, in accordance with Law No. 1-1984 of January 5th, 1984 amended by means of Law No. 21 of May 10th, 2017, and by Law 23 of April 27, 2015 which adopts measures to prevent money laundering, the financing of terrorism and the financing of the proliferation of weapons of mass destruction and other provisions, and the decrees and agreements that complement it, among others.


Below you will find the definitions that are provided by Law 81 for the terminology we use in this policy.

Types of Data

  1. Personal data. Any information concerning natural persons which identifies them or makes them identifiable. We treat all personal data as confidential data.
  2. Confidential data. Data that by its nature should not be known be public knowledge or unauthorized third parties, including data protected by law, by confidentiality or non-disclosure agreements, to safeguard information. In the cases of Public Administration, are those data whose processing is limited for the purposes of this administration or if the express consent of the owner is given, without prejudice to the provisions of special laws or by the regulations that develop them. Access to confidential data will always be restricted.
  3. Sensitive data. Data that refers to the intimate sphere of its holder, or whose misuse may give rise to discrimination or entail a serious risk to the owner. By way of example, personal which reveal aspects such as racial or ethnic origin; religious, philosophical, and moral beliefs or convictions; trade union affiliation or political opinions; data relating to health, life, sexual preference or orientation, genetic data, or biometric data, among others, subject to regulation and aimed at uniquely identifying a natural person, are considered sensitive.


  1. Data storage. Preservation or custody of data in a database established in any medium provided, including Information and Communication Technologies (TICs for the abbreviation in Spanish).
  2. Database. A structured set of data of any nature, created by any form or modality, organization, or storage, which allows the data to be related to each other, as well as to perform any type of processing or transmission of these by its custodian.
  3. Accessible source. Databases that are not of restrictive access or contain any reservation to queries, or that are public access, such as official governmental publications, the media, telephone directories and lists of persons belonging to a group of professionals containing only name, title or profession, activity, work, or business address, as well as information indicating their membership in organizations.  


  1. Data holder. Natural or legal person to whom the data relates.
  2. Database custodian. Natural or legal person, subject to public or private law, profitable or not, acting in the name and on behalf of the data controller and is responsible for the custody and preservation of the database.
  3. Data. Controller. Natural or legal person, public or private law, profitable or not, who is responsible for decisions related to the processing of data and who determines the purposes, means and scope, as well as issues related to these.

Data Processing

  1. Data processing. Any operation or complex of operations or technical procedures, whether automated or not, that makes it possible to collect, store, record, organize, elaborate, select, extract, confront, interconnect, associate, dissociate, communicate, assign, exchange, transfer, transmit or cancel data, or use them in any other way.
  2. Consent. Manifestation of the will of the data holder, by means of which the processing of such data is carried out.
  3. Data blocking. Temporary restriction of any access to or processing of stored data.
  4. Cancellation or deletion of data. To permanently delete or erase data stored in databases, regardless of the procedure used to do so.
  5. Data modification. Any change to the content of data stored in databases.
  6. Dissociation or anonymization procedure. Any data processing that prevents the information available in the database from being associated with a particular or determinable natural person.
  7. Data transfer. Making known, disclose, communicating, exchanging and/or transmitting, in any form and by any means, from one point to another, intra or extra-border, the data to natural or legal persons other than the holder, whether determined or undetermined.

Our Guiding Principles

  1. Loyalty. We only collect your personal data with your knowledge and consent.  
  2. Purpose. When we collect your personal data, we inform you about the purpose and we will only use it for the stated purposes.
  3. Proportionality. We will only ask you for the necessary personal data related to the stated purpose.
  4. Veracity and Accuracy. We will always ensure that your data is accurate and kept up to date. Remember that updating is a shared responsibility.
  5. Data security. We have taken appropriate technical and organizational measures against the unauthorized and unlawful processing of your personal data and information. You can rest assured that we have a robust technological platform, international expert advice and a highly specialized team that has developed a strategy to continuously optimize the safety of your personal data.
  6. Transparency. We will always seek to communicate our data protection policies in an easy-to-understand language. Pleas also refer to sections We take care of your Rights as a Personal Data Owner and Access to Your Information and Procedure to Exercise Your Rights.
  7. Confidentiality. All persons who by their role have access to your data are obliged not to disclose it. We have internal processes, policies, and tools to support us in maintaining the confidentiality of your data.
  8. Legality. When we obtain your data, we make sure we have your consent and document it for future inquiries.
  9. Portability. If required by you, we will share your personal data in a timely manner in a generic and common format.

¿How and why we collect personal information?

As a fiduciary service provider, we collect personal data as part of our professional activities in order to serve our clients and to comply with the legal regulations that apply to us.

We never collect personal data without your knowledge and consent. We do not use your personal data for purposes other than those stated.

It is important to note that we do not disclose or sell your personal information or business contact information to third parties to enable them to market their products and services.

If you are a client or potential client

When you request a service or quote for a service, we may collect your information and data as part of the introductory process, to understand, access and assist you with your legal needs, to comply with obligations under special laws or to ensure that the information is correct and up to date, among others. We only collect your data through legal and consented means. 

Some of the information we typically collect is:

  1. Basic information and personal data to unequivocally identify you: full name, date of birth, nationality, passport, or identification number. If case of an entity, your role within the organization.
  2. Contact details to be able to communicate with you and for invoicing: physical address, email address, and telephone numbers. if case of entity, domicile, and tax identification number.
  3. Necessary information to comply with the “Know Your Client” policy and Due Diligence requirements: in addition to the data mentioned in the above points, a copy of your identification document and proof of address. If you are a legal entity, certificate of existence or equivalent, among others.

Generally, you provide information and data during our relationship. However, as it becomes necessary to provide the requested services and/or comply with legal obligations, we may validate or collect information about you with the different databases, such as those of other companies in our economic group, or through third parties such as accessible sources, other authorities and/or state entities and service providers.

We use your personal data only in our regular professional activities and to comply with our contractual obligations or agreements entered into to provide you with our services, to conduct verifications for possible conflicts or anti money laundering searches, to comply with our legal obligations in the jurisdictions where we operate and to defend your legal rights, as well as to comply with court and/or administrative orders if necessary.

Due to the diversity of services that we provide, we are unable to define a standard timeframe for the deletion of personal data in our custody. In general terms, we will keep your personal data for a minimum of 5 years after the end of any commercial or contractual relationship, in accordance to the terms established by Law 23 of April 27, 2015. We will keep your personal data after this period, for as long as necessary for us to deal with any claims or concerns arising from the processing for which they have been collected or to comply with special laws or regulations implementing them. If you want your data to be deleted after the legal obligation to keep it has been fulfilled, you can make use of your right of Cancellation by sending a request to our Data Protection Officer, following the indications in the section "Access to Your Information and Procedure to exercise your rights".  The viability of this request will be analyzed and addressed within five (5) working days.

The right of cancellation shall not apply in the following circumstances:

  1. When the data must be kept or processed for the fulfillment of a fiduciary provision or other legal provision;
  2. When the legal period for its conservation has elapsed, there is a special provision that establishes another legal period of conservation;
  3. When the legal period for its conservation has elapsed, there is a legitimate interest of the fiduciary for its conservation;
  4. Any other circumstance that based on a legitimate reason requires its conservation, provided that the rights of the data subject do not prevail;
  5. When any of the limitations established in article 31 of Executive Decree No. 285 of 2021 is configured, as well as in any other legal provision or the norm that develops it, when they apply.
  6. When the cancellation has been previously made.
  7. As part of our professional relationship, we may send you information about our legal services, about new products or services, events and news about our company or other companies in our economic group. You may at any time withdraw your consent by notifying us at [email protected].

If you visit us at our facilities

We, as well as MMG Tower use video surveillance around and inside our offices to maintain the security of our clients, employees, and other visitors, as well as to protect us from theft, fraud, and property damage. Therefore, when you visit us in our facilities, you may be recorded. All recordings are destroyed after a maximum period of time of 1 year and will not be used for purposes other than those described herein. For further information we recommend you refer to the Data Protection Policy of MMG Tower.

If you visit our Websites or Service Portals

When you browse our internet pages, we do not collect personal data through cookies or similar methods. However, our pages use the Google Analytics service, which is operated by Google Inc., a company located in California, USA. Google Analytics provides us with reports on the use of our pages and general statistics about the people who visit us, such as country, browser type, general interests, etc. At no time do these reports allow us to identify a specific person through these reports. We use the service to optimize the operation and security of our technology platforms, as well as to offer more relevant content. Google Analytics uses cookies to provide its service. You have the possibility to disable Google Analytics in your browser. For more information about how Google Analytics collects and uses your data and how to disable it, please refer to

Upon entering one of our customer service portals, such as payment portals, we also collect the information that you provide to us at the time and that it is strictly necessary for it to fulfill the purpose for which it was designed, for example to transfer payment for an invoice. In all cases we always seek your convenience and security of your data. In these cases, your data will be stored for the periods established by the applicable laws and in this policy.

If you, through our contact form, provide us with your contact information to communicate with us, we will pass on your information to the indicated persons to attend to your message. It is not used for any other purpose. If a relationship with you is not established, your data will be discarded after a suitable time.

If you provide a service to us as a supplier or participate in a bidding process.

When you are our supplier or tender with us, we may ask you for general information about your business, such as public registration, contact details, business references, references in the APC (for its abbreviation in Spanish), officers and any other information that is required to perform due diligence and assess the risk of a contractual relationship.

We will keep the personal data that you provide us during our business relationship for a minimum of 5 years after finalizing any commercial or contractual relationship. We will keep your personal data after this period for as long as necessary to deal with any complaints or representations arising from the treatment for which they have been collected or to comply with special laws or regulations implementing them.

If you are an employee or candidate

When you apply for a position with us, we collect the information that you provide us with your resume. In addition, we may be collecting further information, for example through forms, interviews, or your references. We use this information to evaluate candidates to fill a position with us or another company part of our economic group. If you are not hired, we keep your data for a period of 12 months and then delete it. If hired, your information will be part of our employee database and your personnel file, for which we may request and store additional information, to develop the employment relationship. Once the employment relationship has ended, we keep your data in accordance with the special applicable laws, such as Law 51 of 2005, which reforms the Organic Law of the Social Security Fund and dictates other provisions, in which a record keeping time of 20 years is defined for the prescription of contributions, so the relevant information will be kept for at least 20 years after terminating the employment relationship.

How we share or transfer your information

During our business relationship, we provide information to our staff for reasonable business purposes and to provide services to you. Our staff is trained to keep the confidentiality and security of your data.

As part of an economic group, we may share some information between our companies for the sole purpose of providing the service to you or developing the relevant business relationship. We ensure that at all times they guarantee the same level of data protection that we demand.

All our personnel and that of our related companies have signed a confidentiality agreement and receive continuous training on confidentiality policies and protocols, data protection and our code of ethics, among others.

To provide some of our services, we may sometimes use external service providers or professionals who work with us, such as experts, translators, IT service providers, banks, and others, who may have access to your personal data. In these cases, we require these providers to comply with practices and policies that ensure the security and confidentiality of your personal information and they are not processed for purposes other than those specified above.

Some of our companies, headquarters or service providers may be located in different jurisdictions. Where it is necessary to transfer or transmit your personal information for the stated purpose, we always ensure that the protection and confidentiality of your data is kept as if it were in national territory and always in compliance with the applicable regulations.

Please always keep in mind that we must and will provide your data and basic information to government authorities if requested and required to do so by law.

We keep your data safe

The information we collect is strictly used for the purposes indicated. Our employees’ access to your information is restricted and limited only to those who have authorization and training in the proper handling of personal data.

We have adopted and implemented physical, electronic, procedural and security safeguards to ensure that your information is kept confidential and secure as required by law and our internal procedures and practice.

If you have any questions about our security measures, you may contact us at [email protected].

Retention of information

You agree that we may store and use information about You in our records for the purposes described in this Policy, even if you cease to be a client, subject to applicable laws.

Accuracy of personal information

As long as there is a business relationship with Us, you must at all times provide and keep all personal information up-to-date, and you must notify us as soon as there are changes to it so that we can update our databases and ensure that there are no mishaps in our contractual relationship.

We take care of your rights as a personal data owner

  1. Access. You may obtain your personal data, know its origin and the purpose for which it has been collected.
  2. Rectification. You may request correction of your personal data if you believe that it is incorrect, irrelevant, incomplete, outdated, inaccurate, false, or impertinent. In such case we will proceed with the corresponding correction within 5 working days following the request.
  3. Cancellation. You may request deletion of your data if you believe it is incorrect, irrelevant, incomplete, outdated, inaccurate, false, or irrelevant.
  4. Opposition. When you consider that there are justified and legitimate reasons relating to something in particular, you may refuse to provide your personal data or to be subject to certain processing, as well as to revoke your consent.
  5. Portability. If requested by you, we will share your personal data in a generic and usual format within a period not exceeding 10 business days from the request.

Please note that to protect your rights we may delete, cancel, modify, or block your personal data without a request from you when there is evidence of inaccuracy of your data. When the accuracy of your data cannot be established or is of doubtful validity, we may block your data.

Access to Your Information and Procedure to Exercise Your Rights

To exercise the rights detailed above, please send an email to our Data Protection Officer, attaching the completed form corresponding to your request and with the required supporting documentation. We will respond to you within no more than 5 business days.

Data Protection Officer

We have appointed a Data Protection Officer, who ensures the timely attention to personal data owners and competent authorities in accordance with the Personal Data Protection Law:

                 OData Protection Officer:        Manuel Samudio

                 Contact:                                                    [email protected].

                 Office:                                                       MMG Tower, Piso 23, Paseo del Mar Ave.,

                                                                                         Costa del Este, Panama City


Functions of the Data Protection Officer (extract):

  1. Participate in matters related to the protection of personal data
  2. To inform and advise the data controller and/or the database custodian on issues related to compliance with the Personal Data Protection Law, its regulations, or any legal provision applicable to each case.
  3. To supervise compliance with regulations.
  4. Promote the training of people who assume tasks related to the processing of personal data.
  5. Cooperate with the supervisory authority and be its liaison unit.
  6. Advise the data controller and/or the database custodian in the response to the requirements or observations formally notified by the control authority.
  7. To be the liaison unit with the data owners for questions regarding data processing and their rights.

Validity of this Policy

This Policy was updated as of April 5th, 2022  You agree that we may review and change our Policy at any time to update our privacy commitment to you, based on current privacy laws and best practices.

MMG TRUST S.A. is an entity regulated by the Superintendency of Banks of Panama, with trustee license accredited by SBP-FID, Resolution No. 11-1998 of September 16, 1998


MMG Tower, Piso 23

Avenida Paseo del Mar, Costa del Este

Ciudad de Panamá, República de Panamá

Telephone: +507 265-7633

E-mail: [email protected]