Last modified 19 December 2023

Data Protection in Macau SAR

Breach notification in Macau SAR

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Macau SAR

Macau Personal Data Protection Law no. 8/2005 of August 22nd (Law).

Related resources

Definitions

Definitions in Macau SAR

Definition of personal data

The Law defines personal data as any information of any type, in any format, including sound and image, related to a specific or identifiable natural person (data subject). An ‘identifiable natural person’ is anyone who can be identified, directly or indirectly, in particular by reference to a specific number or to one or more specific elements related to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Law defines sensitive personal data as any personal data revealing political persuasion or philosophical beliefs, political and joint trade union affiliation, religion, private life, racial or ethnical origin or data related to health or sex life, including genetic data.

Authority

National data protection authority in Macau SAR

The Office for Personal Data Protection (OPDP) is the Macau regulatory authority responsible for supervising and coordinating the implementation of the Law.

Registration

Registration in Macau SAR

The OPDP must be notified of any processing of personal data by a data controller, within 8 days from the commencement of the processing activity, unless an exemption applies.

For certain data categories (e.g. certain sensitive personal data, data regarding illicit activities or criminal and administrative offenses or credit and solvency data) and certain specific personal data processing, data controllers must obtain prior authorization from the OPDP.

The OPDP provides (official) forms that must be submitted regarding personal data processing, either in Portuguese or Chinese language, along with the following information (if applicable):

Identification and contact details of the data controller and its representatives;
The personal data processing purpose;
Identification and contact details of any third party carrying out the personal data processing;
The commencement date of the personal data processing;
The categories of personal data processed (disclosing whether sensitive personal data, data concerning the suspicion of illicit activities, criminal and / or administrative offenses or data regarding credit and solvency are to be collected);
The legal basis for processing personal data;
The means and forms available to the data subject for updating his or her personal data;
Any transfer of personal data outside Macau, along with the grounds for, and measures to be adopted with, the transfer;
Personal data storage time limits;
Interconnection of personal data with third parties; and
Security measures adopted to protect the personal data.

Data protection officers

Data protection officers in Macau SAR

There is no legal requirement to appoint a data protection officer in Macau.

Collection and processing

Collection and processing in Macau SAR

Personal data may be processed only if the data subject has given his or her unequivocal consent or if processing is deemed necessary:

Execution of an agreement where the data subject is a party, or, at the data subject’s request, negotiation in relation to such an agreement;
Compliance with a legal obligation to which the data controller is subject;
Protection of vital interests of the data subject if he or she is physically or legally unable to give his or her consent;
Performance of a public interest assignment or exercise of public authority powers vested in the data controller or in a third party to whom the personal data is disclosed; or
Pursuing a data controller's legitimate interest (or the legitimate interest of a third party to whom the data is disclosed), provided that the data subject’s interests or rights, liberties and guarantees do not prevail.

The data subject must be provided with all relevant processing information, including the identification of the data controller, the purpose of processing, and the means and forms available to the data subject for accessing, amending and deleting his or her personal data. Moreover, if applicable, the data subject should also be informed of the possibility of their data being transferred to a jurisdiction outside of Macau.

Related resources

Transfer

Transfer in Macau SAR

The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of personal data protection, unless the data subject has provided clear consent or the required legal conditions have been met, and the required filings have been made with the OPDP.

In view of the close relationship with Mainland China and the entry into force of the Chinese Personal Information Protection Law ("PIPL") with extraterritorial effect, the Macao Office for Personal Data Protection (OPDP) has urged local data controllers and processors to be aware of the data transfer requirements pursuant to the PIPL, including to proceed / take part in a data security assessment prior to the transfer of data from Mainland China to Macao.

Related resources

Security

Security in Macau SAR

The data controller must implement adequate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a security level appropriate to the risks represented by the personal data processing and the nature of the personal data, taking into consideration the state of the art and costs of the measures.

Related resources

Breach notification

Breach notification in Macau SAR

The Law does not require data controllers to notify either the OPDP or data subjects about any personal data breach.

However, a new Law on Cybersecurity came into effect in 2019, which implemented the requirement to notify the Cybersecurity Incident Alert and Response Center (CARIC) and respective regulatory authority, in the event of a system breach – this obligation is, however, limited to operators of critical infrastructures.

Related resources

Enforcement

Enforcement in Macau SAR

Violations of the Law are subject to civil liability and administrative and criminal sanctions, including fines and / or imprisonment.

Electronic marketing

Electronic marketing in Macau SAR

Under the Law, data subjects have the right to object, upon their request and free of charge, to the processing of their personal data for direct marketing purposes, to be informed before their personal data is disclosed or used by third parties for the purpose of direct marketing and to be expressly offered, also free of charge, the right to object to such disclosure or use.

Online privacy

Online privacy in Macau SAR

The Law also applies in the online environment.

For example, a Macau company that collects personal data from Macau residents through its website (e.g. through cookies) must fulfil all obligations under the Law imposed on data processors. In particular, the Macau company must inform data subjects of the personal data processing purpose and notify the OPDP about the personal data processing.