DLA Piper Intelligence

Data Protection
Laws of the World

Law

Macau
Macau

Macau personal data protection Law no. 8/2005 of August 22nd ('Law).  

Last modified 24 Jan 2017
Law
Macau

Macau personal data protection Law no. 8/2005 of August 22nd ('Law).  

Last modified 24 Jan 2017
Definitions

Definition of personal data

The Law defines 'personal data' as any information of any type, in any format, including sound and image, related to

  • a specific or identifiable natural person ('data subject')
  • an identifiable person is anyone who can be identified, directly or indirectly, in particular by reference to a specific number or to one or more specific elements related to his/her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

Pursuant to the Law, 'sensitive personal data' can be defined as any personal data revealing political persuasion or philosophical beliefs, political and joint trade unions affiliation, religion, private life and racial or ethnical origin as well as data related to health or sex life, including genetic data.

Last modified 24 Jan 2017
Authority

'Gabinete para a Protecção de Dados Pessoais', in Portuguese, '個人資料保護辦公室', in Chinese, and 'Office for Personal Data Protection', in English ('OPDP') is the Macau regulatory authority responsible, inter alia, for supervising and coordinating the implementation of the Law.

Avenida da Praia Grande, n.º 804, Edifício "China Plaza", 13.º andar, A-F, Macau
T: +853 2871 6006
F: +853 2871 6116

www.gpdp.gov.mo 

Last modified 24 Jan 2017
Registration

The processing of personal data shall be notified to the OPDP by the data processor unless an exemption applies.

For certain data categories (e.g. some sensitive data, data regarding illicit activities or criminal and administrative offences or credit and solvability data) and certain specific personal data processing, prior authorisation from the OPDP is required.

Any variations or changes to the personal data processing determine the amendment of the initial registration.

As for filing requirements, the OPDP provides (official) forms that must be submitted either in Portuguese or Chinese language along with, in particular, the following information (if applicable):

  1. identification and contact details of the data processor as well as its representatives

  2. the personal data processing purpose

  3. identification and contact details of any third party carrying out the personal data processing

  4. the commencement date of the personal data processing

  5. the categories of personal data processed (disclosing whether sensitive data is to be collected as well as data concerning the suspicion of illicit activities, criminal and/or administrative offences, as well as data regarding credit and solvability)

  6. the legitimacy grounds to process personal data

  7. the means and forms available to the data subject for updating his/her personal data

  8. any transfer of personal data outside Macau, along with the grounds of and measures to be adopted with the transfer

  9. personal data storage time limit

  10. interconnection of personal data with third parties, and

  11. security measures adopted for the protection of personal data.
Last modified 24 Jan 2017
Data Protection Officers

There is no legal requirement to appoint a data protection officer in Macau.

Last modified 24 Jan 2017
Collection & Processing

Personal data may only be processed if the data subject has given his/her unequivocal consent or if processing is deemed necessary to:

  1. the execution of an agreement where the data subject is a party to or in previous diligences for the conclusion of an agreement at the request of the data subject

  2. the compliance of a legal obligation to which the data processor is subject

  3. the protection of vital interests of the data subject if he/she is physically or legally unable of giving his/her consent

  4. the performance of a public interest assignment or in the exercise of public authority powers vested in the data processor or in a third party to whom the personal data is disclosed, or

  5. pursuing a data processor (or a third party to whom the data is disclosed) legitimated interest, provided that the data subject interests or rights, liberties and guarantees shall not prevail.

Moreover, the data subject shall be provided with all relevant processing information, including the identification of the data processor, the personal data processing purpose and the means and forms available to the data subject for accessing, amending and deleting his/her personal data.

Last modified 24 Jan 2017
Transfer

The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of personal data protection.

Exceptionally, the transfer of personal data outside Macau pursuant to a data subject unequivocal consent is allowed. In such case, the data transfer can be carried out immediately after filing the registration with the OPDP.

Last modified 24 Jan 2017
Security

The data processor must implement adequate technical and organisational measures to protect the personal data against accidental or illicit destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other illicit forms of processing. Such measures shall ensure a security level appropriate to the risks represented by the personal data processing and the nature of the personal data, taking into consideration the state of the art and related costs with its implementation.

Last modified 24 Jan 2017
Breach Notification

Under the Law, there is no mandatory requirement for data processors to notify the OPDP or data subjects about any personal data breach in Macau.

Last modified 24 Jan 2017
Enforcement

Breaches of the Law are subject to civil liability, administrative and criminal sanctions, including fines and/or imprisonment.

Last modified 24 Jan 2017
Electronic Marketing

Under the Law, data subjects have the right to object, on their request and free of charge, to the processing of their personal data for the purpose of direct marketing and to be informed before their personal data is disclosed or used by third parties for the purpose of direct marketing, and to be expressly offered, also free of charge, the right to object to such a disclosure or use.

Last modified 24 Jan 2017
Online Privacy

The rules stated in the Law also apply in the online environment.

For example, where a Macau company collects personal data from Macau residents through its website (by cookies, for instance), such Macau company must fulfil all obligations under the Law imposed on data processors, in particular to inform data subjects of the personal data processing purpose and to duly notify the OPDP about the personal data processing, etc.

Last modified 24 Jan 2017
Contacts
Tang Weng Hang
Tang Weng Hang
Partner
T +853 2871 5588
António Lobo Vilela
António Lobo Vilela
Partner
T +853 2871 5588
Last modified 24 Jan 2017