DLA Piper Intelligence

Data Protection Laws of the World

Law

Macau

Macau personal data protection Law no. 8/2005 of August 22nd (Law).

Last modified 28 Jan 2019
Definitions

Definition of personal data

The Law defines personal data as any information of any type, in any format, including sound and image, related to a specific or identifiable natural person (data subject). An ‘identifiable natural person’ is anyone who can be identified, directly or indirectly, in particular by reference to a specific number or to one or more specific elements related to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Law defines sensitive personal data as any personal data revealing political persuasion or philosophical beliefs, political and joint trade union affiliation, religion, private life, racial or ethnic origin or data related to health or sex life, including genetic data.

Authority

The Office for Personal Data Protection (OPDP) is the Macau regulatory authority responsible for supervising and coordinating the implementation of the Law. https://www.gpdp.gov.mo/

Registration

The OPDP must be notified of any processing of personal data by a data processor unless an exemption applies.

For certain data categories (eg, certain sensitive personal data, data regarding illicit activities or criminal and administrative offenses or credit and solvency data) and certain specific personal data processing, data processors must obtain prior authorization from the OPDP.

The OPDP provides official forms that must be submitted regarding personal data processing, in either Portuguese or Chinese, along with the following information (if applicable):

  • Identification and contact details of the data processor and its representatives
  • The personal data processing purpose
  • Identification and contact details of any third party carrying out the personal data processing
  • The commencement date of the personal data processing
  • The categories of personal data processed (disclosing whether sensitive personal data, data concerning the suspicion of illicit activities, criminal and / or administrative offenses or data regarding credit and solvency are to be collected)
  • The legal basis for processing personal data
  • The means and forms available to the data subject for updating his or her personal data
  • Any transfer of personal data outside Macau, along with the grounds for, and measures to be adopted with, the transfer
  • Personal data storage time limits
  • Interconnection of personal data with third parties
  • Security measures adopted to protect the personal data
Data Protection Officers

There is no legal requirement to appoint a data protection officer in Macau.

Collection & Processing

Personal data may be processed only if the data subject has given his or her unequivocal consent or if processing is deemed necessary for:

  • Execution of an agreement where the data subject is a party, or, at the data subject’s request, negotiation in relation to such an agreement
  • Compliance with a legal obligation to which the data processor is subject
  • Protection of vital interests of the data subject if he or she is physically or legally unable to give his or her consent
  • Performance of a public interest assignment or exercise of public authority powers vested in the data processor or in a third party to whom the personal data is disclosed, or
  • Pursuing a data processor’s legitimate interest (or the legitimate interest of a third party to whom the data is disclosed), provided that the data subject’s interests or rights, liberties and guarantees do not prevail

The data subject must be provided with all relevant processing information, including the identification of the data processor, the purpose of processing, and the means and forms available to the data subject for accessing, amending and deleting his or her personal data.

Transfer

The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of personal data protection, unless the data subject has provided clear consent and the required filings have been made with the OPDP.

Security

The data processor must implement adequate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a security level appropriate to the risks represented by the personal data processing and the nature of the personal data, taking into consideration the state of the art and costs of the measures.

Breach Notification

None. The Law does not require data processors to notify either the OPDP or data subjects about any personal data breach.

Enforcement

Violations of the Law are subject to civil liability and administrative and criminal sanctions, including fines and / or imprisonment.

Electronic Marketing

Under the Law, data subjects have the right to object, on their request and free of charge, to the processing of their personal data for direct marketing purposes, to be informed before their personal data is disclosed or used by third parties for the purpose of direct marketing and to be expressly offered, also free of charge, the right to object to such disclosure or use.

Online Privacy

The Law also applies in the online environment.

For example, a Macau company that collects personal data from Macau residents through its website (eg, through cookies) must fulfil all obligations under the Law imposed on data processors. In particular, the Macau company must inform data subjects of the personal data processing purpose and notify the OPDP about the personal data processing.

Contacts
Tang Weng Hang
Partner
T +853 2871 5588
António Lobo Vilela
Partner
T +853 2871 5588