Macau Personal Data Protection Law no. 8/2005 of August 22nd (Law).
Definition of personal data
The Law defines personal data as any information of any type, in any format, including sound and image, related to a specific or identifiable natural person (data subject). An ‘identifiable natural person’ is anyone who can be identified, directly or indirectly, in particular by reference to a specific number or to one or more specific elements related to his or her physical, physiological, mental, economic, cultural or social identity.
Definition of sensitive personal data
The Law defines sensitive personal data as any personal data revealing political persuasion or philosophical beliefs, political party or trade union affiliation, religion, private life, racial or ethnic origin, or data related to health or sex life, including genetic data.
The Office for Personal Data Protection (OPDP) is the Macau regulatory authority responsible for supervising and coordinating the implementation of the Law.
The OPDP must be notified of any processing of personal data by a data controller, within 8 days from the commencement of the processing activity, unless an exemption applies.
For certain data categories (e.g. certain sensitive personal data, data regarding illicit activities or criminal and administrative offenses or credit and solvency data) and certain specific personal data processing, data controllers must obtain prior authorization from the OPDP.
The OPDP provides (official) forms that must be submitted regarding personal data processing, either in Portuguese or Chinese language, along with the following information (if applicable):
- Identification and contact details of the data controller and its representatives;
- The personal data processing purpose;
- Identification and contact details of any third party carrying out the personal data processing;
- The commencement date of the personal data processing;
- The categories of personal data processed (disclosing whether sensitive personal data, data concerning the suspicion of illicit activities, criminal and / or administrative offenses or data regarding credit and solvency are to be collected);
- The legal basis for processing personal data;
- The means and forms available to the data subject for updating his or her personal data;
- Any transfer of personal data outside Macau, along with the grounds for, and measures to be adopted with, the transfer;
- Personal data storage time limits;
- Interconnection of personal data with third parties; and
- Security measures adopted to protect the personal data.
There is no legal requirement to appoint a data protection officer in Macau.
Personal data may be processed only if the data subject has given his or her unequivocal consent or if the processing is deemed necessary for one of the following:
- Execution of an agreement where the data subject is a party, or, at the data subject’s request, negotiation in relation to such an agreement;
- Compliance with a legal obligation to which the data controller is subject;
- Protection of vital interests of the data subject if he or she is physically or legally unable to give his or her consent;
- Performance of a public interest assignment or exercise of public authority powers vested in the data controller or in a third party to whom the personal data is disclosed; or
- Pursuing a data controller's legitimate interest (or the legitimate interest of a third party to whom the data is disclosed), provided that the data subject’s interests or rights, liberties and guarantees do not prevail.
The data subject must be provided with all relevant processing information, including the identification of the data controller, the purpose of processing, and the means and forms available to the data subject for accessing, amending and deleting his or her personal data. Moreover, if applicable, the data subject should also be informed of the possibility of their data being transferred to a jurisdiction outside of Macau.
The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of personal data protection, unless the data subject has provided clear consent or the required legal conditions have been met, and the required filings have been made with the OPDP.
In view of the close relationship with Mainland China and the entry into force of the Chinese Personal Information Protection Law ("PIPL"), which has extraterritorial effect, the Macao Office for Personal Data Protection (OPDP) has urged local data controllers and processors to be aware of the data transfer requirements under the PIPL, including the need to undergo a data security assessment prior to the transfer of data from Mainland China to Macao.
The data controller must implement adequate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a security level appropriate to the risks represented by the personal data processing and the nature of the personal data, taking into consideration the state of the art and costs of the measures.
The Law does not require data controllers to notify either the OPDP or data subjects about any personal data breach.
However, a new Law on Cybersecurity came into effect in 2019, which introduced the requirement to notify the Cybersecurity Incident Alert and Response Center (CARIC) and the respective regulatory authority in the event of a system breach; this obligation is, however, limited to operators of critical infrastructures.
Violations of the Law are subject to civil liability and administrative and criminal sanctions, including fines and / or imprisonment.
Under the Law, data subjects have the right to object, upon their request and free of charge, to the processing of their personal data for direct marketing purposes, to be informed before their personal data is disclosed or used by third parties for the purpose of direct marketing and to be expressly offered, also free of charge, the right to object to such disclosure or use.
The Law also applies in the online environment.
For example, a Macau company that collects personal data from Macau residents through its website (e.g. through cookies) must fulfil all obligations under the Law imposed on data processors. In particular, the Macau company must inform data subjects of the personal data processing purpose and notify the OPDP about the personal data processing.