The OPDP must be notified of any processing of personal data by a data controller, within 8 days from the commencement of the processing activity, unless an exemption applies.

For certain data categories (e.g. certain sensitive personal data, data regarding illicit activities or criminal and administrative offenses or credit and solvency data) and certain specific personal data processing, data controllers must obtain prior authorization from the OPDP.

The OPDP provides (official) forms that must be submitted regarding personal data processing, either in Portuguese or Chinese language, along with the following information (if applicable):

• Identification and contact details of the data controller and its representatives;
• The personal data processing purpose;
• Identification and contact details of any third party carrying out the personal data processing;
• The commencement date of the personal data processing;
• The categories of personal data processed (disclosing whether sensitive personal data, data concerning the suspicion of illicit activities, criminal and / or administrative offenses or data regarding credit and solvency are to be collected);
• The legal basis for processing personal data;
• The means and forms available to the data subject for updating his or her personal data;
• Any transfer of personal data outside Macau, along with the grounds for, and measures to be adopted with, the transfer;
• Personal data storage time limits;
• Interconnection of personal data with third parties; and
• Security measures adopted to protect the personal data.