DATA PROTECTION
LAWS OF THE WORLD
Macau
Date of Download: 6 February 2015
DATA PROTECTION LAWS OF THE WORLD
MACAU
Last modified 28 January 2015
LAW IN MACAU
Macau personal data protection Law no. 8/2005 of August 22nd ('Law). DEFINITIONS
Definition of personal data
The Law defines 'personal data' as any information of any type, in any format, including sound and image, related to
a specific or identifiable natural person ('data subject')
an identifiable person is anyone who can be identified, directly or indirectly, in particular by reference to a
specific number or to one or more specific elements related to his/her physical, physiological, mental, economic,
cultural or social identity.
Definition of sensitive personal data
Pursuant to the Law, 'sensitive personal data' can be defined as any personal data revealing political persuasion or
philosophical beliefs, political and joint trade unions affiliation, religion, private life and racial or ethnical origin as well as
data related to health or sex life, including genetic data.
NATIONAL DATA PROTECTION AUTHORITY
'Gabinete para a Protecção de Dados Pessoais', in Portuguese, '', in Chinese, and 'Office for Personal Data Protection',
in English ('OPDP') is the Macau regulatory authority responsible, inter alia, for supervising and coordinating the
implementation of the Law.
Avenida da Praia Grande, n.º 804, Edifício "China Plaza", 13.º andar, A-F, Macau
T: +853 2871 6006
F: +853 2871 6116
www.gpdp.gov.mo REGISTRATION
The processing of personal data shall be notified to the OPDP by the data processor unless an exemption applies.
For certain data categories (e.g. some sensitive data, data regarding illicit activities or criminal and administrative
offences or credit and solvability data) and certain specific personal data processing, prior authorisation from the OPDP
is required.
01 | Data Protection Laws of the World | Macau | http://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Any variations or changes to the personal data processing determine the amendment of the initial registration.
As for filing requirements, the OPDP provides (official) forms that must be submitted either in Portuguese or Chinese
language along with, in particular, the following information (if applicable):
1. identification and contact details of the data processor as well as its representatives
2. the personal data processing purpose
3. identification and contact details of any third party carrying out the personal data processing
4. the commencement date of the personal data processing
5. the categories of personal data processed (disclosing whether sensitive data is to be collected as well as data
concerning the suspicion of illicit activities, criminal and/or administrative offences, as well as data regarding
credit and solvability)
6. the legitimacy grounds to process personal data
7. the means and forms available to the data subject for updating his/her personal data
8. any transfer of personal data outside Macau, along with the grounds of and measures to be adopted with the
transfer
9. personal data storage time limit
10. interconnection of personal data with third parties, and
11. security measures adopted for the protection of personal data.
DATA PROTECTION OFFICERS
There is no legal requirement to appoint a data protection officer in Macau.
COLLECTION & PROCESSING
Personal data may only be processed if the data subject has given his/her unequivocal consent or if processing is
deemed necessary to:
1. the execution of an agreement where the data subject is a party to or in previous diligences for the conclusion of
an agreement at the request of the data subject
2. the compliance of a legal obligation to which the data processor is subject
3. the protection of vital interests of the data subject if he/she is physically or legally unable of giving his/her
consent
4. the performance of a public interest assignment or in the exercise of public authority powers vested in the data
processor or in a third party to whom the personal data is disclosed, or
5. pursuing a data processor (or a third party to whom the data is disclosed) legitimated interest, provided that the
data subject interests or rights, liberties and guarantees shall not prevail.
Moreover, the data subject shall be provided with all relevant processing information, including the identification of the
02 | Data Protection Laws of the World | Macau | http://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
data processor, the personal data processing purpose and the means and forms available to the data subject for
accessing, amending and deleting his/her personal data.
TRANSFER
The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of
personal data protection.
Exceptionally, the transfer of personal data outside Macau pursuant to a data subject unequivocal consent is allowed. In
such case, the data transfer can be carried out immediately after filing the registration with the OPDP.
SECURITY
The data processor must implement adequate technical and organisational measures to protect the personal data
against accidental or illicit destruction or accidental loss, alteration, unauthorised disclosure or access, in particular
where the processing involves the transmission of data over a network, and against all other illicit forms of processing.
Such measures shall ensure a security level appropriate to the risks represented by the personal data processing and
the nature of the personal data, taking into consideration the state of the art and related costs with its implementation.
BREACH NOTIFICATION
Under the Law, there is no mandatory requirement for data processors to notify the OPDP or data subjects about any
personal data breach in Macau.
ENFORCEMENT
Breaches of the Law are subject to civil liability, administrative and criminal sanctions, including fines and/or
imprisonment.
ELECTRONIC MARKETING
Under the Law, data subjects have the right to object, on their request and free of charge, to the processing of their
personal data for the purpose of direct marketing and to be informed before their personal data is disclosed or used by
third parties for the purpose of direct marketing, and to be expressly offered, also free of charge, the right to object to
such a disclosure or use.
ONLINE PRIVACY
The rules stated in the Law also apply in the online environment.
For example, where a Macau company collects personal data from Macau residents through its website (by cookies, for
instance), such Macau company must fulfil all obligations under the Law imposed on data processors, in particular to
inform data subjects of the personal data processing purpose and to duly notify the OPDP about the personal data
processing, etc.
03 | Data Protection Laws of the World | Macau | http://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
KEY CONTACTS
LVT Lawyers
www.lvt-lawyers.com
Tang Weng Hang
Partner
T +853 2871 5588
[email protected]
António Lobo Vilela
Partner
T +853 2871 5588
[email protected]
04 | Data Protection Laws of the World | Macau | http://www.dlapiperdataprotection.com
© Copyright 2024 ExpyDoc
