Support Centre

Macau

Summary

Law: Personal Data Protection Act (Act 8/2005) (the Act)

Regulator: Office for Personal Data Protection (GPDP)

Summary: On August 10, 2005, the Personal Data Protection Act (Act 8/2005) (the Act) was signed and published, entering into effect 180 days thereafter. The Act provides general personal data protection requirements and provisions, including establishing data subject rights and regulating the activities of data controllers and data processors, and provides for penalties of up to MOP 200,000 (approx. $24,830) for the violation of its provisions. The Act does not, however, provide for the appointment of data protection officers nor any specific requirements for data controllers and/or processors to notify data breaches. In addition to the Act, the Cybersecurity Law No. 13/2019 (only available in Portuguese and Chinese here) entered into effect on December 21, 2019, and stipulates requirements for operators of critical information infrastructure.

The Office for Personal Data Protection (GPDP) has released several guidelines on matters including app development, data protection in the workplace, and biometric monitoring. There are no notable enforcement decisions by the GPDP. In particular, the GPDP has primarily dealt with cases of non-compliance with the principles of data processing, as highlighted in its 2022 annual report (only available in Chinese here).

Insights

China's Personal Information Protection Law ('PIPL') came into force on 1 November 2021 and directly affects data transfers between Macau and China. Bruno Nunes, Managing Partner at BN Lawyers, explains the impact of the PIPL on data transfers between Macau and China and discusses key-differences between the PIPL and Macau's Personal Data Protection Act (Act 8/2005) ('PDPA').