Law: There is no general personal data protection law.

Regulator: There is no data protection authority.

Summary: Whilst there is no general data protection law in Timor-Leste, the Constitution of the Democratic Republic of Timor-Leste (the Constitution), which entered into force on May 20, 2002, provides every individual with the right to privacy (Article 36). Furthermore, Article 38 of the Constitution specifically addresses personal data protection and provides every citizen with the right to access, and the right to know the purpose for which their personal data was collected, as well as outlines consent requirements for the processing of certain types of data. In addition, there are sectoral laws regulating money laundering (Law No. 17/2011 on Legal Regime Covering the Prevention of and Combat against Money Laundering and Financing of Terrorism, as amended by Law No. 5/2013), which regulates instances of data processing for client identification, and the national health system (Law No. 20/2004 on the National Health System, only available in Portuguese here), which establishes the right to privacy in the private and public healthcare sectors.

In addition to sector-specific laws, Decree Law 19/2009 approving the Penal Code (as amended), provides for penalties in case of privacy intrusion, violation of secrecy, and violations of correspondence or telecommunications.

Since Timor-Leste is currently arranging for its adherence to the Association of Southeast Asian Nations (ASEAN), it is likely to also adhere to ASEAN's Framework on Personal Data Protection.