Law: Personal Data Protection Act (Act 8/2005) (the Act)

Regulator: Office for Personal Data Protection (GPDP)

Summary: On August 10, 2023, the Personal Data Protection Act (Act 8/2005) (the Act) was signed and published, entering into effect 180 days thereafter. The Act provides general personal data protection requirements and provisions, including establishing data subject rights and regulating the activities of data controllers and data processors, and provides for penalties of up to MOP 200,000 (approx. $24,830) for the violation of its provisions. The Act does not, however, provide for the appointment of data protection officers nor any specific requirements for data controllers and/or processors to notify data breaches. In addition to the Act, the Cybersecurity Law No. 13/2019 (only available in Portuguese and Chinese here) entered into effect on December 21, 2019, and stipulates requirements for operators of critical information infrastructure.

The Office for Personal Data Protection (GPDP) has released several guidelines on matters including app development, data protection in the workplace, and biometric monitoring. There are no notable enforcement decisions by the GPDP. In particular, the GPDP has primarily dealt with cases of non-compliance with the principles of data processing, as highlighted in its 2022 annual report (only available in Chinese here).