August 2023

1. Governing Texts

As per the Constitution of the Democratic Republic of Timor-Leste ('the Constitution'), which was enacted on May 20, 2002, following the formal declaration of the country's independence, Timor-Leste has established constitutional safeguards regarding the protection of personal data and privacy as a general right applicable to citizens.

Without prejudice to this right, there is no general and comprehensive legislation on the protection of personal data i.e. there is no national general law on the protection of privacy and data, cybercrime, cybersecurity, and other privacy-adjacent legislation. Non-binding, political discussion in the country has demonstrated a growing awareness and intention to legislate on data protection and cybersecurity matters in the country, and both data protection/privacy and cybersecurity legislative documents are said to have been undergoing discussion in the Timor-Leste Parliament for some time (although no public, official texts have been published)

Since Timor-Leste is currently arranging for its adherence to the Association of Southeast Asian Nations ('ASEAN'), it is likely to also adhere to ASEAN's Framework on Personal Data Protection.

In any event and in the meantime, there are some provisions on the processing of personal data and the protection of privacy included in different legislative instruments, aimed either at specific legal and regulatory obligations or at the processing of information by public entities.

1.1. Key acts, regulations, directives, bills

The Constitution provides that:

• every individual has the right to honor and privacy (Article 36); and
• the household, correspondence, and any private means of communication are inviolable, save in cases provided for by law (Article 37).

Additionally, in Article 38, under the epigraph 'Personal Data Protection, the Constitution provides for the following:

• every citizen has the right to access personal data which concerns them (contained in either automated or non-automated records);
• every citizen may require the rectification and updating of their personal data, as well as the right to know the purpose for which their personal data is intended/was collected;
• the law defines the concept of personal data and the conditions applicable to processing; and
• automated processing of personal data relating to private life, political beliefs and philosophical, religious faith, party affiliation or trade union affiliation and ethnic origin it is expressly prohibited without the consent of the data subject.

The recently approved Law nr. 14/2022, dated December 22 (Copyright and Related Rights Code) (only available in Portuguese here) ('the Code'), which establishes general measures towards the legitimate use of technology (indirectly impacting the possible processing of personal data through electronic means), includes a provision whereby the regime set out in the Code is without prejudice to any legal or regulatory provision provides for the right to secrecy, the protection of confidentiality of sources, and/or the legal regime for the protection of personal data. 

We note also the country's Customs Code (Decree-Law nr. 14/2017, dated April 5, as amended by Decree-Law nr. 87/2022, dated December 14 (only available in Portuguese here)) (only available in Portuguese here). While this diploma does not specifically aim to regulate the protection of personal data, it includes provisions with an impact on privacy since, in addition to measures aimed at ensuring information security and limitation of access to information, it determines that the storage of customs data (including through electronic means) should be carried out in terms that facilitate the tracing and availability of the information processed.

Law No. 17/2011 on Legal Regime Covering the Prevention of and Combat against Money Laundering and Financing of Terrorism, as amended by Law No. 5/2013 ('the AML/CFT Framework').

In addition to sector-specific penalties (for further detail see the section on scope below), Decree Law 19/2009 approving the Penal Code (as amended), provides for the following:

• Privacy intrusion: any person who, by any means, even lawful ones, becomes aware of facts concerning another person's private or sexual life without consent or just cause, and discloses them publicly, shall be punishable by imprisonment for up to one year or a fine (Article 183).
• Violation of secrecy: any person who, without consent, discloses confidential information of which they have become aware, because they operate in trade or employment profession, shall be punishable by imprisonment for up to one year or a fine. If the confidential information is related to commercial, industrial, professional, or artistic activities, and the disclosure causes damage to another person or to the State, and the agent becomes aware of it under the aforementioned conditions, those responsible are punishable by imprisonment for up to two years or a fine (Article 184).

Violation of correspondence or telecommunications: any person who, without consent or outside of the cases admissible by law, opens a letter or any other writing addressed to another person, becomes aware of its contents, or prevents it from being received by its addressee, shall be punishable by imprisonment for up to two years or a fine. The same penalty shall apply to anyone who, under the same circumstances, interferes, or becomes aware of the content of telephone, telegraph, or any other means of telecommunication. Anyone who discloses the contents of letters, closed writings, telephone calls, or other communications above referred shall be punishable by imprisonment for up to one year or by a fine, even if they have lawfully known those facts. If the crimes referred to are committed by postal, telegraph, telephone, or telecommunications employees, the penalties shall be increased by one-third in their limits (Article 187). 

1.2. Guidelines

As there is no data protection law, or data protection authority for Timor-Leste. there are no official guidelines on data protection.

1.3. Case law

As far as we are aware, there is no relevant jurisprudence directly referring to procedures on privacy and data protection matters in Timor-Leste.

2. Scope of Application

2.1. Personal scope

Not applicable.

2.2. Territorial scope

Not applicable.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: Not applicable, given the absence of a general data protection framework.

Data processor: Not applicable, given the absence of a general data protection framework.

Personal data: Not applicable, given the absence of a general data protection framework.

Sensitive data: Not applicable, given the absence of a general data protection framework.

Health data: Not applicable, given the absence of a general data protection framework.

Biometric data: Not applicable, given the absence of a general data protection framework.

Pseudonymisation: Not applicable, given the absence of a general data protection framework.

5. Legal Bases

5.1. Consent

Not applicable, given the absence of a general data protection framework.

5.2. Contract with the data subject

Not applicable, given the absence of a general data protection framework.

5.3. Legal obligations

Not applicable, given the absence of a general data protection framework.

5.4. Interests of the data subject

Not applicable, given the absence of a general data protection framework.

5.5. Public interest

Not applicable, given the absence of a general data protection framework.

5.6. Legitimate interests of the data controller

Not applicable, given the absence of a general data protection framework.

5.7. Legal bases in other instances

Not applicable, given the absence of a general data protection framework.

6. Principles

Not applicable, other than the general principles set out in Article 38 of the Constitution and those set out in key acts, regulations, directives, bills above, and sector-specific concerns.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable, given the absence of a general data protection framework.

7.2. Data transfers

Not applicable, given the absence of a general data protection framework.

7.3. Data processing records

Not applicable, given the absence of a general data protection framework.

7.4. Data protection impact assessment

Not applicable, given the absence of a general data protection framework.

7.5. Data protection officer appointment

Not applicable, given the absence of a general data protection framework.

7.6. Data breach notification

Not applicable, given the absence of a general data protection framework.

7.7. Data retention

Not applicable, given the absence of a general data protection framework. While specific data retention periods may apply on a sector-specific basis, such as for tax and accounting obligations, compliance with judicial decisions, AML provisions, and employment law, there is no general data protection-oriented principle applicable to data retention.

7.8. Children's data

Not applicable.

 All provisions regarding the processing of information and the legal conditions of minors are those set out (i) in the general rules of civil law, and (ii) in Law 6/2023, dated March 1 (the Law for Protection of Endangered Children and Young People)  (only available in Portuguese here) which, while not expressly and directly providing for data protection rules, establishes a general principle that any and all decisions regarding children or young people should respect and protect their intimacy, image and private life, namely through the adoption of adequate safeguards towards confidentiality and limitation of access, by the public, to information which may identify the child or young person at stake. This law also establishes general rights of protection of intimacy for children held in foster/institutional care.

Other than this, no specific data protection-oriented principles are applicable in this respect.

7.9. Special categories of personal data

Not applicable. Criminal/sanctions information, health data or other types of information generally perceived as sensitive data would be processed as applicable under penal, healthcare, administrative and public law.

7.10. Controller and processor contracts

Not applicable, given the absence of a general data protection framework.

8. Data Subject Rights

Under the Decree Law 2/2004 (Legal Framework on Civil Identification), there is a right to be provided information regarding, and to access records related to, themselves contained in the civil identification database (Article 30). In addition, there is the right to require the rectification of inaccurate data, to have incomplete data completed, and to require the suppression of data unduly recorded in this database (Article 31).

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Not applicable.

9.1 Enforcement decisions

Not applicable.