Support Centre



Law: Personal Data Protection Act (Act 8/2005) ('the Act')

Regulator: Office for Personal Data Protection ('GPDP')

Summary: The Act provides general personal data protection requirements and provisions, including establishing data subject rights and regulating the activities of data controllers and data processors. The Act does not, however, provide for the appointment of data protection officers and is unclear in relation to data breach notification requirements. In addition to the Act, the Cybersecurity Law No. 13/2019 (only available in Portuguese and Chinese here) ('the Cybersecurity Law') entered into effect on 21 December 2019, and stipulates requirements for operators of critical information infrastructure. The GPDP has released several guidelines on matters including, among other things, app development, data protection in the workplace, and biometric monitoring. 


China's Personal Information Protection Law ('PIPL') came into force on 1 November 2021 and directly affects data transfers between Macau and China. Bruno Nunes, Managing Partner at BN Lawyers, explains the impact of the PIPL on data transfers between Macau and China and discusses key-differences between the PIPL and Macau's Personal Data Protection Act (Act 8/2005) ('PDPA').