Support Centre



Law: Personal Data Protection Act (Act 8/2005) ('the Act')

Regulator: Office for Personal Data Protection ('GPDP')

Summary: The Act provides general personal data protection requirements and provisions, including establishing data subject rights and regulating the activities of data controllers and data processors. The Act does not, however, provide for the appointment of data protection officers and is unclear in relation to data breach notification requirements. In addition to the Act, the Cybersecurity Law No. 13/2019 (only available in Portuguese and Chinese here) ('the Cybersecurity Law') entered into effect on 21 December 2019, and stipulates requirements for operators of critical information infrastructure. The GPDP has released several guidelines on matters including, among other things, app development, data protection in the workplace, and biometric monitoring. 


In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (Act 8/2005) (PDPA).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPA with the  GDPR.

You can access the latest version of the report here.

China's Personal Information Protection Law ('PIPL') came into force on 1 November 2021 and directly affects data transfers between Macau and China. Bruno Nunes, Managing Partner at BN Lawyers, explains the impact of the PIPL on data transfers between Macau and China and discusses key-differences between the PIPL and Macau's Personal Data Protection Act (Act 8/2005) ('PDPA').