Macau - Data Protection Overview
1. Governing Texts
Macau's legal framework is strongly inspired by European Union legislation. The provisions of the Personal Data Protection Act (Act 8/2005) ('the Act') were mostly drawn from the Portuguese Law No. 68/98 of 26 October on the Protection of Personal Data (only available in Portuguese here), which transposed the EU's Data Protection Directive (Directive 95/46/EC).
The purpose of the Macau data privacy legal framework is to ensure that the processing of personal data is carried out transparently and with strict respect for an individual's privacy.
Therefore, the Act regulates any acts or operations on personal data, including sensitive data, whether or not by automatic means, such as:
- collecting, recording, or storing of data;
- modifying, destroying, or deleting data;
- using, querying, or reconciling data;
- disclosing, sharing, or transferring data; and
- combination or interconnection of data.
Recently, data privacy and security concerns have increased worldwide, and the Macau authorities have therefore become more proactive in terms of data protection rights. Thus, it is expected that the Act will be amended in order to face the challenges, issues, and implications of the technological era.
The Act is the primary data protection legislation in Macau, establishing the legal regime for collecting, processing, and transferring personal data.
Other legislation with implications for data protection includes:
- Law No. 2/2012, which establishes the legal framework for video surveillance in public spaces (available in Chinese here and Portuguese here); and
- Law No. 13/2019, which regulates Macau's Cybersecurity Law (available in Chinese here and Portuguese here).
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') should also be taken into consideration, since entities established within or outside the EU have an obligation to comply with the data protection provisions of the GDPR regarding:
- the processing of personal data in regard to the activities of an establishment of a controller or a processor in the EU, whether or not the processing takes place in the EU; and
- the processing of the personal data of data subjects who are in the EU, by a controller or processor not established in the EU, where the processing relates to the offering of goods or services (whether free or paid for), or the monitoring of behaviour which takes place within the EU.
China's Personal Information Protection Law ('PIPL') came into force on 1 November 2021. The PIPL has extra-territorial effect, and therefore governs the processing of personal information of individuals located in China, regardless of whether the entities processing that information are in China.
If a Macau company processes personal data of individuals in China's territory to provide products or services to individuals in China or to analyse and evaluate the activities of individuals in China, the PIPL is applicable.
Institutions or individuals based in Macau must observe the abovementioned requirements when they process personal data within China or process personal data outside China for purposes of providing products or services to individuals within China.
Institutions or individuals based in Macau will need to obtain separate consent from individuals for the transfer of their personal information, must agree to a standard contract issued by the authorities overseeing cyberspace matters, and must fulfil the requirements outlined in other laws and regulations established by those authorities.
It is also required to establish a domestic agent or designated representative within China to be responsible for matters related to personal information. Furthermore, the name and contact information of such agent or representative must be reported to the competent authorities.
Although the PIPL imposes obligations of implementing data security measures, risk assessment and evaluation reports, specification of a person in charge of the data security and prior authorisation from the competent authorities in China before transferring data, it is expected that the impact will be mitigated since the principles of the PIPL and the Act are similar.
By comparison, the PIPL affords extra protection over sensitive personal information.
There are several guidelines issued by the Office for Personal Data Protection ('GPDP') aimed at providing more information to the public regarding privacy and data protection matters. Such guidelines (a list of which is available here) include:
- Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring (only available in Chinese here);
- Guidelines on Issues Relating to Using Fingerprint/Hand Geometry Devices to Check on Work Attendance;
- Guidelines on Using Facial Identification Attendance Control Systems;
- Guidelines on Devices of Biometric Technologies other than Fingerprint or Hand-geometry Identification;
- Guidelines on the Right to Information in Indirect Collection of Personal Data;
- Guidelines on Publication of Personal Data on the Internet;
- Guidelines on Merchants' Processing of Identification Documents of Payment Cardholders; and
- Guidelines for Apps Development.
1.3. Case law
Currently, there is no relevant case law in Macau.
2. Scope of Application
The Act applies to entities which, directly or indirectly, collect, process, or transfer personal data in Macau.
The GDPR applies to a company or other legal entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed, or a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
The Act applies if the controller or processor:
- is domiciled or based in Macau; or
- uses a computer or data communication network access provider established in Macau.
The Act applies to the processing of personal data, wholly or partly, by automatic means, and to the processing, otherwise than by automatic means, of personal data which forms or is intended to form part of a manual filing system. It does not apply to the processing of personal data carried out by a natural person in the course of a purely personal or household activity, except where it is for the purposes of systematic communication and dissemination.
3.1. Main regulator for data protection
The public regulatory body in charge of monitoring and enforcing compliance with the provisions of the Act is the GPDP, established under the Chief Executive's Dispatch No. 83/2007 (available in Chinese and Portuguese here).
3.2. Main powers, duties and responsibilities
The GPDP is responsible for monitoring, enforcing, and coordinating the Act, as well as for establishing an adequate confidentiality regime, and monitoring its execution. The GPDP is also responsible for:
- accepting and registering notifications of personal data processing;
- handling applications for authorisations;
- issuing opinions based on applications;
- simplifying the procedures of notifications and declarations;
- handling inquiries, as well as complaints or reports of personal data protection violations; and
- investigating and penalising violations of the Act.
4. Key Definitions
Data controller: A natural or legal person, public entity, agency, or any other body which has the capacity to decide, independently or in collaboration with others, the purposes of personal data processing and the means of personal data processing (Article 4(5) of the Act).
Personal data: Any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person. An 'identifiable person' is one who can be identified, directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Article 4(1) of the Act).
Sensitive data: Personal data revealing philosophical or political beliefs, political association or trade-union membership, religion, private life, and racial or ethnic origin, and the processing of data concerning health, sex life, or sexual orientation, including genetic data (Article 7(1) of the Act).
Biometric data: Physical or behavioural human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data (e.g. fingerprints, facial patterns, voice, or typing cadence).
Data subject: Any individual person to whom the data being processed pertains (Article 4(2) of the Act).
Processing of personal data: Any operation or set of operations which is performed upon personal data, whether by automatic means or otherwise, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction of such data (Article 4(3) of the Act).
5. Legal Bases
Under Article 6 of the Act, the collection and processing of personal data is only admissible where the data subject provides their unambiguous consent to such processing, or under one of the additional legal bases provided by Article 6 and outlined below.
The data subject's consent is defined as any freely given specific and informed indication of their wishes by which the data subject signifies their agreement to personal data relating to them being processed.
Personal data may also be processed if processing is necessary for the performance of a contract or contracts to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract or a declaration of their intention to negotiate (Article 6(1) of the Act).
Personal data may also be processed if processing is necessary for compliance with a legal obligation to which the data controller is subject (Article 6(2) of the Act).
Personal data may also be processed if processing is necessary in order to protect the vital interests of the data subject where the latter is physically or legally incapable of giving their consent (Article 6(3) of the Act).
Personal data may also be processed if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed (Article 6(4) of the Act).
Personal data may also be processed if processing is necessary for pursuing the legitimate interests of the controller or the third party to whom the data is disclosed, except where such interests should be overridden by the interests for fundamental rights, freedoms, and guarantees of the data subject (Article 6(5) of the Act).
There is no specific provision on direct marketing. However, data must be collected for specific, determined, and lawful purposes, which are directly related to the activity of the data controller and cannot subsequently be processed in a way that is incompatible with those purposes (Article 5(1)(2) of the Act).
Therefore, if the data controller has declared marketing communications as one of the purposes of processing, and if the data subject has given their consent, such processing is lawful under the Act.
The relevant principles are as follows:
Transparency: Data processing will be made in a transparent way and in strict compliance with the respect of privacy (Article 2 of the Act).
Lawful basis for processing: Data will be processed in a lawful way and in compliance with the principle of good faith, as well as with the principles set out in Article 2 of the Act, which include respect for the rights, freedoms, and guarantees established in Macau, in international instruments, and in existing legislation (Article 5(1)(1) of the Act).
Purpose limitation: Data will be collected for specific, determined, and lawful purposes, which are directly related to the activity of the data controller, and cannot subsequently be processed in a way that is incompatible with those purposes (Article 5(1)(2) of the Act).
Data minimisation: The Act does not contain a stipulation under this name; however, the principle is contained in Article 5(1)(3) of the Act.
Proportionality: Data will be adequate, pertinent, and non-excessive in relation to the purposes for which it is being collected and processed (Article 5(1)(3) of the Act).
Confidentiality: The data controller/data processor must comply with the security requirements to maintain confidentiality, integrity, and security of the data (Article 15 of the Act).
Storage limitation: Data will be kept in a way that allows the identification of its owner only for the duration necessary for the purposes of collection or subsequent processing (Article 5(1)(5) of the Act).
7. Controller and Processor Obligations
The data controller has the right to use, process, and transfer personal data for the purposes for which it has been collected, as well as the right to keep personal data for as long as necessary for the purposes of data collection. Data controllers also have the right to refuse the provision of a service where the data subject does not provide the requisite personal data.
Nevertheless, there are obligations that the data controller must observe, such as:
- complying with the requirements of notification and prior authorisation with the GPDP;
- implementing appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorised disclosure or access, thus ensuring appropriate levels of security and protection of the processed data; and
- only using processors that can give sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets the Act's requirements and protects data subject rights.
The data processor has the right to process and use personal data within the scope of the data controller's instructions. The data processor must:
- only act on the documented instructions of a data controller;
- take the appropriate technical and organisational measures to adequately protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
- ensure the confidentiality of the personal data that it undertakes to process; and
- keep records of processing activities.
In accordance with Article 21 of the Act, the collection, processing, and transfer of personal data is subject to the issuance of a notice to the GPDP, whereby the entity proposing to carry out these activities declares its intention to collect, process, and/or transfer personal data, within eight days after the commencement of processing of personal data.
Regarding submissions and filing requirements, the GPDP provides official forms. Submissions must be made in one of the official languages (i.e. Chinese or Portuguese), executed by a representative of the entity making the filing (director or duly appointed attorney submitting Power of Attorney documentation), along with information including the following:
- the name and address of the controller and of its representative, if any;
- the purposes of the processing;
- a description of the category or categories of data subjects and of the data or categories of personal data relating to them;
- the recipients or categories of recipients to whom the data might be disclosed and in what circumstances;
- the body entrusted with processing the information, if it is not the controller;
- any combination of personal data processing;
- the length of time for keeping personal data;
- the form and circumstances in which the data subjects may be informed of or may correct the personal data relating to them;
- proposed transfers of data to third countries; and
- a general description enabling a preliminary assessment to be made of the adequacy of the measures and to ensure the security of processing pursuant to Article 15 of the Act, as well as any special security measures pursuant to Article 16 of the Act.
In terms of non-automatic processing, such processing is subject to notification if (Article 21(5) of the Act, read in conjunction with Articles 7(1) and 7(3)(1) of the Act):
- it involves sensitive personal data (i.e. data revealing philosophical or political beliefs, political association or trade-union membership, religion, private life, and racial or ethnic origin, or data concerning health or sex life, including genetic data); and
- it is processed to protect the vital interest of the data subject or of another person, and the data subject is physically or legally incapable of giving their consent.
There are certain cases where, due to the recurrence and necessity of processing certain personal data, the legal requirements of notification to the GPDP are waived. Among these cases, the Authorisation No. 02/2007 Exemption from the Obligation of Notification ('the Authorisation on Exemption to the Notification Obligation') creates an exemption to the obligation of notification for data processing relating to the administration of employees and service providers, applicable to automated processing of personal data relating to employees and service providers for administration purposes.
The processing of the employee data includes:
- identification data (name, age or date of birth, place of birth, sex, nationality, type of identification document, identification document number, address, telephone number, fax number, email address, internal identification card number, photograph); and
- other information (such as education and employment experience, language ability, duties, position, place of work).
The GPDP also issued the following authorisations:
- Authorisation No. 01/2008 on Exemption from the Obligation of Notification in relation to Processing of Contact Data with Suppliers, Service Providers, and Billing Customers ('Authorisation No. 01/2008'); and
- Authorisation No. 01/2011 on Exemption from the Notification Obligations in relation to Processing of Recruitment Data, which applies to the automated processing of applicants' personal data for recruitment purposes.
Register of processing
Accordingly, when personal data processing is required to be authorised or notified, it shall be set down in a register operated by the GPDP that is open to consultation by any person (Article 25(1) of the Act). Specifically, prior authorisation of the GPDP is required for (Article 22(1) of the Act):
- the processing of sensitive personal data;
- the processing of personal data relating to credit and the solvency of the data subject;
- the combination of personal data provided for in Article 9 of the Act; and
- the use of personal data for purposes other than those for which it was collected.
Applications for authorisations are subject to the same requirements provided for in Article 23 of the Act as outlined above.
Where the controller processes sensitive personal data or data relating to persons suspected of illegal activities, criminal and administrative offences, and decisions applying penalties, security measures, fines, and additional penalties, the register must indicate (Article 24(1) of the Act):
- the controller of the filing system and its representative, if any;
- the categories of personal data processed;
- the purposes of the data and the categories of body to whom they might be disclosed;
- the form of exercising the right of access and rectification;
- any combinations of personal data processing; and
- proposed transfers of data to third countries or regions.
In this regard, any changes to the information referred to in Article 24(1) of the Act will be subject to an obligation to notify and prior authorisation (Article 24(2) of the Act, read in conjunction with Articles 21 and 22 of the Act).
Exemptions authorised by the GPDP
The GPDP may authorise the simplification of, or exemption from, the notification. In so doing, the GPDP must take account of the kind of data processed, along with factors such as efficiency and cost (Article 21(2) of the Act). The categories of processing that the GPDP has published as exempt from, or subject to simplified, notification requirements include, among other things, the following:
- processing personal data for the prevention and control of infectious diseases;
- processing biometric data for identity authentication in relation to attendance tracking;
- processing biometric data for identity authentication for security purposes;
- processing by vehicle position systems and devices;
- processing by video surveillance systems for security purposes;
- processing of recruitment data; and
- processing relating to the administration of employees and service providers.
Exemptions under the Act
In addition to the above, the processing of data for the sole purpose of keeping a public register which is required by law or administrative regulations, and which is open to consultation for the general public or for any person demonstrating a legitimate interest is exempted from notification (Article 21(4) of the Act, see also Article 25(4) of the Act).
Exemptions from prior authorisation
Processing may be authorised by legal provisions or statutory regulations with organisational nature, in which case it does not require the authorisation from the GPDP (Article 22(2) of the Act).
Finally, the GPDP has issued its Guide to Notification and Authorisation (available under the 'Service' section of the GPDP website, here) ('the Guide') which, among other things, provides the following guidance:
- one notification form is required for data processing intended to serve a single or several related purposes;
- separate forms are required if the processing involves multiple unrelated purposes;
- if necessary, the GPDP will request the applicant to submit additional documents required for the application; and
- the GPDP will notify the applicant of the processing result in an official letter and will register and disclose the relevant notice in accordance with the Act.
Forms must be completed in either Chinese or Portuguese and can be filled in online (accessible here) or submitted by post or in person.
Forms, including simplified versions, can be accessed here.
The transfer of data collected in Macau is subject to authorisation by the GPDP, upon verification of whether the destination jurisdiction of the data affords an adequate level of protection. However, Article 20 of the Act sets certain exceptions to the requirement of prior authorisation, by allowing transfers in, among others, the following cases:
- where there is unambiguous consent on the part of the data subject;
- when the transfer of data is necessary for the performance of a contract between the data subject and the entity collecting and processing the data; or
- where the transfer is necessary or legally required on public interest grounds, or for the establishment, exercise, and/or defence of legal claims.
In such cases, a simple notification to the GPDP declaring the transfer of data would suffice for the purposes of validly transferring data outside Macau.
There are no specific record-keeping requirements. However, personal data must be kept in a form that permits data subject identification for no longer than is necessary for the purposes for which it was collected or for which it is further processed (Article 5(1)(5) of the Act).
It should be noted that customer data has a maximum retention period of five years after the relationship ends (Authorisation No. 01/2008).
The Act does not provide specific requirements/recommendations for data controllers and/or processors to carry out Data Protection Impact Assessment or a Privacy Impact Assessment.
According to industry practice in Macau, the GPDP may waive certain security measures, considering the nature of the bodies responsible for processing and the type of premises where the processing occurs.
The Act does not provide specific requirements/recommendations for the appointment of a data protection officer.
In the Q&A on the appointment of a personal data officer (December 2013) ('the Q&A'), the GPDP states that it is advisable for private institutions and associations 'to appoint their own officers in charge of personal data protection affairs, to better implement [the Act], as well as to ensure the interests of [the institution] and their staff'. However, the GPDP notes that this recommendation is not mandatory, and organisations are not required to report such appointment to the GPDP.
The Act does not provide specific requirements/recommendations for data controllers and/or processors to notify data breaches.
According to the Act, personal data must be stored in a form in which the data subject can be identified, for the period necessary for the purposes of collecting and follow-up processing of the data. The periods of storage may be extended for purposes of historical, statistical, and scientific pursuits.
Macau citizens under the age of 18 do not have the capacity to provide the express consent to processing generally required by the Act.
However, minors can be represented by parents provided that the data is not to be used for illegal purposes.
With respect to processing of personal data relating to security and criminal prevention or investigation, the right of access should be exercised through the competent authority.
In accordance with Article 8 of the Act, central registers relating to persons suspected of illegal activities, criminal and administrative offences, and decisions applying penalties, security measures, fines, and additional penalties may only be created and kept by public services vested with that specific responsibility by a legal provision.
The processing of personal data for the purposes of police investigations will be restricted to the processing necessary to prevent a specific danger or to prosecute a particular offence and to exercise the responsibilities provided for in a legal provision, in a provision of a regulation or in the terms of instruments of international law or interregional agreements applicable in Macau.
The processing of personal data between the data controller and data processor should be governed by a contract or some other legal act binding both parties. Such contract/legal act should clearly mention the subject matter, duration, nature, and purpose of the data processing involved, as well as the type of personal data and categories of data subjects.
In particular, it should be stipulated that the processor must only act under the instructions of the data controller, and that it must implement appropriate technical and organisational security measures to protect personal data.
Regarding liabilities, it should be included in the agreement that data processors are subject to liability for failure to comply with their contractual obligations owed to data controllers, and that the data controller is responsible for complying with the statutory requirements relating to data protection and privacy, particularly regarding the disclosure and transfer of personal data to the data processor, and the processing of personal data.
8. Data Subject Rights
Data subjects are entitled to receive the following information concerning the data they provide:
- the identity of the data controller;
- the purposes of the processing;
- recipients or categories of recipients to whom the data is disclosed;
- whether replies are obligatory or voluntary;
- the consequences of the failure to reply; and
- their rights concerning access to and rectification of their data along with the conditions to exercising their rights.
Data subjects are entitled, without constraints and within a reasonable timeframe, to access information regarding their data, including:
- whether their personal data has been processed;
- the purposes for which their data is processed; and
- whether their data is to undergo any automatic processing.
Data subjects have the right to rectify, delete, or block data, where the processing does not comply with the Act, including incomplete or inaccurate data.
Data subjects have the right to object at any time, based on legitimate reasons, to the processing of part or all of their data. Moreover, and with particular relevance to the collection of personal data for commercial purposes, data subjects are entitled to:
- object to processing of data for the purposes of direct marketing or market research; and
- be informed of data disclosed to third parties for such purposes, prior to disclosure.
The Act does not provide for a right to data portability.
Data subjects have the right not to be subject to a decision that produces legal effects for them or which significantly affects them, and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to data subjects, in particular, their performance at work, creditworthiness, reliability, or conduct.
Right to indemnification
If unlawful processing of personal data results in damage to the data subject, they are entitled to reparation for the damage sustained.
The Act sets out administrative and criminal sanctions.
From an administrative perspective, violations/infractions may incur fines ranging from MOP 2,000 (approx. €230) to MOP 200,000 (approx. €22,958), depending on their nature.
Conduct such as intentionally failing to comply with the authorisation and notification requirements as set out in Articles 21 and 22 of the Act may result in prison sentences of up to two years or a fine of up to 240 days.
Moreover, improper access to personal data, as well as the violation or destruction of personal data is considered a crime and can also lead to prison sentences of up to two years or a fine of up to 240 days. Such penalty is doubled if the damage is particularly severe.
According to the Penal Code of Macau (available in Chinese and Portuguese) ('the Code'), for fine penalties fixed in days, each day of the fine corresponds to an amount between MOP 50 and MOP 10,000 (approx. €6 and €1,148), which the court determines according to the economic and financial situation of the convict (Article 45(2) of the Code). A fine of up to 240 days would therefore equal a fine between MOP 12,000 and MOP 2.4 million (approx. €1,377 and €275,455).
Furthermore, additional penalties include:
- the temporary prohibition of collection or processing of personal data;
- an order to partially or fully erase the unduly collected data;
- the publication of the judgment against the infringing entity in the Macau newspapers; and/or
- a public warning or censure of the infringing entity.
There are no notable enforcement decisions by the GPDP. However, according to the GPDP's Annual Report 2020, fines totalling MOP 12.6 million (approx. €1,446,095) were issued in 2020. Furthermore, the GPDP has focused on illegal telemarketing activities, as highlighted in its preliminary statistics report published in November 2020 (only available in Portuguese here).