Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Timor Leste - Data Protection Overview
July 2022
1. Governing Texts
As per the Constitution of the Democratic Republic of Timor-Leste ('the Constitution'), which was enacted on 20 May 2002 following the formal declaration of the country's independence, Timor-Leste has established constitutional safeguards regarding the protection of personal data and privacy as a general right applicable to citizens.
Without prejudice to this right, there is no general and comprehensive legislation on the protection of personal data i.e. there is no national general law on the protection of privacy and data, cybercrime, cybersecurity, and other privacy-adjacent legislation.
In any event, there are some provisions on the processing of personal data and the protection of privacy included in different legislative instruments, aimed either at specific legal and regulatory obligations, or at the processing of information by public entities.
1.1. Key acts, regulations, directives, bills
The Constitution provides that:
- every individual has the right to honour and privacy (Article 36); and
- the household, correspondence, and any private means of communication are inviolable, save in cases provided for by law (Article 37).
Additionally, in Article 38, under the epigraph 'Personal Data Protection', the Constitution provides for the following:
- every citizen has the right to access personal data which concerns them (if contained in either automated or non-automated records);
- every citizen may require the rectification and updating of their personal data, as well as the right to know the purpose for which their personal data is intended/was collected;
- the law defines the concept of personal data and the conditions applicable to processing; and
- automated processing of personal data relating to private life, political beliefs and philosophical, religious faith, party affiliation or trade union affiliation and ethnic origin it is expressly prohibited without the consent of the data subject.
Law No. 17/2011 on Legal Regime Covering the Prevention of and Combat against Money Laundering and Financing of Terrorism, as amended by Law No. 5/2013 ('the AML/CFT Framework').
In addition to sector-specific penalties (for further detail see section 2 below), the Decree Law 19/2009 approving the Penal Code (as amended), provides for the following:
- Privacy intrusion: any person who, by any means, even lawful ones, becomes aware of facts concerning another person's private or sexual life without consent or just cause, and discloses them publicly, shall be punishable by imprisonment for up to one year or a fine (Article 183).
- Violation of secrecy: any person who, without consent, discloses confidential information of which they have become aware of, because of they operate in trade or employment profession, shall be punishable by imprisonment for up to one year or a fine. If the confidential information is related to a commercial, industrial, professional, or artistic activities, and the disclosure causes damage to another person or to the State, and the agent becomes aware of it under the aforementioned conditions, those responsible are punishable by imprisonment for up to two years or a fine (Article 184).
- Violation of correspondence or telecommunications: any person who, without consent or outside of the cases admissible by law, opens a letter or any other writing addressed to another person, or becomes aware of its contents, or prevents it from being received by its addressee, shall be punishable by imprisonment for up to two years or a fine. The same penalty shall apply to anyone who, under the same circumstances, interferes, or becomes aware of the content of telephone, telegraph, or any other means of telecommunication. Anyone who discloses the contents of letters, closed writings, telephone calls, or other communications above referred shall be punishable by imprisonment for up to one year or by a fine, even if they have lawfully known those facts. If the crimes referred to are committed by postal, telegraph, telephone, or telecommunications employees, the penalties shall be increased by one third in their limits (Article 187).
1.2. Guidelines
As there is no data protection law, or official guidelines, there is no data protection authority for Timor-Leste.
1.3. Case law
As far as we are aware, there is no relevant jurisprudence directly referring to procedures on privacy and data protection matters in Timor-Leste. Note, in any case, that non-binding, political discussion in the country has demonstrated a growing (albeit still reduced) awareness and intention to legislate on data protection and cybersecurity matters in the country.
2. Scope of Application
2.1. Personal scope
Not applicable.
2.2. Territorial scope
Not applicable.
2.3. Material scope
Not applicable.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Not applicable.
3.2. Main powers, duties and responsibilities
Not applicable.
4. Key Definitions
Data controller: Not applicable, given the absence of a general data protection framework.
Data processor: Not applicable, given the absence of a general data protection framework.
Personal data: Not applicable, given the absence of a general data protection framework.
Sensitive data: Not applicable, given the absence of a general data protection framework.
Health data: Not applicable, given the absence of a general data protection framework.
Biometric data: Not applicable, given the absence of a general data protection framework.
Pseudonymisation: Not applicable, given the absence of a general data protection framework.
5. Legal Bases
5.1. Consent
Not applicable, given the absence of a general data protection framework.
5.2. Contract with the data subject
Not applicable, given the absence of a general data protection framework.
5.3. Legal obligations
Not applicable, given the absence of a general data protection framework.
5.4. Interests of the data subject
Not applicable, given the absence of a general data protection framework.
5.5. Public interest
Not applicable, given the absence of a general data protection framework.
5.6. Legitimate interests of the data controller
Not applicable, given the absence of a general data protection framework.
5.7. Legal bases in other instances
Not applicable, given the absence of a general data protection framework.
6. Principles
Not applicable, other than the general principles set out in Article 38 of the Constitution noted in section on key acts, regulations, directives, bills above, and sector-specific concerns.
7. Controller and Processor Obligations
7.1. Data processing notification
Not applicable, given the absence of a general data protection framework.
7.2. Data transfers
Not applicable, given the absence of a general data protection framework.
7.3. Data processing records
Not applicable, given the absence of a general data protection framework.
7.4. Data protection impact assessment
Not applicable, given the absence of a general data protection framework.
7.5. Data protection officer appointment
Not applicable, given the absence of a general data protection framework.
7.6. Data breach notification
Not applicable, given the absence of a general data protection framework.
7.7. Data retention
Not applicable, given the absence of a general data protection framework. While specific data retention periods may apply on a sector-specific basis, such as for tax and accounting obligations, compliance with judicial decisions, AML provisions, and employment law, there is no general data protection-oriented principle applicable to data retention.
7.8. Children's data
Not applicable, all provisions regarding the processing of information and the legal conditions of minors are those set out in the general rules of civil law, no specific data protection-oriented principles are applicable in this respect.
7.9. Special categories of personal data
Not applicable. Criminal/sanctions information, health data or other types of information generally perceived as sensitive data would be processed as applicable under penal, healthcare, administrative and public law.
7.10. Controller and processor contracts
Not applicable, given the absence of a general data protection framework.
8. Data Subject Rights
Under the Decree Law 2/2004 (Legal Framework on Civil Identification), there is a right to be provided information regarding, and to access records related to, themselves contained in the civil identification database (Article 30). In addition, there is the right to require the rectification of inaccurate data, to have incomplete data completed, and to require the suppression of data unduly recorded in this database (Article 31).
8.1. Right to be informed
Not applicable.
8.2. Right to access
Not applicable.
8.3. Right to rectification
Not applicable.
8.4. Right to erasure
Not applicable.
8.5. Right to object/opt-out
Not applicable.
8.6. Right to data portability
Not applicable.
8.7. Right not to be subject to automated decision-making
Not applicable.
8.8. Other rights
Not applicable.
9. Penalties
Not applicable.
9.1 Enforcement decisions
Not applicable.