Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Already have an account? Log in

Timor Leste - Data Protection Overview

Back

Timor Leste - Data Protection Overview

July 2022

1. Governing Texts

As per the Constitution of the Democratic Republic of Timor-Leste ('the Constitution'), which was enacted on 20 May 2002 following the formal declaration of the country's independence, Timor-Leste has established constitutional safeguards regarding the protection of personal data and privacy as a general right applicable to citizens.

Without prejudice to this right, there is no general and comprehensive legislation on the protection of personal data i.e. there is no national general law on the protection of privacy and data, cybercrime, cybersecurity, and other privacy-adjacent legislation.

In any event, there are some provisions on the processing of personal data and the protection of privacy included in different legislative instruments, aimed either at specific legal and regulatory obligations, or at the processing of information by public entities.

1.1. Key acts, regulations, directives, bills

The Constitution provides that:

every individual has the right to honour and privacy (Article 36); and
the household, correspondence, and any private means of communication are inviolable, save in cases provided for by law (Article 37).

Additionally, in Article 38, under the epigraph 'Personal Data Protection', the Constitution provides for the following:

every citizen has the right to access personal data which concerns them (if contained in either automated or non-automated records);
every citizen may require the rectification and updating of their personal data, as well as the right to know the purpose for which their personal data is intended/was collected;
the law defines the concept of personal data and the conditions applicable to processing; and
automated processing of personal data relating to private life, political beliefs and philosophical, religious faith, party affiliation or trade union affiliation and ethnic origin it is expressly prohibited without the consent of the data subject.

Law No. 17/2011 on Legal Regime Covering the Prevention of and Combat against Money Laundering and Financing of Terrorism, as amended by Law No. 5/2013 ('the AML/CFT Framework').

In addition to sector-specific penalties (for further detail see section 2 below), the Decree Law 19/2009 approving the Penal Code (as amended), provides for the following:

Privacy intrusion: any person who, by any means, even lawful ones, becomes aware of facts concerning another person's private or sexual life without consent or just cause, and discloses them publicly, shall be punishable by imprisonment for up to one year or a fine (Article 183).
Violation of secrecy: any person who, without consent, discloses confidential information of which they have become aware of, because of they operate in trade or employment profession, shall be punishable by imprisonment for up to one year or a fine. If the confidential information is related to a commercial, industrial, professional, or artistic activities, and the disclosure causes damage to another person or to the State, and the agent becomes aware of it under the aforementioned conditions, those responsible are punishable by imprisonment for up to two years or a fine (Article 184).
Violation of correspondence or telecommunications: any person who, without consent or outside of the cases admissible by law, opens a letter or any other writing addressed to another person, or becomes aware of its contents, or prevents it from being received by its addressee, shall be punishable by imprisonment for up to two years or a fine. The same penalty shall apply to anyone who, under the same circumstances, interferes, or becomes aware of the content of telephone, telegraph, or any other means of telecommunication. Anyone who discloses the contents of letters, closed writings, telephone calls, or other communications above referred shall be punishable by imprisonment for up to one year or by a fine, even if they have lawfully known those facts. If the crimes referred to are committed by postal, telegraph, telephone, or telecommunications employees, the penalties shall be increased by one third in their limits (Article 187).

1.2. Guidelines

As there is no data protection law, or official guidelines, there is no data protection authority for Timor-Leste.

1.3. Case law

As far as we are aware, there is no relevant jurisprudence directly referring to procedures on privacy and data protection matters in Timor-Leste. Note, in any case, that non-binding, political discussion in the country has demonstrated a growing (albeit still reduced) awareness and intention to legislate on data protection and cybersecurity matters in the country.

2. Scope of Application

2.1. Personal scope

Not applicable.

2.2. Territorial scope

Not applicable.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: Not applicable, given the absence of a general data protection framework.

Data processor: Not applicable, given the absence of a general data protection framework.

Personal data: Not applicable, given the absence of a general data protection framework.

Sensitive data: Not applicable, given the absence of a general data protection framework.

Health data: Not applicable, given the absence of a general data protection framework.

Biometric data: Not applicable, given the absence of a general data protection framework.

Pseudonymisation: Not applicable, given the absence of a general data protection framework.

5. Legal Bases

5.1. Consent

Not applicable, given the absence of a general data protection framework.

5.2. Contract with the data subject

Not applicable, given the absence of a general data protection framework.

5.3. Legal obligations

Not applicable, given the absence of a general data protection framework.

5.4. Interests of the data subject

Not applicable, given the absence of a general data protection framework.

5.5. Public interest

Not applicable, given the absence of a general data protection framework.

5.6. Legitimate interests of the data controller

Not applicable, given the absence of a general data protection framework.

5.7. Legal bases in other instances

Not applicable, given the absence of a general data protection framework.

6. Principles

Not applicable, other than the general principles set out in Article 38 of the Constitution noted in section on key acts, regulations, directives, bills above, and sector-specific concerns.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable, given the absence of a general data protection framework.

7.2. Data transfers

Not applicable, given the absence of a general data protection framework.

7.3. Data processing records

Not applicable, given the absence of a general data protection framework.

7.4. Data protection impact assessment

Not applicable, given the absence of a general data protection framework.

7.5. Data protection officer appointment

Not applicable, given the absence of a general data protection framework.

7.6. Data breach notification

Not applicable, given the absence of a general data protection framework.

7.7. Data retention

Not applicable, given the absence of a general data protection framework. While specific data retention periods may apply on a sector-specific basis, such as for tax and accounting obligations, compliance with judicial decisions, AML provisions, and employment law, there is no general data protection-oriented principle applicable to data retention.

7.8. Children's data

Not applicable, all provisions regarding the processing of information and the legal conditions of minors are those set out in the general rules of civil law, no specific data protection-oriented principles are applicable in this respect.

7.9. Special categories of personal data

Not applicable. Criminal/sanctions information, health data or other types of information generally perceived as sensitive data would be processed as applicable under penal, healthcare, administrative and public law.

7.10. Controller and processor contracts

Not applicable, given the absence of a general data protection framework.

8. Data Subject Rights

Under the Decree Law 2/2004 (Legal Framework on Civil Identification), there is a right to be provided information regarding, and to access records related to, themselves contained in the civil identification database (Article 30). In addition, there is the right to require the rectification of inaccurate data, to have incomplete data completed, and to require the suppression of data unduly recorded in this database (Article 31).

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Not applicable.

9.1 Enforcement decisions

Not applicable.

Privacy Law Reform Privacy Law Concepts

About the authors

Magda Cocco

Vieira De Almeida

Magda Cocco is the Head of Practice of Information, Communication & Technology (ICT) and the responsible for the Aerospace sector at VdA.

Specifically, in the field of data protection and cybersecurity, Magda regularly advises domestic and international clients in a huge range of sector, if not them all, and has been involved in projects such as the conduction of data protection risk management reviews; dealing with the legal, business-related impact of international flows of personal data; advising on the implementation of data protection compliance programs; the roll-out of global whistleblowing hotlines; drafting prevention plans and procedures handbooks in case of incident/cyberattack; legal advice in response to an incident/cyberattack (breach response) as well as guidance for data protection officers. Magda has also drafted some data protection laws and cybersecurity policies in some jurisdictions across the world, namely in Africa and Asia, having also led multidisciplinary teams in different projects, in several sectors, and assisted Governments and Regulatory Entities.

The VdA’s ICT Head of Practice also has in-depth knowledge and experience in other relevant fields of the new digital economy challenges, such as electronic communication, media, data economy and technology across several jurisdictions. Magda holds several teaching chairs, lecturing electronic communications regulation, data protection and space law and is a regular guest speaker in national and international conferences. The Financial Times appointed her as one of the legal innovators of the year and included her in top ten most innovative European Lawyers.

[email protected]

Inês Antas de Barros

VdA

Inês Antas de Barros is a managing associate integrated in the Information, Communication & Technology (ICT) practice at VdA.

Inês focuses her practice on privacy and information security, having been directly involved in negotiation with various key players and projects from multiple sectors and market areas, with underlying challenges from a data protection perspective, but also involving related legal issues across multiple jurisdictions and/or legal or regulatory areas (such as electronic communications, insurance, banking, transportation, pharmaceutical, distribution and retail). These projects include the conduction of data protection risk management reviews; prevention plans and procedures handbooks in case of incident/cyberattack; legal advice in response to a data breach; dealing with the legal, business-related impact of international flows of personal data; advising on the implementation of data protection compliance programs in Portugal and Africa; drafting privacy policies, codes of conduct, cross-border data transfer agreements, charters for the use of information and communication methods as well as guidance for data protection officers. Inês has also drafted some data protection laws and cybersecurity policies in some jurisdictions across the world, namely in Africa and East Timor.

More recently, Inês has been advising clients on the impact and challenges of the new GDPR transition, having been appointed as a Legal Expert from the Europrise Privacy Shield, a rare qualification in the Portuguese market.

[email protected]

Isabel Ornelas

Vieira De Almeida

Isabel Ornelas is a managing associate integrated in the Information, Communication & Technology (ICT) practice at VdA.

Isabel has worked over the years in several transactions in the telecommunications and privacy fields, both domestic and abroad (in particular, in Portuguese-speaking and English-speaking African countries, although she has consistently extended her activity to French-speaking countries, including Gabon, Guinea and RDC).

In this context, she has taken an active role in providing assistance to private and public entities in the course of their activity and has worked with ICT providers in major transactions over active and passive assets, as well as day-to-day activity, such as for compliance with obligations before national regulators and negotiation with third parties. In the field of privacy and data protection, Isabel has taken an active role in several privacy compliance audits carried out by companies in various sectors (in particular, banking and finance, health, industry, communications and services), in the set-up of privacy policies and ethics lines, as well as providing project-oriented legal counselling in various operations and market products and services, particularly those including international data transfers.

Isabel has also provided significant assistance in other matters applicable to entities operating in the telecoms sector, such as the implications and context of privacy and data protection issues in telecommunications services, products and networks, considering that she is a Legal Expert from the Europrise Privacy Shield.

[email protected]

Maria de Lurdes Gonçalves

Vieira De Almeida

Maria de Lurdes Gonçalves is a senior associate integrated in the Information, Communication & Technology (ICT) practice at VdA.

Maria de Lurdes has been a key lawyer in several privacy and data protection projects, in Portugal and abroad, mainly focused on life sciences and healthcare, energy, infrastructures and mobility, industry and services.

These projects include advising on the implementation of data protection compliance programs, including the GDPR and NIS Directive; the conduction of data protection risk management reviews; advising on data breach procedures; evaluating technological solutions according to data protection rules; advising in the definition of business models and the launching of new products and services; developing of Customer Relationship Management projects, loyalty programs and marketing campaigns; implementation of video surveillance systems; assisting the launch of teleconsultation and e-health projects; advising on the adoption of cloud computing services and in the definition of strategies for commercialization thereof the public and private sectors, among others.

Maria de Lurdes also advises Brazilian companies on the GDPR implementation and participated in legal conferences in Brazil and Angola. She often conducts training sessions and workshops regarding data protection and cybersecurity. She is a Legal Expert from the Europrise Privacy Shield.

[email protected]

Continue reading on DataGuidance with:

Free Member

Free Trial

Timor Leste - Data Protection Overview

July 2022

1. Governing Texts

1.1. Key acts, regulations, directives, bills

1.2. Guidelines

1.3. Case law

2. Scope of Application

2.1. Personal scope

2.2. Territorial scope

2.3. Material scope

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

3.2. Main powers, duties and responsibilities

4. Key Definitions

5. Legal Bases

5.1. Consent

5.2. Contract with the data subject

5.3. Legal obligations

5.4. Interests of the data subject

5.5. Public interest

5.6. Legitimate interests of the data controller

5.7. Legal bases in other instances

6. Principles

7. Controller and Processor Obligations

7.1. Data processing notification

7.2. Data transfers

7.3. Data processing records

7.4. Data protection impact assessment

7.5. Data protection officer appointment

7.6. Data breach notification

7.7. Data retention

7.8. Children's data

7.9. Special categories of personal data

7.10. Controller and processor contracts

8. Data Subject Rights

8.1. Right to be informed

8.2. Right to access

8.3. Right to rectification

8.4. Right to erasure

8.5. Right to object/opt-out

8.6. Right to data portability

8.7. Right not to be subject to automated decision-making

8.8. Other rights

9. Penalties

9.1 Enforcement decisions

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us