Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Timor Leste - Data Protection Overview
Back

Timor Leste - Data Protection Overview

July 2022

1. Governing Texts

As per the Constitution of the Democratic Republic of Timor-Leste ('the Constitution'), which was enacted on 20 May 2002 following the formal declaration of the country's independence, Timor-Leste has established constitutional safeguards regarding the protection of personal data and privacy as a general right applicable to citizens.

Without prejudice to this right, there is no general and comprehensive legislation on the protection of personal data i.e. there is no national general law on the protection of privacy and data, cybercrime, cybersecurity, and other privacy-adjacent legislation.

In any event, there are some provisions on the processing of personal data and the protection of privacy included in different legislative instruments, aimed either at specific legal and regulatory obligations, or at the processing of information by public entities.

1.1. Key acts, regulations, directives, bills

The Constitution provides that:

  • every individual has the right to honour and privacy (Article 36); and
  • the household, correspondence, and any private means of communication are inviolable, save in cases provided for by law (Article 37).

Additionally, in Article 38, under the epigraph 'Personal Data Protection', the Constitution provides for the following:

  • every citizen has the right to access personal data which concerns them (if contained in either automated or non-automated records);
  • every citizen may require the rectification and updating of their personal data, as well as the right to know the purpose for which their personal data is intended/was collected;
  • the law defines the concept of personal data and the conditions applicable to processing; and
  • automated processing of personal data relating to private life, political beliefs and philosophical, religious faith, party affiliation or trade union affiliation and ethnic origin it is expressly prohibited without the consent of the data subject.

Law No. 17/2011 on Legal Regime Covering the Prevention of and Combat against Money Laundering and Financing of Terrorism, as amended by Law No. 5/2013 ('the AML/CFT Framework').

In addition to sector-specific penalties (for further detail see section 2 below), the Decree Law 19/2009 approving the Penal Code (as amended), provides for the following:

  • Privacy intrusion: any person who, by any means, even lawful ones, becomes aware of facts concerning another person's private or sexual life without consent or just cause, and discloses them publicly, shall be punishable by imprisonment for up to one year or a fine (Article 183).
  • Violation of secrecy: any person who, without consent, discloses confidential information of which they have become aware of, because of they operate in trade or employment profession, shall be punishable by imprisonment for up to one year or a fine. If the confidential information is related to a commercial, industrial, professional, or artistic activities, and the disclosure causes damage to another person or to the State, and the agent becomes aware of it under the aforementioned conditions, those responsible are punishable by imprisonment for up to two years or a fine (Article 184).
  • Violation of correspondence or telecommunications: any person who, without consent or outside of the cases admissible by law, opens a letter or any other writing addressed to another person, or becomes aware of its contents, or prevents it from being received by its addressee, shall be punishable by imprisonment for up to two years or a fine. The same penalty shall apply to anyone who, under the same circumstances, interferes, or becomes aware of the content of telephone, telegraph, or any other means of telecommunication. Anyone who discloses the contents of letters, closed writings, telephone calls, or other communications above referred shall be punishable by imprisonment for up to one year or by a fine, even if they have lawfully known those facts. If the crimes referred to are committed by postal, telegraph, telephone, or telecommunications employees, the penalties shall be increased by one third in their limits (Article 187).

1.2. Guidelines

As there is no data protection law, or official guidelines, there is no data protection authority for Timor-Leste.

1.3. Case law

As far as we are aware, there is no relevant jurisprudence directly referring to procedures on privacy and data protection matters in Timor-Leste. Note, in any case, that non-binding, political discussion in the country has demonstrated a growing (albeit still reduced) awareness and intention to legislate on data protection and cybersecurity matters in the country.

2. Scope of Application

2.1. Personal scope

Not applicable.

2.2. Territorial scope

Not applicable.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: Not applicable, given the absence of a general data protection framework.

Data processor: Not applicable, given the absence of a general data protection framework.

Personal data: Not applicable, given the absence of a general data protection framework.

Sensitive data: Not applicable, given the absence of a general data protection framework.

Health data: Not applicable, given the absence of a general data protection framework.

Biometric data: Not applicable, given the absence of a general data protection framework.

Pseudonymisation: Not applicable, given the absence of a general data protection framework.

5. Legal Bases

5.1. Consent

Not applicable, given the absence of a general data protection framework.

5.2. Contract with the data subject

Not applicable, given the absence of a general data protection framework.

5.3. Legal obligations

Not applicable, given the absence of a general data protection framework.

5.4. Interests of the data subject

Not applicable, given the absence of a general data protection framework.

5.5. Public interest

Not applicable, given the absence of a general data protection framework.

5.6. Legitimate interests of the data controller

Not applicable, given the absence of a general data protection framework.

5.7. Legal bases in other instances

Not applicable, given the absence of a general data protection framework.

6. Principles

Not applicable, other than the general principles set out in Article 38 of the Constitution noted in section on key acts, regulations, directives, bills above, and sector-specific concerns.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable, given the absence of a general data protection framework.

7.2. Data transfers

Not applicable, given the absence of a general data protection framework.

7.3. Data processing records

Not applicable, given the absence of a general data protection framework.

7.4. Data protection impact assessment

Not applicable, given the absence of a general data protection framework.

7.5. Data protection officer appointment

Not applicable, given the absence of a general data protection framework.

7.6. Data breach notification

Not applicable, given the absence of a general data protection framework.

7.7. Data retention

Not applicable, given the absence of a general data protection framework. While specific data retention periods may apply on a sector-specific basis, such as for tax and accounting obligations, compliance with judicial decisions, AML provisions, and employment law, there is no general data protection-oriented principle applicable to data retention.

7.8. Children's data

Not applicable, all provisions regarding the processing of information and the legal conditions of minors are those set out in the general rules of civil law, no specific data protection-oriented principles are applicable in this respect.

7.9. Special categories of personal data

Not applicable. Criminal/sanctions information, health data or other types of information generally perceived as sensitive data would be processed as applicable under penal, healthcare, administrative and public law.

7.10. Controller and processor contracts

Not applicable, given the absence of a general data protection framework.

8. Data Subject Rights

Under the Decree Law 2/2004 (Legal Framework on Civil Identification), there is a right to be provided information regarding, and to access records related to, themselves contained in the civil identification database (Article 30). In addition, there is the right to require the rectification of inaccurate data, to have incomplete data completed, and to require the suppression of data unduly recorded in this database (Article 31).

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Not applicable.

9.1 Enforcement decisions

Not applicable.