Timor Leste - Data Protection Overview
June 2024
1. Governing Texts
As per the Constitution of the Democratic Republic of Timor-Leste (the Constitution), which was enacted on May 20, 2002, following the formal declaration of the country's independence, Timor-Leste has established constitutional safeguards regarding the protection of personal data and privacy as a general right applicable to citizens.
Without prejudice to this right, there is no general and comprehensive legislation on the protection of personal data i.e. there is no national general law on the protection of privacy and data, cybercrime, cybersecurity, and other privacy-adjacent legislation. Non-binding, political discussion in the country has demonstrated a growing awareness and intention to legislate on data protection and cybersecurity matters in the country, and both data protection/privacy and cybersecurity legislative documents are said to have been undergoing discussion in the Timor-Leste Parliament for some time (although no public, official texts have been published).
Since Timor-Leste is currently arranging for its adherence to the Association of Southeast Asian Nations (ASEAN), it is likely to also adhere to ASEAN's Framework on Personal Data Protection.
The National Strategic Plan for Digital Development and Information and Communication Technologies Development for 2022 to 2032 (Timor Digital 2032) – approved by the Government Resolution nr. 4/2023, dated February 8, 2023, (only available in Portuguese here) aims to successfully develop digital technologies. One of its goals is to establish a legal framework for protecting privacy and personal data.
In any event and in the meantime, there are some provisions on the processing of personal data and the protection of privacy included in different legislative instruments, aimed either at specific legal and regulatory obligations or at the processing of information by public entities.
1.1. Key acts, regulations, directives, bills
The Constitution provides that:
- every individual has the right to honor and privacy (Article 36); and
- the household, correspondence, and any private means of communication are inviolable, save in cases provided for by law (Article 37).
Additionally, in Article 38, under the epigraph Personal Data Protection, the Constitution provides for the following:
- every citizen has the right to access personal data which concerns them (contained in either automated or non-automated records);
- every citizen may require the rectification and updating of their personal data, as well as the right to know the purpose for which their personal data is intended/was collected;
- the law defines the concept of personal data and the conditions applicable to processing; and
- automated processing of personal data relating to private life, political and philosophical beliefs, religious faith, party affiliation or trade union affiliation, and ethnic origin is expressly prohibited without the consent of the data subject.
The recently approved Law nr. 14/2022, dated December 21, 2022, (Copyright and Related Rights Code) (only available in Portuguese here) (the Code), which establishes general measures towards the legitimate use of technology (indirectly impacting the possible processing of personal data through electronic means), includes a provision whereby the regime set out in the Code is without prejudice to any legal or regulatory provision that provides for the right to secrecy, the protection of confidentiality of sources, and/or the legal regime for the protection of personal data.
We note also the country's Customs Code (Decree-Law nr. 14/2017, dated April 5, 2017, (only available in Portuguese here), as amended by Decree-Law nr. 87/2022, dated December 14, 2022, (only available in Portuguese here)). While this diploma does not specifically aim to regulate the protection of personal data, it includes provisions with an impact on privacy since, in addition to measures aimed at ensuring information security and limitation of access to information, it determines that the storage of customs data (including through electronic means) should be carried out in terms that facilitate the tracing and availability of the information processed.
Additionally, the recently approved Decree-Law nr. 12/2024, dated February 13, 2024, (only available in Portuguese here) which has been in effect since August 2024, introduces a new legal framework for electronic transactions, records, and electronic signatures, particularly in the context of e-commerce. This framework applies to any individual or entity selling or offering goods or services through e-commerce to individuals or entities domiciled, headquartered, or established in Timor-Leste, regarding the formation and acceptance of electronic records, the use and legal status of electronic signatures, and the formation of contracts by electronic means. One of the measures arising from this new framework is the prohibition of sending unsolicited commercial electronic messages (spam). Consequently, companies must implement a functional return email address or another mechanism for recipients to object to future messages (Article 55).
Although this Decree-Law does not specifically aim to regulate the protection of personal data, it includes a provision (Article 35) that limits the personal data that can be collected by public or private entities competent for issuing certificates (the certifying entities). These entities can only collect personal data necessary for the exercise of their activity and must obtain the data directly from the individual or from duly authorized third parties. Furthermore, this data cannot be used for any purposes other than certification, unless another use is authorized by law or by the individual concerned.
The Agência de Tecnologias de Informação e Comunicação I.P. (TIC TIMOR) established by Decree-Law nr. 29/2017, dated August 2, 2017, (only available in Portuguese here) has been designated as the accrediting authority for certifying entities for electronic signatures (Articles 47-50 of Decree-Law nr. 12/2024, dated February 13, 2024).
This new legal framework for electronic transactions reflects the best international practices in the field, including the UNCITRAL Model Law on Electronic Commerce, the UNCITRAL Model Law on Electronic Signatures, and the UNCITRAL Model Law on Electronic Transferable Records.
Law nr. 17/2011 on Legal Regime Covering the Prevention of and Combat against Money Laundering and Financing of Terrorism, as amended by Law nr. 4/2013 (the AML/CFT Framework).
In addition to sector-specific penalties (for further detail see the section on scope below), Decree Law nr. 19/2009 approving the Penal Code (as amended), provides for the following:
- Privacy intrusion: any person who, by any means, even lawful ones, becomes aware of facts concerning another person's private or sexual life without consent or just cause, and discloses them publicly, shall be punishable by imprisonment for up to one year or a fine (Article 183).
- Violation of secrecy: any person who, without consent, discloses confidential information of which they have become aware because of their trade, employment, or profession, shall be punishable by imprisonment for up to one year or a fine. If the confidential information is related to commercial, industrial, professional, or artistic activities, and the disclosure causes damage to another person or to the State, and the agent becomes aware of it under the aforementioned conditions, those responsible are punishable by imprisonment for up to two years or a fine (Article 184).
- Violation of correspondence or telecommunications: any person who, without consent or outside of the cases admissible by law, opens a letter or any other writing addressed to another person, becomes aware of its contents, or prevents it from being received by its addressee, shall be punishable by imprisonment for up to two years or a fine. The same penalty shall apply to anyone who, under the same circumstances, interferes with, or becomes aware of the content of, telephone, telegraph, or any other means of telecommunication. Anyone who discloses the contents of letters, closed writings, telephone calls, or other communications referred to above shall be punishable by imprisonment for up to one year or by a fine, even if they have lawfully known those facts. If the crimes referred to are committed by postal, telegraph, telephone, or telecommunications employees, the penalties shall be increased by one-third in their limits (Article 187).
Access to criminal records is granted only to the data subject or any duly authorized third party, as well as to the descendants, ascendants, or the legal guardian of the data subject (Article 10 of Decree-Law nr. 16/2003, dated October 1, 2023, only available in Portuguese here).
Regarding statistics, personal data is strictly confidential and cannot be disclosed except with written authorization from the person or entity to whom it pertains, in accordance with Article 4 of Decree-Law nr. 17/2003, dated October 1, 2023, (only available in Portuguese here).
1.2. Guidelines
As there is no data protection law or data protection authority for Timor-Leste, there are no official guidelines on data protection.
1.3. Case law
As far as we are aware, there is no relevant jurisprudence directly referring to procedures on privacy and data protection matters in Timor-Leste.
2. Scope of Application
2.1. Personal scope
Not applicable.
2.2. Territorial scope
Not applicable.
2.3. Material scope
Not applicable.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Not applicable.
3.2. Main powers, duties and responsibilities
Not applicable.
4. Key Definitions
Data controller: Not applicable, given the absence of a general data protection framework.
Data processor: Not applicable, given the absence of a general data protection framework.
Personal data: Not applicable, given the absence of a general data protection framework.
Sensitive data: Not applicable, given the absence of a general data protection framework.
Health data: Not applicable, given the absence of a general data protection framework.
Biometric data: Not applicable, given the absence of a general data protection framework.
Pseudonymization: Not applicable, given the absence of a general data protection framework.
5. Legal Bases
5.1. Consent
Not applicable, given the absence of a general data protection framework.
5.2. Contract with the data subject
Not applicable, given the absence of a general data protection framework.
5.3. Legal obligations
Not applicable, given the absence of a general data protection framework.
5.4. Interests of the data subject
Not applicable, given the absence of a general data protection framework.
5.5. Public interest
Not applicable, given the absence of a general data protection framework.
5.6. Legitimate interests of the data controller
Not applicable, given the absence of a general data protection framework.
5.7. Legal bases in other instances
Not applicable, given the absence of a general data protection framework.
6. Principles
Not applicable, other than the general principles set out in Article 38 of the Constitution, those set out in the section on key acts, regulations, directives, bills above, and sector-specific concerns.
7. Controller and Processor Obligations
7.1. Data processing notification
Not applicable, given the absence of a general data protection framework.
7.2. Data transfers
Not applicable, given the absence of a general data protection framework.
7.3. Data processing records
Not applicable, given the absence of a general data protection framework.
7.4. Data protection impact assessment
Not applicable, given the absence of a general data protection framework.
7.5. Data protection officer appointment
Not applicable, given the absence of a general data protection framework.
7.6. Data breach notification
Not applicable, given the absence of a general data protection framework.
7.7. Data retention
Not applicable, given the absence of a general data protection framework. While specific data retention periods may apply on a sector-specific basis, such as for tax and accounting obligations, compliance with judicial decisions, AML provisions, and employment law, there is no general data protection-oriented principle applicable to data retention. Additionally, personal data contained in civil identification documents shall be retained only for five years after the date of the holder's death (Article 32 of Decree-Law No. 2/2004, dated February 4, 2004, establishing the legal regime of civil identification available in English here).
7.8. Children's data
Not applicable.
All provisions regarding the processing of information and the legal conditions of minors are those set out in the general rules of civil law and in Law 6/2023, dated March 1, 2023, (the Law for Protection of Endangered Children and Young People) (only available in Portuguese here). While not expressly and directly providing for data protection rules, this law establishes a general principle that any and all decisions regarding children or young people should respect and protect their intimacy, image, and private life, namely through the adoption of adequate safeguards towards confidentiality and limitation of access, by the public, to information which may identify the child or young person concerned. This law also establishes general rights of protection of intimacy for children held in foster/institutional care.
Other than this, no specific data protection-oriented principles are applicable in this respect.
7.9. Special categories of personal data
Not applicable. Criminal/sanctions information, health data, or other types of information generally perceived as sensitive data would be processed as applicable under penal, healthcare, administrative, and public law.
In this context, any person processing health data must comply with the obligation of confidentiality (Article 7 of Law No. 10/2004, dated November 24, as amended by Law No. 24/2021 and Law nr. 13/2022, dated December 21, 2022, establishing the national health system, only available in Portuguese here).
7.10. Controller and processor contracts
Not applicable, given the absence of a general data protection framework.
8. Data Subject Rights
Under Decree Law 2/2004 (Legal Framework on Civil Identification), individuals have the right to be provided with information regarding, and to access records related to, themselves contained in the civil identification database (Article 30). In addition, there is the right to require the rectification of inaccurate data, to have incomplete data completed, and to require the suppression of data unduly recorded in this database (Article 31).
8.1. Right to be informed
Not applicable.
8.2. Right to access
Not applicable, given the absence of a general data protection framework. However, specific rights may be applicable on a sector-specific basis, such as in the context of civil identification.
Personal data contained in civil identification documents may be accessed by the data holder (Article 30 of Decree-Law nr. 2/2004, establishing the legal regime of civil identification available in English here).
8.3. Right to rectification
Not applicable, given the absence of a general data protection framework. However, specific rights may be applicable on a sector-specific basis, such as in the civil identification context. The data subject has the right to request the rectification of their data contained in civil identification documents (Article 31 of Decree-Law nr. 2/2004, establishing the legal regime of civil identification available in English here).
8.4. Right to erasure
Not applicable.
8.5. Right to object/opt-out
Not applicable.
8.6. Right to data portability
Not applicable.
8.7. Right not to be subject to automated decision-making
Not applicable.
8.8. Other rights
Not applicable.
9. Penalties
Not applicable.
9.1 Enforcement decisions
Not applicable.