MACAU SAR, CHINA Law and Practice Contributed by: Pedro Cortés and Luís Rôlo, Lektou
The Personal Data Protection Act (PDPA) The processing of personal data under the PDPA is subject to key mandatory principles, such as transparency, lawful basis for processing (includ - ing the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specified, explicit and legiti - mate purposes, and proportionality, and may only be carried out if the data subject has given their unequivocal consent or if the processing is necessary for the purposes set out in the law. The Macau Personal Data Protection Bureau (PDPB) must be notified in writing within eight days of the start of any processing of personal data under the PDPA (either wholly or partly exe - cuted by automatic means), without prejudice to the cases where prior authorisation must be sought. Whenever data is retrieved directly from the data subject, the person responsible for processing the data, or their representative, must provide the data subject with the information set out in the PDPA (eg, the identity of the controller and their representative, the purpose of the pro - cessing, and other ancillary information), and the documents used to retrieve the personal data must contain such information. Also, in the case of data collection in open networks, the data subject must be informed that their per - sonal data may circulate in the network without security, at the risk of being seen and used by unauthorised third parties. The Personal Data Protection Bureau (PDPB) Directly under the Chief Executive of the Special Administrative Region of Macau, the PDPB is the public authority vested with the regulatory and supervisory powers provided by the PDPA.
or “e-MOP”. The regulations required for actual issuance and operation of the e-MOP are yet to be enacted and the government has launched, in December 2024, the trial issuance and operation of the e-MOP, to be carried out by the Bank of China (Macau). As to blockchain, it is still regarded as an emerg - ing technology. The government has actively promoted training in this area but no regulation has been published. While the expectations of upcoming develop - ments are high, the actual progress of official recognition and regulation is still an open ques - tion. 2. Cloud and Edge Computing 2.1 Highly Regulated Industries and Data Protection Laws and Regulations The processing of personal data in the Macau Special Administrative Region (MSAR or Macau) is subject to the legal regime of the Personal Data Protection Act (Law No 8/2005, dated 22 August 2005 ‒ PDPA), which defines personal data as “any information of any kind and regard - less of the respective format, pertaining to an identified or identifiable natural person”. Sen - sitive personal data is further defined as “data related to philosophical or political beliefs, mem - bership of a political or trade union association, religious belief, private life and racial or ethnic origin, health and sex life, including genetic data”. With regard to cloud and edge comput - ing, there is currently no specific regulation on this matter in Macau.
201 CHAMBERS.COM
Powered by FlippingBook