MACAU SAR, CHINA Law and Practice Contributed by: Pedro Cortés and Luís Rôlo, Lektou
7. Challenges with Technology Agreements

7.1 Legal Framework Challenges

There are currently no specific stipulations on IT service agreements in Macau, without prejudice to the general stipulations regarding data in general (regulated and protected under the general civil and commercial regime) and the stipulations on personal data protection (set out in the PDPA).

In accordance with the Cybersecurity Law, which established the general structure of the cybersecurity system of the MSAR, public and private operators of critical infrastructures defined in the law are subject to the general responsibilities and cybersecurity duties (organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties) set out therein.

For the organisational and procedural duties of the private operators of critical infrastructures, refer to 6.1 Scope of Regulation and Pre-Marketing Requirements.

Regarding self-assessment and reporting, these duties are:

• assess, by themselves or through specialised entities, the security and risks existing in their networks and systems; and
• submit an annual cybersecurity report to the respective supervisory entity, mentioning, inter alia, any recorded incidents, the results of the assessment referred to in the previous bullet point and the improvement measures taken.

The duties of private operators of critical infrastructures, as well as their administrators, managers or representatives, with regard to collaboration with CARIC and supervisory entities, are to:

• allow the representatives of those services to enter their premises, provide them with access to their networks and provide them with the information they request, to the extent necessary to verify compliance with the procedural, preventive and reactive duties referred to above; and
• provide the support and collaboration necessary to ensure the good management of cybersecurity.

Any IT service agreement entered into with a local organisation defined as a private operator of critical infrastructures under the Cybersecurity Law must encompass (and comply with) the duties and responsibilities set out in this chapter.

Furthermore, and should the IT service agreement touch upon personal data, it is likely that the local entity shall be either the data controller (understood as the natural or legal person, the public entity, the service or any other body that, individually or together with others, determines the purposes and means of processing of personal data under the PDPA) or a subcontractor/processor (classified in the PDPA as the natural or legal person, the public entity, the service or any other body that processes personal data on behalf of the controller).

Processing of personal data is defined by the PDPA as “any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

7.2 Service Agreements and Interconnection Agreements
CHAMBERS.COM