Global Data Privacy Guide

Macau (Asia Pacific)

Firm: MdME

Contributors: José Leitão

Updated: 07 Aug 2025

1. What is the key legislation?

Law No. 8/2005 (the “Data Protection Law”), which sets the legal regime for collecting, processing and transferring personal data.

This piece of legislation provides for regulation in respect of the collection, treatment and transfer of personal data. It advances the basic definitions in respect of personal data and establishes requirements and sanctions in respect of data privacy and protection issues.

2. What are the key decisions applying that legislation?

The Data Protection Law is applicable to the processing of personal data taking place in Macau.

1. How are “personal data” and “sensitive data” defined?

“Personal data” is defined as any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person.
“Sensitive data” refers to personal data revealing philosophical or political beliefs, political association or trade-union membership, religion, privacy and racial or ethnic origin, data concerning health or sex life, including genetic data.

2. How is the defined data protected?

Data must be processed with transparency, lawfulness, purpose limitation, data minimization, proportionality, confidentiality, and storage limitation. Personal data should only be processed if the data controller has a legitimate basis. Personal data should be protected by appropriate technical and organizational safeguards to protect the data against unauthorized access, loss, or disclosure.  

3. Who is subject to privacy obligations?

Any individual or collective persons wishing to collect, treat and/or transfer personal data.

4. How is “data processing” defined?

“Data processing” is defined as any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

5. What are the principles applicable to personal data processing?

Generally, personal information must be collected from the individual concerned and must only be collected for a lawful purpose connected with a function or activity of the person/entity collecting/treating the personal data. The individual must be made aware of certain matters before collection.

6. How is the processing of personal data regulated?

Subject to specific exceptions, persons/entities covered by these provisions may only use or disclose personal information for the purpose for which it was collected.

7. How are storage, security and retention of personal data regulated?

Personal information must be protected from unauthorized loss, use, modification or disclosure with reasonable security safeguards. Persons/entities covered by these provisions must not keep personal information for longer than is required.

8. What are the data subjects' rights under the data legislation?

An individual is entitled to have access to any personal information about them held by persons/entities covered by these provisions. An individual may request correction/amendment/reply of personal information.

9. What are the consent requirements for data subjects?

For non-sensitive personal data, the data subject’s unambiguous consent is required. To obtain the data subject’s unambiguous consent, the data controller should inform the data subject about its data processing activities and obtain the data subject’s declaration of will by which the latter agrees that their personal data be processed.

For sensitive personal data, the data subject’s explicit consent is required. To obtain the data subject’s explicit consent, the data controller should inform the data subject about its data processing activities and obtain the data subject’s clear, direct and specific agreement to the processing of the personal data.

10. How is authorization for use of data handled?

Authorization from the regulator may be required for the processing of sensitive data, personal data relating to the credit and solvency of data subjects, the combination of data, and the use of personal data for purposes other than those for which it was collected.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Yes. Personal data may be transferred outside of Macau provided the transfer is carried out pursuant to legitimate criteria.

12. How are data "incidents" and "breaches" defined?

There are no such definitions under current legislation.

13. Are there any notification requirements for incidents and/or data breaches?

There are no mandatory reporting requirements for data breaches.

14. Who is/are the privacy regulator(s)?

The Macau Personal Data Protection Bureau (“PDPB”).

15. What are the consequences of a data breach?

Consequences of a privacy breach include fines, potential criminal sentences and accessory sanctions.

16. How is electronic marketing regulated?

There is no specific regulation at this stage; direct marketing is, however, subject to specific restrictions.

17. Are there sector-specific or industry-specific privacy requirements?

Yes. Additional requirements may exist for certain sectors, such as financial institutions and gaming industry players. Furthermore, the Macau Cybersecurity Law provides for additional requirements for operators of critical infrastructures.

18. What are the requirements for appointing Data Protection Officers or similar roles?

There are no such requirements under current legislation.

19. What are the record-keeping and documentation obligations?

Personal data should be kept for no longer than is necessary for the purposes for which they were collected or for which they are further processed.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

There are no such requirements under current legislation.

21. What are the requirements for third-party vendor management and data sharing?

A contract or a legally binding act should be concluded between the data controller and its processors, stipulating in particular that the processor shall act only on instructions from the controller and that the processor should also be responsible for the security measures to protect data.

22. What are the penalties and enforcement mechanisms for non-compliance?

A fine between MOP 2,000 and MOP 100,000 could be applicable against administrative infractions. Ancillary penalties may also be applicable. The PDPB supervises compliance with the Data Protection Law, investigates violations, and applies sanctions.

23. What are the ongoing compliance and audit requirements?

The Data Protection Law does not set out specific ongoing compliance and audit requirements.

24. Are there any recent developments or expected reforms?

Changes to the Data Protection Law are envisaged.