Notification and Authorization

    When processing personal data as listed below, a data controller shall, in accordance with Law 8/2005 (the Personal Data Protection Act, or known as the PDPA) notify the Office for Personal Data Protection (GPDP). Failure to notify the GPDP is considered as a violation of law.

  1. Automatic processing of personal data (Article 21(1) of the PDPA)
       “Automatic processing” normally refers to the personal data processing by means of computers or electronic technology, with which a data controller shall inform the GPDP within eight days after a processing is initiated.
    (Note: If the automatic processing falls within the scope of authorization exemptions of the GPDP, notification is not needed or only a simplified notification is needed.  Please refer to the "Authorization for Notification Obligation" section on the GPDP's website for further information.)
  2. Processing of sensitive data (See Articles 7(3)(1) and Article 21(5) of the PDPA)
       When a processing is necessary to protect the vital interests of the data subject(s) or others, in addition that the data subject(s) is physically or legally incapable to give his consent, the data involved should not be processed by automatic means.
  3. Exemption from the obligation to provide information ( Article 10(5) of the PDPA)
       The obligation to provide information is exempted should the processing serve statistical purposes or be needed for historical or scientific researches, in addition that it is infeasible to inform the data subjects or it involves disproportionate effort to inform, or when a law or administrative regulation specified registration or publication of the data. As such, the processing should be notified to the GPDP.
  4. Transferring personal data outside the MSAR ( Article 20(1) of the Personal Data Protection Act)
       Under the following conditions, transferring personal data outside the MSAR is allowed when the GPDP is notified of the transfer, given any of the following conditions is met:
    1. the data subject has given his consent for the transfer explicitly;
    2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request;
    3. the transfer is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;
    4. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise of defence of legal claims;
    5. the transfer is necessary in order to protect the vital interests of the data subject(s);or
    6. the transfer is made from a register which according to laws or administrative regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided the conditions laid down in law for consultation are fulfilled in the particular case.


    When processing personal data under any of the following conditions, before starting a processing operation a controller should, in accordance with the Personal Data Protection Act (Law No. 8/2005, or the PDPA), apply to the Office for Personal Data Protection(GPDP) for authorization. Failure to do so constitutes a violation of the law.*

  1. Processing sensitive data (See Article 22(1)(1) of the PDPA)
       Sensitive data is processed when, on important public interest grounds, such processing is essential for exercising the legal or statutory rights of the controller.
  2. Processing credit and solvency data (Article 22(1)(2) of the PDPA)
       The processing of personal data relates to credit and the solvency of the data subjects.
  3. Combination of data (Article 22(1)(3) of the PDPA)
       It refers to the combination of personal data not provided for in a legal provision or a statutory regulation with organizational nature.
  4. Change of purpose (Article 22(1)(4) of the PDPA)
       It refers to the use of personal data for purposes which are different from the collection purpose.
  5. Extending the data preservation period (Article 5(2) of the PDPA)
       The preservation period of personal data is extended for proper interests and for the historical, statistical or scientific purposes.
  6. Transferring personal data outside the MSAR (Article 20(2) of the PDPA)
       If the transfer does not fulfill the legal requirements as specified for notification, a controller may transfer personal data after the GPDP has issued an authorization, provided that the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with respect to their exercise, particularly by means of appropriate contractual clauses.
  7. Transitional Provision (Article 45(3) of the PDPA)
       Before the date the PDPA coming into force, (i.e., February 19th, 2006), if any data has already been documented in manual filing systems and only serves for historical research purposes that will not to be reused for other purposes, the concerned data controller may request from the GPDP for an exemption from the obligations relating to the processing of sensitive data, the processing of data related to suspected illegal activities, criminal and administrative offences, and obligations relating to the personal data combination.
*(Note: In Points 1-4, if it is already authorized by legal provisions or regulations with organizational nature, then the controller need not apply to the Office for Personal Data Protection for authorization. In Point 6, if the transfer of personal data is necessitated by protecting public safety, preventing crimes, criminal investigations, stopping criminal acts and safeguarding public health, and the transfer is regulated by international law or inter-regional law applicable to the Macao SAR, it is no longer necessary to apply to the Office for Personal Data Protection for authorization to transfer the data.)