The Macao Special Administrative Region (Macau SAR) of the People’s Republic of China is a global hub for gaming. Its casino industry is the largest in the world and a major attraction for tourists. Despite the growth of the sector, it has struggled to diversify its economy.

Data Privacy and Security

The Personal Data Protection Act (Law 8/2005, August 22, 2005) is the primary law governing the protection of personal data in Macau SAR. The OPDP, as the regulatory authority, enforces the law and imposes penalties for non-compliance. The PDPA has several provisions that apply to entities that collect, process or transfer personal data in Macau SAR.

Consent

The PDPA defines consent as any freely given, specific, and informed indication of the data subject’s wishes by which the data subject signifies agreement to the processing of personal data relating to him/her. This means that a data subject can opt-out of any processing of his/her personal information by providing written consent to such an action.

Cybersecurity and Data Breaches

The Macau SAR has taken steps to address cybersecurity concerns by enacting Law No. 13/2019, which imposes a duty on controllers to notify designated supervisory authorities of cybersecurity incidents that affect personal data. In addition, controllers of critical infrastructure must appoint a person responsible for cybersecurity who can notify the authorities.

Legal System and Judicial Procedure

Under “one country, two systems”, Macau maintains Continental European law as its foundation, based on the rule of law and the independence of the judiciary. The judicial process is procedurally competent, fair, and reliable. The Commercial Code and Civil Code form a comprehensive source of commercial law, while the Courts have jurisdiction over administrative and tax cases, providing an effective means for enforcing property rights.

Financial Institutions

Macau is home to a number of financial institutions, most notably the Macau Monetary Authority (MMA), a de facto central bank. It controls currency reserves and foreign assets, as well as the issuance of electronic money stored value cards.

There are also a number of local banks, as well as a few international branches of major Chinese banks. In addition to these, there are a number of finance companies and non-bank credit institutions in Macau that provide financial services.

Data Retention and Storage

There is no set timeframe on how long a company must store personal data in Macau SAR, but it should be noted that the PDPA allows data to be retained for a longer period of time if necessary to fulfill any legal or other obligations. This can be particularly the case in industries such as finance, where the OPDP considers it necessary to retain data for an extended period of time to safeguard against any financial risks.

To determine how long a company must keep data, it is advisable to consider the nature of the business and its location. If a company has branches in the EU, it must ensure that those offices are compliant with the GDPR, which sets out the rules for how and when personal data may be transferred out of the EU. In addition, it is advisable to check that the data is stored in accordance with the Macau SAR’s local laws and regulations.