Vietnam issues first legal document on Personal Data, Privacy Rights ProtectionAAA IPRIGHT2
Vietnam will soon have the first legal document on personal data and privacy rights protection of relevant agencies, organizations and individuals with the issuance of Decree No. 13/2023/ND-CP on Personal Data Protection (PDP Decree) on April 17, 2023, effective from July 1, 2023.
According to the PDP Decree, data processing activities include collecting, recording, analyzing, validating, storing, editing, disclosing, combining, accessing, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying and related actions will have specific provisions, the most important of which is the restriction on the parties’ handling, collection of data can be made, with and without the permission of the data subject.
The PDP Decree stipulates the rights of data subjects; conditions and forms of consent including consent in writing and via SMS, among others; various types of personally sensitive data including the health status of the data subject and related political views; basic personal data protection measures; new requirements for cross-border data transmission; respective responsibilities of the Department of Cybersecurity and High-Tech Crime Prevention and Control and relevant authorities, etc.
Notable main points in Decree No. 13
Classification of basic data and sensitive data
Personal data is divided into two categories, basic data and sensitive data.
Clause 3, Article 2 of Decree No. 13 stipulates basic personal data including: full name; Date of birth; date of death; sex; place of birth, place of permanent residence, place of temporary residence, place of current residence; nationality; personal image; phone number; identity card number or personal identification number, passport number; driver’s license, license plate; Personal tax code; social insurance and health insurance codes; marital status; information about family relationships.
Clause 4, Article 2 of Decree No. 13 stipulates that sensitive personal data is personal data related to an individual’s privacy, which, if violated, will directly affect that individual’s rights and interests, including: Political views, religion; health status, private life recorded in the medical record; origin or ethnicity; genetic traits; special characteristics; sexual life and orientation; evidence of criminal conduct collected or stored by law enforcement; bank customer information such as identity, accounts, deposits, deposited assets, transactions; Personal location is determined through location services.
For the first time, Vietnam has a legal document specifically regulating basic data and personal data in Vietnam, which is of great importance in protecting privacy, personal data and ensuring information security of Vietnamese people.
In addition, this is also an important international demonstration that Vietnam is willing to comply with international standards and regulations, such as the General Data Protection Regulation (GDPR) and similar regulations. Clearly distinguishing the types of personal data will create a basis to protect and sanction personal data violations as well as the responsibility of protection and non-disclosure of personal data processing agencies, especially when dealing with sensitive types of personal data.
Data subject rights
Article 9 of Decree 13 details the rights of data subjects, including the following 11 rights:
1. Right to know: Data subjects know about their personal data processing activities, unless otherwise provided for by law.
2. Right of Consent: The data subject may or may not agree to allow the processing of their personal data, except in some urgent cases like when it is necessary to immediately process the relevant personal data for protection of life and health of the data subject or other people or when there is a threat to national security.
3. Right of access: The data subject is entitled to access to view, correct or request correction of his/her personal data, unless otherwise provided for by law.
4. Right to withdraw consent: Data subject has the right to withdraw his/her consent, unless otherwise provided by law.
5. Right to data erasure: The data subject may have his or her personal data deleted as requested, unless otherwise provided for by law.
6. Right to restrict data processing:
a) Data subjects may require to limit the processing of their personal data, unless otherwise provided by law;
b) Restriction of data processing is carried out within 72 hours after the request of the data subject, with all personal data that the data subject requests to limit, unless otherwise provided for by other law.
7. Right to provide data: Data subject is required by Personal Data Controller, Personal Data Controller and Processor to provide his/her own personal data, unless otherwise required by other laws.
8. Right to object to data processing:
a) The data subject may object the Controller of personal data, the Controller and Processor of personal data to process its personal data to prevent or limit the disclosure of personal data or its use for advertising or marketing purposes, unless otherwise provided by law;
b) The Controller of personal data, the Controller and the processor of personal data shall fulfill the request of the data subject within 72 hours after receiving the request, unless otherwise provided for by law.
9. Right to complain, denounce and initiate lawsuits: Data subjects have the right to complain, denounce or initiate lawsuits in accordance with the law.
10. Right to claim for damages: Data subjects have the right to claim damages in accordance with the law when a breach of regulations on the protection of their personal data occurs, unless the parties agreed or otherwise provided by law.
11. Right to self-protection: Data subjects have the right to protect themselves according to the provisions of the Civil Code, other relevant laws and this Decree, or request competent agencies or organizations to implement measures regarding to civil rights protection in accordance with Article 11 of the Civil Code.
Requires consent of data subject
Decree No. 13 on the protection of personal data has new requirements related to the consent of the data subject, which is a mandatory condition in many activities related to the collection and processing of personal data.
According to the provisions of Article 11 of Decree No. 13, before performing and during the processing of personal data, the personal data controller and the personal data processor need the consent of the data subject in all activities, unless otherwise provided by law.
The consent of the data subject must be expressed clearly, specifically in writing, by voice, by ticking the consent box, by the syntax of consent by text message, by selecting settings consent or otherwise express this and may be printed, reproduced in writing, including in verifiable electronic or written format.
In it, it is noted that the silence or non-response of the data subject is not considered as consent.
Consent must be made for the same purpose. When there are multiple purposes, the Personal Data Controller, Personal Data Controller and Processor lists the purposes for the data subject to agree to one or more of the stated purposes.
The consent of the data subject is valid until the data subject decides otherwise or when requested in writing by the competent authority.
In the event of a dispute, the responsibility for proving the consent of the data subject lies with the Controller of personal data, the Controller and the processor of personal data.
Procedures for handling violations of regulations on personal data protection
In case of detecting a violation of personal data protection regulations, the Personal Data Controller, the Personal Data Controller and Processor shall notify the Ministry of Public Security (Department of Cybersecurity and of Public Security to combat crimes using high technology) within 72 hours after the violation occurs.
In case of notification after 72 hours, the reason for the late notice must be attached. In particular, the notification needs to be done on the principle as quickly as possible, with the spirit of trying to remedy the damage, absolutely prohibiting the situation be discovered but wait until the 72-hour time limit is almost over to notify.
Contents of notice of violation of regulations on personal data protection:
a) Describe the nature of the breach of personal data protection regulations, including: time, place, behavior, organization, individual, types of personal data and the amount of related data;
b) Contact details of the employee assigned the task of data protection or the organization or individual responsible for the protection of personal data;
c) Describe possible consequences and damages of violating regulations on protection of personal data;
d) Describe the measures taken to deal with and minimize the harms of violations of personal data protection regulations.
In case it is not possible to fully notify the contents, the notification may be made in batches and stages with reasonable reasons.
The Controller of personal data, the Party that controls and processes personal data must make a written confirmation of the occurrence of a violation of the regulations on protection of personal data, and coordinate with the Ministry of Public Security in handling the violation.
Towards the future
The PDP Decree on Personal Data Protection in Vietnam will set a new standard for all domestic and foreign organizations regarding how personal data is handled in Vietnam.
It is expected that the Vietnamese Government will soon approve a draft decree on administrative sanctions in the field of cybersecurity, thereby facilitating the implementation of more detailed regulations on cybersecurity and data protection.
Higher than Decree No. 13, the Personal Data Protection Law will also begin the drafting phase in 2024. In the meantime, data privacy is also mentioned in a number of bills, such as: bills on electronic transactions, telecommunications and consumer protection.
Thereby, it can be said that Vietnam is paying more and more attention to the protection of personal data, the privacy of the Vietnamese people, and promoting human rights – the most basic and fundamental factor for the development of a civilized and modern society.
*** Other Articles***
– You could visit here to see the Trademark Registration in Vietnam.
– You can also check the Vietnam Trademark Law: Detailed Guide And Legal Notes.
Contact AAA IPRIGHT: Email: firstname.lastname@example.org
Or sending your inquiry by filling the form: