November 8, 2023
On April 17, 2023, the Decree on Personal Data Protection has been issued as Decree No. 13/2023/ND-CP (hereinafter referred as “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, which is anticipated to have substantial impacts on not only data subjects but also the enterprises conducting personal data processing activities.
Accordingly, there are some notable provisions as follows:
The provisions on personal data protection under the Decree will apply not only to domestic organizations and individuals or the foreign ones which operate in Vietnam but also to Vietnamese entities in other countries or offshore entities directly engaging in and/or related to personal data processing activities in Vietnam.
A definition of “personal data” has been developed in the Decree to be applied in the process of regulating related activities, avoiding the overlap when “personal data” is defined differently in many legal documents as before
Specifically, “personal data is information in the form of symbols, letters, numbers, images, sounds or the like on an electronic medium that is associated with a particular person or helps to identify a person”, which includes basic personal data and sensitive personal data.
The Decree clarifies a list of data types that are deemed sensitive, as a basis for implementing better measures to protect this data group against attacks by cyber-criminals. The list also includes information on political or religious views; health and private life status; genetic and biological characteristics; sexual life and orientation; data on crimes, criminal acts; etc.
The rights of data subjects are clearly determined, with a fairly wide scope, to support citizens’ self-protection of personal data. Accordingly, data subjects have the following rights: 1. Right to know; 2. Right to consent; 3. Access right; 4. Right to withdraw consent; 5. Right to data erasure; 6. Right to restrict data processing; 7. Right to to be provided with data; 8. Right to object to data processing; 9. Right to complain, denounce and file lawsuits; 10. Right to request compensation for damage; 11. Right to self-protection.
Besides, the Decree also sets out compulsory obligations that data subjects must comply with, such as the obligation to protect personal data (as both a right and an obligation); the obligation to respect and protect the data of other subjects; the obligation to provide complete and accurate information when agreeing to the processing of personal data;…
In order to ensure data security, the Decree stipulates a series of responsibilities that personal data processors must perform throughout related activities, such as requiring the data subjects’ consent, especially in the case of public audio and video recording or the processing data of the deceased/missing person; responsibility to notify before processing data; storing, correcting or deleting personal data; managing data transfer activities abroad.
In addition, the Decree also allows the processing of personal data without the data subject’s consent in some specific cases, such as for the purpose of protecting the life and health of the data subject or others; during national security emergencies or severe disasters, etc.
Personal data protection means the acts to avoid, detect, prevent, and handle violations related to personal data in accordance with the law. The Decree requires the Personal Data Processor to apply legitimate safeguards from the initial outset and throughout the processing of personal data.
Specifically, the basic measures set forth by the Decree include: 1. Management measures and technical measures implemented by organizations and individuals related to the processing of personal data; 2. Management measures of state agencies; 3. Investigative and procedural measures; 4. Other measures as prescribed by law. In addition, for each type of data (basic or sensitive), other specialized methods are applied.
It can be seen that the legal framework that Decree No. 13/2023/ND-CP on personal stipulates is expected to completely change the approach and processing of personal data of enterprises (the Processors) in the future. Therefore, preparing for this data “revolution” is essential, and we, PrivacyCompliance are always ready to accompany and support your business.
Please contact us for more information!
Do foreign enterprises have to store their data in Vietnam? In this day and age, data in general is increasingly becoming more and more valuable. Most service-based companies live off data collected from their clients, prime examples of this type of companies include social media networks such as Facebook or search engines such as Google […]
Learn more
Managing spam messages and calls in Vietnam Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people […]
Learn more
Data privacy in Vietnam’s medical examination and treatment Confidentiality of information in medical examination and treatment activities is an paramount issue. Leakages of patients’ information will negatively affect the patient’s psyche and could lead to many unwanted consequences. Such events also degrades the reputation of medical examination and treatment facilities in the eyes of patients. […]
Learn more