Regulations on consumers’ information protection according to the law on protection of consumers’ rights 2023

November 7, 2023

Regulations on consumers’ information protection according to the law on protection of consumers’ rights 2023

On June 20, 2023, the National Assembly passed the Law on Protection of Consumers’ Rights No. 19/2023/QH15 (“LPCR”), effective from July 1, 2024, replacing the Law on Protection of Consumers’ Rights No. 59/2010/QH12. The new LPCR has set many requirements for protecting consumers’ information for trading organizations and individuals based on standards of personal data security prescribed in Decree 13/2023/ND-CP issued on April 17, 2023 (“Decree 13”).

Definition of consumers’ information

Consumers’ information is defined in Clause 3, Article 3 of LPCR as “consumers’ personal information, information about their process of purchasing and using products, goods and services and other information related to transactions between consumers and trading organizations and individuals.

Based on Clause 15, Article 3 of the Law on Cyber Information Security 2015 and Article 2 of Decree 13, the consumer’s personal information can be determined as information that pertains to a specific person or is used to identify a specific person, such as full name, phone number, bank account, residence, and other information specified in Clauses 3 and 4, Article 3, Decree 13.

Obligation to protect consumers’ information of trading organizations and individuals

According to Article 15 of LPCR, trading organizations and individuals that, on their own or by authorizing or hiring a third party, collect, store, use, edit, update, and delete consumers’ information, must ensure the safety and security of consumers’ information. In order to fulfill this information protection obligation, trading organizations and individuals must fully comply with the provisions of LPCR.

Formulating principles of consumers’ information protection

Trading organizations and individuals collecting, storing, and using consumers’ information must formulate information protection principles that apply generally to consumers with the following contents:

  • Purpose of collecting information;
  • Scope of information use;
  • Information storage period;
  • Measures to protect information and ensure consumers’ information security.

Principles of consumers’ information protection must be made public by trading organizations and individuals via posting them in a visible position at headquarters, and business locations and posting on websites, and application software (if any), facilitating consumers’ access before or at the time of information collection.

 Notifying when collecting and using consumers’ information

Trading organizations and individuals must notify consumers clearly, publicly, and in a suitable form about the purposes, scope of collecting and using information, storage period of consumers’ information before carrying on and must obtain the consent of the consumers, except in the case of collecting information that has been made public by the consumers or other cases as prescribed by law.

Trading organizations and individuals are responsible for establishing a mechanism for consumers to choose the scope of information to provide and express their agreement or disagreement, except in the case of collecting information that has been made public by the consumers or other cases as prescribed by law.

Before changing the purposes or scope of information use notified to consumers, trading organizations, and individuals must re-notify and obtain consumers’ consent to the change.

Using consumers’ information for the exact purpose and scope agreed by the consumers

Using consumer information includes sharing, disclosing, and transferring consumers’ information to third parties.

Trading organizations and individuals are obliged to use consumers’ information accurately, in accordance with the notified purposes and scope, and must obtain the consent of the consumers, except in the following cases:

  • Having a separate agreement with consumers on the purposes and scope of use other than the notified purposes and scope;
  • In order to sell and provide products, goods and services at the request of consumers and only within the scope of information agreed by consumers;
  • In order to perform obligations according to the provisions of laws.

Article 17 of Decree 13 also stipulates cases where personal data can be processed without the consent of the data subject, including some cases not mentioned in the LPCR as follows:

  • In an emergency where it is necessary to immediately process relevant personal data to protect the life and health of the data subjects or other people;
  • Disclosure of personal data according to laws.

Trading organizations and individuals collecting and using consumers’ information must have a mechanism for consumers to choose whether or not to allow the following acts:

  • Sharing, disclosing, and transferring information to third parties, except in cases where trading organizations or individuals transfer information that has been collected in accordance with laws to a third party for storage or analysis to serve the transferor’s business activities and both parties have a written agreement that the third party is responsible for protecting consumers’ information according to regulations;
  • Using consumers’ information to advertise and introduce products, goods, services and other commercial activities.

Ensuring the safety and security of consumers’ information

Trading organizations and individuals are obliged to ensure the safety and security of consumers’ information that they collect, store, use, and take measures to prevent the following acts:

  • Theft or illegal access to information;
  • Illegal use of information;
  • Illegal editing, updating, or destruction of information.

When there are feedback, requests, or complaints from consumers related to information being illegally collected or used for the wrong purposes or outside the scope as notified, trading organizations and individuals must receive and resolve the issue quickly and timely.

In case the information system is attacked, creating a risk of consumers’ information safety and security loss, trading organizations, individuals or relevant information storage parties must notify the competent state authorities within 24 hours from the time of discovering that the information system has been attacked and take necessary measures to ensure the safety and security of consumers’ information according to the provisions of laws on cybersecurity, cyber information security, electronic transactions and other relevant laws. This regulation is different from Clause 1, Article 23 of Decree 13 where the time limit for notifying the Ministry of Public Security in case of detecting a violation of personal data protection regulations in the Decree is up to 72 hours, triple the time limit specified in the LPCR.

Inspecting, modifying, updating, destroying, transferring, and stopping the transfer of consumers’ information

Consumers have the right to request trading organizations and individuals to inspect, modify, update, destroy, transfer, or stop transferring their information to third parties. Trading organizations and individuals are responsible for performing the above requirements or providing consumers with tools and information to perform such actions themselves according to the provisions of laws.

Trading organizations and individuals must destroy consumer information at the end of the storage period as prescribed in their consumers’ information protection principles or other relevant laws.

The new regulations on protecting consumer’s information in the new LPCR are quite comprehensive, setting out detailed obligations for trading organizations and individuals throughout the process of collection, storage, use and destruction of consumer information. These regulations have a strong impact on the customer policies of domestic and foreign trading organizations and individuals whose goods and services are produced or consumed in Vietnam, forcing sellers to pay attention to and properly protect consumers’ information in the context that the rights to privacy, personal secrets, and family secrets are being threatened by the explosion of information technology.

PrivacyCompliance provides solutions related to ensuring compliance with personal data regulations, assessing the impacts of personal data processing, drafting impact assessment dossiers, and cross-border data transfer dossiers.

PrivacyCompliance

#consumerprotection #LPCR #dataprotection #consumerinformation #Decree13


Privacy Compliance

 Territorial Scope of GDPR

 Territorial Scope of GDPR In the modern world, data is flowing across borders at an unprecedented rate. This creates risks for the data since most laws are only effective within their respective borders and cannot guarantee adequate protection when the data is transferred abroad. It is for this reason that the General Data Protection Regulation […]

Learn more

Privacy Compliance

Independent Supervisory Authorities Under GDPR

Independent Supervisory Authorities Under GDPR The EU’s General Data Protection Regulation (“GDPR”) is an incredibly useful framework to protect personal data. However, all rules are only as good as our ability to enforce them, a legal framework alone cannot protect personal data. As such, independent enforcement agencies are required to put the regulations into practice. […]

Learn more

Privacy Compliance

E-Privacy Directive

E-Privacy Directive The Directive 2002/58/EC or e-Privacy Directive (ePD) – also known as the Privacy and Electronic Communications Directive, is a regulatory framework established by the European Union (EU) to protect the privacy of individuals. With similar functions to the General Data Protection Regulation (GDPR), the ePD remains in effect alongside the GDPR with the […]

Learn more