November 7, 2023
On June 20, 2023, the National Assembly passed the Law on Protection of Consumers’ Rights No. 19/2023/QH15 (“LPCR”), effective from July 1, 2024, replacing the Law on Protection of Consumers’ Rights No. 59/2010/QH12. The new LPCR sets many requirements for trading organizations and individuals on protecting consumers’ information, based on the personal data security standards prescribed in Decree 13/2023/ND-CP issued on April 17, 2023 (“Decree 13”).
Consumers’ information is defined in Clause 3, Article 3 of LPCR as “consumers’ personal information, information about their process of purchasing and using products, goods and services and other information related to transactions between consumers and trading organizations and individuals.”
Based on Clause 15, Article 3 of the Law on Cyber Information Security 2015 and Article 2 of Decree 13, a consumer’s personal information can be understood as information that pertains to a specific person or is used to identify a specific person, such as full name, phone number, bank account, residence, and the other information specified in Clauses 3 and 4, Article 3 of Decree 13.
According to Article 15 of LPCR, trading organizations and individuals that, on their own or by authorizing or hiring a third party, collect, store, use, edit, update, and delete consumers’ information, must ensure the safety and security of consumers’ information. In order to fulfill this information protection obligation, trading organizations and individuals must fully comply with the provisions of LPCR.
Trading organizations and individuals collecting, storing, and using consumers’ information must formulate information protection principles that apply generally to consumers with the following contents:
Principles of consumers’ information protection must be made public by trading organizations and individuals by posting them in a visible position at their headquarters and business locations and on their websites and application software (if any), so that consumers can access them before or at the time of information collection.
Trading organizations and individuals must notify consumers clearly, publicly, and in a suitable form about the purposes and scope of collecting and using information and the storage period of consumers’ information before doing so, and must obtain the consent of the consumers, except in the case of collecting information that has been made public by the consumers or in other cases as prescribed by law.
Trading organizations and individuals are responsible for establishing a mechanism for consumers to choose the scope of information to provide and express their agreement or disagreement, except in the case of collecting information that has been made public by the consumers or other cases as prescribed by law.
Before changing the purposes or scope of information use notified to consumers, trading organizations and individuals must re-notify consumers and obtain their consent to the change.
Using consumer information includes sharing, disclosing, and transferring consumers’ information to third parties.
Trading organizations and individuals are obliged to use consumers’ information accurately, in accordance with the notified purposes and scope, and must obtain the consent of the consumers, except in the following cases:
Article 17 of Decree 13 also stipulates cases where personal data can be processed without the consent of the data subject, including some cases not mentioned in the LPCR, as follows:
Trading organizations and individuals collecting and using consumers’ information must have a mechanism for consumers to choose whether or not to allow the following acts:
Trading organizations and individuals are obliged to ensure the safety and security of the consumers’ information that they collect, store, and use, and to take measures to prevent the following acts:
When there is feedback, a request, or a complaint from consumers about information being illegally collected or used for the wrong purposes or outside the notified scope, trading organizations and individuals must receive and resolve the issue promptly.
In case the information system is attacked, creating a risk to the safety and security of consumers’ information, trading organizations, individuals or relevant information storage parties must notify the competent state authorities within 24 hours from the time of discovering that the information system has been attacked, and must take the necessary measures to ensure the safety and security of consumers’ information according to the provisions of the laws on cybersecurity, cyber information security, electronic transactions and other relevant laws. This regulation differs from Clause 1, Article 23 of Decree 13, where the time limit for notifying the Ministry of Public Security upon detecting a violation of the Decree’s personal data protection regulations is up to 72 hours, triple the time limit specified in the LPCR.
Consumers have the right to request that trading organizations and individuals inspect, modify, update, destroy, transfer, or stop transferring their information to third parties. Trading organizations and individuals are responsible for carrying out such requests or for providing consumers with the tools and information to perform these actions themselves, according to the provisions of law.
Trading organizations and individuals must destroy consumers’ information at the end of the storage period prescribed in their consumers’ information protection principles or in other relevant laws.
The new regulations on protecting consumers’ information in the new LPCR are quite comprehensive, setting out detailed obligations for trading organizations and individuals throughout the collection, storage, use and destruction of consumers’ information. These regulations have a strong impact on the customer policies of domestic and foreign trading organizations and individuals whose goods and services are produced or consumed in Vietnam, forcing sellers to pay attention to and properly protect consumers’ information at a time when the rights to privacy, personal secrets, and family secrets are being threatened by the explosion of information technology.
PrivacyCompliance provides solutions related to ensuring compliance with personal data regulations, assessing the impacts of personal data processing, drafting impact assessment dossiers, and cross-border data transfer dossiers.