The Decree on personal data protection has been officially issued

November 8, 2023


On April 17, 2023, the Decree on Personal Data Protection was issued as Decree No. 13/2023/ND-CP (hereinafter referred to as the “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, and it is anticipated to have substantial impacts not only on data subjects but also on the enterprises conducting personal data processing activities.

Accordingly, there are some notable provisions as follows:

The universal scope of application

The provisions on personal data protection under the Decree will apply not only to domestic organizations and individuals or the foreign ones which operate in Vietnam but also to Vietnamese entities in other countries or offshore entities directly engaging in and/or related to personal data processing activities in Vietnam.

Unifying definition of personal data

A definition of “personal data” has been developed in the Decree to be applied in the process of regulating related activities, avoiding the overlap that arose when “personal data” was defined differently in many legal documents, as before.

Specifically, “personal data is information in the form of symbols, letters, numbers, images, sounds or the like on an electronic medium that is associated with a particular person or helps to identify a person”, which includes basic personal data and sensitive personal data.

Regulations on sensitive personal data

The Decree clarifies a list of data types that are deemed sensitive, as a basis for implementing better measures to protect this data group against attacks by cyber-criminals. The list also includes information on political or religious views; health and private life status; genetic and biological characteristics; sexual life and orientation; data on crimes, criminal acts; etc.

Rights and obligations of data subjects

The rights of data subjects are clearly determined, with a fairly wide scope, to support citizens’ self-protection of personal data. Accordingly, data subjects have the following rights: 1. Right to know; 2. Right to consent; 3. Access right; 4. Right to withdraw consent; 5. Right to data erasure; 6. Right to restrict data processing; 7. Right to be provided with data; 8. Right to object to data processing; 9. Right to complain, denounce and file lawsuits; 10. Right to request compensation for damage; 11. Right to self-protection.

Besides, the Decree also sets out compulsory obligations that data subjects must comply with, such as the obligation to protect personal data (as both a right and an obligation); the obligation to respect and protect the data of other subjects; the obligation to provide complete and accurate information when agreeing to the processing of personal data; etc.

Responsibilities of the Data Controller and Data Processor

In order to ensure data security, the Decree stipulates a series of responsibilities that personal data processors must perform throughout related activities, such as requiring the data subjects’ consent, especially in the case of public audio and video recording or the processing of data of deceased/missing persons; responsibility to notify before processing data; storing, correcting or deleting personal data; managing data transfer activities abroad.

In addition, the Decree also allows the processing of personal data without the data subject’s consent in some specific cases, such as for the purpose of protecting the life and health of the data subject or others; during national security emergencies or severe disasters, etc.

Measures for the protection of personal data

Personal data protection means the acts to avoid, detect, prevent, and handle violations related to personal data in accordance with the law. The Decree requires the Personal Data Processor to apply legitimate safeguards from the outset and throughout the processing of personal data.

Specifically, the basic measures set forth by the Decree include: 1. Management measures and technical measures implemented by organizations and individuals related to the processing of personal data; 2. Management measures of state agencies; 3. Investigative and procedural measures; 4. Other measures as prescribed by law. In addition, for each type of data (basic or sensitive), other specialized methods are applied.

It can be seen that the legal framework that Decree No. 13/2023/ND-CP on personal data protection stipulates is expected to completely change the approach to and processing of personal data by enterprises (the Processors) in the future. Therefore, preparing for this data “revolution” is essential, and we, PrivacyCompliance, are always ready to accompany and support your business.

Please contact us for more information!

