HOT NEWS
The draft Personal Data Protection Law has officially been released for public consultation!
The draft Personal Data Protection Law has proposed regulations on the protection of personal data and the responsibilities of relevant agencies, organizations, and individuals in protecting personal data. Additionally, the draft Personal Data Protection Law is expected to apply to:
- Vietnamese agencies, organizations, and individuals;
- Foreign agencies, organizations, and individuals in Vietnam;
- Vietnamese agencies, organizations, and individuals operating abroad;
- Foreign agencies, organizations, and individuals 1 directly participating in or related to personal data processing activities in Vietnam;
- Agencies, organizations, and individuals collecting and processing personal data of foreigners within the territory of the Socialist Republic of Vietnam.
Below are some specific provisions proposed in the draft Personal Data Protection Law:
(1) Regulations on personal data protection in financial, banking, credit, and credit information activities
- Financial, banking, and credit companies:
- Shall not buy, sell credit information or illegally transfer credit information between financial, banking, and credit institutions;
- Shall not send or transmit plaintext data on the finances and credit of data subjects between financial, banking, and credit institutions;
- Shall fully apply regulations on the protection of sensitive personal data and security standards for payments and credit as prescribed by law;
- Shall not use the credit information of data subjects to score creditworthiness and assess the creditworthiness of data subjects without the consent of the data subject;
- The results of the credit information assessment of data subjects shall only be in the form of Pass or Fail, Yes or No, True or False, or a score based on data that financial, banking, and credit institutions collect directly from customers;
- Shall clearly identify and declare the stages that require the application of personal data de-identification measures;
- Must notify data subjects of incidents and losses of financial account information.
- Organizations providing credit information, banking, insurance, finance, and payment intermediary services shall not illegally provide or transfer personal data to each other and to other organizations and businesses, except as permitted by law.
- Credit information and credit information products of data subjects shall only be provided to organizations and individuals that are financial, banking, and credit institutions when there are legal provisions.
- The competent authority for personal data protection is the focal point for requesting the provision of credit information to serve the investigation and handling of violations of the law as prescribed.
(2) Additional provisions on Personal Data Protection Experts
- Personal data protection experts, including:
- Personal data protection experts with sufficient technological and legal capacity;
- Personal data protection experts with sufficient technological capacity;
- Personal data protection experts with sufficient legal capacity.
- Conditions for granting certificates to personal data protection experts with sufficient technological and legal capacity:
- Have a college degree or above in security, information security, or cybersecurity;
- Have a college degree or above in law;
- Have completed a course to certify sufficient legal and technological capacity for personal data protection.
- Conditions for granting certificates to personal data protection experts with sufficient legal capacity:
- Have a college degree or above in law;
- Have completed a course to certify sufficient legal capacity for personal data protection.
- Conditions for granting certificates to personal data protection experts with sufficient technological capacity:
- Have a college degree or above in security, information security, or cybersecurity;
- Have completed a course to certify sufficient technological capacity for personal data protection.
- Micro-enterprises, small enterprises, medium-sized enterprises, and startups are entitled to exempt the provision on personal data protection experts for the first 2 years from the date of establishment of the enterprise, but this does not apply to micro-enterprises, small enterprises, medium-sized enterprises, and startups that directly engage in personal data processing activities.
PDPL QUEST 01: ARE YOU PREPARED TO DELETE EMPLOYEE’S PERSONAL DATA?
ARE YOU PREPARED TO DELETE EMPLOYEE’S PERSONAL DATA? Under Article 25 of Vietnam’s Personal Data Protection Law 2025, employers are required to delete or destroy employees’ personal data once the employment contract ends, unless otherwise agreed or legally required to retain it. ➡️ To continue processing personal data post-employment (e.g. for legal or compliance […]
Learn more
OFFICIALLY ISSUE THE LAW ON PERSONAL DATA PROTECTION
OFFICIALLY ISSUE THE LAW ON PERSONAL DATA PROTECTION Source: Hoàng Ngọc – People’s Deputies Online On the morning of June 26, under the chairmanship of Vice President of the National Assembly, Senior Lieutenant General Trần Quang Phương, the National Assembly voted to pass the Law on Personal Data Protection with 433 out of 435 deputies […]
Learn more
IN-HOUSE DPO VS. OUTSOURCED DPO – WHICH SOLUTION SAVES COSTS AND ENSURES COMPLIANCE?
💥 IN-HOUSE DPO VS. OUTSOURCED DPO – WHICH SOLUTION SAVES COSTS AND ENSURES COMPLIANCE? 🔒 Decree No. 13/2023 and the Draft Law on Personal Data Protection require all businesses to appoint a Data Protection Officer (DPO). The draft law explicitly gives businesses the right to choose between appointing an internal DPO or engaging […]
Learn more