The draft Personal Data Protection Law has officially been released for public consultation

October 25, 2024

The draft Personal Data Protection Law has proposed regulations on the protection of personal data and the responsibilities of relevant agencies, organizations, and individuals in protecting personal data. Additionally, the draft Personal Data Protection Law is expected to apply to:

  • Vietnamese agencies, organizations, and individuals;
  • Foreign agencies, organizations, and individuals in Vietnam;
  • Vietnamese agencies, organizations, and individuals operating abroad;
  • Foreign agencies, organizations, and individuals directly participating in or related to personal data processing activities in Vietnam;
  • Agencies, organizations, and individuals collecting and processing personal data of foreigners within the territory of the Socialist Republic of Vietnam.

Below are some specific provisions proposed in the draft Personal Data Protection Law:

(1) Regulations on personal data protection in financial, banking, credit, and credit information activities

  • Financial, banking, and credit companies:
    • Shall not buy or sell credit information, or illegally transfer credit information between financial, banking, and credit institutions;
    • Shall not send or transmit plaintext data on the finances and credit of data subjects between financial, banking, and credit institutions;
    • Shall fully apply regulations on the protection of sensitive personal data and security standards for payments and credit as prescribed by law;
    • Shall not use the credit information of data subjects to score creditworthiness and assess the creditworthiness of data subjects without the consent of the data subject;
    • The results of the credit information assessment of data subjects shall only be in the form of Pass or Fail, Yes or No, True or False, or a score based on data that financial, banking, and credit institutions collect directly from customers;
    • Shall clearly identify and declare the stages that require the application of personal data de-identification measures;
    • Must notify data subjects of incidents and losses of financial account information.
  • Organizations providing credit information, banking, insurance, finance, and payment intermediary services shall not illegally provide or transfer personal data to each other and to other organizations and businesses, except as permitted by law.
  • Credit information and credit information products of data subjects shall only be provided to organizations and individuals that are financial, banking, and credit institutions when there are legal provisions.
  • The competent authority for personal data protection is the focal point for requesting the provision of credit information to serve the investigation and handling of violations of the law as prescribed.

(2) Additional provisions on Personal Data Protection Experts

  • Personal data protection experts include:
    • Personal data protection experts with sufficient technological and legal capacity;
    • Personal data protection experts with sufficient technological capacity;
    • Personal data protection experts with sufficient legal capacity.
  • Conditions for granting certificates to personal data protection experts with sufficient technological and legal capacity:
    • Have a college degree or above in security, information security, or cybersecurity;
    • Have a college degree or above in law;
    • Have completed a course to certify sufficient legal and technological capacity for personal data protection.
  • Conditions for granting certificates to personal data protection experts with sufficient legal capacity:
    • Have a college degree or above in law;
    • Have completed a course to certify sufficient legal capacity for personal data protection.
  • Conditions for granting certificates to personal data protection experts with sufficient technological capacity:
    • Have a college degree or above in security, information security, or cybersecurity;
    • Have completed a course to certify sufficient technological capacity for personal data protection.
  • Micro-enterprises, small enterprises, medium-sized enterprises, and startups are entitled to an exemption from the provision on personal data protection experts for the first 2 years from the date of establishment of the enterprise; this exemption does not apply to micro-enterprises, small enterprises, medium-sized enterprises, and startups that directly engage in personal data processing activities.
