The draft Personal Data Protection Law has officially been released for public consultation

October 25, 2024


The draft Personal Data Protection Law has proposed regulations on the protection of personal data and the responsibilities of relevant agencies, organizations, and individuals in protecting personal data. Additionally, the draft Personal Data Protection Law is expected to apply to:

  • Vietnamese agencies, organizations, and individuals;
  • Foreign agencies, organizations, and individuals in Vietnam;
  • Vietnamese agencies, organizations, and individuals operating abroad;
  • Foreign agencies, organizations, and individuals directly participating in or related to personal data processing activities in Vietnam;
  • Agencies, organizations, and individuals collecting and processing personal data of foreigners within the territory of the Socialist Republic of Vietnam.

Below are some specific provisions proposed in the draft Personal Data Protection Law:

(1) Regulations on personal data protection in financial, banking, credit, and credit information activities

  • Financial, banking, and credit companies:
    • Shall not buy or sell credit information, or illegally transfer credit information between financial, banking, and credit institutions;
    • Shall not send or transmit plaintext data on the finances and credit of data subjects between financial, banking, and credit institutions;
    • Shall fully apply regulations on the protection of sensitive personal data and security standards for payments and credit as prescribed by law;
    • Shall not use the credit information of data subjects to score creditworthiness and assess the creditworthiness of data subjects without the consent of the data subject;
    • The results of the credit information assessment of data subjects shall only be in the form of Pass or Fail, Yes or No, True or False, or a score based on data that financial, banking, and credit institutions collect directly from customers;
    • Shall clearly identify and declare the stages that require the application of personal data de-identification measures;
    • Must notify data subjects of incidents and losses of financial account information.
  • Organizations providing credit information, banking, insurance, finance, and payment intermediary services shall not illegally provide or transfer personal data to each other and to other organizations and businesses, except as permitted by law.
  • Credit information and credit information products of data subjects shall only be provided to organizations and individuals that are financial, banking, and credit institutions where provided for by law.
  • The competent authority for personal data protection is the focal point for requesting the provision of credit information to serve the investigation and handling of violations of the law as prescribed.

(2) Additional provisions on Personal Data Protection Experts

  • Personal data protection experts, including:
    • Personal data protection experts with sufficient technological and legal capacity;
    • Personal data protection experts with sufficient technological capacity;
    • Personal data protection experts with sufficient legal capacity.
  • Conditions for granting certificates to personal data protection experts with sufficient technological and legal capacity:
    • Have a college degree or above in security, information security, or cybersecurity;
    • Have a college degree or above in law;
    • Have completed a course to certify sufficient legal and technological capacity for personal data protection.
  • Conditions for granting certificates to personal data protection experts with sufficient legal capacity:
    • Have a college degree or above in law;
    • Have completed a course to certify sufficient legal capacity for personal data protection.
  • Conditions for granting certificates to personal data protection experts with sufficient technological capacity:
    • Have a college degree or above in security, information security, or cybersecurity;
    • Have completed a course to certify sufficient technological capacity for personal data protection.
  • Micro-enterprises, small enterprises, medium-sized enterprises, and startups are entitled to an exemption from the provision on personal data protection experts for the first 2 years from the date of establishment of the enterprise; this exemption does not apply to micro-enterprises, small enterprises, medium-sized enterprises, and startups that directly engage in personal data processing activities.
