The draft Personal Data Protection Law has officially been released for public consultation

October 25, 2024

HOT NEWS

The draft Personal Data Protection Law has officially been released for public consultation!

The draft Personal Data Protection Law has proposed regulations on the protection of personal data and the responsibilities of relevant agencies, organizations, and individuals in protecting personal data. Additionally, the draft Personal Data Protection Law is expected to apply to:

  • Vietnamese agencies, organizations, and individuals;
  • Foreign agencies, organizations, and individuals in Vietnam;
  • Vietnamese agencies, organizations, and individuals operating abroad;
  • Foreign agencies, organizations, and individuals 1 directly participating in or related to personal data processing activities in Vietnam;
  • Agencies, organizations, and individuals collecting and processing personal data of foreigners within the territory of the Socialist Republic of Vietnam.

Below are some specific provisions proposed in the draft Personal Data Protection Law:

(1) Regulations on personal data protection in financial, banking, credit, and credit information activities

  • Financial, banking, and credit companies:
    • Shall not buy, sell credit information or illegally transfer credit information between financial, banking, and credit institutions;
    • Shall not send or transmit plaintext data on the finances and credit of data subjects between financial, banking, and credit institutions;
    • Shall fully apply regulations on the protection of sensitive personal data and security standards for payments and credit as prescribed by law;
    • Shall not use the credit information of data subjects to score creditworthiness and assess the creditworthiness of data subjects without the consent of the data subject;
    • The results of the credit information assessment of data subjects shall only be in the form of Pass or Fail, Yes or No, True or False, or a score based on data that financial, banking, and credit institutions collect directly from customers;
    • Shall clearly identify and declare the stages that require the application of personal data de-identification measures;
    • Must notify data subjects of incidents and losses of financial account information.
  • Organizations providing credit information, banking, insurance, finance, and payment intermediary services shall not illegally provide or transfer personal data to each other and to other organizations and businesses, except as permitted by law.
  • Credit information and credit information products of data subjects shall only be provided to organizations and individuals that are financial, banking, and credit institutions when there are legal provisions.
  • The competent authority for personal data protection is the focal point for requesting the provision of credit information to serve the investigation and handling of violations of the law as prescribed.

(2) Additional provisions on Personal Data Protection Experts

  • Personal data protection experts, including:
    • Personal data protection experts with sufficient technological and legal capacity;
    • Personal data protection experts with sufficient technological capacity;
    • Personal data protection experts with sufficient legal capacity.
  • Conditions for granting certificates to personal data protection experts with sufficient technological and legal capacity:
    • Have a college degree or above in security, information security, or cybersecurity;
    • Have a college degree or above in law;
    • Have completed a course to certify sufficient legal and technological capacity for personal data protection.
  • Conditions for granting certificates to personal data protection experts with sufficient legal capacity:
    • Have a college degree or above in law;
    • Have completed a course to certify sufficient legal capacity for personal data protection.
  • Conditions for granting certificates to personal data protection experts with sufficient technological capacity:
    • Have a college degree or above in security, information security, or cybersecurity;
    • Have completed a course to certify sufficient technological capacity for personal data protection.
  • Micro-enterprises, small enterprises, medium-sized enterprises, and startups are entitled to exempt the provision on personal data protection experts for the first 2 years from the date of establishment of the enterprise, but this does not apply to micro-enterprises, small enterprises, medium-sized enterprises, and startups that directly engage in personal data processing activities.

Privacy Compliance

Personal Data Protection Workshop – Course 03 Now Open for Registration!

🎓 Personal Data Protection Workshop – Course 03 Now Open for Registration! Building on the success of the first two editions of the Personal Data Protection Workshop Series, PrivacyCompliance is pleased to introduce Workshop 03, designed to help organisations stay up to date with the latest legal developments and strengthen their personal data protection compliance […]

Learn more

Privacy Compliance

RECAP OF THE “PERSONAL DATA PROTECTION” WORKSHOP SERIES

RECAP OF THE “PERSONAL DATA PROTECTION” WORKSHOP SERIES ✨ The specialized Personal Data Protection workshop series organized by PrivacyCompliance has officially concluded, supporting participants in strengthening their legal compliance capabilities in the field of personal data protection. 📚 The program was structured around four key modules: 🔹 Legal framework for personal data protection. 🔹 Establishing […]

Learn more

Privacy Compliance

Legal Update | Guidance on Submitting Soft Copies of Personal Data Protection Impact Assessment Dossiers

Recently, the Department for Receiving and Returning Administrative Procedure Results on Personal Data Protection issued guidance on the submission of soft copies of the Personal Data Processing Impact Assessment Dossier and/or the Cross-border Personal Data Transfer Impact Assessment Dossier. Under the guidance, organizations and enterprises are required to submit the dossier in a .ZIP compressed […]

Learn more