The protection of personal data in Vietnam is now recognized as highly important and has attracted significant attention, whereas previously it received little.
With the rapid development of information technology and the increasing use of data, this issue has become a top priority. In recent years, people across the country have faced concerning situations related to personal information breaches, spam calls, spam messages, and so on. According to the authorities, an urgent and essential measure is to ensure the safety of the national population data system.
More than 80 countries worldwide have already enacted laws on personal data protection. Despite its delay in issuing policies and laws in this field, Vietnam is making concerted efforts to catch up and improve the relevant legal framework. Specifically, on 17 April 2023, the Government issued Decree 13/2023/ND-CP, which regulates the protection of personal data and the responsibilities of related agencies, organizations, and individuals (“Decree 13”). The purpose of this article is to provide a preliminary introduction to some essential contents of Decree 13, offering readers an initial perspective on this legal document.
SCOPE OF APPLICATION
Decree 13 came into effect on 01 July 2023. Following the Law on Cybersecurity 2018 dated 12 June 2018 and its first implementing Decree 53/2022/ND-CP dated 15 August 2022, Decree 13 is the third legal document issued under the Government’s initiative to strengthen the legal framework governing cyberspace. Decree 13 sets out more specific data protection and cybersecurity obligations with respect to personal data processing activities.
Decree 13 applies to the following entities:
- Vietnamese agencies, organizations and individuals;
- Foreign authorities, entities and individuals in Vietnam;
- Vietnamese agencies, organizations and individuals that operate in foreign countries;
- Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam.
TERMS AND DEFINITIONS
- “Data subject” refers to an individual to whom the data relates.
- “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalent forms that is associated with an individual or used to identify an individual. Personal data includes basic personal data and sensitive personal data.
- “Basic personal data” includes name, date of birth, date of death, contact information, marital status and family relations, nationality, ethnicity, personal image, gender, personal identification numbers (citizen identification number, passport number, tax code, social/medical insurance code, driving license number, vehicle plate number), as well as blood type, digital accounts and data reflecting an individual’s activity history in cyberspace.
- “Sensitive personal data” refers to personal data associated with an individual’s privacy which, when infringed, directly affects the individual’s legal rights and interests, including political and religious views, health conditions (except blood type), biometric data, genetic data, sexual orientation, criminal records, customer data of credit institutions and intermediary payment services, geographic location identified via location services, and other types of sensitive personal data as stipulated by Vietnamese law.
- “Cross-border transfer of personal data” refers to the act of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the Socialist Republic of Vietnam, or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of a Vietnamese citizen, including:
  - (i) An organization, enterprise or individual transfers personal data of a Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the data subject;
  - (ii) The personal data of a Vietnamese citizen is processed by automatic systems located outside the territory of the Socialist Republic of Vietnam belonging to the Personal Data Controller, the Personal Data Controller and Processor, or the Personal Data Processor, for the purposes agreed upon by the data subject.
- “Personal Data Controller” refers to an organization or individual that decides purposes and means of processing personal data.
- “Personal Data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.
- “Personal Data Controller and Processor” refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.
- “Third Party” refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, and Personal Data Controller and Processor that is permitted to process personal data.
PRINCIPLES OF PROTECTION OF PERSONAL DATA
Article 3 of Decree 13 sets out 8 principles for enforcing personal data protection. The principles mainly revolve around complying with the law in ensuring the security of personal data. There are several principles emphasizing the rights of data subjects and the limits of data collection and processing by related parties:
- The personal data shall be processed as prescribed by law.
- The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided by law.
- The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller and Processor and the Third Party.
- The personal data collected must be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law.
- The personal data shall be kept up to date and supplemented as required for the processing purposes.
- The personal data shall be protected and secured throughout the processing. Specifically, personal data shall be protected against breaches of the regulations on personal data protection, and against loss, destruction or damage caused by incidents, through the use of technical measures.
- The personal data shall be stored within a period of time that is appropriate for the processing purposes, unless otherwise provided for by law.
- The Personal Data Controller and the Personal Data Controller and Processor shall comply with the principles for data processing specified above and prove their compliance with such principles.
PROHIBITED ACTS
- Processing personal data in violation of regulations of law on protection of personal data.
- Processing personal data to generate information and data that contravene regulations of the Socialist Republic of Vietnam.
- Processing personal data to generate information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
- Obstructing personal data protection activities of competent authorities.
- Taking advantage of personal data protection activities to violate the law.
RIGHTS OF DATA SUBJECTS
Article 9 of Decree 13 stipulates 11 rights of the Data Subject, including: (i) the right to be informed, (ii) the right to consent, (iii) the right to access, (iv) the right to withdraw consent, (v) the right to delete data, (vi) the right to restrict data processing, (vii) the right to data provision, (viii) the right to object to data processing, (ix) the right to complain, denounce and initiate lawsuits, (x) the right to claim compensation for damages, and (xi) the right to self-defense.
Among these rights, data subjects should pay special attention to the right to restrict data processing and the right to object to data processing, as compliance in these regards is subject to a 72-hour time limit. Specifically:
- Right to restrict data processing: The restriction on the processing of personal data shall be implemented within 72 hours after receiving the data subject’s request, and applies to all personal data for which the data subject requests the restriction, unless otherwise provided by law.
- Right to object to data processing: The Personal Data Controller and the Personal Data Controller and Processor shall fulfil the data subject’s request within 72 hours after receiving it, unless otherwise provided by law.
REQUIREMENTS FOR CONSENT OF DATA SUBJECT
The consent is only valid when the data subject voluntarily consents and is clearly aware of the following:
- Type of personal data to be processed;
- Purpose of the personal data processing;
- Organizations and individuals authorized to process personal data;
- Rights and obligations of the data subject.
The consent of the data subject must be expressed in a clear and specific manner: in writing, by voice, by ticking a consent box, by a consent syntax sent via message, by selecting consent in technical settings, or by any other form that demonstrates consent. Consent must be given for the same purpose. In the case of multiple purposes, the Personal Data Controller and the Personal Data Controller and Processor must list the purposes so that the data subject can consent to one or several of the specified purposes.
Decree 13 explicitly provides that silence or non-response by the data subject shall not be considered as consent.
Additionally, Decree 13 also provides that the withdrawal of consent does not affect the lawfulness of the prior processing of the agreed data.
Article 17 of Decree 13 specifies circumstances where processing of personal data without consent is allowed, including:
- In emergencies, where relevant personal data must be processed immediately in order to protect the life or health of the data subject or others;
- Where the disclosure of personal data is in accordance with the law;
- When the processing of data is done by competent state agencies for national security or in the event of a national security emergency, social order and safety, major disasters, or dangerous epidemics; when there is a threat to national security or defense, but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of law in accordance with the provisions of law;
- To fulfil the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law; or
- To serve the activities of state agencies as prescribed by sector-specific laws.
PERSONAL DATA PROTECTIVE MEASURES
Measures for protecting personal data shall be adopted from the beginning of and throughout the processing of personal data. Measures for protecting personal data include:
- Management measures taken by organizations or individuals related to processing of personal data;
- Technical measures taken by organizations or individuals related to processing of personal data;
- Measures taken by competent state authorities according to regulations of Decree 13 and relevant laws;
- Investigation and procedural measures taken by competent state authorities;
- Other measures as prescribed by law.
For basic personal data, in addition to the above-mentioned measures, Article 27 of Decree 13 stipulates the following measures:
- Formulating and promulgating regulations on personal data protection, which specify tasks to be performed in accordance with Decree 13;
- Encouraging application of standards of personal data protection in conformity with sectors, industries and activities related to the processing of personal data;
- Inspecting the cybersecurity of systems, means and equipment used for processing personal data before processing, and permanently deleting or destroying devices containing personal data.
For sensitive personal data, the standards for processing are more stringent than those for basic personal data. Pursuant to Article 28 of Decree 13, protection of sensitive personal data includes the following measures:
- All of the measures required for the protection of basic personal data;
- Appointing the department with functions of protecting personal data and the personnel in charge of protection of personal data, and exchanging information regarding such department and individual in charge of protection of personal data with the Personal Data Protection Authority. In case the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor or the Third Party is an individual, the exchanged information shall be of the conducting individual;
- Notifying data subjects that their sensitive personal data is processed, except in specified cases as stipulated in Article 13.6, Article 17 and Article 18 of Decree 13.
CROSS BORDER TRANSFER OF PERSONAL DATA
Transfer of personal data of Vietnamese citizens abroad requires the transferor of personal data to prepare a relevant impact assessment and follow the procedures in accordance with Decree 13. Cross-border transferors of personal data include the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and the Third Party.
The cross-border transferor of personal data shall submit one (01) original of the impact assessment dossier to the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) within 60 days from the date of processing of the personal data.
In addition, it is worth noting that the Ministry of Public Security of Vietnam has the power to halt cross-border data transfers in the following cases:
- The transferred data is found to be used for activities that violate the interests and national security of the Socialist Republic of Vietnam;
- The transferor fails to complete, update or supplement the impact assessment dossier of cross border transfer of personal data;
- The personal data of Vietnamese citizens is disclosed or lost.
Decree 13 represents the preliminary establishment of privacy and information security regulations, setting forth principles to be adhered to in order to ensure the lawful, transparent, and secure processing of personal data. However, alongside these regulations, individuals and enterprises themselves also need to develop a deep understanding of the importance of privacy rights and the potential risks associated with personal information disclosure. By being aware of these risks and taking necessary measures to protect personal data, such as using highly secure passwords, updating security software, and selecting reliable online services, individuals and enterprises can contribute to safeguarding their own personal information, as well as building a safer digital environment.