Decree 13/2023/ND-CP on protection of personal data

On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on personal data protection to meet data protection requirements in the context of information globalization. The Decree is built on the experience from the General Data Protection Regulation of the European Union and has significant changes to meet the context of data mining practices in Vietnam.

Full text of Decree 13/2023/ND-CP on the protection of personal data issued by the Government

Download Decree 13/2023/ND-CP here

Basic information of Decree 13/2023/ND-CP

Basic information about Decree 13/2023/ND-CP issued by the Government regulating personal data protection includes:

Contents of Decree 13/2023/ND-CP on protection of personal data

Decree 13/2023/ND-CP includes 4 Chapters 44 Articles, comprehensively recognizing the basic rights of individuals as data subjects and setting technical and legal requirements for businesses processing and controlling data of Vietnamese citizens. In addition, the Decree also stipulates the function and authority of the agency in charge of personal data protection in Vietnam.

Subjects of application

The provisions of Decree 13/2023/ND-CP apply to all individuals and organizations, both domestic and foreign, that are involved in the processing of personal data in Vietnam and also outside Vietnam.

The regulation in Decree 13/2023/ND-CP places an obligation on businesses to re-examine their internal policies and privacy management practices to identify gaps and adjusted according to the requirements of Decree 13/2023/ND-CP and proposed corresponding action plans.

Basic personal data and sensitive personal data

According to Clause 3, Article 3 of Decree 13/2023/ND-CP, basic personal data includes the following information:

• Full name, middle name and birth name, other name (if any);
• Date of birth; day, month, year dead or missing;
• Sexual;
• Place of birth, birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
• Nationality;
• Personal image;
• Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
• Marital status;
• Information about family relationships (parents, children);
• Information about the individual’s digital account;
• Personal data reflects activities, history of activities in cyberspace;
• Other information relating to a specific person or helping to identify a specific person is not included in the data in Clause 4, Article 3.

Clause 4, Article 3 of the Decree stipulates that sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect the legitimate rights and interests of the individual includes:

• Political views, religious views;
• Health status and private life are recorded in the medical record, not including blood type information;
• Information related to racial or ethnic origin;
• Information about inherited or acquired genetic characteristics of an individual;
• Information about the individual’s physical attributes and biological characteristics;
• Information about an individual’s sex life and sexual orientation;
• Data on crimes and offenses are collected and stored by law enforcement agencies;
• Customer information of credit institutions, foreign bank branches, payment intermediary service providers and other authorized organizations includes: customer identification information as prescribed by law, information account information, deposit information, information about deposited assets, transaction information, information about organizations and individuals being the guarantor at credit institutions, bank branches, payment intermediary services;
• Personal location data identified through location services;
• Other personal data required by law is unique and requires necessary security measures.

What behaviors are prohibited?

Personal data protection means activities to prevent, detect, prevent and handle violations related to personal data in accordance with the law.

Pursuant to Article 8, Decree 13/2023/ND-CP, prohibited acts include:

• Individuals when processing personal data in contravention of the provisions of the law on protection of personal data;
• Processing personal data for the purpose of releasing information and data to oppose the State of the Socialist Republic of Vietnam;
• Processing personal data in order to create information and data that adversely affect national security, cause social disorder and safety, and infringe upon the legitimate rights and interests of other organizations and individuals;
• Processing personal data obstructs personal data protection activities of competent State agencies in accordance with the law;
• Taking advantage of the protection of personal data to break the law.

Pursuant to Article 4 of Decree 13/2023/ND-CP, any violation of regulations on protection of personal data, depending on the severity, can be administratively sanctioned and more serious can be will be prosecuted according to the provisions of the law. The Decree also stipulates that buying and selling personal data is illegal and strictly prohibited in any form.

Cases in which personal data is processed without the subject’s consent

Article 17 of Decree 13/2023/ND-CP stipulates cases in which personal data is processed without the consent of the data subject as follows:

• In the event that it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others. The Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, Third Party is responsible for proving this case.
• Performing activities to publicize personal data must comply with the provisions of the law.
• In the case of the following emergency, the data will be processed by a competent state agency: emergency on national defense, national security, social order and safety, major disaster, epidemic dangerous diseases; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and violations of the law in accordance with the law.
• To fulfill the contractual obligations of the data subject with relevant agencies, organizations and individuals as prescribed by law.
• Comply with specialized laws on serving activities of state agencies.

Processing of personal data

Decree 13/2023/ND-CP stipulates the processing of personal data including the collection, recording, analysis, confirmation, storage, modification, disclosure, combination, access, retrieval, collection recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions. All activities in the personal data processing process must be consented to by the data subject, unless otherwise provided for by law. It should be noted that this consent is only valid when the data subject voluntarily and fully knows the following:

• Type of personal data to be processed;
• Purpose of processing personal data;
• Organizations and individuals process data;
• Rights and obligations of data subjects.

Assess the impact of personal data processing and assess the impact of data transfer abroad

According to Article 24 of Decree 13/2023/ND-CP, businesses and related parties are required to make and maintain records of impact assessment of personal data processing and ensure that they are available at all times to serve the inspection, review and inspection activities of the Ministry of Public Security right from the beginning of data processing.

In the case of transferring personal data of Vietnamese citizens abroad (usually for transnational and multinational corporations), the enterprise must prepare a dossier to assess the impact of transferring personal data out of the country. foreign countries and must also ensure that they are always available to serve inspection and inspection activities of the Ministry of Public Security.

In addition, the enterprise must also send an original of the dossier to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) using form No. 06 in the Appendix to Decree 13/2023/ND- CP within 60 days from the date of processing personal data (Article 25).

Agency dedicated to the protection of personal data

According to the provisions of Decree 13/2023/ND-CP, the agencies with the task of protecting personal data are the Department of Cybersecurity and high-tech crime prevention and control, which is responsible for helping the Ministry of Public Security perform state management on the protection of personal data.

The national portal on personal data protection also plays an important role in the dissemination of the law, updating and receiving information.

Proposing the implementation of Decree 13/2023/ND-CP

In the current context, many people become victims of online fraud, a lot of personal data is illegally disclosed, bought and sold openly, scammers build sophisticated scripts such as sending fraudulent messages to children who have had an accident to give money for medical treatment or scamming people to use bank accounts to borrow money, etc. to appropriate money illegally, the issuance of a separate decree on protection of personal data is very necessary and important. Decree 13/2023/ND-CP has helped to create a legal corridor for state management agencies to review, evaluate, inspect and test for compliance with individuals data protection regulations with agencies and organizations.

In order to fully comply with the provisions of Decree 13/2023/ND-CP, the provisions of Articles 11 and 13 on the notification and confirmation of consent of the data subject when the data processor performs any data processing operation seems infeasible and difficult to perform.

For example, a credit institution, a credit institution’s products must follow many processes, each process includes many different steps and most must involve collecting, evaluating, providing the data on the customer sets is very large, the request for all activities requires the consent of the data subject in the processing processes and must notify the individual data subject causes many difficulties for organizations and individuals in the credit sector. In addition, credit institutions will have to calculate to reserve a large financial and human resource to be able to review and adjust the system to operate in reality and can make the service provision progress of the credit institutions. It takes longer for credit institutions to reach customers due to the extra steps of operation.

Some provisions in Decree 13/2023/ND-CP are expressed in a vague and qualitative manner. In addition, the interpretation to implement these provisions encountered some difficulties, in too short a time (before July 1, 2023), the internal inspection and adjustment of organizations to meet regulations Decree 13/2023/ND-CP is not feasible and very difficult to implement.

If you have a need for civil legal advice, issues related to the National Security Law and the Cybersecurity Law, please contact Viet An Law Firm for the best support.