On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on personal data protection to meet data protection requirements in the context of information globalization. The Decree is built on the experience from the General Data Protection Regulation of the European Union and has significant changes to meet the context of data mining practices in Vietnam.
Basic information about Decree 13/2023/ND-CP issued by the Government regulating personal data protection includes:
|Date issued||April 17, 2023|
Decree 13/2023/ND-CP includes 4 Chapters 44 Articles, comprehensively recognizing the basic rights of individuals as data subjects and setting technical and legal requirements for businesses processing and controlling data of Vietnamese citizens. In addition, the Decree also stipulates the function and authority of the agency in charge of personal data protection in Vietnam.
The provisions of Decree 13/2023/ND-CP apply to all individuals and organizations, both domestic and foreign, that are involved in the processing of personal data in Vietnam and also outside Vietnam.
The regulation in Decree 13/2023/ND-CP places an obligation on businesses to re-examine their internal policies and privacy management practices to identify gaps and adjusted according to the requirements of Decree 13/2023/ND-CP and proposed corresponding action plans.
According to Clause 3, Article 3 of Decree 13/2023/ND-CP, basic personal data includes the following information:
Clause 4, Article 3 of the Decree stipulates that sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect the legitimate rights and interests of the individual includes:
Personal data protection means activities to prevent, detect, prevent and handle violations related to personal data in accordance with the law.
Pursuant to Article 8, Decree 13/2023/ND-CP, prohibited acts include:
Pursuant to Article 4 of Decree 13/2023/ND-CP, any violation of regulations on protection of personal data, depending on the severity, can be administratively sanctioned and more serious can be will be prosecuted according to the provisions of the law. The Decree also stipulates that buying and selling personal data is illegal and strictly prohibited in any form.
Article 17 of Decree 13/2023/ND-CP stipulates cases in which personal data is processed without the consent of the data subject as follows:
Decree 13/2023/ND-CP stipulates the processing of personal data including the collection, recording, analysis, confirmation, storage, modification, disclosure, combination, access, retrieval, collection recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions. All activities in the personal data processing process must be consented to by the data subject, unless otherwise provided for by law. It should be noted that this consent is only valid when the data subject voluntarily and fully knows the following:
According to Article 24 of Decree 13/2023/ND-CP, businesses and related parties are required to make and maintain records of impact assessment of personal data processing and ensure that they are available at all times to serve the inspection, review and inspection activities of the Ministry of Public Security right from the beginning of data processing.
In the case of transferring personal data of Vietnamese citizens abroad (usually for transnational and multinational corporations), the enterprise must prepare a dossier to assess the impact of transferring personal data out of the country. foreign countries and must also ensure that they are always available to serve inspection and inspection activities of the Ministry of Public Security.
In addition, the enterprise must also send an original of the dossier to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) using form No. 06 in the Appendix to Decree 13/2023/ND- CP within 60 days from the date of processing personal data (Article 25).
According to the provisions of Decree 13/2023/ND-CP, the agencies with the task of protecting personal data are the Department of Cybersecurity and high-tech crime prevention and control, which is responsible for helping the Ministry of Public Security perform state management on the protection of personal data.
The national portal on personal data protection also plays an important role in the dissemination of the law, updating and receiving information.
In the current context, many people become victims of online fraud, a lot of personal data is illegally disclosed, bought and sold openly, scammers build sophisticated scripts such as sending fraudulent messages to children who have had an accident to give money for medical treatment or scamming people to use bank accounts to borrow money, etc. to appropriate money illegally, the issuance of a separate decree on protection of personal data is very necessary and important. Decree 13/2023/ND-CP has helped to create a legal corridor for state management agencies to review, evaluate, inspect and test for compliance with individuals data protection regulations with agencies and organizations.
In order to fully comply with the provisions of Decree 13/2023/ND-CP, the provisions of Articles 11 and 13 on the notification and confirmation of consent of the data subject when the data processor performs any data processing operation seems infeasible and difficult to perform.
For example, a credit institution, a credit institution’s products must follow many processes, each process includes many different steps and most must involve collecting, evaluating, providing the data on the customer sets is very large, the request for all activities requires the consent of the data subject in the processing processes and must notify the individual data subject causes many difficulties for organizations and individuals in the credit sector. In addition, credit institutions will have to calculate to reserve a large financial and human resource to be able to review and adjust the system to operate in reality and can make the service provision progress of the credit institutions. It takes longer for credit institutions to reach customers due to the extra steps of operation.
Some provisions in Decree 13/2023/ND-CP are expressed in a vague and qualitative manner. In addition, the interpretation to implement these provisions encountered some difficulties, in too short a time (before July 1, 2023), the internal inspection and adjustment of organizations to meet regulations Decree 13/2023/ND-CP is not feasible and very difficult to implement.
If you have a need for civil legal advice, issues related to the National Security Law and the Cybersecurity Law, please contact Viet An Law Firm for the best support.
#3rd Floor, 125 Hoang Ngan, Hoang Ngan Plaza, Trung Hoa, Cau Giay, Hanoi, Vietnam