Drafting personal data protection policy in Vietnam

During operations, many businesses collect and process user data. This collection and processing requires compliance with legal regulations and user consent, which is reflected in the business’s personal data protection policy. However, in reality, many clients encounter many difficulties when not fully determining the contents of this policy. To answer clients’ questions, Viet An Law Firm would like to present the following article on drafting personal data protection policy in Vietnam.

Legal basis

• Civil Code 2015;
• Decree 13/2023/ND-CP on personal data protection.

What is personal data?

Personal data is understood as information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment that are associated with a specific person or help identify a specific person. Personal data includes basic personal data and sensitive personal data.

Why must personal data be protected?

Personal data protection is the activity of preventing, detecting, stopping, and handling violations related to personal data according to the provisions of law.

The security of personal data is extremely important because if data is stolen it can cause serious financial losses, risk of blackmail, fraud, property appropriation, defamation, violating honor, dignity, and sexual abuse causing both material and mental consequences, directly affecting the legitimate rights and interests of agencies, organizations, businesses and each person.

Necessary content when drafting personal data protection policy in Vietnam

The personal data privacy policy describes the activities related to the processing of clients’ personal data.

Businesses have different policies to protect their clients’ personal data. However, the policy basically stipulates several contents:

Subjects and scope of application, for example:

• This policy governs the way in which the business collects, processes, and stores the personal data of Users who use or interact with the business’s products, websites, applications, or services;
• This data privacy policy applies only to individual users.

Interpretation

Enterprises provide definitions for clients to read and understand terms such as:

• User;
• Personal data, types of personal data (basic personal data and sensitive personal data);
• Users of personal data;
• Protection of personal data;
• Processing of personal data;
• Third-party person.

Purpose of personal data protection in Vietnam

Rights and obligations of the client regarding personal data

• Clients / Users are data owners, have the right to decide what data to provide, edit the data provided later, the right to know about the processing of their personal data, the right to consent or not agree to allow the processing of your personal data, unless otherwise prescribed by law, the right to withdraw your consent, the right to complain, and denounce according to the provisions of law, the right to request claim compensation for damages, the right to self-defense, and other rights as prescribed by law;
• Along with rights, clients also have the duty to comply with laws, regulations, and business instructions related to processing users’ personal data and providing complete, honest, and accurate information. confirm personal data and other information as requested, protect your personal data, proactively apply measures to protect your personal data, and take responsibility for the information, data, and consent that you create, and provide, respect for other people’s personal data, other obligations as prescribed by law.

Rights and obligations of businesses

Rights of the enterprise:

• Processing personal data according to the provisions of law: Processing personal data is one or more activities affecting personal data, such as: collecting, recording, analyzing, confirming, storing, editing edit, disclosing, combining, accessing, retrieving, retrieving, encrypting, decrypting, copying, sharing, transmitting, transferring, deleting, destroying personal data or other actions related;
• Amend this policy from time to time and ensure clients are notified before applying.
• Have the right to refuse clients’ illegal requests.
• Decide to apply appropriate measures to protect clients’ personal data.

Obligations of the enterprise:

• Comply with legal regulations in the process of processing clients’ personal data.
• Apply appropriate information security measures to avoid unauthorized access, change, use, and disclosure of clients’ personal data.
• Coordinate with competent state agencies and other relevant organizations and individuals to minimize damage when detecting legal violations of clients’ personal data.
• Other obligations are specified in the policy and according to the provisions of law.

Commitment to data storage and personal data processing

The obligation to secure consent and the data subject’s right to withdraw consent applies to all activities in the Data Processor’s processing of personal data. All processed data must be notified by the Data Processor to the data subject in a form and time limit in accordance with the law.

The Data User undertakes to store the User’s personal data only in connection with the purposes set out in this policy. Therefore, businesses may also need to store personal data for a period of time, such as where required by applicable law.

Remedies for violations

Any violation of personal data according to the provisions of the contract and the law must be handled in accordance with the law. The violation may come from the data owner, or the data processor/controller/storage party.

Principles for drafting personal data protection policy in Vietnam

To ensure the drafting of personal policies is carried out, drafters need to comply with the following principles:

• Users must ensure that they know, understand, and agree to the policy.
• The contents of the policy must comply with the provisions of the law.

Some questions are related to drafting personal data protection policy in Vietnam

What types of data are covered by basic personal data?

According to the law, basic personal data includes types of data about:

• Surname, middle name, birth name, other names (if any);
• Date of birth, date, month, year of death or disappearance;
• Gender, marital status, family relationship;
• Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
• Nationality;
• Images of individuals;
• Phone number, ID card number, personal identification number, passport number, driver’s license number, license plate number, personal tax code number, social insurance number, health insurance card number ;
• Information about individual digital accounts; Personal data reflecting activities and history of activities in cyberspace;
• Other information that pertains to a specific person or helps identify a specific person is not considered sensitive personal data.

What types of data does sensitive personal data include?

According to the law, sensitive personal data includes:

• Political opinions, religious opinions;
• Health status and personal life are recorded in medical records, excluding information about blood type;
• Information related to racial origin and ethnic origin;
• Information about an individual’s inherited or acquired genetic characteristics;
• Information about physical attributes and biological characteristics of individuals;
• Information about the individual’s sex life and sexual orientation;
• Data on crimes and criminal acts are collected and stored by law enforcement agencies;
• Client information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations;
• Data about the individual’s location determined through location services;
• Other personal data is regulated by law as specific and requires necessary security measures

Drafting a personal data protection policy is an important activity during business operations. If you need advice on drafting a personal data protection policy, please contact Viet An Law Firm for the best support.