Drafting personal data protection policy in Vietnam

During operation, many businesses collect and process customer data. This collection and processing requires compliance with the provisions of law and the consent of the user, which is reflected in the customer data protection policy of the company. However, in reality, many customers have many difficulties because they have not properly defined the contents of this policy.

To answer these questions, Viet An Law Firm would like to publish the following article drafting personal data protection policy.

Legal basis

• Civil Code 2015;
• Decree 13/2023/ND-CP on personal data protection.

What is personal data?

Personal data is understood as information in the form of symbols, scripts, digits, images, sounds or similar forms in the electronic environment that is associated with a specific person or helps identify a specific person. Personal data includes basic personal data and sensitive personal data.

Why is it necessary to protect personal data in Vietnam?

Personal data protection means the prevention, detection, prevention and handling of violations related to personal data in accordance with the provisions of law.

The security of personal data is very important because if the data is stolen, it can cause serious financial losses, the risk of extortion, fraud, asset misappropriation, libel, violation of honor, dignity, sexual abuse …,  causing both material and spiritual consequences, directly affecting the legitimate rights and interests of agencies, organizations, companies and individuals.

Which content is required when drafting a personal data protection policy in Vietnam?

The Personal Data Privacy Policy describes the activities related to the processing of customers’ personal data.

Businesses have different policies to protect their customers’ personal data. However, basically the policy stipulates some content about:

Subjects and scope of application, such as:

• This policy governs the way in which the business collects, processes and stores the personal data of users who use or interact with its products, websites, applications or services;
• This data privacy policy applies only to individual users.

Words definition:

Businesses provide definitions for customers to read and understand terms such as:

• User;
• Personal data, types of personal data (basic personal data and sensitive personal data);
• Users of personal data;
• Protection of personal data;
• Processing of personal data;
• Third party.

Purposes of personal data protection in Vietnam

Rights and obligations of customers with respect to personal data

• Customer/ User is data subject, has the right to decide what data to provide, to correct the data provided later, the right to know about the processing of his/her personal data, the right to consent or disagree to the processing of his/her personal data,  unless otherwise provided for by law, the right to withdraw their consent, the right to complain, denounce and initiate lawsuits in accordance with the provisions of law, the right to claim compensation for damages, the right to self-protection and other rights as prescribed by law;
• Along with the rights, customers are also obliged to comply with the provisions of laws, regulations, instructions of companies related to the processing of users’ Personal Data, provide complete, truthful and accurate Personal Data, other information as required,  protect their personal data, proactively apply measures to protect their Personal Data, take responsibility for the information, data, consent they create, provide, respect the personal data of others, other obligations as prescribed by law.

Rights and obligations of company

• Rights of company;
  • Personal data processing in accordance with the law: Personal data processing is one or more activities affecting personal data, such as: collection, recording, analysis, confirmation, storage, correction, publicity, combination, access, retrieval, withdrawal, encryption, decryption, etc  copy, share, transmit, provide, transfer, delete, destroy personal data or other related actions;
• Amend this Policy from time to time and ensure that customers are notified before applying.
• Have the right to refuse illegal requests of customers.
• Decide to take appropriate measures to protect customers’ personal data.
• Obligations of company:
• Comply with the provisions of the law in the processing of customers’ personal data.
• Apply appropriate information security measures to avoid unauthorized access, change, use or disclosure of customers’ personal data.
• Coordinate with competent state agencies and other relevant organizations and individuals to minimize losses when detecting violations of the law against customers’ Personal Data.
• Other obligations are set out in the Policy and as prescribed by law.

Commitment to data storage and processing of personal data

The obligation to secure consent and the right to withdraw consent of data subjects applies to all activities in the processing of personal data by Data Processor. All processed data must be notified to the data subject by the data processor in the form and time limit prescribed by law.

The commitment of the Data Controller to store the User’s personal data only in the case of the purposes set out in this Policy. Businesses may also need to store users’ personal data for a period of time, such as when required by applicable law.

Sanctions for violations

Any violation of personal data in accordance with the contract and in accordance with the law must be handled in accordance with the law. The breach may come from the data subject, or the Data Processor/Controller/Host.

Other general provisions related

Principles of drafting a personal data protection policy in Vietnam

To ensure that individual policy drafting is carried out, the draftsman should adhere to the following guidelines:

• Users must ensure that they know, understand and agree to this Policy.
• The contents of the policy must comply with the provisions of law.

Some questions are related to drafting a personal data protection policy

What types of data does basic personal data include?

In accordance with the law, basic personal data includes various types of data on:

• Full name, middle and birth name, other names (if any);
• Date, month, year of birth; date, month, year of death or disappearance;
• Gender, marital status, family relationships;
• Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
• Nationality;
• Images of individuals;
• Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
• Information about the individual’s digital account; personal data reflecting activities and history of activities in cyberspace;
• Other information that relates to a specific person or helps identify a specific person does not fall under sensitive personal data.

What types of sensitive personal data does it include?

In accordance with the law, sensitive personal data includes:

• Political views, religious views;
• Health and personal status are recorded in the medical record, which does not include information about blood type;
• Information related to racial and ethnic origin;
• Information about inherited or acquired genetic traits of the individual;
• Information about physical properties, individual biological characteristics;
• Information about the sex life, sexual orientation of the individual;
• Data on crimes and offenses collected and stored by law enforcement agencies;
• Customer information of credit institutions, foreign bank branches, payment intermediary service providers, other permitted organizations;
• Data about the individual’s location is determined through location services;
• Other personal data regulated by law are specific and require necessary security measures

Drafting a personal data protection policy is an important necessary activity in the operation of the business, if you need advice on drafting a personal data protection policy, consulting on drafting a contract, please contact Viet An Law Firm for the best support.