Protection of personal data in Vietnam

Protection of personal data in Vietnam is the activity of preventing, detecting, stopping, and handling violations related to personal data according to the provisions of the law. From July 1, 2023, Decree 13/2023/ND-CP of the Government on personal data protection will officially take effect. Accordingly, relevant agencies, organizations, and individuals are responsible for protecting personal data. In the following article, Viet An Law will present regulations related to the obligation to protect personal data when a violation occurs according to current Vietnamese law.

Legal basis

• Civil Code 2015.
• Decree 13/2023/ND-CP on the protection of personal data.
• Decree 98/2020/ND-CP regulates administrative sanctions for violations in commercial activities, production and trading of counterfeit and banned goods, and protection of consumer rights.

What is personal data?

According to Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is “information in the form of symbols, letters, numbers, images, sounds or similar forms on an attached electronic environment. with a particular person or helps to identify a particular person”. Personal data includes basic personal data and sensitive personal data.

What information does personal data include?

Basic personal data includes:

• Surname, middle name, birth name, other names (if any);
• Date of birth; date, month, year of death or disappearance;
• Sexuality;
• Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
• Nationality;
• Images of individuals;
• Phone number, ID card number, personal identification number, passport number, driver’s license number, license plate number, personal tax code number, social insurance number, health insurance card number ;
• Marital status;
• Information about family relationships (parents, children);
• Information about individual digital accounts; Personal data reflecting activities and history of activities in cyberspace;
• Other information associated with a specific person or helping to identify a specific person is not specified in Clause 4 of this Article.

Sensitive personal data is personal data associated with an individual’s privacy rights that, when violated, will directly affect the individual’s legitimate rights and interests, including:

• Political opinions, religious opinions;
• Health status and personal life are recorded in medical records, excluding information about blood type;
• Information related to racial origin and ethnic origin;
• Information about an individual’s inherited or acquired genetic characteristics;
• Information about physical and biological characteristics of individuals;
• Information about individual’s sex life and sexual orientation;
• Data on criminal acts are collected and stored by law enforcement agencies;
• Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including: customer identification information according to the provisions of law, account information, deposit information, deposited assets information, transaction information, information about organizations and individuals that are guarantors at credit institutions, bank branches, organizations providing payment intermediary services;
• Data about the individual’s location determined through location services;
• Other personal data is regulated by law as specific and requires necessary security measures.

Regulations on protection of personal data in Vietnam in the event of a breach

Personal Data Controller, Personal Data Processor, Personal Data Joint-Controller, and Third Parties are the entities with the main obligations to participate in the data subject’s data information transfer network. The regulations of Decree 13/2023/ND-CP are built on the EU’s GDPR Policy with basically comprehensive obligations.

In this article, the centralized obligations of the above subjects are presented when taking measures to handle infringements that have taken place. Personal data will be protected by reporting violations to competent authorities. Specifically:

Obligation to notify violations

• In case a violation of personal data protection regulations is detected, the Personal Data Controller and the Personal Data Controller and Processor shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) no later than 72 hours after the violation occurs.
• The Personal Data Processor must notify the Personal Data Controller as quickly as possible after becoming aware of a violation of personal data protection regulations.
• Organizations and individuals notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) when detecting the following cases:
• Detect legal violations of personal data;
• Personal data is processed for the wrong purpose, not under the original agreement between the data subject and the Personal Data Controller, the Controller and Processing of Personal Data, or in violation of the law;
• The rights of data subjects are not guaranteed or are not implemented properly;
• Other cases as prescribed by law.
• According to the provisions of Decree 13/2023/ND-CP, the notification of personal data processing must be presented in a format that can be printed, and copied in writing, including in electronic form or verifiable format.

Content of notice of violation of regulations on personal data protection:

• Describe the nature of the violation of personal data protection regulations, including time, location, behavior, organization, individual, types of personal data, and quantity of data involved
• Contact details of the employee tasked with data protection or the organization or individual responsible for protecting personal data
• Describe the possible consequences and damages of violating personal data protection regulations
• Describe the measures put in place to resolve and minimize the harmful effects of violations of personal data protection regulations.

Exceptions do not require notification of the processing of personal data

According to Decree No. 13/2023/ND-CP, Personal Data Controllers and Personal Data Controllers and Processors do not need to implement regulations on personal data processing notices in the following cases :

• The data subject has known and fully agreed to the content of the provisions on the personal data processing notice before giving consent to the Personal Data Controller and the Personal Data Processing and Control Party to proceed. collect personal data, in accordance with the regulations on the right to consent of data subjects in Article 9 of Decree 13/2023/ND-CP .
• Personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law.

Thus, in cases where it is necessary to process personal data to serve the effective operations of state agencies or in cases where the subject police clearly knows that his or her personal data is being processed, there is no need to must notify about the processing of personal data.

Obligation to handle violations

• The Personal Data Controller and the Personal Data Controller and Processor must make a Minutes confirming the occurrence of a violation of personal data protection regulations, in coordination with the Ministry of Public Security (Department of Cyber Security and High-tech Crime Prevention and Control) handle violations.

Sanctions for violations

Violations by subjects who infringe on the rights to personal data of others are subject to administrative sanctions and criminal sanctions for acts constituting crimes according to the provisions of law. The current basis for applying administrative sanctions is only scattered according to the management areas of the violated information. For example, for information in the field of security, order, and social safety, sanctions regulations are mentioned in Articles 22 and 54 of Decree 144/2021/ND-CP, or for information in the field of information technology and electronic transactions, Article 102 of Decree 15/2020/ND-CP and Articles 46, 63, 65 of Decree 98/2020/ND-CP have corresponding regulations on sanctions.

For entities with obligations to protect the personal data of customers and users as described above, the law currently does not specifically stipulate corresponding administrative sanctions when the Personal Data Controller, Processor, Joint-Controller, and related parties fail to fulfill their breach notification obligations as prescribed by Decree 13/2023/ND-CP. However, in some typical areas such as e-commerce, parties can rely on previous regulations to handle violations, such as sanctions for violations of information protection in e-commerce activities related to relevant regulations in personal data protection policy in Article 65 of Decree 98/2020/ND-CP.

Personal data protection policy drafting service of Viet An Law Firm

• Advising on legal regulations related to personal data protection;
• Advising on conditions for using personal data in accordance with the provisions of law;
• Guide enterprises to develop personal data protection policies according to regulations;
• Draft a personal data protection policy in accordance with the law;
• Advising on regulations related to violations of personal data of business;
• Guide and advise enterprises to disseminate personal data protection policies to employees in enterprises.

Above are some contents related to current laws on the protection of personal data in Vietnam. If you need further advice on the above topic, please contact Viet An Law for the most effective support.