Regulations on personal data protection policy

The Vietnamese Constitution 2013 affirms that individual privacy is inviolable. Personal data is an issue closely related to human rights, civil rights, safety, network security, information security, data security, information technology and the fourth industrial revolution, e-government, digital economy, and information technology. In the article below, Viet An Law will present regulations on personal data protection policy under the current Vietnamese law.

Legal basis

• Law on Cyber Information Security 2015;
• Decree 13/2023/ND–CP on protecting personal data.

What is personal data?

According to the provisions of Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment, which associated with a particular person or helping to identify a particular person.

Classification of personal data

According to Article 2 of Decree 13/2023/ND–CP personal data includes basic personal data and sensitive personal data.

• Basic personal data
• Sensitive personal data: Sensitive personal data is personal data associated with an individual’s privacy rights that, when violated, will directly affect the individual’s legitimate rights and interests.

Regulations on personal data protection policy

According to the provisions of the Law on Cyber Information Security, the principles of personal data protection are as follows:

• Individuals protect their personal information and comply with the law on providing personal information;
• Agencies, organizations and individuals handling personal information are responsible for ensuring network information security for the information they process;
• Organizations and individuals handling personal information must develop and publicly announce measures to handle and protect the personal information of their organizations and individuals;
• The protection of personal information is carried out by the provisions of the Law on Cyber Information Security and other relevant regulations;
• Processing of personal information to ensure national defense, national security, social order, and safety or for non-commercial purposes is carried out following other relevant laws.

Thus, the personal data protection policy is a protection measure prescribed under Decree 13/2023/ND-CP drafted and issued by individuals and organizations to apply internally to the collection of personal data, processes, and stores of personal information of users, employees, as well as customers and partners.

Law on Cyber Information Security stipulates that organizations and individuals handling personal information must apply appropriate management and technical measures to protect the personal information they collect and store; Comply with standards and technical regulations on ensuring network information security and have the following responsibilities:

• Collect personal information after obtaining the consent of the personal information subject about the scope and purpose of collecting and using that information;
• Only use collected personal information for purposes other than the original purpose after obtaining the consent of the personal information subject;
• Do not provide, share, or distribute personal information that you have collected, accessed, or controlled to third parties, except with the consent of the subject of that personal information or at the request of the competent state agency.

Measures to protect personal data

Protect personal data

According to Article 26 of Decree 13/2023/ND–CP, personal data protection measures are applied right from the beginning and throughout the personal data processing process. Personal data protection measures include:

• Management measures implemented by organizations and individuals involved in processing personal data;
• Technical measures implemented by organizations and individuals involved in processing personal data;
• Measures implemented by competent state management agencies according to the provisions of this Decree and relevant laws;
• Investigation and litigation measures are carried out by competent state agencies;
• Other measures as prescribed by law.

Basic personal data protection

In addition to the measures specified above, according to Article 27 of this Decree, the following protection measures can be applied:

• Develop and promulgate regulations on personal data protection, clearly stating what needs to be done according to the provisions of the Law;
• Encourage the application of personal data protection standards appropriate to the field, industry, and activities related to personal data processing.
• Check network security for systems and means and equipment serving personal data processing before processing, irreversibly deleting, or destroying devices containing personal data.

Protect sensitive personal data

In addition to applying the measures above, Article 28 of this Decree stipulates measures including:

• Designate a department with the function of protecting personal data, designate personnel in charge of protecting personal data, and exchange information about departments and individuals in charge of protecting personal data with the responsible agency. protect personal data. In case the Personal Data Controller, Personal Data Controller and Processor, Data Processor, and Third Party are individual, the information of the performing individual shall be exchanged.
• Notify the data subject that the data subject’s sensitive personal data is processed, except for the cases specified in Clause 4, Article 13, Article 17, and Article 18.

Agency in charge of personal data protection and National Information Portal on personal data protection

According to Decree 13/2023/ND-CP regulating specialized agencies for personal data protection and national information portals on personal data as follows:

• The agency in charge of protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention – Ministry of Public Security, which is responsible for helping the Ministry of Public Security carry out state management of personal data protection.
• National information portal on personal data protection.

Personal data protection policy drafting service of Viet An Law

• Consulting and support osn personal data protection policies;
• Drafting personal data protection policy upon requests of clients;
• Consulting on handling regulations when violating personal data protection policies.

Clients who have questions or legal needs related to regulations on personal data protection policy, please contact Viet An Law Firm for the best advice and support!