The Vietnamese Constitution 2013 affirms that individual privacy is inviolable. Personal data is an issue closely related to human rights, civil rights, safety, network security, information security, data security, information technology and the fourth industrial revolution, e-government, digital economy, and information technology. In the article below, Viet An Law will present regulations on personal data protection policy under the current Vietnamese law.
Legal basis
Law on Cyber Information Security 2015;
Decree 13/2023/ND–CP on protecting personal data.
What is personal data?
According to the provisions of Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment, which associated with a particular person or helping to identify a particular person.
Classification of personal data
According to Article 2 of Decree 13/2023/ND–CP personal data includes basic personal data and sensitive personal data.
Basic personal data
Sensitive personal data: Sensitive personal data is personal data associated with an individual’s privacy rights that, when violated, will directly affect the individual’s legitimate rights and interests.
Regulations on personal data protection policy
According to the provisions of the Law on Cyber Information Security, the principles of personal data protection are as follows:
Individuals protect their personal information and comply with the law on providing personal information;
Agencies, organizations and individuals handling personal information are responsible for ensuring network information security for the information they process;
Organizations and individuals handling personal information must develop and publicly announce measures to handle and protect the personal information of their organizations and individuals;
The protection of personal information is carried out by the provisions of the Law on Cyber Information Security and other relevant regulations;
Processing of personal information to ensure national defense, national security, social order, and safety or for non-commercial purposes is carried out following other relevant laws.
Thus, the personal data protection policy is a protection measure prescribed under Decree 13/2023/ND-CP drafted and issued by individuals and organizations to apply internally to the collection of personal data, processes, and stores of personal information of users, employees, as well as customers and partners.
Law on Cyber Information Security stipulates that organizations and individuals handling personal information must apply appropriate management and technical measures to protect the personal information they collect and store; Comply with standards and technical regulations on ensuring network information security and have the following responsibilities:
Collect personal information after obtaining the consent of the personal information subject about the scope and purpose of collecting and using that information;
Only use collected personal information for purposes other than the original purpose after obtaining the consent of the personal information subject;
Do not provide, share, or distribute personal information that you have collected, accessed, or controlled to third parties, except with the consent of the subject of that personal information or at the request of the competent state agency.
Measures to protect personal data
Protect personal data
According to Article 26 of Decree 13/2023/ND–CP, personal data protection measures are applied right from the beginning and throughout the personal data processing process. Personal data protection measures include:
Management measures implemented by organizations and individuals involved in processing personal data;
Technical measures implemented by organizations and individuals involved in processing personal data;
Measures implemented by competent state management agencies according to the provisions of this Decree and relevant laws;
Investigation and litigation measures are carried out by competent state agencies;
Other measures as prescribed by law.
Basic personal data protection
In addition to the measures specified above, according to Article 27 of this Decree, the following protection measures can be applied:
Develop and promulgate regulations on personal data protection, clearly stating what needs to be done according to the provisions of the Law;
Encourage the application of personal data protection standards appropriate to the field, industry, and activities related to personal data processing.
Check network security for systems and means and equipment serving personal data processing before processing, irreversibly deleting, or destroying devices containing personal data.
Protect sensitive personal data
In addition to applying the measures above, Article 28 of this Decree stipulates measures including:
Designate a department with the function of protecting personal data, designate personnel in charge of protecting personal data, and exchange information about departments and individuals in charge of protecting personal data with the responsible agency. protect personal data. In case the Personal Data Controller, Personal Data Controller and Processor, Data Processor, and Third Party are individual, the information of the performing individual shall be exchanged.
Notify the data subject that the data subject’s sensitive personal data is processed, except for the cases specified in Clause 4, Article 13, Article 17, and Article 18.
Agency in charge of personal data protection and National Information Portal on personal data protection
According to Decree 13/2023/ND-CP regulating specialized agencies for personal data protection and national information portals on personal data as follows:
The agency in charge of protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention – Ministry of Public Security, which is responsible for helping the Ministry of Public Security carry out state management of personal data protection.
National information portal on personal data protection.
Personal data protection policy drafting service of Viet An Law
Consulting and support osn personal data protection policies;
Drafting personal data protection policy upon requests of clients;
Consulting on handling regulations when violating personal data protection policies.
Clients who have questions or legal needs related to regulations on personal data protection policy, please contact Viet An Law Firm for the best advice and support!
The new regulations of the Law on Bidding, the Law on Construction, the Law on Investment, and other relevant legislation have provided opportunities for foreign contractors to participate in bidding…
Legal compliance and risk management are critical to any enterprise in an increasingly competitive and complex business environment. The in-house lawyer service for enterprises was created to meet this need…
The operation and organization of enterprises will be subject to the regulation of many different legal issues. To minimize risks as well as create a solid legal framework, as a…
Corporate and risk governance are two important factors and are closely related to each other in organizing and operating a business. Effective corporate governance cannot lack the identification, assessment, and…
Navigating the legal requirements for business suspension in Vietnam requires careful attention to regulatory compliance and procedural steps mandated by Vietnamese law. From submitting official notifications to tax authorities and…
