The Vietnamese Constitution 2013 affirms that individual privacy is inviolable. Personal data is an issue closely related to human rights, civil rights, safety, network security, information security, data security, information technology and the fourth industrial revolution, e-government, digital economy, and information technology. In the article below, Viet An Law will present regulations on personal data protection policy under the current Vietnamese law.
Legal basis
Law on Cyber Information Security 2015;
Decree 13/2023/ND–CP on protecting personal data.
What is personal data?
According to the provisions of Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment, which associated with a particular person or helping to identify a particular person.
Classification of personal data
According to Article 2 of Decree 13/2023/ND–CP personal data includes basic personal data and sensitive personal data.
Basic personal data
Sensitive personal data: Sensitive personal data is personal data associated with an individual’s privacy rights that, when violated, will directly affect the individual’s legitimate rights and interests.
Regulations on personal data protection policy
According to the provisions of the Law on Cyber Information Security, the principles of personal data protection are as follows:
Individuals protect their personal information and comply with the law on providing personal information;
Agencies, organizations and individuals handling personal information are responsible for ensuring network information security for the information they process;
Organizations and individuals handling personal information must develop and publicly announce measures to handle and protect the personal information of their organizations and individuals;
The protection of personal information is carried out by the provisions of the Law on Cyber Information Security and other relevant regulations;
Processing of personal information to ensure national defense, national security, social order, and safety or for non-commercial purposes is carried out following other relevant laws.
Thus, the personal data protection policy is a protection measure prescribed under Decree 13/2023/ND-CP drafted and issued by individuals and organizations to apply internally to the collection of personal data, processes, and stores of personal information of users, employees, as well as customers and partners.
Law on Cyber Information Security stipulates that organizations and individuals handling personal information must apply appropriate management and technical measures to protect the personal information they collect and store; Comply with standards and technical regulations on ensuring network information security and have the following responsibilities:
Collect personal information after obtaining the consent of the personal information subject about the scope and purpose of collecting and using that information;
Only use collected personal information for purposes other than the original purpose after obtaining the consent of the personal information subject;
Do not provide, share, or distribute personal information that you have collected, accessed, or controlled to third parties, except with the consent of the subject of that personal information or at the request of the competent state agency.
Measures to protect personal data
Protect personal data
According to Article 26 of Decree 13/2023/ND–CP, personal data protection measures are applied right from the beginning and throughout the personal data processing process. Personal data protection measures include:
Management measures implemented by organizations and individuals involved in processing personal data;
Technical measures implemented by organizations and individuals involved in processing personal data;
Measures implemented by competent state management agencies according to the provisions of this Decree and relevant laws;
Investigation and litigation measures are carried out by competent state agencies;
Other measures as prescribed by law.
Basic personal data protection
In addition to the measures specified above, according to Article 27 of this Decree, the following protection measures can be applied:
Develop and promulgate regulations on personal data protection, clearly stating what needs to be done according to the provisions of the Law;
Encourage the application of personal data protection standards appropriate to the field, industry, and activities related to personal data processing.
Check network security for systems and means and equipment serving personal data processing before processing, irreversibly deleting, or destroying devices containing personal data.
Protect sensitive personal data
In addition to applying the measures above, Article 28 of this Decree stipulates measures including:
Designate a department with the function of protecting personal data, designate personnel in charge of protecting personal data, and exchange information about departments and individuals in charge of protecting personal data with the responsible agency. protect personal data. In case the Personal Data Controller, Personal Data Controller and Processor, Data Processor, and Third Party are individual, the information of the performing individual shall be exchanged.
Notify the data subject that the data subject’s sensitive personal data is processed, except for the cases specified in Clause 4, Article 13, Article 17, and Article 18.
Agency in charge of personal data protection and National Information Portal on personal data protection
According to Decree 13/2023/ND-CP regulating specialized agencies for personal data protection and national information portals on personal data as follows:
The agency in charge of protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention – Ministry of Public Security, which is responsible for helping the Ministry of Public Security carry out state management of personal data protection.
National information portal on personal data protection.
Personal data protection policy drafting service of Viet An Law
Consulting and support osn personal data protection policies;
Drafting personal data protection policy upon requests of clients;
Consulting on handling regulations when violating personal data protection policies.
Clients who have questions or legal needs related to regulations on personal data protection policy, please contact Viet An Law Firm for the best advice and support!
On December 23, 2024, the Ministry of Finance issued new regime on tax registration in Vietnam under Circular 86/2024/TT-BTC, which comes into force from February 6, 2025. This Circular replaces…
According to the Intellectual Property Office (IP Vietnam), from 2014 to 2023, the number of patent and utility solution applications in Vietnam increased by 9.8% annually. Currently, the demand for…
(under Decree 20/2025) On February 10, 2025, the Government issued Decree No. 20/2025/ND-CP amending and supplementing several articles of Decree No. 132/2020/ND-CP on tax for enterprises having related party transactions.…
Navigating the process of dissolving an enterprise in Vietnam requires careful attention to several mandatory procedural tasks that business owners must complete to ensure legal compliance with the country’s regulatory…
After the company is established, the company in the Philippines also needs to carry out a number of post-establishment tasks such as opening bank accounts, registering for social insurance, health…
