On 17 April 2023, the Government issued Decree 13/2023/ND-CP (“Decree 13/2023”) on personal data protection. This Decree is the latest legal framework on personal data protection and will greatly affect enterprises in need of collecting and processing personal data from customers or consumers. Decree 13/2023 applies to all Vietnamese or foreign individuals, agencies and organisations directly involved in or related to personal data processing activities in Vietnam and contains important details as follows:
1. Introducing new concepts on personal data for the first time
A special feature of Decree 13/2023 is that this Decree introduces many new legal concepts on personal data for the first time.
a. Personal data
Collectively, personal data (PD) is understood as information in the form of symbols, letters, numbers, images, sounds or the like, existing in the electronic environment and associated with a particular person or helping to identify a particular person. Further, Decree 13/2023 introduces two new categories of PD: basic PD and sensitive PD.
Basic PD includes the last name, middle name and birth name, other name (if any); date of birth; date of death or disappearance; sex; place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address; nationality; image of an individual; phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number …
Sensitive PD means PD associated with an individual’s privacy that, when violated, will directly affect such individual’s legitimate rights and interests, such as: political and religious viewpoints; health status and private life recorded in medical records; information related to racial origin, genetic characteristics, sex life; location data determined via location services; customer information kept by credit institutions…
Thus, basic PD is close to the conventional understanding of personal information that directly identifies a person, while sensitive PD is a broader concept covering tendencies, opinions, habits and even geographical location. Few enterprises regard such information as personal information, and its legal implications receive little attention when enterprises collect, process and use it.
b. Data subject
The data subject is also a new concept introduced in Decree 13/2023. A data subject is defined as the individual to whom the PD refers. As such, information about an enterprise will not be considered PD. In other words, only personal information is regulated and protected under Decree 13/2023.
As a data subject, an individual has 11 rights as provided for in Decree 13/2023, including: (1) Right to know; (2) Right to consent; (3) Right of access; (4) Right to withdraw consent; (5) Right to delete data; (6) Right to restrict data processing; (7) Right to provide data; (8) Right to object to data processing; (9) Right to complain, denounce and initiate lawsuits; (10) Right to claim damages; and (11) Right to self-defend. With these specific rights, data subjects have greater control over their PD; conversely, enterprises (acting as the PD Controller and Processor) will find it much more difficult to collect, process and transfer PD. For example, the data subject may object to the processing of its PD by the PD Controller or the PD Controller and Processor in order to prevent or limit the disclosure of PD or the use of PD for advertising and marketing purposes, unless otherwise provided for by law. In that case, the PD Controller, or the PD Controller and Processor, must fulfill the data subject’s request within 72 hours of receiving it, unless otherwise provided for by law.
2. Measures to protect PD
PD protection means activities to prevent, detect, ward off and handle violations related to PD in accordance with law. Decree 13/2023 clearly states that PD protection measures are applied from the very beginning of and throughout the processing of PD, including the following 5 measures:
- Management measure taken by organisations and individuals involved in PD processing;
- Technical measure taken by organisations and individuals involved in PD processing;
- Measure taken by competent state management agencies in accordance with Decree 13/2023 and relevant laws;
- Investigative and procedural measure taken by competent State agencies; and
- Other measures as prescribed by law.
PD protection measures will be applied depending on whether the PD is of a basic or sensitive nature. A national portal on PD protection will be established; in addition to providing information on the legal regulations on PD, the portal will also receive reports of violations of the regulations on PD protection.
3. PD can only be used for marketing and advertising with the customer consent
According to Article 21 of Decree 13/2023, organisations and individuals providing marketing and advertising services are only allowed to use PD of customers that they collect through their business activities to provide marketing and advertising services after the data subject’s consent has been obtained. At the same time, the processing of customers’ PD to provide marketing and advertising services must also be conducted with the customer’s consent on the basis that the customer knows the content, method, form and frequency of product advertising.
4. It is illegal to collect, transfer, buy and sell PD without the consent of the data subject
Articles 3.4 and 22.2 of Decree 13/2023 do not allow organisations and individuals to buy and sell PD in any form. Therefore, it is illegal to set up software systems, technical measures or organise activities to collect, transfer, buy and sell PD without the consent of the data subject. Depending on the severity of the violation of PD protection, agencies, organisations and individuals may be subject to disciplinary actions, administrative or criminal sanctions in accordance with law.
5. Transferring PD abroad
PD of Vietnamese citizens can only be transferred abroad with the written consent of the data subject, on the basis that the data subject clearly knows how to provide feedback and lodge complaints in case of incidents or claims. At the same time, there must be a document reflecting the responsibility of, and binding on, the organisations and individuals who transfer and receive the PD of Vietnamese citizens.
In order to transfer PD abroad, the data transfer party (including the PD Controller, the PD Controller and Processor, the PD Processor and Third Parties) must prepare a document evaluating the impact of transferring PD abroad as required by law and send it to the Ministry of Public Security (Division of Cyber Security and High-Tech Crime Prevention and Control) within 60 days of processing the PD. If the data transfer party is requested to update or supplement the dossier, it must do so within 10 days of the request.
After PD are transferred successfully, the data transfer party must notify the Ministry of Public Security in writing of the data transfer and contact details of the organisation or individual in charge.
Decree 13/2023 will take effect from 01 July 2023.