New regulations on personal data protection in Vietnam
On 17 April 2023, the Government issued Decree No. 13/2023/ND-CP on Personal Data Protection ("Decree 13"), which took effect on 01 July 2023. Decree 13 sets out more detailed data protection and cybersecurity obligations for personal data processing activities. Micro-enterprises, small enterprises, medium-sized enterprises and startups may opt for an exemption from the requirement to appoint personnel and a department responsible for personal data protection for the first two years from their date of establishment.
Table of contents:
- Who needs to comply?
- What is general personal data?
- What is sensitive personal data?
- Rules for the Protection of Personal Data
- Data subject’s rights
- Responsibility of Personal Data Controllers
- Responsibility of Personal Data Processors
- Responsibility of Personal Data Controller-cum-Processors
- Responsibility of the Third Party
- Transferring personal data outside Vietnam
Who needs to comply?
This Decree applies to:
a) Vietnamese agencies, organizations, and individuals;
b) Foreign authorities, entities, and individuals in Vietnam;
c) Vietnamese agencies, organizations, and individuals that operate in foreign countries;
d) Foreign agencies, organizations, and individuals that directly process or are involved in processing personal data in Vietnam.
What is general personal data?
General personal data includes:
a) Last name, middle name and first name; other names (if any);
b) Date of birth; date of death or of going missing;
c) Gender;
d) Place of birth; registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;
dd) Nationality;
e) Personal image;
g) Phone number; ID card number; personal identification number; passport number; driver's licence number; licence plate number; taxpayer identification number; social security number; health insurance card number;
h) Marital status;
i) Information about the individual's family relationships (parents, children);
k) Digital account information; personal data that reflects activities and activity history in cyberspace;
l) Other information associated with a specific individual or used to identify an individual, other than the sensitive personal data listed in the next section (Clause 4, Article 2 of Decree 13).
What is sensitive personal data?
Sensitive personal data is personal data associated with an individual's privacy which, if infringed, directly affects the individual's lawful rights and interests. It includes:
a) Political and religious opinions;
b) Health condition and personal information stated in the health record, excluding information on blood group;
c) Information about racial or ethnic origin;
d) Information about genetic data related to an individual's inherited or acquired genetic characteristics;
dd) Information about an individual’s own biometric or biological characteristics;
e) Information about an individual's sex life or sexual orientation;
g) Data on crimes and criminal activities collected and stored by law enforcement agencies;
h) Information on customers of credit institutions, foreign bank branches, payment intermediary service providers and other licensed institutions, including customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, and the organizations and individuals acting as guarantors at those credit institutions, bank branches and payment service providers;
i) Personal location identified via location services;
k) Other specific personal data as prescribed by law that requires special protection.
Rules for the Protection of Personal Data
1. Personal data shall be processed in accordance with the law.
2. The data subject is entitled to receive information about the processing of his/her personal data, unless otherwise provided by law.
3. Personal data shall be processed only for the purposes registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor and the Third Party.
4. The personal data collected shall be appropriate to the scope and purposes of processing. The purchase or sale of personal data in any form is prohibited unless otherwise provided by law.
5. Personal data shall be kept updated and supplemented as required for the processing purposes.
6. Personal data shall be protected and secured throughout the processing: it shall be protected against violations of the personal data protection regulations and, by means of technical measures, against loss, destruction or damage caused by incidents.
7. Personal data shall be stored only for a period appropriate to the processing purposes, unless otherwise provided by law.
8. The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the processing rules in Clauses 1 through 7 above (Article 3 of Decree 13) and must be able to demonstrate that compliance.
Data subject’s rights
1. Right to be informed
2. Right to give consent
3. Right to access personal data
4. Right to withdraw consent
5. Right to delete personal data
6. Right to obtain restriction on processing
7. Right to obtain personal data
8. Right to object to processing
9. Right to file complaints, denunciations and lawsuits
10. Right to claim damage
11. Right to self-protection
Identifying roles in processing personal data
Responsibility of Personal Data Controllers
1. Implement organizational and technical measures, and appropriate safety and security measures, to demonstrate that personal data is processed in accordance with the law on personal data protection, and review and update these measures when necessary.
2. Record and store logs of the processing of personal data.
3. Notify violations of the personal data protection regulations as prescribed in Article 23 of Decree 13.
4. Select a Personal Data Processor appropriate to the specific tasks, and work only with Personal Data Processors that have appropriate personal data protection measures in place.
5. Protect the rights of data subjects as prescribed in Article 9 of Decree 13.
6. Be liable to the data subject for damage caused by the processing of personal data.
7. Cooperate with the Ministry of Public Security and competent authorities in protecting personal data and providing information serving investigation and handling of violations against the law on protection of personal data.
Responsibility of Personal Data Processors
1. Receive personal data only after concluding a contract or agreement on personal data processing with the Personal Data Controller.
2. Process personal data in accordance with the contract or agreement concluded with the Personal Data Controller.
3. Fully implement the personal data protection measures specified in Decree 13 and other relevant legal documents.
4. Be liable to the data subject for damage caused by the processing of personal data.
5. Delete or return all personal data to the Personal Data Controller once the processing is complete.
6. Cooperate with the Ministry of Public Security and competent authorities in protecting personal data and providing information serving investigation and handling of violations against the law on protection of personal data.
Responsibility of Personal Data Controller-cum-Processors
Comply with all regulations on the responsibilities of both the Personal Data Controller and the Personal Data Processor.
Responsibility of the Third Party
Comply with all regulations on responsibilities for processing personal data set out in Decree 13.
Transferring personal data outside Vietnam
A Vietnamese citizen's personal data may be transferred abroad where the Sender prepares a dossier assessing the impact of the outbound transfer of personal data and carries out the procedures specified in Clauses 3, 4 and 5 of Article 25 of Decree 13. Senders include the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party.
The dossier assessing the impact of the outbound transfer of personal data includes:
a) Contact information and details of the Sender and the Receiver;
b) Full name and contact details of the organization or individual under the Sender involved in sending and receiving the Vietnamese citizen's personal data;
c) Description and explanation of the purposes of processing the Vietnamese citizen's personal data after it has been transferred abroad;
d) Description and clarification of the types of personal data to be transferred abroad;
dd) Description and explanation of compliance with the personal data protection regulations of Decree 13, including the detailed personal data protection measures applied;
e) Assessment of the impact of the personal data processing, the undesirable consequences and damage that may occur, and the measures for reducing or eliminating such consequences and damage;
g) Consent of the data subject in accordance with Article 11 of Decree 13, given after he/she has been informed of the mechanism for feedback and complaints in case problems or requests arise;
h) A document setting out the obligations and responsibilities of the Sender and the Receiver for processing the Vietnamese citizen's personal data.