New regulations on personal data protection in Vietnam

July 16, 2023 | Legal Updates

On 17 April 2023, the Government issued Decree No. 13/2023/ND-CP on Personal Data Protection (“Decree 13”), which took effect on 01 July 2023. Decree 13 provides more detailed data protection and cybersecurity obligations regarding personal data processing activities. Micro-enterprises, small enterprises, medium-sized enterprises, and startup companies have the right to opt for exemption from regulations on the appointment of individuals and departments responsible for the protection of personal data for the first 2 years from the date of establishment.

Who needs to comply?

This Decree applies to:

a) Vietnamese agencies, organizations, and individuals;

b) Foreign authorities, entities, and individuals in Vietnam;

c) Vietnamese agencies, organizations, and individuals that operate in foreign countries;

d) Foreign agencies, organizations, and individuals that directly process or are involved in processing personal data in Vietnam.

What is general personal data?

General personal data includes:

a) Last name, middle name, and first name, other names (if any);

b) Date of birth; date of death or going missing;

c) Gender;

d) Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;

dd) Nationality;

e) Personal image;

g) Phone number; ID Card number; personal identification number, passport number; driver’s license number; license plate, taxpayer identification number; social security number and health insurance card number;

h) Marital status;

i) Information about the individual’s family relationship (parents, children);

k) Digital account information; personal data that reflects activities and activity history in cyberspace;

l) Information associated with an individual or used to identify an individual other than that specified in Clause 4 of this Article.

What is sensitive personal data?

“Sensitive personal data” refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual's legal rights and interests, including:

a) Political and religious opinions;

b) Health condition and personal information stated in the health record, excluding information on blood group;

c) Information about racial or ethnic origin;

d) Information about genetic data related to an individual's inherited or acquired genetic characteristics;

dd) Information about an individual’s own biometric or biological characteristics;

e) Information about an individual’s sex life or sexual orientation;

g) Data on crimes and criminal activities collected and stored by law enforcement agencies;

h) Information on customers of credit institutions, foreign bank branches, payment service providers, and other licensed institutions, including customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;

i) Personal location identified via location services;

k) Other specific personal data as prescribed by law that requires special protection.

Rules for the Protection of Personal Data

1. The personal data shall be processed as prescribed by law.

2. The data subject shall be entitled to receive information related to processing his/her personal data unless otherwise provided for by law.

3. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor, and the Third Party.

4. The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form unless otherwise provided for by law.

5. The personal data shall be updated and added for processing purposes.

6. The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations against regulations on the protection of personal data and prevention of loss, destruction, or damage caused by incidents and the use of technical measures.

7. The personal data shall be stored within a period of time that is appropriate for processing purposes unless otherwise provided for by law.

8. The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the rules for data processing specified in Clauses 1 through 7 of this Article and prove their compliance.

Data subject’s rights

1. Right to be informed

2. Right to give consent

3. Right to access personal data

4. Right to withdraw consent

5. Right to delete personal data

6. Right to obtain restriction on processing

7. Right to obtain personal data

8. Right to object to processing

9. Right to file complaints, denunciations and lawsuits

10. Right to claim damage

11. Right to self-protection

Identifying roles in processing personal data

Responsibility of Personal Data Controllers

1. Implement organizational and technical measures and appropriate safety and security measures to prove that the personal data is processed in accordance with regulations of the law on protection of personal data, review and update these measures when necessary.

2. Record and store a log of the processing of personal data.

3. Notify violations against regulations on protection of personal data according to regulations in Article 23 of this Decree.

4. Select an appropriate Personal Data Processor with specific tasks and only work with the Personal Data Processor that has appropriate measures for protecting personal data.

5. Protect the rights of data subjects according to regulations in Article 9 of this Decree.

6. Be responsible to the data subject for damage caused by the processing of personal data.

7. Cooperate with the Ministry of Public Security and competent authorities in protecting personal data and providing information serving investigation and handling of violations against the law on protection of personal data.

Responsibility of Personal Data Processors

1. Only receive personal data after having a contract or agreement on the processing of personal data with the Personal Data Controller.

2. Process personal data under the contract or agreement concluded with the Personal Data Controller.

3. Fully implement measures for protecting personal data specified in this Decree and other relevant legal documents.

4. Be responsible to the data subject for damage caused by the processing of personal data.

5. Delete or return all personal data to the Personal Data Controller after completing the processing.

6. Cooperate with the Ministry of Public Security and competent authorities in protecting personal data and providing information serving investigation and handling of violations against the law on protection of personal data.

Responsibility of Personal Data Controller-cum-Processors

Comply with all regulations on responsibilities of the Personal Data Controller and the Personal Data Processor.

Responsibility of the Third Party

Comply with all regulations on responsibilities for processing personal data according to regulations in this Decree.

Transferring personal data outside Vietnam

A Vietnamese citizen’s personal data shall be transferred abroad in the case where the Sender makes a dossier on the assessment of impact of the outbound transfer of personal data and carries out the procedures specified in Clauses 3, 4, and 5 of Decree 13. The senders include the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor, and the Third Party.

A dossier on assessment of impact of the outbound transfer of personal data includes:

a) Contact information and details of the Sender and the Receiver;

b) Full name and contact details of an organization or individual under the Sender involved in sending and receiving a Vietnamese citizen’s personal data;

c) Description and explanation of objectives of the processing of a Vietnamese Citizen’s personal data after the personal data is transferred abroad;

d) Description and clarification of the type of personal data to be transferred abroad;

dd) Description and explanation about the observance of regulations on the protection of personal data in this Decree, detailed measures for protecting personal data;

e) Assessment of the impact of personal data processing, undesirable consequences and damage that may occur, and measures for reducing or removing such consequences and damage;

g) Consent of the data subject according to regulations in Article 11 of this Decree when he/she is informed of the mechanism for feedback and complaint in case of arising problems or requests;

h) Document that shows obligations and responsibilities between the Senders and the Receivers for processing a Vietnamese Citizen’s personal data.


Local Office Numbers:
Hotline/Whatsapp/Zalo: +84 357 466 579
Email: contact@dblegal.vn
