The Rights of Personal Data Subjects Under Vietnamese Law

In the digital era, personal data is considered an invaluable asset for every individual and a critical resource for economic development. However, this comes with inherent risks to information security and privacy. The introduction of the Law on Personal Data Protection No. 91/2025/QH15 marks a significant legal milestone, establishing a comprehensive legal framework to balance development interests with citizens' right to data protection, effectively ending the illicit trade and use of personal data.

I. The Rights of a Personal Data Subject

The rights of a personal data subject are stipulated in Clause 1, Article 4 of the Law on Personal Data Protection No. 91/2025/QH15 (hereinafter referred to as "LPDP"). Accordingly, the rights of a data subject include:

a) The right to be informed about their personal data processing activities.

b) The right to consent or withhold consent, and to request the withdrawal of consent for personal data processing.

c) The right to access, review, and request the rectification of their personal data.

d) The right to request the provision, erasure, or restriction of the processing of their personal data; and to object to data processing.

e) The right to file complaints, denunciations, and lawsuits, and to claim damages in accordance with the law.

f) The right to request competent authorities or relevant organizations and individuals involved in data processing to implement measures and solutions to protect their personal data as prescribed by law.

II. Consent of the Data Subject

As stipulated in Article 9 of the LPDP, the consent of the data subject is defined as follows:

1. The consent of a data subject is the data subject's permission for the processing of their personal data, except where otherwise provided by law.

2. The consent of a data subject is valid only when it is given voluntarily and when the data subject is clearly informed of the following:

a) The type of personal data to be processed and the purpose of the processing.

b) The Data Controller or the Combined Data Controller and Processor.

c) The rights and obligations of the data subject.

3. The consent of a data subject must be expressed in a clear, specific format that can be printed or copied in writing, including in electronic or other verifiable forms.

4. The consent of a data subject must adhere to the following principles:

a) Consent must be given for each specific purpose.

b) Consent cannot be bundled with mandatory conditions for other purposes not agreed upon.

c) Consent is valid until the data subject withdraws it or as otherwise provided by law.

d) Silence or non-response shall not be considered as consent.

Thus, based on the above provisions, personal data processing activities may only be carried out after obtaining the data subject's consent. This consent must be expressed clearly in a verifiable format, whether written, electronic, or otherwise. Silence or a lack of response is not deemed valid consent.

III. Withdrawal of Consent and Restriction of Processing

1. A data subject has the right to request the withdrawal of their consent for personal data processing and to request the restriction of processing when there are doubts about the scope, purpose, or accuracy of the data, except for cases specified in Article 19 of this Law or as otherwise provided by law.

2. A request to withdraw consent or restrict processing must be made in writing, including in electronic or other verifiable forms, and sent to the Data Controller or the Combined Data Controller and Processor. Such requests shall be processed in accordance with the law and any agreement between the parties.

3. The Data Controller or the Combined Data Controller and Processor must receive, process, and instruct the Data Processor to fulfill the request to withdraw consent or restrict processing within the timeframe prescribed by law.

4. The withdrawal of consent or restriction of processing does not apply retroactively to data processing activities that occurred before the request was made.

In summary, this regulation empowers data subjects to control their information by withdrawing consent or restricting processing when the purpose or accuracy is in question. The request must be in a verifiable written format. Upon receipt, the data controller is obligated to comply and ensure related parties also adhere. However, it is crucial to note that withdrawing consent is not retroactive and only applies to processing activities that occur after the request is made. These provisions serve as a legal tool for individuals to protect their privacy while imposing a duty on businesses to establish transparent and lawful data processing procedures.

IV. Collection, Analysis, and Aggregation of Personal Data

1. Personal data must be collected with the prior consent of the data subject, except where otherwise provided by law.

2. Competent Party and State agencies are permitted to analyze and aggregate personal data from self-collected sources or from shared, provided, transferred, or exploited data sources to serve leadership, direction, state management, and socio-economic development in accordance with the law.

3. Organizations and individuals not specified in Clause 2 of this Article may analyze and aggregate personal data only from sources they are legally permitted to process.

As stipulated in Article 11 of the LPDP, the collection of personal data is founded on the core principle of prior consent, with limited exceptions. Party and State agencies have the authority to analyze and aggregate data from various sources for governance and socio-economic development. Other organizations and individuals are also allowed to analyze data, but are strictly limited to legally permissible data sources.

V. Encryption and Decryption of Personal Data

1. Encryption of personal data is the process of converting personal data into a form that cannot be identified without decryption; encrypted personal data remains personal data.

2. Personal data classified as state secrets must be encrypted and decrypted in accordance with the law on the protection of state secrets and the law on cryptography.

3. Organizations and individuals shall decide on the encryption and decryption of personal data in a manner suitable for their data processing activities.

In essence, while encryption is a technical security measure, it is important to note that encrypted data is still considered personal data and must comply with protection regulations. The law mandates encryption for personal data classified as state secrets under specific standards. For other types of data, the decision to apply encryption is discretionary, left to the organization based on risk assessment. These provisions create a flexible security mechanism, requiring the highest level of protection for critical data while granting organizations the autonomy to apply appropriate measures.

VI. Rectification of Personal Data

The rectification of personal data is regulated in Article 13 of the LPDP as follows:

1. A data subject may personally rectify their personal data for certain types of data as agreed with the Data Controller or the Combined Data Controller and Processor, or request them to rectify their personal data.

2. The Data Controller or the Combined Data Controller and Processor shall rectify the personal data upon the data subject's request or as required by law; and shall request the Data Processor and any third parties to rectify the data subject's personal data.

3. The rectification of personal data must ensure its accuracy. If rectification is not possible for a legitimate reason, the Data Controller or the Combined Data Controller and Processor must notify the requesting party.

Data subjects have the right to request the data controller to correct their personal information or to do so themselves if previously agreed. Upon receiving a valid request, the controller is obligated to perform the rectification and ensure that any relevant third parties also update the information. The core objective is to ensure accuracy. If correction is not possible for a valid reason, the controller must inform the requester. These regulations establish a comprehensive mechanism that empowers individuals to control the accuracy of their information while binding organizations to maintain reliable data systems.

VII. Erasure, Destruction, and Anonymization of Personal Data

1. The erasure or destruction of personal data shall be carried out in the following cases:

a) The data subject requests it and accepts the potential risks and damages. The request must comply with the principles in Clause 3, Article 4 of the LPDP.

b) The purpose of the data processing has been fulfilled.

c) The storage period prescribed by law has expired.

d) It is required by a decision of a competent state authority.

e) As agreed by the parties.

f) In other cases as provided by law.

2. A request for erasure or destruction shall not be granted in cases specified in Article 19 of this Law or if it violates the principles in Clause 3, Article 4 of this Law.

3. The Data Controller or the Combined Data Controller and Processor shall erase or destroy personal data in the cases specified in Clause 1 of this Article, or request the Data Processor and third parties to do so. The process must be conducted using secure measures that prevent unauthorized intrusion and recovery of the deleted data.

4. Organizations and individuals are prohibited from intentionally and unlawfully recovering erased or destroyed personal data.

5. The Data Controller, the Combined Data Controller and Processor, and the Data Processor are responsible for complying with this Law. If erasure is not possible for a legitimate reason after receiving a request, they must notify the data subject.

6. The anonymization of personal data is regulated as follows:

a) The organization or individual performing anonymization is responsible for strictly controlling and supervising the process, and for preventing unauthorized access, copying, appropriation, disclosure, or loss during anonymization.

b) Re-identification of anonymized data is prohibited, except where otherwise provided by law.

c) The anonymization of personal data must comply with this Law and other relevant laws.

The law mandates that personal data be erased or destroyed in various scenarios, such as upon a data subject's request, upon completion of the processing purpose, expiration of the retention period, or by order of a state authority. The data controller is obligated to perform the erasure securely and completely. However, the right to request erasure is not absolute and may be denied for legitimate legal reasons. These regulations emphasize the permanence of erasure and anonymization, strictly prohibiting any attempt to unlawfully recover deleted data or re-identify anonymized data. In summary, these provisions create a complete data lifecycle, ensuring that personal information is stored only when necessary and permanently removed when it no longer serves a lawful purpose.

VIII. Provision of Personal Data

1. A data subject provides their personal data to organizations and individuals in accordance with the law or by agreement.

2. The Data Controller or the Combined Data Controller and Processor shall provide personal data in the following cases:

a) To the data subject upon their request, in compliance with the law and any agreements, unless such provision could harm national defense, national security, social order and safety, or infringe upon the life, health, or property of others.

b) To other organizations or individuals with the consent of the data subject, except where otherwise provided by law.

This regulation establishes that the initial provision of personal data originates from the data subject, based on legal requirements or voluntary agreements. Once collected, individuals have the right to access and receive their own data. For the provision of data to any third party, the core principle is to obtain the explicit consent of the data subject, unless the law specifies otherwise. Overall, these provisions grant control to the data subject, affirming that they are the initial decision-maker, have the right to access, and are the final authority in sharing their personal information.

IX. Public Disclosure and Transfer of Personal Data

The law strictly regulates two sensitive data processing activities: public disclosure and transfer, requiring a clear purpose and legal basis. Public disclosure of data is only permitted with consent or by law and must ensure accuracy without causing harm to the data subject. Forms of public disclosure include posting data on websites, information portals, mass media, and other forms as prescribed by law.

Similarly, transferring data to another party requires consent or must occur in specific contexts such as internal processing, corporate restructuring, or at the request of a state authority. A key legal point clarified is that these lawful transfers, whether for a fee or not, are not considered the buying or selling of personal data. Finally, in both scenarios, the organization performing the disclosure or transfer is responsible for strict oversight to ensure the data is protected and used for its intended purpose.

X. Conclusion

From the analysis above, it is clear that the Law on Personal Data Protection has firmly established the rights of individuals and the obligations of organizations in all data-related activities. From requiring consent for collection and purpose-limitation for processing to granting rights of access, rectification, and erasure, the Law empowers every citizen to control their own information. This is a significant legal advancement, harmonizing the legitimate protection of privacy with the promotion of socio-economic development in the digital age. Strict compliance with these regulations is a shared responsibility of all of society to move towards a secure and trustworthy digital future.

The information contained in this article is general and intended only to provide information on legal regulations. DB Legal will not be responsible for any use or application of this information for any business purpose. For in-depth advice on specific cases, please contact us.

For more information: 

📞: +84 357 466 579

📧: contact@dblegal.vn

Contact us

Add 1: 3rd Floor, Indochina Riverside Tower, 81 Tran Phu Street, Hai Chau Ward, Danang City, Vietnam

Add 2: 28 Thanh Luong 20, Hoa Xuan Ward, Danang City, Vietnam

Hotline 2: (+84) 985 271 242

Phone: (+84) 236.366.4674