In an age where digital technology and electronic transactions dominate, our information, images and personal data are more likely than ever to be used and exploited for purposes that are inconsistent with our needs, leading to serious consequences. Therefore, the protection of personal data should be treated as a high priority. However, Vietnam does not have a clear and specialized legal mechanism for personal data protection.

After a long wait, the Government recently issued Decree 13/2023/ND-CP on personal data protection ("Decree 13") for the first time. Mirroring the EU's General Data Protection Regulation in several respects, Decree 13 imposes various requirements on all organizations and individuals engaging in and/or related to personal data processing activities in Vietnam.

Decree 13 proposes numerous strict regulations to protect the rights of personal data owners, specifically as follows:

1. All acts of processing personal data require the consent of the data owner

Under Decree 13, the consent of the personal data owner must be clearly and specifically expressed in writing, verbally, by ticking a consent box, by a consent syntax sent via message, by selecting consent technical settings, or through another action that demonstrates consent. In addition, where personal data is processed for multiple purposes, the purposes must be listed separately and the data owner shall have the right to choose or agree to each of them.

Decree 13 states that "The silence or non-response of the data owner shall not be considered consent".

2. The personal data processor is responsible for proving the consent of the personal data owner in case of dispute

This principle ensures the responsibility of the personal data processor, limiting the arbitrary use and exploitation of personal data.

3. Notification to the data owner is required before processing the personal data

The notification must be presented in a format that can be printed or reproduced in writing, including in electronic or verifiable format.

4. The Ministry of Public Security (Department of Cyber Security and High-tech Crime Prevention) shall be the unit receiving information on legal violations on protection of personal data

The Department of Cyber Security and High-tech Crime Prevention of the Ministry of Public Security is a specialized agency for personal data protection.

Organizations and individuals may notify specialized agencies in charge of personal data protection in the following cases:

  • Detecting legal violations on personal data protection;
  • Personal data is processed for inappropriate purposes, not in accordance with the original agreement or inconsistent with the provisions of law;
  • Failure to guarantee the rights of data owners;
  • Other cases as prescribed by law.

5. Organizations and individuals controlling personal data must apply strict protection measures corresponding to each type of personal data

Personal data is classified into basic personal data and sensitive personal data, with different levels of management and protection. For sensitive personal data, in addition to the protection measures for basic personal data, the following requirements must also be fulfilled:

  • Appointing the department and personnel in charge of personal data protection, and exchanging information about the department and personnel in charge of personal data protection with the competent agency;
  • Notifying the data owner of the sensitive personal data processing.

6. Processing personal data in some specific cases

  • Personal data of persons declared missing or dead shall not be processed without the consent of the relatives: Under Decree 13, the processing of personal data of these people requires the consent of their spouse or adult children or, in the absence of these persons, the consent of the father or mother. If none of the aforementioned persons exists, consent shall be considered not to have been given.
  • Personal data of children aged 7 years and older shall only be processed upon their own consent and the consent of their parent or guardian. The data processor must verify the age of the child before processing.
  • Organizations or individuals providing marketing services and introducing advertising products shall only use and process personal data upon the agreement of the customers on the basis of a clear understanding of the contents and methods of product introduction. At the same time, business organizations and individuals must be responsible for proving their compliance with the above regulations.

Decree 13 takes effect from July 1, 2023. Micro, small, medium and start-up enterprises are entitled to opt out of the regulations on the appointment of individuals and departments in charge of personal data protection for the first 02 years from the establishment date.


