GATTACA LAW FIRM

Trusted Legal Partner

GOVERNMENT ISSUES DECREE ON PROTECTION OF PERSONAL DATA

On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on the protection of personal data (“Decree”), which officially takes effect on July 1, 2023. The Decree has a great influence on many different businesses, agencies and organizations, which need to promptly review and evaluate whether their current personal data security work meets the requirements of the Decree.
 
Regarding the content of the Decree, the following points should be noted:

1. What is Personal Data?

According to the Decree, personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalent forms associated with an individual or used to identify an individual. Personal data includes general personal data and sensitive personal data, specifically:

- General personal data includes last name, middle name, and first name, other names (if any); date of birth; date of death or going missing; gender; place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address; nationality; personal image; phone number; ID card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number, and health insurance card number…

- Sensitive personal data refers to personal data associated with individual privacy which, when infringed, will directly affect an individual's legal rights and interests. Examples include political and religious opinions; health conditions; information about racial or ethnic origin; information about an individual’s sex life or sexual orientation; identified personal location; information on customers of credit institutions, etc.

2. Scope of application

This Decree provides for personal data protection and the responsibilities of relevant agencies, organizations and individuals for protection of personal data, and applies to:

- Vietnamese agencies, organizations and individuals;
- Foreign authorities, entities, and individuals in Vietnam;
- Vietnamese agencies, organizations and individuals that operate in foreign countries;
- Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam, even though they do not operate in Vietnam.

3. Data subject rights

The data subject’s rights are a collection of personal freedoms in respect of data, set out in Article 9 of the Decree, including the right to be informed; right to give consent; right to access personal data; right to withdraw consent; right to delete personal data; right to obtain restriction on processing; right to obtain personal data; right to object to processing; right to file complaints, denunciations, and lawsuits; right to claim damages; and right to self-protection. The rights of data subjects are clearly defined in order to support people's self-protection of personal data, notably the right to claim damages when they believe that their personal data has been compromised.

In addition, individuals have the right to give and withdraw consent to the processing of their personal data by another party, but this right is limited in the cases of personal data processing without the consent of the data subject specified in Article 17 of the Decree, as follows:

- The personal data shall be processed to protect the life and health of the data subject or others in an emergency situation. The Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party shall be responsible for proving such situation;
- Disclosure of personal data in accordance with the law;
- Processing of personal data by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and fight riots and terrorism, crimes and law violations according to the provisions of law;
- The personal data shall be processed to fulfill obligations under contracts of the data subjects with relevant agencies, organizations and individuals as prescribed by law;
- The personal data shall be processed to serve operations by regulatory authorities as prescribed by relevant laws.

4. Personal data processing activities

According to the Decree, personal data processing refers to one or multiple activities that impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.

5. Responsibilities of the parties

The Decree applies to entities and organizations related to personal data, not only referring to data subjects, but also covering data controllers, data processors, and third parties related to data. All parties have the same responsibility to ensure compliance with the law and standardize technology for data processing, data security, and transfer of personal data abroad. Agencies, organizations and individuals that violate regulations on protection of personal data may, depending on the severity, be disciplined, administratively sanctioned or criminally handled according to regulations.

In particular, in order to ensure data security, the Decree stipulates a series of responsibilities that the subject of personal data must perform in activities related to this field, such as requirements on the consent of the data subject, especially in the case of audio and video recording in public places or for the data of deceased or missing persons; responsibility for notification before processing; storing, correcting or deleting personal data; and managing the outbound transfer of personal data.

6. Prohibited acts

- Processing personal data in contravention of regulations of law on protection of personal data.
- Processing personal data in order to provide information and data against regulations of the Socialist Republic of Vietnam.
- Processing personal data in order to provide information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
- Obstructing protection of personal data by competent authorities.
- Taking advantage of protection of personal data to commit violations of law.

7. Personal data protection measures

Personal data protection refers to the act of preventing, detecting and handling violations related to personal data in accordance with the law. The Decree requires the Personal Data Processor to apply safeguards and security measures at the outset and throughout the processing of personal data, including protection against acts that violate regulations on protection of personal data and prevention of loss, destruction or damage due to incidents, using technical measures.

Measures to protect personal data include:
- Management measures adopted by an organization or individual related to processing of personal data;
- Technical measures adopted by an organization or individual related to processing of personal data;
- Measures adopted by a competent authority according to regulations in this Decree and relevant law;
- Investigation and procedure measures adopted by a competent authority;
- Other measures as prescribed by law.

In addition, for each type of data (general or sensitive), a number of other specialized protections are applied.

Above are some notes on the newly issued Decree No. 13/2023/ND-CP on the protection of personal data. This Decree comprehensively recognizes the basic rights of individuals as data subjects, sets technical and legal requirements for enterprises to process and control data of Vietnamese citizens, and creates a legal corridor that contributes to changing the data processing of enterprises in the future.

8. Gattaca Law's services on personal data

(i) Administration work
a. Analyze and assess the appropriateness of the organization's collection of personal data;
b. Draft regulations and procedures for handling personal data;
c. Draft the post-inspection process, controlling the use of personal data;
d. Zoning of personal data processed outside the territory of Vietnam; procedures for transferring personal data of Vietnamese citizens out of Vietnam's territorial borders;
e. Develop a sample contract and related documents during the collection of personal data, including:
+ Develop a text template to inform data subjects about the processing of personal data
+ Process of updating data (in case there are changes)
- Prepare for the implementation of registration of sensitive personal data processing with the Personal Data Protection Commission
f. Other related works.

(ii) Incident management, dispute resolution
a. Analyze risks and evaluate the effectiveness of the security system;
b. Perform security incident resolution, including working with data subjects, relevant agencies, and media agencies; settlement of arising disputes (if any).

(iii) Training work
a. Training on and dissemination of the provisions of the decree on personal data protection and other relevant legal documents;
b. Skills training for staff in implementing and complying with laws and internal regulations regarding personal data, and in handling situations when encountering security problems.

Khanh Linh