On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on the Protection of Personal Data (“PDPD”).
Coming into force on July 1, 2023, the Decree provides for a more comprehensive and protective framework regulating the processing of personal data of organizations and individuals.
What is meant by personal data and the processing of such data?
Personal data includes all types of information in the form of symbols, letters, numbers, images, sounds or the like on an associated electronic medium that relates to an individual and makes it possible to identify and distinguish them, directly or indirectly, from a group of people. It can be identity characteristics, whether physical, social, or economic, but also information that could be considered common, such as a name, date of birth, photo, or e-mail address.
Some of that information can be highly sensitive, such as information revealing political opinions, racial and ethnic origins, or religious beliefs.
Personal data protection means activities to prevent, detect, and handle violations related to personal data in accordance with the law.
The processing of such data refers to one or more activities such as the collection, recording, analysis, confirmation, storage, correction, disclosure, combination, sharing, recovery, sorting, consultation, dissemination, deletion, or destruction of information, or other related activities.
In recent years, new computer tools, such as social media or cloud computing, and more recently Artificial Intelligence (AI), have made the processing of personal data even more frequent. It is now part of our day-to-day life, as we can see with cookies, those small text files that are present whenever you enter a website and that require you to accept the collection of your data.
Why is the protection and regulation of personal data essential?
The protection of personal data stands as a safeguard for ensuring that individuals’ rights and freedoms are not being violated. It helps reduce the risks of wrongful use of personal data such as identity theft or manipulation through such data.
As personal data are used by companies for targeted marketing strategies, ensuring their protection is key for fair commerce.
Regulation on personal data processing is essential. Hence, the promulgation of the Decree on Personal Data Protection is a much-welcome new legal instrument.
What are the key contributions of the Decree?
The Decree sets out several principles and rights constituting the milestone for the effective protection of personal data.
The personal data collected must be accurate and not excessive in relation to the purpose of its processing, and that purpose must also be limited. The data must be collected in a lawful manner and be subject to a certain level of security.
The rights given to individuals through this Decree appear similar to those in the EU’s General Data Protection Regulation (GDPR). They include the right to access their personal data, the right to object to data processing under certain circumstances, the right to consent and to withdraw consent, and the right to delete data.
The Decree enacted rules and requirements on the processing of data from specific individuals such as missing or deceased persons and children.
Organizations and individuals involved in the processing of data are usually referred to as data controllers. The Decree puts liability on those data controllers for the protection of the personal data they are processing.
As such, they will now be required to put in place protective measures for personal data, such as data protection impact assessments. These make it possible to determine the level of risk a project poses to individuals, for example, if the processing involves sensitive data. It might also be required to assign a data protection officer in specific cases, such as those involving the processing of sensitive personal data.
In principle, the Decree provides that, in order for personal data to be collected, its processing must have the consent of the person concerned. However, it is important to highlight that, under some circumstances, the processing of personal data can be carried out without consent. This will be the case, for example, when the processing is necessary to protect the life and health of the person concerned, when the disclosure of personal data is in accordance with the law, or in the event of a state of emergency on national defense.
The new Decree will also require data controllers to satisfy certain requirements when transferring personal data cross-border.
It appears evident that this Decree will have a strong impact on business operations in Vietnam, as companies will need to align with those requirements and set up their compliance strategy.
This article is based on the applicable law at the time noted above and may no longer be appropriate when the reader consults it, because the applicable law may have changed or because of the specific case to which the reader wishes to apply it. Therefore, the article is for reference only.