The protection of personal data is becoming one of the top priorities as Vietnam further integrates into the digital economy. Although the legal framework for personal data protection is still being developed, it has made significant progress in ensuring privacy and information security and enhancing the responsibility of organizations and individuals involved in data collection and processing. This article provides an overview of the current legal provisions related to personal data protection in relevant legislation, such as the 2006 Law on Information Technology, the 2015 Civil Code, the 2018 Law on Cybersecurity, Decree No. 13/2023/ND-CP, and the 2023 Law on Consumer Protection.
1. Law on Information Technology 2006
Article 21 of the Law on Information Technology 2006 regulates the collection, processing, and use of “personal information” in the online environment. Specifically, the collection, processing, and use of personal information must be based on the consent of the person whose information is collected, processed, or used, except as otherwise provided by law. The organization or individual collecting, processing, or using the information must notify the data subject of the purpose, scope, and duration of information use, and must implement security measures for the collected, processed, and used personal information. In certain cases, such as contract performance, fee calculation, or legal obligations, the consent of the person whose information is collected, processed, or used may not be required.
The provision in Article 21 of the Law on Information Technology 2006 marks the first time personal information protection was regulated in Vietnamese law, serving as a crucial foundation for the development of future regulations on personal data protection.
2. Civil Code 2015
The term “personal data” is not explicitly defined in the Civil Code 2015. However, the Civil Code 2015 addresses the protection of “private life, personal secrets, and family secrets” under Article 38, which provides as follows:
Article 38. Right to Private Life, Personal Secrets, and Family Secrets
- Private life, personal secrets, and family secrets are inviolable and protected by law.
- The collection, retention, use, and disclosure of information relating to private life and personal secrets must be consented to by the individual concerned. The collection, retention, use, and disclosure of information relating to family secrets must be consented to by all family members, except as otherwise provided by law.
- Correspondence, telephone conversations, telegrams, electronic data, and other private communications of individuals are protected and kept confidential.
- The parties to a contract must not disclose information about the private life, personal secrets, and family secrets of each other that they have learned during the process of establishing and executing the contract, unless otherwise agreed.
The Civil Code 2015 establishes that “private life,” “personal secrets,” and “family secrets” are inviolable and protected by law. Similar to the approach in Article 21 of the Law on Information Technology 2006, the collection, use, and disclosure of private information require the consent of the individual or family members involved, unless otherwise provided by law. Certain forms of private information, such as correspondence and telephone conversations, are protected, and any control or seizure of this information must comply with legal requirements. In the context of contract performance, the Civil Code prohibits the disclosure of private information between contracting parties unless otherwise agreed.
3. Cybersecurity Law 2018
The Law on Cybersecurity 2018 provides more detailed regulations on the protection of “personal secrets,” “family secrets,” and “private life” in cyberspace under Article 17. Issues related to “personal data” are addressed in Article 26.3, and “user information data” is regulated under Article 41 of this law.
Specifically, Article 17 of the Law on Cybersecurity 2018 requires organizations, individuals, and enterprises to protect confidential information (state secrets, personal secrets, family secrets) and personal data in cyberspace. The unauthorized seizure, disclosure, alteration, or deletion of information is prohibited and subject to legal sanctions. In addition, telecommunications and internet service providers in Vietnam are required by Article 26.3 to store personal data and user information in Vietnam for a duration specified by the government. These providers are also responsible for implementing technical measures to ensure the security of personal data during collection and processing. In the event of a data breach or potential data loss, service providers must promptly notify users and report the incident to the authorities as required by Article 41.3.c of the Law on Cybersecurity 2018.
Overall, the provisions related to “personal data protection” through the safeguarding of “personal secrets,” “family secrets,” and “private life” in the Law on Cybersecurity 2018 establish an important legal framework for addressing violations of personal, family, and private information in cyberspace.
4. Decree 13/2023/ND-CP
Decree No. 13/2023/ND-CP on the protection of personal data, issued on April 17, 2023, and effective from July 1, 2023, is the first legal document in Vietnam to directly regulate the protection of “personal data.” According to Article 2.1 of Decree No. 13/2023/ND-CP, personal data is defined as information in the form of symbols, letters, numbers, images, sounds, or other similar formats in an electronic environment associated with a specific individual or that can identify a specific individual. Personal data includes both basic and sensitive personal data. The processing of personal data requires the consent of the data subject, except in certain special cases, such as the protection of life, health, or national security (Article 3.2 and Article 17). Data subjects have important rights, including the right to know, the right to access, correct, and delete data, and the right to withdraw consent (Article 9). The collection and processing of personal data must comply with security measures and be used only for registered purposes (Article 3.6). Regarding the responsibilities of data controllers and processors, the decree mandates the implementation of safety and security measures and requires timely notification to the authorities in the event of a violation (Articles 38 and 39). Cross-border data transfers are subject to impact assessments and must comply with strict procedures (Article 25). Violations will be subject to legal penalties, ranging from administrative sanctions to criminal prosecution (Article 4).
In summary, Decree No. 13/2023/ND-CP marks a significant step forward in personal data protection in Vietnam. It clearly defines the rights of data subjects, such as the rights to access and correct data, withdraw consent, and request data deletion, while also detailing violations, including the unauthorized collection or sale of data. The decree also strengthens the responsibilities of data controllers and processors, requiring the implementation of stringent security measures and timely reporting of breaches.
5. Law on Consumer Protection 2023
Article 3.3 of the 2023 Law on Consumer Protection defines consumer information as including personal data, information related to the purchase and use of products, goods, and services by consumers, and other information related to transactions between consumers and business organizations or individuals.
Regarding prohibited acts in the protection of consumer rights, Article 10.1.m of the 2023 Law on Consumer Protection prohibits business organizations and individuals from collecting, storing, using, modifying, updating, or deleting consumer information in violation of the law. In addition, the 2023 Law on Consumer Protection provides detailed regulations on protecting consumer information in Article 15. Specifically, economic organizations and individuals have the right to collect, store, use, modify, and delete consumer information within their scope of operations, either directly or through authorized third parties. The processing of consumer information must ensure safety and security. Consumers must be fully informed when activities such as collecting, storing, and using information occur, including the purpose, scope, duration of use, and the security measures in place to protect the information.
Overall, these regulations in the 2023 Law on Consumer Protection are closely aligned with the regulations on personal data processing in Decree No. 13/2023/ND-CP, contributing to consistency and facilitating the application of laws related to consumer information.
Conclusion
Vietnamese law on personal data protection, particularly Decree No. 13/2023/ND-CP, has established an important legal framework to protect privacy and ensure the accountability of relevant parties in data processing. These regulations not only protect personal information but also contribute to building a secure and transparent digital environment in the context of Vietnam’s growing digital economy.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Intellectual Property Rights. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.