1. What information is considered personal data?
In accordance with Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data means information in the form of symbol, script, digit, image, or sound or in a similar form in the electronic environment that is affiliated to a specific person or helps identify a specific person. Personal data includes basic personal data and sensitive personal data.
- In accordance with Clause 3, Article 2 of Decree 13/2023/ND-CP, basic personal data includes:
– Family name, middle name, and first name shown in birth registration certificate, and other names (if any);
– Day, month, and year of birth; day, month, year of death or missing;
– Gender;
– Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, native place, and contact address;
– Citizenship;
– Image;
– Phone number, people’s identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, and health insurance card number;
– Marital status;
– Information on family relationships (parents, children);
– Information on the digital account of the individual; personal data reflecting activities and history of activities of the individual in cyberspace;
– Other information affiliated with a specific person or helping identify a specific person that is not mentioned in Clause 4, Article 2 of Decree 13/2023/ND-CP.
- Sensitive personal data means personal data associated with the privacy of an individual that, once infringed upon, will directly affect the lawful rights and interests of such individual, including:
– Political views and religious views;
– Information on health status and privacy as stated in medical records, excluding information on blood type;
– Information relating to racial origin and ethnic origin;
– Information on inherited or acquired genetic characteristics of the individual;
– Information on physical attributes and biological characteristics of the individual;
– Information on the sex life and sexual orientation of the individual;
– Data on crimes and criminal acts that are collected and stored by law enforcement agencies;
– Customer information of credit institutions, foreign bank branches, intermediary payment service providers, and other licensed organizations, including: know-your-customer information as specified by law, information on accounts, information on deposits, information on deposited assets, information on transactions, and information on securing parties at credit institutions, foreign bank branches, and intermediary payment service providers;
– Data on the individual’s position determined through positioning services;
– Other personal data that are defined by law as specific data and need the application of necessary confidentiality measures.
2. Principles of personal data protection
Article 3 of Decree 13/2023/ND-CP provides for the “Principles of personal data protection” as follows:
“Article 3. Principles of personal data protection
- Personal data shall be processed in accordance with law.
- Data subjects are entitled to be informed of activities related to the processing of their personal data unless otherwise provided for by law.
- Personal data shall be processed only for purposes registered or declared by personal data controllers, personal data processors, personal data controlling and processing parties, or third parties concerning personal data processing.
- Collected personal data must be appropriate and limited to the data processing scope and purposes. Personal data may not be purchased or sold in any form unless otherwise provided for by law.
- Personal data shall be updated and added in conformity with data processing purposes.
- Personal data are eligible for the application of protection and confidentiality measures during data processing, including also protection against violations of regulations on personal data protection and prevention and combat of data loss, destruction, or damage caused by incidents or use of technical measures.
- Personal data may only be stored for a period of time suitable to data processing purposes unless otherwise provided for by law.
- Personal data controllers or personal data controlling and processing parties shall adhere to the data processing principles specified in Clauses 1 through 7 of this Article and prove their adherence to such principles.”
3. Individual rights to their own data
Article 9 of Decree 13/2023/ND-CP provides for the “Rights of data subjects” as follows:
“Article 9. Rights of data subjects
- The right to know
Data subjects are entitled to know information on the processing of their personal data unless otherwise provided for by law.
- The right to consent
Data subjects are entitled to consent or refuse to consent to the processing of their personal data, except in the case specified in Article 17 of this Decree.
- The right to access
Data subjects are entitled to access for viewing, modifying, or requesting modification of their personal data unless otherwise provided for by law.
- The right to withdraw consent
Data subjects are entitled to withdraw their consent unless otherwise provided for by law.
- The right to data deletion
Data subjects are entitled to delete or request the deletion of their personal data unless otherwise provided for by law.
- The right to restriction of data processing
a/ Data subjects are entitled to request restriction of the processing of their personal data unless otherwise provided for by law;
b/ The restriction of data processing shall be imposed within 72 hours after it is requested by a data subject, for all personal data for which the data subject requests processing restriction, unless otherwise provided for by law.
- The right to data provision
Data subjects are entitled to request personal data controllers or personal data controlling and processing parties to provide the former with their personal data unless otherwise provided for by law.
- The right to object to data processing
a/ Data subjects are entitled to object to the processing of their personal data by personal data controllers or personal data controlling and processing parties in order to stop or restrict disclosure of personal data or use of personal data for advertising or marketing purposes unless otherwise provided for by law;
b/ Personal data controllers or personal data controlling and processing parties shall comply with a request of data subjects within 72 hours after receiving such request unless otherwise provided for by law.
- The right to file complaints or denunciations and initiate lawsuits
Data subjects are entitled to file complaints or denunciations or initiate lawsuits in accordance with law.
- The right to claim compensation for damage
Data subjects are entitled to claim compensation for damage in accordance with law upon the occurrence of a violation of regulations on the protection of their personal data unless otherwise agreed upon by the parties or otherwise provided for by law.
- The right to self-protection
Data subjects are entitled to self-protection in accordance with the Civil Code, other relevant laws, and this Decree, or request competent agencies or organizations to take measures to protect their civil rights in accordance with Article 11 of the Civil Code.”
4. Enterprises must obtain consent from individual customers who are data subjects
In accordance with Article 9 of Decree 13/2023/ND-CP, data subjects are entitled to know information on the processing of their personal data, unless otherwise provided for by law. Additionally, the data subject may provide consent or withhold consent for the processing of their personal data, except in cases where consent is not required as specified in Article 17 of this Decree.
Therefore, when an enterprise processes personal data collected from customers, it must obtain consent from the customers to whom that data belongs.
5. Enterprises are required to provide notification of personal data processing
In accordance with Article 13 of Decree 13/2023/ND-CP, the notification of personal data processing is regulated as follows:
“Article 13. Notification of personal data processing
- The notification of personal data processing shall be made once before personal data processing activities are carried out.
- Contents of the notification of personal data processing to a data subject:
a/ Purpose of data processing;
b/ Type of used personal data that are related to the data processing purpose specified at Point a, Clause 2 of this Article;
c/ Method of data processing;
d/ Information on other organizations and individuals related to the data processing purpose specified at Point a, Clause 2 of this Article;
dd/ Possible undesirable consequences and damage;
e/ Times of data processing commencement and completion.
- The notification of personal data processing to data subjects shall be made in a format that can be printed or copied in written form, including in electronic form or verifiable format.
- The personal data controller or personal data controlling and processing party is not required to comply with Clause 1 of this Article in the following cases:
a/ The data subject is explicitly aware of and gives full consent to the contents specified in Clauses 1 and 2 of this Article before permitting the personal data controller or personal data controlling and processing party to collect personal data in accordance with Article 9 of this Decree;
b/ Personal data are processed by competent state agencies for the purpose of serving the operation of state agencies in accordance with law.”
Thus, enterprises must notify the customers concerned when processing their personal data or customer information, as discussed above.
6. Cases of personal data processing without the consent of the data subject
In accordance with Article 17 of Decree 13/2023/ND-CP, the cases of personal data processing without the consent of the data subject are regulated as follows:
“Article 17. Processing of personal data without requiring the consent of data subjects
- In case of emergency, relevant personal data should be immediately processed to protect the life and health of data subjects or others. Personal data controllers, personal data processors, personal data controlling and processing parties, and third parties shall prove this case.
- Disclosure of personal data as prescribed by law.
- Data processing by competent state agencies in the state of emergency of national defense and security, social order and safety, catastrophes or dangerous epidemics; occurrence of a threat to security or national defense which is not serious to the extent of requiring the declaration of a state of emergency, or for preventing and combating riots, terrorism, crimes and violations in accordance with law.
- For the performance of contractual obligations of data subjects toward related agencies, organizations, and individuals in accordance with law.
- To serve the operation of state agencies in accordance with specialized laws.”
7. Processing of personal data of children
Children are always a subject of protection by the state and society in all aspects to ensure the development of the country’s youngest generation. The protection of information as well as the personal data of children is also a concern and is safeguarded by the law.
Article 20 of Decree No. 13/2023/ND-CP regulates the processing of personal data of children as follows:
“Article 20. Processing of personal data of children
- The processing of the personal data of children must always adhere to the principle of protecting the rights and the best interests of children.
- For the processing of personal data of a child, it is required to obtain the consent of such child, in case the child is a full 7 years old or older, and the consent of the child’s parent or guardian under regulations, except the cases specified in Article 17 of this Decree. The personal data controller, personal data processor, personal data controlling and processing party, or third party shall verify the age of children before processing their personal data.
- The processing, permanent deletion, or destruction of the personal data of a child shall be stopped in the following cases:
a/ Data are processed for improper purposes or the purpose of processing personal data has been accomplished as consented to by the data subject unless otherwise provided for by law;
b/ The child’s parent or guardian withdraws the consent to the processing of the child’s personal data unless otherwise provided for by law;
c/ The stoppage is requested by a competent authority when there are sufficient grounds to prove that the processing of the child’s personal data affects his/her lawful rights and interests unless otherwise provided for by law.”
8. Apolat Legal advises on the compliance of the process of collecting and processing the personal data of customers
Apolat Legal commits to adhering to the process of collecting and processing customers’ personal data while providing legal advisory services. We prioritize protecting our customers’ personal information and complying with relevant legal regulations.
- Collection of personal data: We only collect necessary personal information to provide legal services to our customers and uphold principles of transparency. We collect information from customers through official channels, such as online forms, contracts, or direct meetings.
- Purpose of personal data usage: We use customers’ personal data to fulfill legal advisory requests and provide related services. We do not disclose personal information to third parties without the customer’s consent.
- Personal Data Security: We implement appropriate security measures to ensure the safety of customers’ personal data. We adhere to the standards and regulations for personal data protection as stipulated by the current laws.
- Retention Period: We store customers’ personal data for the necessary period to fulfill the intended purposes and comply with legal regulations. Once no longer necessary, we will delete or deactivate the personal data.
- Customer Rights: We respect the privacy and rights of customers to control their personal data. If customers wish to access, modify, or delete their personal data, we will assist with their request.
We hope that the article above has provided you with the necessary information regarding personal data processing, personal information processing, and customer information processing based on laws. However, we also acknowledge that there may still be some questions or a need for clarification regarding legal issues related to personal data.
Please do not hesitate to contact Apolat Legal if you have any questions or issues that require consultation. We will provide the best support to address your concerns. Let Apolat Legal be your reliable partner in resolving legal matters.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data Processing and Security. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.