In the context of the rapidly evolving digital economy, the processing and protection of personal data has become a matter of paramount importance. The draft Personal Data Protection Law of Vietnam has set forth detailed provisions regarding data processing activities in digital business sectors, with the objective of ensuring privacy rights and information security for users.
This article analyzes critical regulations concerning personal data protection across five key areas of digital business: marketing services, behavioral advertising, big data processing, cloud computing, and social networks. Through this analysis, we aim to provide a comprehensive understanding of the legal framework and specific requirements that businesses must comply with in their processing of users’ personal data.
1. Personal data protection in marketing services
Personal data protection in digital marketing activities is a crucial matter strictly regulated under the draft Personal Data Protection Law. Accordingly, organizations and individuals engaged in marketing services are only permitted to use personal data directly collected through their own business operations. This measure aims to restrict unauthorized trading and exchange of personal data between entities.
A fundamental principle is that personal data processing must be conducted on the basis of transparency and consent. Specifically, customers must be fully and clearly informed about the content, methods, forms, and frequency of marketing activities before consenting to the use of their data. Furthermore, all data usage activities must strictly comply with legal regulations regarding spam and spam SIM prevention.
To protect user rights, the law clearly stipulates that data subjects have the right to request cessation of marketing communications at any time, and business organizations and individuals must implement this request immediately. Additionally, marketing entities are not permitted to hire or enter into agreements for another organization to perform or support marketing activities, ensuring transparency and accountability in personal data processing.
2. Personal data protection in behavioral and targeted advertising services
In the field of behavioral and targeted advertising, personal data protection is strictly regulated to ensure user privacy. The core principle is that all data collection activities through website and application tracking must be conducted based on the clear consent of the data subject. This demonstrates respect for users’ right to self-determination regarding their personal information in the digital environment.
To enhance transparency and protect user rights, organizations and individuals involved in behavioral or targeted advertising services must develop and implement mechanisms allowing data subjects to opt out of data sharing in various contexts. This regulation ensures users maintain control over their personal data and can make decisions about allowing or refusing data usage in specific instances.
Furthermore, the draft law also clearly defines the scope of data usage in advertising activities. Marketing service organizations and individuals are only permitted to use personal data directly collected through their own business operations to conduct behavioral or targeted advertising campaigns, while ensuring transparency in data collection and processing.
3. Personal data protection in big data processing
In the context of Big Data processing, the draft Personal Data Protection Law has established specific regulations regarding the rights and obligations of relevant parties. Accordingly, organizations and individuals are permitted to extract personal data from platforms where data subjects have proactively disclosed their information without any restrictions. However, such extraction must be conducted in a responsible manner and in compliance with personal data protection principles.
To enhance supervision and management, the draft law requires all companies acting as Personal Data Processors to register and be subject to oversight by the competent authority for personal data protection.
4. Personal data protection in cloud computing
In the field of cloud computing, personal data protection necessitates a comprehensive system of technical and organizational measures to prevent unauthorized access. When entering into contracts with cloud service providers, organizations and individuals must ensure compliance with stringent data protection requirements.
Contractual terms must explicitly stipulate compliance with Vietnamese law on personal data protection, including provisions for information regarding departments and personnel responsible for data protection, particularly in cases involving sensitive data processing. Service providers are only permitted to process data for the benefit of customers, must implement specific security measures, and are obligated to provide immediate notification of any changes that may affect personal data. They are also liable for damages if applicable, must provide audit reports and delete data upon request, and must comply with regulations regarding the establishment of personal data processing impact assessment documentation as prescribed by law.
Enterprises providing cloud computing services must strictly comply with Vietnamese personal data protection regulations, ensure subcontractors fully implement data protection obligations, and apply technical measures appropriate to their scale and level of data processing. These requirements aim to create a secure and reliable ecosystem for personal data processing on cloud computing platforms.
5. Social networks and communication services provided directly to viewers through cyberspace
In the domain of social networks and Over-The-Top (OTT) communication services, organizations and individuals providing services must ensure the protection of Vietnamese citizens’ personal data when operating in the Vietnamese market or being present on domestic mobile application stores. They have an obligation to provide clear notification regarding personal data collection when users install and use the service, and are prohibited from unauthorized data collection or exceeding agreed-upon scope.
Platforms must provide options allowing users to reject cookie collection and sharing, as well as “do not track” options for service usage activities. Notably, platforms are prohibited from requiring citizen identification card or national identity card images as account verification factors. When conducting advertising and marketing activities based on personal data, entities must provide specific and clear written notification regarding data sharing and applied security measures.
A crucial point to note is that personal data used for social network and OTT service account registration is not considered public data and cannot be processed without the data subject’s consent. Furthermore, activities such as eavesdropping, call recording, or reading text messages without user consent are considered violations of law.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.