1. What is personal data and why should it be protected?
According to Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is information in the form of symbols, script, digits, images, or sounds, or in a similar form in the electronic environment, that is associated with a specific person or helps identify a specific person. Personal data includes basic personal data and sensitive personal data.
Personal data should be processed in accordance with the law, and personal data protection is essential: if the data is stolen, it can cause serious financial losses and expose the data owner to extortion, fraud, appropriation of property, libel, infringement of honor and dignity, sexual abuse…, causing material and spiritual harm and directly affecting the legitimate rights and interests of the data owner.
Additionally, several negative situations relate to personal data:
- Taking advantage of people's subjectivity, neglect, and “mercy” psychology to get them to provide information, which is then appropriated, under the guise of promotions, lucky draws, online purchases, mini-games with prizes…
- Individuals and enterprises actively collect customers’ personal data, establish personal data libraries, and analyze and process the data to conduct their business, or even to sell it to their enemy or steal account passwords for the purpose of embezzling money…
- In the technology era, more and more apps require users to grant permissions such as camera monitoring, contacts, memory access, etc., in order to collect users' personal data and commit crimes such as obtaining property by fraud…
Currently, due to the development of digital technology, personal data can be easily stolen. In some developed countries, personal data is considered an asset. Vietnam is also gradually adopting strict measures and regulations on personal data protection, increasing the importance of personal data protection.
2. Personal data protection measures
Personal data protection measures are adopted from the beginning of, and throughout, personal data processing.
According to Article 26 of Decree 13/2023/ND-CP, personal data protection measures include:
- Management measures performed by organizations and individuals involved in personal data processing;
- Technical measures performed by organizations and individuals involved in personal data processing;
- Measures performed by competent state management agencies in accordance with this Decree and relevant laws;
- Investigation and procedural measures performed by competent state agencies;
- Other measures as prescribed by law.
Therefore, personal data owners can adopt the above measures to protect their personal data.
3. Protect basic personal data
The protection of basic personal data is prescribed in Article 27 of Decree 13/2023/ND-CP. Accordingly, the protection of basic personal data can adopt the measures specified in clause 2, Article 26 of Decree 13/2023/ND-CP such as:
- Management measures performed by organizations and individuals involved in personal data processing;
- Technical measures performed by organizations and individuals involved in personal data processing;
- Measures performed by competent state management agencies in accordance with this Decree and relevant laws;
- Investigation and procedural measures performed by competent state agencies;
- Other measures as prescribed by law.
Besides the above measures, the basic personal data owner needs to:
- Formulate and promulgate regulations on personal data protection, clarifying to-be-performed tasks under Decree 13/2023/ND-CP.
- Encourage the application of personal data protection standards suitable to the fields, business lines, and activities related to personal data processing.
- Inspect the cyber security of systems, means, and equipment serving personal data processing before data processing or permanently deleting personal data or destroying personal data-containing devices.
4. Protect sensitive personal data
The protection of sensitive personal data is prescribed in Article 28 of Decree 13/2023/ND-CP. Accordingly, the protection of sensitive personal data can adopt the measures prescribed in Clause 2, Article 26 and Article 27 of Decree 13/2023/ND-CP. Readers may refer to sections 2 and 3 of this article.
Additionally, for sensitive personal data, the following measures can be taken:
- Designate functional divisions for personal data protection or designate staff in charge of personal data protection, and exchange information about such divisions and staff with the Specialized Agency for Personal Data Protection. In case the personal data controller, personal data controlling and processing party, personal data processor, or third party is an individual, exchange information about such individual.
- Notify data subjects of the processing of their sensitive personal data, except in the cases specified in Clause 4, Article 13, and Articles 17 and 18 of Decree 13/2023/ND-CP.
5. Specialized Agency for Personal Data Protection and National Portal on Personal Data Protection
The Specialized Agency for Personal Data Protection and the National Portal on Personal Data Protection are prescribed in Article 29 of Decree 13/2023/ND-CP, specifically:
- The Specialized Agency for Personal Data Protection is the Department of Cyber Security and Hi-Tech Crime Prevention and Control of the Ministry of Public Security, which shall assist the Ministry of Public Security in performing the state management of personal data protection.
- The National Portal on Personal Data Protection has the following functions:
- Provide information on the Party’s viewpoints, guidelines, and policies and the State’s laws on personal data protection;
- Carry out public communications about and disseminate policies and laws on personal data protection;
- Update information and situation on personal data protection;
- Receive information, dossiers, and data on personal data protection activities via cyberspace;
- Provide information on the evaluation results of the personal data protection work of related agencies, organizations, and individuals;
- Receive notices of violations of regulations on personal data protection;
- Provide warnings, and coordinate in the provision of warnings about the risks and acts of infringing upon personal data in accordance with law;
- Handle violations of regulations on personal data protection in accordance with law;
- Carry out other activities in accordance with the law on personal data protection.
6. Sanctions on Illegal Personal Data Processing
Agencies, organizations, and individuals that violate regulations on the protection of personal data, depending on the severity, may be disciplined, administratively sanctioned, or criminally sanctioned according to regulations.
Violations of regulations on retention, leasing, transmission, provision, access, collection, processing, exchange, and utilization of information are sanctioned according to Article 102 of Decree 15/2020/ND-CP:
“1. A fine ranging from VND 2,000,000 to VND 5,000,000 shall be imposed for storing personal information of others collected in cyberspace for a period exceeding the retention period prescribed by law or agreed upon by two parties.
2. A fine ranging from VND 5,000,000 to VND 10,000,000 shall be imposed for the commission of one of the following violations:
a) Failing to terminate the leasing of digital information storage space in case information is stored in violation of law upon detection by the lessor or notification by a competent authority;
b) Failing to terminate the provision of tools for finding sources of digital information to organizations/individuals in case such sources of digital information are found to violate the law upon detection by the service provider or notification by a competent authority;
c) Failing to review and correct or remove the others’ personal information stored in cyberspace in course of information collection, processing and utilization upon request of owners of such information;
d) Providing or using personal information which is not yet corrected at the request for information correction of the owner of such information;
dd) Providing or using personal information when the owner of such information has sent request for removal of such information.
3. A fine ranging from VND 10,000,000 to VND 20,000,000 shall be imposed for the commission of one of the following violations:
a) Illegally accessing, using, disclosing, interrupting, altering or destroying information/information systems;
b) Failing to implement necessary measures for preventing access to or removing violating information at the request of a competent authority when transmitting or leasing of space for storing digital information;
c) Failing to comply with the request of a competent authority for determination of the list of owners who lease space for storage of digital information;
d) Failing to keep confidentiality of information of organizations/individuals leasing space for storing digital information, unless the information must be provided at the request of a competent authority;
dd) Failing to implement necessary managerial/technical measures for protecting personal information from loss, theft, disclosure, change, or removal when collecting, processing, and using the personal information of other persons in cyberspace;
e) Collecting, processing, and using the information of other organizations/individuals without their consent or for serving purposes other than the prescribed ones;
g) Providing, exchanging, transmitting or storing and using digital information in order to threaten, disturb, distort, slander, or damage the prestige, honor, and dignity of other organizations or individuals;
h) Providing, exchanging, transmitting or storing and using digital information for advertising or promotion of prohibited goods/services;
i) Illegally obstructing the transmission of information online, intervening, accessing, damaging, removing, altering, duplicating, and falsifying information in cyberspace;
k) Failing to monitor or supervise digital information of other organizations/individuals at the request of a competent authority;
l) Failing to cooperate in an investigation of violations against the law in the course of transmission or storage of digital information of other organizations/individuals at the request of a competent authority;
m) Disclosing information classified as state secrets, personal and family secrets if not liable to criminal prosecution;
n) Impersonating other organizations/individuals and disseminating fake or false information that infringes upon legitimate rights and benefits of other organizations/individuals;
o) Appropriating another person’s mails, telegraphs, telexes, faxes, or other documents that are transmitted in cyberspace in any form;
p) Deliberately obtaining information/contents of another person’s mails, telegraphs, telexes, faxes, or other documents that are transmitted in cyberspace;
q) Listening or recording conversations against the law;
r) Confiscating mails or telegraphs against the law.
4. A fine ranging from VND 30,000,000 to VND 50,000,000 shall be imposed for the commission of one of the following violations:
a) Failing to keep confidentiality of private information transmitted on public telecommunications networks or disclosing private information relating to telecommunications service users;
b) Providing, exchanging, transmitting, storing, or using information/services related to gambling or serving gambling activities, pornography, debauchery, superstitions, or which are contrary to national good traditions and customs.
5. A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the commission of one of the following violations:
a) Illegally trading or exchanging private information of telecommunications service users;
b) Hiding name or electronic address or forging another person’s name or electronic address when sending emails/messages.
6. A fine ranging from VND 70,000,000 to VND 100,000,000 shall be imposed for providing, exchanging, transmitting, or storing and using digital information and disseminating wrong facts about the sovereignty of Vietnam.
7. A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the commission of one of the following violations:
a) Disseminating/inciting violence; disseminating reactionary information if not liable to criminal prosecution;
b) Providing information/images infringing upon national sovereignty; distorting history, denying revolutionary achievements; offending the nation, famous persons, or national heroes if not liable to criminal prosecutions.
8. Additional penalties:
a) The license to establish a social networking site shall be suspended for a fixed period of 22 – 24 months in case of commission of any of the violations in Clauses 5, 6, and 7 of this Article;
b) The exhibits and instrumentalities used for committing any of the violations in Points b, g, h, and q Clause 3, Point a Clause 4, and Clause 7 of this Article shall be confiscated.
9. Remedial measures:
a) Enforced return of benefits illegally obtained from the commission of the violation in Point b Clause 4 or Point a Clause 5 of this Article;
b) Enforced revocation of prefixes/ telecommunications numbers in case of commission of the violation in Point b Clause 4 of this Article;
c) Enforced revocation of domain names in case of commission of the violation in Point b Clause 3 of this Article;”
Besides the administrative sanctions mentioned above, illegal personal data processing may also face criminal prosecution for crimes in the field of information technology and telecommunications networks specified in Section 2 of Chapter XXI of the Penal Code 2015, as amended and supplemented in 2017.
The above is our article on personal data protection measures. We hope it provides you with useful legal knowledge. If you still have questions or need answers, especially on personal data issues, do not hesitate to contact Apolat Legal for advice and support.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.