Prohibited acts when processing personal data

Each individual’s personal data needs to be kept confidential to protect that person’s interests. Violations committed when processing personal data that affect individuals’ lives will be sanctioned. So what are the prohibited acts when processing personal data?

1. Distinguish normal personal data and sensitive personal data

Clause 3, Clause 4, Article 2 of Decree 13/2023/ND-CP stipulates general personal data and sensitive personal data as follows:

3. Basic personal data includes:

  a) Family name, middle name, and first name as stated in a birth certificate, other name (if any);
  b) Date of birth; date of death or missing;
  c) Gender;
  d) Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, native place, contact address;
  dd) Nationality;
  e) Image of the individual;
  g) Telephone numbers, people’s identity card numbers, personal identification numbers, passport numbers, driver’s license numbers, numbers on vehicles’ number plates, personal tax identification numbers, social insurance numbers, health insurance card numbers;
  h) Marital status;
  i) Information about family relationships (parents, children);
  k) Information about the digital account of the individual; personal data on activities, history of activities in cyberspace;
  l) Other information associated with a particular person or leading to the identification of a particular person, other than those specified in Clause 4 of this Article.

4. Sensitive personal data means any personal data associated with an individual’s privacy rights of which the violation directly affects his/her lawful rights and interests, including:

  a) Political opinions, religious opinions;
  b) Health status and private information recorded in the health record, excluding the information about blood type;
  c) Information relating to racial origin, ethnic origin;
  d) Information about the inherited or acquired genetic characteristics of the individual;
  dd) Information about physical characteristics, and unique biological characteristics of the individual;
  e) Information about the sex life, and sexual orientation of the individual;
  g) Data on crimes and offenses are collected and stored by law enforcement authorities;
  h) Client information of credit institutions, foreign bank branches, intermediary payment service providers, and other authorized organizations, including client identification information prescribed by law provisions, information on accounts, deposits, deposited assets, transactions, organizations and individuals being securing parties at credit institutions, bank branches, intermediary payment service providers;
  i) Location data of the individual identified through location services;
  k) Other personal data being particular and requiring necessary security measures under law provisions.

From the above regulations, it can be seen that basic personal data is usually data that particular parties may know and that is often used for identification and for carrying out everyday procedures. Sensitive data is personal data associated with an individual’s privacy that, when violated, will directly impact an individual’s legitimate rights and interests.

2. Principles of handling personal data

Personal data is the vital information of each person, which needs to be kept safe so that their legitimate rights and interests are not infringed. Therefore, Article 3 of Decree 13/2023/ND-CP stipulates the principles to be ensured when processing personal data as follows:

Article 3. Principles for personal data protection

  1. Personal data shall be processed in accordance with law.
  2. The data subject has the right to be informed about activities relating to his/her personal data processing unless otherwise provided by law.
  3. Personal data is processed only for the purposes of personal data processing that have been registered and declared by the controller, processor, controlling and processing entity, or third party.
  4. Collected personal data must be appropriate and within the scope and purposes of processing. Purchase and sale of personal data in any form shall not be permitted unless otherwise provided by law.
  5. Personal data shall be updated and supplemented in conformity with the processing purposes.
  6. Measures for protection and security shall be applied to personal data during the processing, including the protection against breaches of personal data protection regulation, and the prevention and control of loss, destruction, or damage due to incidents, and use of technical measures.
  7. Personal data shall be only stored for a period suitable for the purposes of data processing unless otherwise provided by law.
  8. Controller, controlling, and processing entity shall be responsible for complying with the data processing principles specified in Clauses 1 to 7 of this Article and demonstrating their observance of such principles.

3. Prohibited acts when processing personal data

Article 8 of Decree 13/2023/ND-CP stipulates prohibited acts in the processing of personal data.

Article 8. Prohibited acts

  1. Processing personal data contrary to the law on personal data protection.
  2. Processing personal data to create information and data to act against the State of the Socialist Republic of Vietnam.
  3. Processing personal data to create information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
  4. Obstructing competent agencies’ personal data protection activities.
  5. Abuse of personal data protection to breach the law.

The above acts not only infringe on personal data but also affect many other issues such as national security, social order, activities of competent authorities, etc., so they are strictly prohibited, and violators may be subject to corresponding sanctions.

4. Notice of violation of personal data processing

When there is a breach of a person’s data, it can have serious consequences for their interests. Therefore, notification of violations is essential and needs to be done quickly. The notification of violation of regulations on the protection of personal data shall comply with the principles in Article 23 of Decree 13/2023/ND-CP:

Article 23. Notification of a breach of personal data protection regulation

1. In case of detecting a breach of personal data protection regulation, the controller, controlling and processing entity shall, not later than 72 hours after the breach is committed, notify the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) according to Form No. 03 in the Appendix to this Decree. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a breach of personal data protection regulation.

3. The notification shall at least:

a) Describe the nature of the breach, including time, location, acts, organizations, individuals, the categories and number of data concerned;

b) Provide contact details of the officer assigned to the task of data protection or an organization or individual in charge of protecting personal data;

c) Describe the likely consequences and damages of the breach of personal data protection regulation;

d) Describe the proposed measures to address and mitigate the effects of the breach of personal data protection regulation.

4. Where it is not possible to notify sufficient information prescribed in Clause 3 of this Article, the information may be provided in phases.

5. The controller, controlling, and processing entity shall make records confirming breaches of personal data protection regulation, and coordinate with the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) to handle such breaches.

6. Organizations and individuals shall notify the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) when:

a) Detecting a breach of the law on personal data;

b) Personal data is processed for wrong purposes, not in accordance with the original agreement between the data subject and the controller, controlling and processing entity, or is processed contrary to the law.

c) Failing to guarantee the rights of the data subject or such rights are improperly implemented;

d) Other cases as prescribed by law.

Prompt, timely, and proper notification can minimize the loss for the individual whose data is breached.

5. Sanctions for handling violations of personal data according to the law

Depending on the nature and level of danger, the breach of personal data can be handled under criminal, civil, or administrative sanctions.

5.1. Criminal sanctions

With criminal sanctions, violations of personal data can be criminally handled for the crimes specified in the Criminal Code 2015 (amended and supplemented 2017):

  • Article 159. Infringement upon secret information, mail, telephone, telegraph privacy, or other means of private information exchange.
  • Article 288. Illegal provision or use of information on computer networks or telecommunications networks.

Acts constituting the above offenses may be subject to fines, community sentences (non-custodial), or term imprisonment. However, it is difficult to determine the actual personal data violations that constitute crimes.

5.2. Civil sanctions

The right to protection of personal data is also a civil right and is protected by civil law under Clause 1, Article 2 of the Civil Code 2015:

Article 2. Recognition, respect for, protection, and guarantee of civil rights

  1. In the Socialist Republic of Vietnam, all civil rights shall be recognized, respected, protected, and guaranteed in accordance with the Constitution and law.

Acts of infringing upon personal data will be subject to the corresponding sanctions specified in Article 11 of the 2015 Civil Code:

Article 11. Methods of protection of civil rights

When the civil rights of an individual or a legal person are infringed upon, he/she/it has the right to protect such rights by himself/herself/itself in accordance with this Code and other relevant laws or to request a competent agency or organization to:

  1. Recognize, respect, protect and ensure his/her/its civil rights;
  2. Order termination of the act of violation;
  3. Order a public apology and/or rectification;
  4. Order the performance of obligations;
  5. Order compensation for damage.
  6. Cancel an illegal specific decision of a competent agency, organization or individual;
  7. Other requests as prescribed by law.

5.3. Administrative sanctions

For violations less serious than those subject to criminal sanctions, administrative sanctions apply in the form of warnings, fines, additional sanctions, and remedial measures. A number of acts of infringing upon personal data are subject to administrative sanctions under Decree 15/2020/ND-CP. However, these administrative sanctions are still limited, as they apply only to violations of personal data in the fields of post, telecommunications, radio frequencies, information technology, and electronic transactions.

Handling prohibited acts when processing personal data helps deter subjects from having bad acts or intentions with respect to other people’s personal information and protects the interests of each individual. For other related information, please read other articles by Apolat.

 

Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data Processing And Security. Contact our team of lawyers in Vietnam via email info@apolatlegal.com.
