1. What is personal data?
According to Clause 1 of Article 2 of Decree 13/2023/NĐ-CP, “Personal data means any information in the forms of symbols, letters, figures, images, sounds or similar forms in the electronic environment that is associated with a particular person or may lead to the identification of a particular person. Personal data includes basic personal data and sensitive personal data”.
In simple terms, personal data refers to information related to a specific individual that allows for direct or indirect identification of that person. This information can pertain to an individual’s name, addresses, telephone numbers, date of birth, identity card number, financial and medical information, personal images, online account profiles, online activities, and any other information that can be used to identify a specific individual.
2. Why is it important to care about personal data rights?
Caring about personal data rights is extremely important in the current digital era for several significant reasons:
– Privacy Protection: Personal data includes sensitive information about individuals, such as names, addresses, phone numbers, financial and medical information. Personal data rights ensure that this information is not used or disclosed unlawfully. This helps protect individuals’ privacy and ensures that they have the right to control their own information.
– Preventing Data Abuse: Personal data rights help prevent the abuse of personal information. When personal data is collected and used inappropriately, it can lead to unauthorized access, fraud, privacy infringements, or discrimination. Personal data rights ensure that data is only used within defined boundaries and for specific purposes.
– Building Trust and Confidence: Caring about personal data rights helps build trust and confidence among users. When users know that their personal information is protected and used appropriately, they will feel more comfortable sharing information and engaging in online activities.
– Compliance with Laws: Personal data rights are an essential part of a modern legal system. Compliance with regulations of personal data rights ensures that organizations and individuals operate in accordance with the law and avoid potential legal consequences.
– Promoting Digital Economic Development: Personal data rights play a crucial role in promoting digital economic development. When users trust that their personal data is protected, they are more likely to engage in online activities, participate in e-commerce transactions, and share personal information with digital services. This fosters a favorable environment for digital economic growth and creates new business opportunities.
In conclusion, caring about personal data rights not only protects individuals’ privacy and security but also contributes to the sustainable development of society and the digital economy.
3. Principles of personal data protection
According to Article 3 of Decree 13/2023/ND-CP, the principles of personal data protection include:
– Personal data is processed in accordance with the law.
– Data subjects are informed about their related activities regarding the processing of their personal data unless otherwise provided by law.
– Personal data is only processed for the purposes specified by the Controller, the Processor, the controlling and processing entity, or the third party registered declared about the processing of personal data.
– The collection of personal data must be appropriate and limited to the scope and purpose of the processing. Personal data must not be bought or sold under any circumstances unless otherwise provided by law.
– Personal data is updated and supplemented appropriately for processing purposes.
– Personal data is subject to protection and security measures during the processing, including measures to prevent violations of regulations on personal data protection and to prevent loss, destruction, or damage caused by incidents, using technical measures.
– Personal data is only stored for a period that is appropriate for the purposes of data processing unless otherwise provided by law.
– According to clause 1 to clause 7 of this Article, the Controller and the controlling and processing entity must be responsible for complying with the principles of data processing and demonstrate their compliance with these data processing principles.
For more information, please refer to the official regulations of the Government on personal data protection here.
4. Rights of the data subject
According to Article 9 of Decree 13/2023/ND-CP, the rights of data subjects include:
– Right to be informed: The data subject has the right to be informed about activities relating to the processing of his/her personal data unless otherwise provided by law.
– Right to consent: The data subject has the right to agree or not agree to the processing of his/her personal data unless cases are specified in Article 17 of this Decree.
– Right of access: The data subject shall have the right to access his/her personal data for viewing, rectifying, or requesting rectification of such data unless otherwise provided by law.
– Right to withdrawal of consent: The data subject shall have the right to withdraw his/her consent unless otherwise provided by law.
– Right to erasure of personal data: The data subject shall have the right to erase or request the erasure of his/her personal data unless otherwise provided by law.
– Right to restriction of data processing:
+ The data subject shall have the right to request the restriction of processing of his/her personal data unless otherwise provided by law;
+ Restriction of data processing shall be carried out within 72 hours after the request of the data subject, with all personal data under the data subject’s restriction request, unless otherwise provided by law.
– Right to provision of data: The data subject shall have the right to request the controller, controlling, and processing entity to provide his/her own personal data for him/her, unless otherwise provided by law.
– Right to object:
+ The data subject shall have the right to object to the processing of his/her personal data by the controller, controlling, and processing entity for the purposes of preventing or limiting the disclosure of personal data or its use for advertising or marketing unless otherwise provided by law;
+ The controller, controlling, and processing entity shall act on the request of the data subject within 72 hours after receiving the request unless otherwise provided by law.
– Right to complaint, denunciation, and initiation of lawsuits: The data subject shall have the right to complain, denunciation, and initiation of lawsuits in accordance with the law.
– Right to request for compensation for damage: The data subject has the right to request compensation for damage in accordance with the law upon breaches of his/her personal data protection unless otherwise agreed upon by the parties or provided by law.
– Right to self-defense: The data subject shall have the right to protect himself/herself in accordance with the Civil Code, other relevant laws, and this Decree, or request competent agencies or organizations to implement methods of protection of civil rights prescribed in Article 11 of the Civil Code.
5. Cases of processing of personal data without the consent of data subjects
According to Article 17 of Decree 13/2023/ND-CP, the cases in which personal data can be processed without the consent of the data subject are as follows:
– In urgent cases, it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others. The controller, processor, controlling and processing entity, and the third party shall be responsible for proving this case.
– The disclosure of personal data shall comply with the law.
– The processing of data of the competent state agencies in case of emergency on national defense, national security, social order and safety, major disasters, dangerous epidemics; or when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; or in case of preventing and combating riots and terrorism, preventing and combating crimes and law violations in accordance with law.
– To fulfill the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law.
– To serve the activities of state agencies prescribed by specialized laws.
In the context of rapid technological advancements and the increasing scale of data collection, the right to personal data has become a pressing issue for society and the legal system. Vietnamese law has responded with clear directions on protecting the right to personal data, ensuring safety, and compliance with regulations in processing personal information. The establishment and implementation of regulations on the right to personal data in Viet Nam are not only a significant step to safeguard the privacy and security of individual’s personal information but also a demonstration of the willingness to meet the demands of the technological revolution. Complying with and enforcing regulations on the right to personal data will create a trustworthy online environment, promote sustainable development of the digital economy, and ensure the rights and interests of both users and organizations.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Intellectual Property Rights and contact our team of lawyers in Vietnam via email info@apolatlegal.com.
