What is sensitive data and how to handle it according to the law?

Personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. The personal data includes general personal data and sensitive personal data.

In particular, sensitive personal data refers to personal data in association with individual privacy which, when infringed, will directly affect an individual’s legal rights and interests. In this article, let’s learn about issues such as personal data, sensitive personal data, protection of personal data, personal data processing, and infringement of personal data with Apolat Legal.

1. Significance of the birth of Decree 13/2023/ND-CP on the protection of personal data.

The promulgation of Decree No. 13/2023/ND-CP meets the requirements of protecting personal data rights and preventing the infringement of personal data in order to protect the rights and interests of individuals and organizations. Personal data is closely related to human rights, citizenship, safety, cybersecurity, information security, data security, information technology, the fourth industrial revolution, e-government, digital government, and the digital economy.

In recent times, the Vietnamese Government has issued many guiding documents on personal data protection. However, although there are currently 68 legal documents directly related to personal data protection in Vietnam, there is no consensus on the concept and content of personal data and personal data protection. The current Vietnamese legal system does not use the phrase “personal data” and does not have a definition of personal data and personal data protection.

There are more than 10 concepts and terms related to personal information that are interpreted differently. In particular, the concept of “personal information” is considered the closest to the concept of “personal data”. However, only 7 legal documents define or interpret personal information, while other documents only refer to personal information without explanation or reference to other legal documents.

The inconsistent and unsynchronized interpretation of personal information protection has caused great difficulties in formulating a Decree regulating personal data protection that is compatible and synchronized with the entire content of existing legal documents. For this reason, Decree No. 13/2023/ND-CP was issued, which regulates the principles of personal data protection and abolishes regulations in other documents that are inconsistent with those principles. Where a regulation has been abolished, its application is referred to the Decree on the Protection of Personal Data.

2. How to define personal data?

Decree No. 13/2023/ND-CP stated in Clause 1, Article 2: “Personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. The personal data includes general personal data and sensitive personal data.”

3. Types of personal data

3.1 Normal personal data: 

Based on Article 2 of Decree No. 13/2023/ND-CP, normal personal data, also known as general personal data, includes:

  • Last name, middle name and first name, other names (if any);
  • Date of birth; 
  • Date of death or going missing;
  • Gender;
  • Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;
  • Nationality;
  • Personal image;
  • Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;
  • Marital status;
  • Information about the individual’s family relationship (parents, children);
  • Digital account information; personal data that reflects activities and activity history in cyberspace;
  • Information associated with an individual

3.2 Sensitive data

Based on Article 2 of Decree No. 13/2023/ND-CP, sensitive personal data refers to personal data in association with individual privacy which, when infringed, will directly affect an individual’s legal rights and interests, including:

  • Political and religious opinions;
  • Health condition and personal information stated in health record, excluding information on blood group;
  • Information about racial or ethnic origin;
  • Information about genetic data related to an individual’s inherited or acquired genetic characteristics;
  • Information about an individual’s own biometric or biological characteristics;
  • Information about an individual’s sex life or sexual orientation;
  • Data on crimes and criminal activities collected and stored by law enforcement agencies;
  • Information on customers of credit institutions, foreign bank branches, payment service providers, and other licensed institutions, including customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations, and individuals that are guarantors at credit institutions, bank branches, and payment service providers;
  • Personal location identified via location services;
  • Other specific personal data as prescribed by law that requires special protection.

4. Rules for the protection of personal data

Article 3 of Decree No. 13/2023/ND-CP stipulates the “Principles of personal data protection” as follows:

“Article 3. Principles of personal data protection

  1. The personal data shall be processed as prescribed by law.
  2. The data subject shall be entitled to receive information related to the processing of his/her personal data unless otherwise provided for by law.
  3. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor, and the Third Party.
  4. The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form unless otherwise provided for by law.
  5. The personal data shall be updated and added for processing purposes.
  6. The personal data shall be protected and secured throughout the processing. To be specific, personal data shall be protected from violations against regulations on the protection of personal data and prevention of loss, destruction, or damage caused by incidents and the use of technical measures.
  7. The personal data shall be stored within a period of time that is appropriate for processing purposes unless otherwise provided for by law.
  8. The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the rules for data processing specified in Clauses 1 through 7 of this Article and prove their compliance.”

5. Processing sensitive personal data

In case of processing sensitive personal data, the provisions of Article 11 of Decree 13/2023/ND-CP are as follows:

“The consent of a data subject

  1. The consent of the data subject shall be granted to all activities in the processing of his/her personal data unless otherwise provided for by law.
  2. The consent is only valid when the data subject voluntarily consents and clearly knows the following contents:

a) Type of personal data;

b) Purposes;

c) Organization or individual permitted to process personal data;

d) Rights and obligations of the data subject.

  3. The consent of the data subject shall be expressed in a clear and specific manner in writing, by voice, by ticking the consent box, by consent syntax via message, by selecting consent settings, or by other forms.
  4. The consent must be bound to the same purpose. In case of multiple purposes, the Personal Data Controller and the Personal Data Controller-cum-Processor shall list these purposes so that the data subject consents to one or several purposes that have been set out.
  5. The consent of the data subject shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format.
  6. Silence or non-response is not considered as consent.
  7. The data subject may give partial or conditional consent.
  8. In case of the processing of sensitive personal data, the data subject shall receive notification thereof.
  9. The consent of the data subject is valid until the data subject has other decisions or the competent authority makes a written request.
  10. In case of a dispute, the Personal Data Controller and the Personal Data Controller-cum-Processor shall prove consent of the data subject.
  11. Via the authorization in accordance with regulations of the Civil Code, an organization or individual may act on behalf of the data subject to carry out procedures related to the processing of his/her personal data with the Personal Data Controller and the Personal Data Controller-cum-Processor in case the data subject knows and consents as prescribed in Clause 3 of this Article unless otherwise provided for by law.”

According to the above regulation, in the case of processing sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.

6. Illegally collecting, transferring, purchasing, and selling personal data

The acts of illegally collecting, transferring, buying, and selling personal data are considered infringements of personal information. Article 22 of Decree 13/2023/ND-CP provides for “Illegal collection, transfer, purchase and sale of personal data” as follows:

“Article 22. Illegally collecting, transferring, purchasing, and selling personal data

  1. Organizations and individuals related to the processing of personal data shall adopt measures for protecting personal data in order to prevent illegal collection of personal data from their systems and service equipment.
  2. Installation of software systems, implementation of technical measures, or organization of collection, transfer, purchase or sale of personal data without the consent of the data subject is a violation of law.”

7. Notification of violations against regulations on the protection of personal data

Article 23 of Decree 13/2023/ND-CP stipulates a “Notice of violation of regulations on personal data protection” as follows:

“Article 23. Notification of violations against regulations on the protection of personal data

  1. In case of detection of a violation against regulations on the protection of personal data, the Personal Data Controller or the Personal Data Controller-cum-Processor shall notify the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) within 72 hours after such violation is committed according to Form No. 03 in the Appendix to this Decree. If the notification is given after 72 hours, the reason for the late notification shall be provided.
  2. The Personal Data Processor shall notify the Personal Data Controller as quickly as possible after detecting the violation against regulations on the protection of personal data.
  3. Notification contents:

a) Description of the nature of the violation, including time, place, violation, organization, individual, types of personal data, and the amount of relevant data;

b) Contact details of the employee(s) assigned to protect the data or organizations or individuals that are responsible for protecting personal data;

c) Description of consequences and damage that may occur;

d) Description of measures for handling and minimizing the harm caused by the violation.

  4. If it is impossible to notify all the information specified in Clause 3 of this Article, the notification may be given every time a piece of information is available.
  5. The Personal Data Controller, the Personal Data Controller-cum-Processor shall make a written confirmation of the violation against regulations on the protection of personal data, and cooperate with the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) in handling such violation.
  6. Organizations and individuals shall notify the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) when detecting the following cases:

a) Violations are detected;

b) Personal data is processed for unintended purposes or against the original agreement between the data subject and the Personal Data Controller, the Personal Data Controller-cum-Processor, or in contravention of regulations of law;

c) The data subject’s rights are not protected or not properly exercised;

d) Other cases as prescribed by law.”

8. Consulting on the protection of personal data rights

Apolat Legal is a law firm providing multidisciplinary legal consulting services, including in-depth consulting services on the protection of personal data rights. We clearly understand that the issue of personal data protection is becoming more and more important and complex for individuals and organizations in the digital age.

With a team of experienced lawyers and a deep understanding of personal data rights, Apolat Legal provides comprehensive and professional consulting solutions to help clients meet their requirements and needs for personal data protection.

We put our customers first and customize solutions based on their specific needs. Apolat Legal is committed to providing high-quality and reliable consulting services.

At the same time, we ensure strict compliance with legal regulations related to the protection of personal data.

We hope that the above article has provided you with the necessary information about personal data, sensitive data, personal data protection, personal data processing, and personal information infringement based on applicable laws. However, we are also aware that there may still be some questions or needs to be answered regarding legal issues related to personal data. Do not hesitate to contact Apolat Legal immediately if you have any questions or problems that need advice. Let Apolat Legal be your trusted partner in solving legal problems.


Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Intellectual Property Rights. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.
