Apolat Legal

Decree No. 13/2023/ND-CP on the protection of personal data will help create a legal framework so that the competent authorities can manage and review compliance with regulations on personal data protection, and increase the rights of data subjects and other provisions detailed in the Decree.

Personal data is an issue that attracts a great deal of attention in today’s modern society. There have been acts of stealing and selling personal data that infringe upon individual rights, and of using sophisticated scripts to defraud and appropriate property. The Government’s promulgation of Decree No. 13/2023/ND-CP on the protection of personal data is therefore considered essential in the current situation. The Decree will help create a legal framework so that the competent authorities can manage and review compliance with regulations on personal data protection, make all parties jointly responsible for personal data protection, and increase the rights of data subjects, along with other provisions detailed in the Decree. The Decree will take effect from July 1st, 2023.

1. How does Decree No. 13/2023/ND-CP regulate personal data and protection measures?

Personal data is information in the form of symbols, letters, numbers, images, sounds or the like on an electronic medium that is associated with a particular person or helps to identify a particular person. Personal data includes basic personal data and sensitive personal data.

Basic personal data includes:

  1. Full name, middle name and birth name, other name (if any);
  2. Date, month and year of birth; date, month and year of death or of going missing;
  3. Gender;
  4. Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current residence, hometown, contact address;
  5. Nationality;
  6. Pictures of individuals;
  7. Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
  8. Marital status;
  9. Information about family relationships (parents, children);
  10. Information about the individual’s digital account; personal data reflecting activities, history of activities on cyberspace;
  11. Other information associated with a specific person or helping to identify a specific person.

Sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests, including:

  1. Political views, religious views;
  2. Health status and private life as recorded in the medical record, excluding information about blood type;
  3. Information related to racial or ethnic origin;
  4. Information about inherited or acquired genetic characteristics of the individual;
  5. Information about the individual’s physical attributes and biological characteristics;
  6. Information about an individual’s sex life and sexual orientation;
  7. Data on crimes and offenses collected and stored by law enforcement agencies;
  8. Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including: customer identification information as prescribed by law, information on accounts, information on deposits, information on deposited assets, information on transactions, information on organizations and individuals as guarantors at credit institutions, bank branches, payment intermediary service providers;
  9. Personal location data identified through location services;
  10. Other personal data specified by law as being particular and requiring necessary security measures.

Measures to protect personal data will be applied from the beginning and throughout the processing of personal data, including:

  1. Management measures taken by organizations and individuals related to personal data processing;
  2. Technical measures taken by organizations or individuals related to personal data processing;
  3. Measures taken by competent state management agencies in accordance with this Decree and relevant laws;
  4. Investigation and procedural measures taken by competent state agencies; other measures as prescribed by law.

Protecting personal data means applying the protection measures mentioned above; developing and promulgating regulations on personal data protection that state what needs to be done according to the Decree; encouraging the application of personal data protection standards appropriate to each field, industry, and activity related to personal data processing; and checking the network security of the system and of the means and equipment for personal data processing before processing, and irrecoverably deleting or destroying devices containing personal data.

The protection of sensitive personal data applies the protections outlined above together with the basic personal data protection measures. It also involves appointing a department with the function of protecting personal data, appointing personnel in charge of personal data protection, and exchanging information about the department and individual in charge of personal data protection with the agency specialized in personal data protection. If a data subject’s sensitive personal data is processed, that subject must be notified, except in cases prescribed by law.

2. Data subject’s rights

First, the right to know:

Data subjects are to be made aware of the processing of their personal data, unless otherwise provided by law.

Second, the right to consent:

Data subjects may or may not agree to allow the processing of their personal data, except for the case specified in Article 17 of Decree 13/2023/ND-CP.

Third, access rights:

Data subjects are entitled to access their personal data in order to view, correct or request correction of it, unless otherwise provided by law.

Fourth, the right to withdraw consent:

The data subject is entitled to withdraw his or her consent, unless otherwise provided by law.

Fifth, the right to delete data:

The data subject may delete, or request the deletion of, his/her personal data, unless otherwise provided by law.

Sixth, the right to restrict data processing:

Data subjects may request that the processing of their personal data be restricted, unless otherwise provided by law.

Restriction of data processing is carried out within 72 hours after the request of the data subject, with all personal data that the data subject requests to restrict, unless otherwise provided for by law.

Seventh, the right to provide data:

The data subject may request the Personal Data Controller, or the Personal Data Controller and Processor, to provide him or her with his or her personal data, unless otherwise provided by law.

Eighth, the right to object to data processing: 

+ The data subject can object to the Personal Data Controller, or the Personal Data Controller and Processor, processing his or her personal data in order to prevent or limit the disclosure of personal data or its use for advertising and marketing purposes, unless otherwise provided for by law.

+ The Personal Data Controller, or the Personal Data Controller and Processor, shall fulfill the request of the data subject within 72 hours after receiving the request, unless otherwise provided for by law.

Ninth, the right to complain, denounce and initiate lawsuits:

The data subject has the right to complain, denounce or initiate a lawsuit in accordance with the law.

Tenth, the right to claim damages:

The data subject has the right to claim damages in accordance with the law when a violation of the regulations on the protection of his or her personal data occurs, unless otherwise agreed by the parties or otherwise provided for by law.

Lastly, the right to self-defense:

Data subjects have the right to protect themselves according to the provisions of the Civil Code, other relevant laws and Decree 13/2023/ND-CP, or request competent agencies and organizations to implement methods to protect civil rights as prescribed in Article 11 of the Civil Code 2015.


Apolat Legal

Established in 2014, Apolat Legal is a licensed law firm providing a broad range of legal services in multiple practice areas for domestic and international clients. The firm commits to resolving legal issues regarding businesses thoroughly and in the most beneficial way for various clients in Vietnam.

Apolat Legal is also honored to receive numerous recognitions and/or articles posted by world-leading and local organizations and publications including: The Law Association for Asia and the Pacific (LawAsia, 1966), The Legal500, IP Link, AIPPI, IP Coster, Lexology, Global Trade Review (GTR), The Saigon Times, etc.

Apolat Legal lawyers have long been recognized for their legal expertise, their dedication to their work, and their capacity to draw on their relationships to maximize the interests of clients. The lawyers are grouped into specialized teams and directly participate in each case to provide advice and close support to customers, thereby quickly completing the assigned work in the most effective way.

APOLAT LEGAL’s reputation and the quality of its services are reflected by its clients. We are serving nearly 1,000 clients, both local and foreign. Past and current long-term clients which the firm has worked with include: LG Electronics, Coastal Living Land Joint Stock Company, Wall Street English, Hochiki Asia Pacific Pte.Ltd, Asus Technology (Vietnam) Company Limited, AEON Mall Vietnam, Baskin Robbin, Citigym, Woori Bank Vietnam Limited, Central Group, CJ Gemadept Logistics Holdings Company Limited, K Group Company Limited, Digiworld Corp., Yellow Cab Pizza, Bamboo Capital Joint Stock Company, Sinobright Pharma Co. Limited, Mayekawa, Sky Music Jsc, Oxalis Holiday Company Limited, PGT Holdings, Vinacapital, Capitaland, Donghyup,...
