Personal data is one of the issues that attracts a lot of attention in today’s modern society, there have been acts of stealing/selling personal data to infringe upon the individual rights, using sophisticated scripts to defraud appropriate property,.. Therefore, the Government’s promulgation of Decree No. 13/2023/ND-CP on the protection of personal data is considered essential in the current situation, this Decree will help create a legal framework so that the competent authorities can manage and review compliance with regulations on personal data protection, all parties must be jointly responsible for personal data protection, increase the rights of data subjects and other provisions detailed in the Decree. The Decree will take effect from July 1^st, 2023.

1. How does Decree No. 13/2023/ND-CP regulate personal data and protection measures?

Personal data is information in the form of symbols, letters, numbers, images, sounds or the like on an electronic medium that is associated with a particular person or helps to identify a particular person. Personal data includes basic personal data and sensitive personal data.

Basic personal date include:

1. Full name, middle name and birth name, other name (if any);
2. Date, month and year of birth; date, month, year dead or missing;
3. Gender;
4. Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current residence, hometown, contact address;
5. Nationality;
6. Pictures of individuals;
7. Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
8. Marital status;
9. Information about family relationships (parents, children);
10. Information about the individual’s digital account; personal data reflecting activities, history of activities on cyberspace;
11. Other information associated with a specific person or helping to identify a specific person.

Sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests, including:

1. Political views, religious views;
2. Health status and private life are recorded in the medical record, excluding information about blood type;
3. Information related to racial or ethnic origin;
4. Information about inherited or acquired genetic characteristics of the individual;
5. Information about the individual’s physical attributes and biological characteristics;
6. Information about an individual’s sex life and sexual orientation;
7. Data on crimes and offenses are collected and stored by law enforcement agencies;
8. Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including: customer identification information as prescribed by law, information on accounts, information on deposits, information on deposited assets, information on transactions, information on organizations and individuals as guarantors at credit institutions, bank branches, payment intermediary service providers;
9. Personal location data identified through location services;
10. Other personal data required by law is specific and requires necessary security measures. 

Measures to protect personal data will be applied from the beginning and throughout the processing of personal data, including:

1. Management measures taken by organizations and individuals related to personal data processing;
2. Technical measures taken by organizations or individuals related to personal data processing;
3. Measures were taken by competent state management agencies in accordance with this Decree and relevant laws;
4. Investigation and procedural measures taken by competent state agencies; other measures as prescribed by law.

Protection of personal data is applying the protection measures mentioned above, developing and promulgating regulations on personal data protection, stating what needs to be done according to the Decree, encouraging the application of personal data protection standards appropriate to each field, industry, and activity related to personal data processing; and check the network security of the system and the means and equipment for personal data processing before processing, irrecoverable deletion or destruction of the devices containing personal data.

The protection of sensitive personal data also applies the protections outlined above and the basic personal data protection measures; appoint a department with the function of protecting personal data, appoint personnel in charge of personal data protection, and exchange information about the department and individual in charge of personal data protection with the specialized agency protect personal data. If the subject’s sensitive personal data is processed, they must be notified that subject, except in cases prescribed by law.

2. Data subject’s rights

First, the right to know:

Data subjects are made aware of their personal data processing activities, unless otherwise provided by law.

Second, the right to consent:

Data subjects may or may not agree to allow the processing of their personal data, except for the case specified in Article 17 of Decree 13/2023/ND-CP.

Third, access rights:

Data subjects are entitled to access to view, correct or request correction of their personal data, unless otherwise provided by law.

Fourth, the right to withdraw consent:

The data subject is entitled to withdraw his or her consent, unless otherwise provided by law.

Fifth, the right to delete data:

The data subject is deleted or requested to have his/her personal data deleted, unless otherwise provided by law.

Sixth, the right to restrict data processing:

Data subjects are required to limit the processing of their personal data, unless otherwise provided by law.

Restriction of data processing is carried out within 72 hours after the request of the data subject, with all personal data that the data subject requests to restrict, unless otherwise provided for by law.

Seventh, the right to provide data:

The data subject is requested by the Personal Data Controller, Personal Data Controller and Processor to provide themselves with their personal data, unless otherwise provided by law.

Eighth, the right to object to data processing: 

+ The data subject can object to the Personal Data Controller, the Personal Data Controller and Processor processing its personal data in order to prevent or limit the disclosure of personal data or its use for advertising and marketing purposes, unless otherwise provided for by law.

+ The Controller of personal data, the Controller and the processor of personal data shall fulfill the request of the data subject within 72 hours after receiving the request, unless otherwise provided for by law.

Ninth, the right to complain, denounce and initiate lawsuits:

The data subject has the right to complain, denounce or initiate a lawsuit in accordance with the law.

Tenth, the right to claim damages:

The data subject has the right to claim damages in accordance with the law when a violation of the regulations on the protection of his or her personal data occurs, unless otherwise agreed by the parties or otherwise provided for by law.

Lastly, the right to self-defense:

Data subjects have the right to protect themselves according to the provisions of the Civil Code, other relevant laws and Decree 13/2023/ND-CP, or request competent agencies and organizations to implement methods to protect civil rights as prescribed in Article 11 of the Civil Code 2015.