Dear Valued Clients,
In recent years, the purchase and disclosure of personal data has become increasingly common in cyberspace, seriously affecting the freedom and privacy of users. Therefore, on April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on the protection of personal data (“Decree 13”), effective from July 1, 2023. This Decree is considered the first comprehensive legal document regulating the protection of personal data in Vietnam.
To better understand the regulations on personal data protection and the responsibilities of relevant organizations and individuals under Decree 13, please read our article below.
1. Subjects of application
Article 1.2 of Decree 13 has clarified the subjects that must comply with Decree 13 as follows:
(i) Vietnamese agencies, organizations and individuals;
(ii) Foreign authorities, entities and individuals in Vietnam;
(iii) Vietnamese agencies, organizations and individuals that operate in foreign countries;
(iv) Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam.
Thus, in general, Decree 13 applies to all domestic or foreign organizations and individuals that are involved in the processing of personal data in Vietnam (e.g. employees, clients, suppliers, users or other individuals), even if the processing of the personal data is done outside of Vietnam.
Micro-enterprises, small enterprises, medium-sized enterprises and startup companies have the right to opt for exemption from regulations on the appointment of individuals and departments in charge of personal data protection for the first 2 years from the date of establishment. In contrast, micro-enterprises, small enterprises, medium-sized enterprises, and startup companies directly engaging in the business of processing personal data shall not be governed by Decree 13.
2. Personal data and sensitive personal data
Whereas the Vietnamese legal system previously did not provide a specific definition of personal data, Decree 13 defines the concept comprehensively for the first time. Accordingly, personal data is understood as electronic information in the form of symbols, letters, numbers, images, sounds, or equivalent forms associated with an individual or used to identify an individual. The appearance of the term personal data has contributed to forming a common understanding among similar terms (nearly 10 terms) existing in different legal documents.
Decree 13 divides personal data into 2 categories, i.e. general personal data and sensitive personal data. General personal data includes: Last name, middle name and first name, other names (if any); Date of birth; date of death or going missing; Gender; Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address; Nationality; Personal image; Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number, and health insurance card number; Marital status; Information about the individual’s family relationship (parents, children); Digital account information; personal data that reflects activities and activity history in cyberspace; Other information that is associated with a person or helps identify a person and is not sensitive personal data.
In order to distinguish sensitive personal data from general personal data, Decree 13 has also recognized the concept of “sensitive personal data” for the first time. Specifically, Article 2.4 Decree 13 stipulates:
“4. “Sensitive personal data” refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests, including:
a) Political and religious opinions;
b) Health condition and personal information stated in the health record, excluding information on blood group;
c) Information about racial or ethnic origin;
d) Information about genetic data related to an individual’s inherited or acquired genetic characteristics;
dd) Information about an individual’s own biometric or biological characteristics;
e) Information about an individual’s sex life or sexual orientation.
g) Data on crimes and criminal activities collected and stored by law enforcement agencies;
h) Information on customers of credit institutions, foreign bank branches, payment service providers, and other licensed institutions, including customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;
i) Personal location identified via location services;
k) Other specific personal data as prescribed by law that requires special protection.”
This recognition reflects the compatibility of Vietnam’s law with other laws on the protection of personal data in the world, thereby creating a premise to set a high level of legal requirements to protect sensitive personal data. Notably, the concept of sensitive personal data mentioned here is related to the right to privacy of individuals. Therefore, the regulations on data protection are aimed at the security of personal information, especially sensitive information likely to harm an individual’s private life.
3. Processing of personal data of data subject
In addition to the concept of personal data and sensitive personal data, “data subject” is also a new concept mentioned in Decree 13. A data subject is defined as an individual to whom the data relates. Thus, information about the enterprise shall not be considered as personal data. In other words, only personal information shall be governed and protected under Decree 13.
In general, the consent of the data subject is an important basis for ensuring the legality of the processing of personal data. Similar to the laws on the protection of personal data in the world, Decree 13 stipulates that the consent of the data subject shall be applied to all activities in the processing of personal data. The consent is only valid when the data subject voluntarily consents and clearly knows the following contents: (i) Type of personal data to be processed; (ii) Purposes of processing personal data; (iii) Organizations and individuals that are permitted to process personal data; (iv) Rights and obligations of data subjects. In addition, according to Article 11 Decree 13, the consent of the data subject shall:
(i) be expressed in a clear and specific manner in writing, by voice, by ticking the consent box, by consent syntax via message, by selecting consent settings or by other forms.
(ii) be bound to the same purpose. In case of multiple purposes, the Personal Data Controller and the Personal Data Controller-cum-Processor shall list these purposes so that the data subject consents to one or several purposes that have been set out.
(iii) be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format.
In particular, the silence or non-response of the data subject is not considered consent. In case of the processing of sensitive personal data, the data subject shall be notified thereof. The data subject shall have the right to withdraw his/her consent at any time.
In addition, Decree 13 also stipulates the processing of personal data in some special circumstances, such as the processing of personal data without the consent of the data subjects, processing of data obtained from audio and video recording activities in public places, processing personal data of people who are declared missing or dead, processing of children’s personal data, and protecting personal data upon provision of marketing and advertising services. The data subject shall have the right to claim damages in accordance with the law when there is any violation of the regulations on protection of his/her personal data, unless otherwise agreed by the parties or otherwise stipulated by law.
4. Outbound transfer of personal data
A Vietnamese citizen’s personal data shall be transferred abroad with the written consent of the data subject, given on the basis of being informed of the mechanism for feedback and complaints in case problems or requests arise. At the same time, there must be a document setting out the binding obligations and responsibilities between the organizations and individuals that transfer and receive personal data of Vietnamese citizens regarding the processing of personal data.
To transfer the personal data of Vietnamese citizens abroad, according to Article 25 Decree 13, the Senders (consisting of the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party) shall prepare a dossier on assessment of the impact of the outbound transfer of personal data according to regulations and send it to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) under Form No. 06 in the Appendix to Decree 13 within 60 days from the date of processing of personal data. If there is any request to update or supplement the dossier, the Senders shall complete it within 10 days from the date of request. The Sender shall notify the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) in writing of information about the data transfer and contact details of the organization or individual in charge of such transfer after the personal data is successfully transferred.
The Ministry of Public Security shall have the right to inspect the outbound transfer of data and may issue a decision to stop the transfer of data abroad in case of failure to comply with the regulations of the Decree.
5. Personal data protection measures
According to the provisions of Article 2.5 Decree 13, personal data protection refers to an act of preventing, detecting, and handling violations related to personal data in accordance with the law. In the process of processing personal data, relevant organizations and individuals are required to apply personal data protection measures to prevent the unauthorized collection of personal data from the system and its service equipment.
Personal data protection measures shall be adopted from the beginning of and throughout the processing of personal data, including 5 measures as follows:
(i) Management measures adopted by an organization or individual related to the processing of personal data;
(ii) Technical measures adopted by an organization or individual related to the processing of personal data;
(iii) Measures adopted by a competent authority according to regulations in this Decree and relevant law;
(iv) Investigation and procedure measures adopted by a competent authority;
(v) Other measures as prescribed by law.
Personal data protection measures will be applied depending on whether the personal data is general personal data or sensitive personal data. Therefore, all enterprises and organizations need to quickly issue an internal process on personal data protection in accordance with the provisions of this Decree.
6. Notification obligation in case of violation of regulations on personal data protection
Article 3.4 and Article 22.2 Decree 13 do not allow organizations and individuals to purchase or sell personal data in any form. Therefore, the installation of software systems, implementation of technical measures, or organization of collection, transfer, purchase, or sale of personal data without the consent of the data subject is a violation of the law.
In case of detection of a violation against regulations on the protection of personal data, the Personal Data Controller or the Personal Data Controller-cum-Processor shall notify the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) within 72 hours after such violation is committed according to Form No. 03 in the Appendix to this Decree. If the notification is given after 72 hours, the reason for the late notification shall be provided. At the same time, the Personal Data Processor shall notify the Personal Data Controller as quickly as possible after detecting the violation against regulations on the protection of personal data.
The Personal Data Controller or the Personal Data Controller-cum-Processor shall make a written confirmation of the violation against regulations on protection of personal data, and cooperate with the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) in handling such violation.
Agencies, organizations, and individuals that commit violations against regulations on the protection of personal data, depending on the severity of their violations, may be disciplined, or face administrative penalties or criminal prosecution according to regulations. In addition, such an agency, organization, or individual is also suspended from certain activities, such as through a decision to stop the outbound transfer of data.
7. Personal data protection authority
According to Article 29 Decree 13, the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security (A05) will act as the personal data protection authority. Therefore, this agency has the authority to review, evaluate, inspect, and examine the compliance of enterprises and other organizations and individuals with regulations on the protection of personal data.
As usual, we hope you find this Legal Update helpful and look forward to working with you in the time ahead.
ENT Law LLC
 Article 4.1, Article 4.2 Law on Provision of Assistance for Small and Medium-Sized Enterprises No. 04/2017/QH14 of the National Assembly dated June 12, 2017 (“Law on Provision of Assistance for Small and Medium-Sized Enterprises 2017”) [Criteria for identification of Small and Medium-Sized Enterprises]
“1. A Small and Medium-Sized Enterprise includes a micro-enterprise, small enterprise or medium-sized enterprise whose annual average number of employees who participate in social insurance does not exceed 200 and satisfies one of the following criteria:
a) The total capital does not exceed 100 billion dong;
b) The total revenue of the previous year does not exceed 300 billion dong.
c) The Micro-enterprise, small enterprise, or medium-sized enterprise are identified by industries including agriculture, forestry, aquaculture; industry and construction; and trade and services”.
 Article 3.2 Law on Provision of Assistance for Small and Medium-Sized Enterprises 2017: “‘Startup’ means a Small and Medium-Sized Enterprise that is established to implement its business ideas based on the exploitation of intellectual property, technology, and new business models and is able to grow quickly.”
 Article 42.2, Article 43.3 Decree 13.
 Article 2.1 Decree 13.
 Article 2.3 Decree 13.
 Article 2.6 Decree 13.
 Article 12 Decree 13.
 Article 17 Decree 13.
 Article 18 Decree 13.
 Article 19 Decree 13.
 Article 20 Decree 13.
 Article 21 Decree 13.
 Article 9.10 Decree 13.
 Article 2.9 Decree 13: “Personal Data Controller refers to an organization or individual that decides purposes and means of processing personal data”.
 Article 2.11 Decree 13: “Personal Data Controller-cum-Processor refers to an organization or individual that jointly decides purposes and means, and directly processes personal data”.
 Article 2.10 Decree 13: “Personal Data Processor refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller”.
 Article 2.12 Decree 13: “Third Party refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, Personal Data Controller-cum-Processor that is permitted to process personal data”.
 Article 25.2 Decree 13.
 Article 25.8 Decree 13.
 Article 26.2 Decree 13.
 Article 27, Article 28 Decree 13.
 Article 4 Decree 13.