Consent Rights And Cases Where Consent Of The Data Subject Is Not Required

Individuals have rights and are ensured of their rights in the Era of the Fourth Industrial Revolution. The issuance of Decree No. 13/2023/ND-CP on personal data protection demonstrates the remarkable efforts of the Vietnamese legislators, marking a leap forward in the legal framework and the completion of the legal system, stricter obligations on data protection, creating a legal shield to protect the rights of data subjects. Data subjects have rights over their own personal information. They have the right to decide and consent to the processing of their own personal data. Unauthorized use of personal data without the consent of the data subject regarding the scope and purpose of the collection and use of that information is a violation of the law. The consent right of the data subject has firmly been established and respected by law.

 

Rights of the Data Subject as stipulated by law

According to Article 6, Clause 2, the Data Subject is an individual whose personal data is protected. The individual data subject has rights over their own information and is recognized by law under Article 9 of Decree No. 13/2023/ND-CP. When the rights of the data subject are infringed, the data subject has the right to self-protection or to request competent authorities or organizations for protection according to the provisions of the Civil Code or other relevant laws. The rights of the data subject include:

Right to be informed: The data subject is informed about the processing of their personal data, except as otherwise provided by law.

Right to consent: The data subject has the right to consent or not consent to the processing of their personal data, except as provided in Article 17 of Decree No. 13/2023/ND-CP.

Right to access: The data subject has the right to access, view, modify, or request the modification of their personal data, except as otherwise provided by law.

Right to withdraw consent: The data subject has the right to withdraw their consent, except as otherwise provided by law.

Right to erasure: The data subject has the right to erase or request the erasure of their personal data, except as otherwise provided by law.

Right to restrict processing: The data subject may request the restriction of the processing of their personal data, except as otherwise provided by law. The restriction of data processing shall be carried out within 72 hours after the data subject’s request, for all personal data requested to be restricted, except as otherwise provided by law.

Right to data portability: The data subject may request the Data Controller, Processor, and Controller of personal data to provide their own personal data, except as otherwise provided by law.

Right to object to data processing: The data subject may object to the Controller of personal data, Processor, and Controller processing their personal data to prevent or restrict the disclosure or use of personal data for advertising or marketing purposes, except as otherwise provided by law. The Controller of personal data, Processor, and Controller of personal data shall comply with the data subject’s request within 72 hours of receiving the request, except as otherwise provided by law.

Right to complaint, denounce, and initiate lawsuits: The data subject has the right to complain, denounce, or initiate lawsuits as provided by law.

Right to claim compensation for damages: The data subject has the right to claim compensation for damages as provided by law in case of violation of the provisions on the protection of their personal data, except as otherwise agreed by the parties or provided by law.

Right to self-protection: The data subject has the right to self-protection as provided by the Civil Code, other relevant laws, and Decree No. 13/2023/ND-CP, or to request competent authorities and organizations to implement civil rights protection measures as provided in Article 11 of the Civil Code. When the civil rights of individuals, legal entities are infringed, they have the right to self-protection as provided by the Civil Code, other relevant laws, or request competent authorities and organizations to recognize, respect, protect, and ensure their civil rights, terminate infringement acts, compel apologies, make corrections publicly, perform obligations, and compensate for damages.

 

Why are the rights of the data subject established and respected by law?

Data protection activities are extremely important in today’s digital age. Personal data rights are important factors to promote and improve data protection activities. The purpose of establishing and respecting the rights of the data subject is to:

Protect privacy: Personal data includes sensitive information about individuals such as names, addresses, phone numbers, financial and medical information. The rights of the data subject ensure that this information is not used or disclosed unlawfully. This helps protect privacy and ensure that individuals have control over their information.

Prevent data misuse: The rights of the data subject help prevent the misuse of personal information. When personal data is collected and used improperly, it can lead to unauthorized access, fraud, privacy breaches, or discrimination. The rights of the data subject ensure that the data is identified and used only within the scope and purpose.

Build trust and confidence of users: Caring about the rights of the data subject helps build trust and confidence of users. When users know that their personal information is protected and used properly, they will feel more comfortable sharing information and participating in online activities.

Ensure legal compliance: The rights of the data subject are an important part of the legal system. Compliance with the regulations on the rights of the data subject helps ensure that organizations and individuals operate in accordance with the law and avoid potential legal consequences.

Promote digital economic development: The rights of the data subject are important factors for promoting digital economic development. When users have confidence in the protection of their personal data, they will easily participate in online activities, e-commerce transactions, and share personal information with digital services. This can create a favorable environment for the development of the digital economy and create new business opportunities.

 

Consent right of the data subject

The consent right of the data subject is mentioned in Article 11 of Decree No. 13/2023/ND-CP once again affirming the legal respect for the data subject. The consent of the data subject is the clear expression of their own opinion allowing the processing of personal data. The data subject has the right to consent or not consent to the processing of their personal data. The consent of the data subject applies to all activities in the personal data processing process, except as otherwise provided.

The consent of the data subject is only valid when the data subject voluntary submits their consent and understands the following contents: Types of personal data being processed, purpose of processing personal data, organizations or individuals processing personal data, and rights and obligations of the data subject.

The consent of the data subject must be expressed clearly, specifically in writing, orally, marked in the consent box, consent syntax through messages, selecting consent technical settings, or through another action that demonstrates this.

Consent must be given for the same purpose. When there are multiple purposes, the Data Controller, Processor, and Controller of personal data list the purposes for the data subject to agree to one or more stated purposes.

The consent of the data subject must be expressed in a format that can be printed, copied in writing, including electronically, or in a verifiable format. Silence or lack of response from the data subject shall not be considered as consent. The data subject may consent in part or be subject to conditions. For sensitive personal data processing, the data subject must be informed that the data to be processed is sensitive personal data. The consent of the data subject shall remain valid until the data subject makes another decision or until the competent state authority requests it in writing.

In case of dispute, the responsibility to prove the consent of the data subject belongs to the Personal Data Controller, Personal Data Controller, and Processor.

Through delegation as provided by the Civil Code, organizations and individuals may act on behalf of the data subject to carry out procedures related to the processing of personal data of the data subject with the Personal Data Controller, Personal Data Controller, and Processor, provided that the data subject is fully aware of and agrees to the provisions under Clause 3, Article 11 of Decree 13/2023/NĐ-CP, unless otherwise provided by law.

Cases where the consent of the data subject is not required.

The consent of the individual data subject is highly regarded and respected by law. However, the law also stipulates in certain cases where the permission and consent of the data subject is not required, the processing of personal data shall still be carried out. According to Article 17 of Decree 13/2023/NĐ-CP, there are 05 cases of processing personal data that do not require the consent of the data subject:

  • In urgent cases, it is necessary to immediately process the related personal data to protect the life, health of the data subject, or others. The Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and Third Party shall be responsible for proving this case.
  • Disclosure of personal data as prescribed by law.
  • Processing of data by state agencies with jurisdiction in cases of urgent situations regarding national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a risk of threatening national security, national defense, but not to the extent of declaring a state of emergency; prevention, control of riots, terrorism, prevention, and control of crimes and violations of the law as prescribed by law.
  • To fulfill obligations under contracts of the data subject with related agencies, organizations, and individuals as prescribed by law.
  • To serve the activities of state agencies as stipulated by specialized laws.

Personal data has been protected by law through the rights of the data subject regarding data. The right to consent determines the information of their personal data except in cases of exceptions as prescribed by law.