Practical Issues Regarding Personal Data Protection
Vietnam is among the countries with a high rate of internet development and application, with nearly 80% of the population using the internet. Therefore, the safety of personal data is a pressing issue, closely related to human rights, civil rights, cybersecurity, information security, data security, information technology, the Fourth Industrial Revolution, electronic government, digital government, the digital economy, etc. Decree 13/2023/ND-CP on personal data protection is considered an effective tool to address the issues mentioned above. The decree was developed in accordance with the spirit of the Constitution and suits current socio-economic conditions, ensuring consistency and unity with all existing legal documents while remaining in harmony with international norms and regulations and helping to protect the safety of personal data. Here are some practical issues and guidelines from the Ministry of Public Security for individuals, agencies, organizations, and enterprises in applying and implementing Decree 13/2023/ND-CP.
- Does personal data collected and processed before the effective date of Decree 13/2023/ND-CP need to comply with Decree 13/2023/ND-CP?
Personal data collected before July 1, 2023, the effective date of Decree 13/2023/ND-CP, still falls within the scope of regulation of the Decree. In this case, related organizations and individuals do not need to re-obtain the consent of the data subjects for the data already provided. However, other obligations, such as those related to the collection of personal data, still apply according to the provisions of Decree 13/2023/ND-CP.
- Can the procedures for reporting the assessment of personal data processing impacts and reporting the impacts when transferring personal data abroad be combined into a single annual report? Is it necessary to use an automated system to report the results of data transfers abroad?
There are five administrative procedures related to personal data protection: notification of violations of regulations on personal data protection; preparation and submission of files for assessing the impacts of personal data processing; notification of changes in the content of files for assessing the impacts of personal data processing; preparation and submission of files for assessing the impacts of transferring personal data abroad; and notification of changes in the content of files for assessing the impacts of transferring personal data abroad. First, regarding administrative procedure implementation: the file for reporting the assessment of personal data processing impacts and the file for reporting the impacts when transferring personal data abroad are two separate procedures, with different forms and documents, so they cannot be performed within the same reporting form. Second, regarding the reporting frequency: the file for assessing the impacts of personal data processing is done once for a single case, one type of personal data transfer of Vietnamese citizens abroad, until there is a change. In case of a change in type or contract, organizations and individuals must update and supplement the information according to the file template. There is no need to declare or assess the impact if there is no change compared to the previous file. Third, regarding reporting the results of data transfer abroad through an automated system: Decree 13/2023/ND-CP only stipulates that transferring personal data abroad requires an impact assessment file. The decree does not specify forms of transferring personal data abroad. Therefore, whether personal data is transferred automatically or manually does not affect the company’s file construction.
- According to Decree 13/2023/ND-CP, the file for assessing the impacts of personal data processing must be submitted to the Ministry of Public Security in one original file within 60 days from the date of processing personal data. Accordingly, is it necessary to report to the Ministry of Public Security for data processed or transferred abroad before the effective date of the Decree? What is the prescribed time limit?
File preparation is carried out from the date Decree 13/2023/ND-CP takes effect, that is, within 60 days from that date. Organizations and individuals who, when Decree 13/2023/ND-CP takes effect, have transferred personal data of Vietnamese citizens abroad for business purposes must continue to report.
- According to Decree 13/2023/ND-CP, the Data Controller, Data Controller, and Processor must comply with the data subject’s requests within 72 hours of receiving the request, except as otherwise provided by law. Could you clarify the 72-hour time frame?
The time frame under Decree 13/2023/ND-CP that the Data Controller and Processor must adhere to is 72 consecutive hours, not working hours. To reiterate, the decree clearly states the time frame of 72 hours from receiving the request, meaning 72 consecutive hours, not working hours.
- If there is a contractual relationship between the data subject and the data controller, where the data subject has the obligation to provide data to the data controller to fulfill the contract, can the right to amend, request amendment, or delete data be restricted?
When signing a civil contract according to the provisions of the Civil Procedure Code, the parties involved have clear rights, obligations, and responsibilities. In this case, the information provided by the data subject to the Data Controller and Processor serves the purpose of fulfilling the rights and obligations in the contract. The customer has the right to amend, request amendments to their data, especially in cases where some information of the customer changes, such as issuing a citizen’s identity card. However, the right to amend, request amendments, or delete data cannot be legally restricted. When the request for amendment exceeds the contractual obligation limit, the Data Controller and Processor may notify the customer. In that case, there will be three legal sequential actions: First, terminate the contract. Second, the Data Controller and Processor agree to amend. Third, the data subject withdraws the request for amendment.
- Is the Data Controller allowed to assess the trustworthiness of the data subject based on lawfully generated data during the data provision process to the data subject and share this assessment with other organizations with the full consent of the data subject?
The Ministry of Public Security has assessed the establishment of technical systems by organizations and individuals aimed at collecting personal data for business and profit-making purposes. If personal data used in this activity is with the consent of the data subject and within the scope of service provision, it complies with legal regulations. However, most of these systems automatically collect data from the internet or from various sources, then provide assessments and judgments about a specific individual, and sell them to related parties for profit. This behavior is contrary to the provisions of Article 3 of Decree 13/2023/ND-CP. Therefore, any buying, selling, transferring of personal data, i.e., generating benefits, violates legal regulations, except as otherwise provided by law. Article 2, Article 22 of the Decree clearly stipulates that establishing software systems, technical measures, or organizing activities to collect and transfer, buy or sell personal data without the consent of the data subject violates the law. In practice, it is very difficult for the data subject to agree to allow the Data Controller and Processor to process their personal data for assessing their own trustworthiness, as well as to agree to provide it to a third party for the third party to assess the level of trustworthiness of the individual data subject.
- What constitutes the activity of buying and selling personal data? Is the buying and selling of personal data completely prohibited? Is it permissible to buy and sell data if the data subject agrees?
The activity of buying and selling personal data is understood as the purchase and sale of assets within civil relationships, primarily aimed at profit-making. The main purpose of such transactions is not necessarily for business purposes but can serve other purposes such as consumption, gifting, etc. Any party involved in such transactions must have the need and legal capacity to act according to the provisions of the law. The buying and selling of personal data is not completely prohibited, provided that specific cases allowing such transactions are specified by the law. The consent of the data subject is not the sole basis for determining the permissibility of buying and selling. In this regard, only the law can stipulate the cases where such transactions are permitted.
- Can the Personal Data Processing Impact Assessment dossier and the notification of changes to the content of the Personal Data Processing Impact Assessment dossier be conducted in English?
According to the administrative procedure regulations, all forms of the dossier for Personal Data Processing Impact Assessment must be prepared in Vietnamese. Individuals and organizations cannot submit dossiers in English or translate them into Vietnamese. Instead, they must directly complete the dossier form on the National Portal for Personal Data Protection or download the form and submit it directly to the Cybersecurity and High-Tech Crime Prevention Department.
- Is the “Processing of Personal Data in Vietnam” understood to only include processing activities conducted within the territory of Vietnam? In cases where foreign organizations or enterprises collect personal data of Vietnamese citizens in Vietnam but immediately transfer it abroad, and all data processing activities occur overseas, does it fall within the scope of regulation of Decree 13/2023/ND-CP?
Foreign organizations and enterprises that collect data of Vietnamese citizens, transfer such data abroad, or receive data of Vietnamese citizens fall within the scope of regulation of Decree 13/2023/ND-CP, regardless of whether the data processing activities occur within the territory of Vietnam or not. Therefore, organizations and enterprises should pay attention to the factor of processing personal data of Vietnamese citizens, rather than the location where such data processing occurs.
- According to Article 9(1) of Decree 13/2023/ND-CP, data subjects have the right to obtain knowledge about the processing of their personal data. Therefore, does an organization processing personal data have to notify the data subject beforehand? Is data deletion required upon the request of the data subject? Is there an agreement with the former data subject regarding notification?
As per the regulation, notification should be carried out once before commencing any personal data processing activity. The content of the notification includes informing the data subject of the purpose of processing, the types of data, processing methods, information about relevant organizations or individuals involved in the processing purpose, possible consequences, potential damages, and the start and end time of processing. Notification is not required in the following cases: when the data subject is already aware of and agrees to the collection of data by the Controller and Processor, or when the data is processed by state agencies in accordance with legal regulations.
Data deletion is required in the following cases: when the data is no longer necessary, is not suitable for the agreed-upon purpose of data collection, must be deleted according to legal regulations, the data subject withdraws consent, objects to data processing, or data processing violates legal provisions. However, in some cases specified by the decree, data deletion may not be performed even upon the data subject’s request, such as when the law prohibits deletion, the personal data has been publicly disclosed according to legal regulations, the personal data is processed by state agencies authorized to serve the activities of the state, or in response to urgent situations threatening the life, health, or safety of the data subject or others, or in emergency situations related to national defense, national security, social order, and safety.
Regarding notification to former data subjects, the decree clearly stipulates that it takes effect from 01/07/2023. If the data has been collected in compliance with legal regulations, it is not necessary to seek the data subject’s consent again. Other obligations continue to be fulfilled as usual if organizations and enterprises continue to process the personal data already collected from former data subjects.
Fully understanding the importance and significance of personal data requires recognizing that its protection is not the sole responsibility of state agencies but also the obligation of every individual, organization, and institution. The practical issues addressed by the Ministry of Public Security and its guidance partly help people comprehend and apply Decree 13/2023/ND-CP.