On April 17, 2023, the Government issued Decree 13/2023/ND-CP on personal data protection, intended to build a legal corridor for the national digital transformation with the twin aims of securing information and developing the digital society.
The decree recognizes the basic rights of individuals as data subjects and sets out technical and legal requirements for businesses that control and process the data of Vietnamese citizens. It also specifies the functions and authority of the agencies entrusted with protecting personal data in Vietnam, and lays down special requirements for the cross-border processing of personal data.
Concept and recognition of the right to personal data and privacy
It is noteworthy that the decree provides a full-fledged concept of personal data, covering symbols, writing, numbers, images and sounds that identify a person, whether in the traditional physical environment or in the electronic environment. The term "personal data" thus creates a common understanding in place of the nearly ten similar terms used across different legal documents.
At the same time, the decree for the first time defines "sensitive personal data" and distinguishes it from ordinary personal data.
Specifically, Item 4 of Article 2 of the decree states: "Sensitive personal data refers to data associated with personal privacy... comprising political views, religious views; health and private conditions stated in medical records, excluding information on blood type; information related to biometrics, physique, biology, sexual life and sexual orientation, racial origin, national origin of an individual; data on criminal offenses and criminal behavior; client information at a credit institution, a foreign bank branch or an intermediary payment service provider; data on an individual's location via GPS..."
This legal recognition aligns Vietnam's law with other jurisdictions in the field of personal data protection, and it is the prerequisite for imposing higher legal requirements on the protection of sensitive personal data.
Notably, the definition ties sensitive personal data to personal privacy, which shows that personal data protection here is built upon the protection of privacy. Simply put, everyone has the right to privacy, which extends to all of their personal information; legal provisions on data protection therefore exist to safeguard personal information, especially sensitive information whose exposure could harm a person's privacy.
Data subject's rights: consent and exceptions
The data subject's rights encompass multiple freedoms over personal data, such as the right of access, the right to consent to or refuse the processing of personal data, the right to be informed and the right to demand erasure. The data subject also has the right to self-protection, that is, to prevent other parties from infringing on their personal data, and in particular the right to demand compensation when their personal data rights are violated.
In principle, an individual has the right to consent to another party's processing of his or her data and to withdraw that consent. These rights are limited, however, in circumstances where the decree allows processing without the data subject's consent: emergencies in which processing is needed to protect the life or health of that individual or of others; emergencies concerning national defense, security or social order and safety; processing needed to perform an established contract; and processing needed for the operation of State agencies as provided in other specific laws (Article 19).
These exceptions are meant to balance the interests of different parties in society, between the data subject's freedoms and the legitimate rights and interests of others, and to serve national security, national interests and the public welfare.
Enterprises’ responsibility over data control and processing
The decree covers every entity involved with personal data: it addresses not only data subjects but also data controllers, data processors and third parties with access to the data. All of these parties must comply with the legal rules and meet the technical standards on data processing, data protection and cross-border data transfer. Violators, whether agencies, organizations or individuals, face heavy financial sanctions.
Specifically, enterprises need to conduct an overall assessment of the risks involved in their processing of personal data; deploy technical measures that allow users to access, view, change and erase their personal data online; review and update their personal data processing procedures against the new rules; and establish and maintain a governance mechanism that keeps compliance high throughout their operations.
For large enterprises whose systems already comply with European or other foreign data protection rules, the decree is not hard to follow, because its requirements on data processing entities are fairly consistent with the legal frameworks of other international trading regions. Small and medium enterprises, however, will run into trouble if they do not set up proactive compliance procedures, whether from sudden requests by customers or from inspections by State agencies.
Despite these positive points, some provisions of the decree remain ambiguous and may cause difficulties for enterprises. For example, Item 2 of Article 14 provides that a data subject making a request must go to the head office of the relevant party and fill out the request form. Could an automated procedure be allowed instead, so that the data subject can make the request and fill out the form online from home?
Personal data watchdog
The decree designates the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security as the watchdog for personal data protection. This agency has the authority to review, appraise, check and inspect enterprises, organizations and individuals for compliance with the personal data protection rules.
This means that enterprises controlling and processing personal data are obliged to carry out the required assessments and inspections and report directly to this State agency. Upon any violation in data processing, enterprises must immediately notify the Department and share the related information and dossiers (Articles 23, 24 and 25). Exchanges of information and communications between the Department and the relevant parties are conducted through the National Portal on Personal Data Protection (Item 2, Article 29).
Many hold the view that, given its mandate to inspect and appraise compliance with the rules on controlling and processing personal data, the Department of Cyber Security and High-Tech Crime Prevention must remain independent and objective in performing that role. Yet under the new decree, the parties subject to the Department's inspection also include other State administrative agencies that control and process personal data (Article 1). One of the major challenges in implementing the decree is therefore ensuring objectivity in the Department's inspections and appraisals. If fairness and objectivity can be ensured, the new decree will strengthen the rule of law and the protection of human and citizen rights in a digital society.
(*) Lecturer of Law Faculty, University of Economics and Law, National University HCMC
(**) Lecturer of Law Faculty, School of Economics, Law and State Administration, HCMC University of Economics