Draft Law on Personal Data Protection: What you need to know?

Personal Data and the Necessity of Personal Data Protection Law

Digital transformation, digital economic development, and the creation of a digital society are the defining trends of the era. Vietnam is accelerating this process to take the lead in the Fourth Industrial Revolution. Personal data is one of the key resources for driving digital transformation, developing the digital economy, and building a digital society.

Personal data is information presented in various formats, including text, digits, images, audio, etc. According to Clause 1, Article 2 of Decree No. 13/2023/ND-CP, personal data is categorised into basic and sensitive personal data. The level of security associated with each type of information determines the specific regulations and protection measures applicable to individuals and organisations that utilise this data for various purposes.

Notably, apart from Decree No. 13/2023/ND-CP, which the Government issued on 17 April 2024, there is no official legal document governing the use of, and protective measures for, these types of data.

In practice, there are significant concerns regarding the frequency of data leakage and unauthorised trading of personal data in cyberspace today. Many organisations and businesses tend to collect more data than necessary but lack adequate data collection mechanisms, and have unclear protocols for processing, using, and transferring data.

In response to this situation, the Ministry of Public Security, in coordination with other concerned ministries, is working closely to introduce the Law on Protection of Personal Data, addressing the current circumstances and the pressing needs of society. The draft law is tentatively expected to be discussed for the first time in a National Assembly session in October 2024, with approval planned for May 2025 and implementation starting on 01 January 2026.


Rights and Obligations of Data Subjects 

One of the primary objectives of the Personal Data Protection Law (PDPL) is to prevent violations against data subjects. Therefore, the draft PDPL specifies the rights and obligations of data subjects concerning the processing of their personal data. A data subject includes individuals, children, and persons declared missing or deceased.

Specifically, data subjects have the right to be informed about the processing of their data, and the right to access, correct, store or erase data upon request. Most importantly, they have the discretion to grant or withdraw consent for the processing of their personal data. In the event of a violation, data subjects have the right to complain, claim compensation, denounce or initiate a lawsuit in accordance with the relevant law.

Additionally, data subjects must proactively protect their personal data and require similar responsibilities from related organisations and individuals. They are also accountable for adhering to PDPL, participating in propaganda to prevent violations, respecting the personal data of others, and only providing accurate and full data when agreeing to allow the processing of personal information.

Scope of Regulation and Subjects of Application

The scope of application of this new law is considered extensive, covering both domestic and foreign entities that are required to comply, including:

  • Vietnamese agencies, organisations and individuals;
  • Foreign agencies, organisations and individuals in Vietnam;
  • Vietnamese agencies, organisations and individuals operating abroad;
  • Foreign agencies, organisations and individuals directly involved in or related to personal data processing activities in Vietnam;
  • Agencies, organisations and individuals that collect and process personal data of foreigners within the territory of the Socialist Republic of Vietnam.

To establish a legal framework for personal data business activities while ensuring compliance with domestic and international regulations, the draft law also includes measures to protect personal data across various fields of operation, such as:

  • In the advertising services business;
  • In labour monitoring and recruitment;
  • In finance, banking, credit and credit information activities;
  • In the fields of healthcare and insurance;
  • In big data processing, artificial intelligence, or in the cloud, etc.

The above organisations and individuals must implement measures to protect personal data within their service systems and equipment. The draft law also explicitly prohibits the illegal purchase, sale, and transfer of data between organisations and individuals without the consent of the data subjects.

Responsibilities of Agencies, Organisations and Individuals

To effectively implement and apply the PDPL, ministries, Government agencies, organisations, and individuals should cooperate closely, each taking responsibility for different aspects.

The Department of Cyber Security and High-Tech Crime Prevention and Control – Ministry of Public Security will assist the Government in managing data protection, guide the implementation of protection activities, and evaluate the results. They will also receive information, cooperate in research with the Ministry of Science and Technology, and investigate and resolve complaints on personal data protection.

The Personal Data Controller is responsible for implementing appropriate data protection measures, storing records of the entire processing, notifying any breaches and ensuring the rights of the data subject, and is also liable for damage caused by the processing of data. The Personal Data Processor only receives and processes data in accordance with its contract with the Controller, commits to protecting the data, and must delete or return all personal data upon completion of the processing.

Third parties and other government agencies must comply with data protection regulations. The People’s Committees of provinces and centrally-run cities are responsible for state management of personal data protection within their areas of jurisdiction and must allocate funding for related activities.

In general, all organisations and individuals must adopt measures to safeguard personal data and promptly inform the Ministry of Public Security of any violations.

Personal Data Protection Organization and Professional

According to the draft, organizations protecting personal data must have sufficient technological and legal capacity and at least one certified professional. Small, medium-sized, or start-up enterprises are exempt from these requirements during the first two years, except for those directly involved in personal data processing. These organizations must achieve the required credit rating and be granted an operating license valid for 5 years, which can be extended upon expiration.

The credit rating for personal data protection will be assessed based on risk factors to classify businesses, allowing those meeting the necessary capacity and staffing requirements to receive certification to operate in the personal data protection field.

Consequences for Breach of the PDPL

According to the recent Draft Law, depending on the severity of the breach, organisations and individuals might face disciplinary measures, administrative punishment or even criminal penalties.

By Pham Phuong Thao

Paralegal 

Midland & Partners Law Firm
