DECREE NO. 13/2023/ND-CP ON PERSONAL DATA PROTECTION
On 17 April 2023, the Government officially issued Decree No. 13/2023/ND-CP on personal data protection ("Decree 13"). Effective from 1 July 2023, Decree 13 is influenced by the European General Data Protection Regulation (GDPR) and, for the first time, consolidates Vietnam's data protection rules into one unified document. Issued after years of discussion, Decree 13 has attracted close attention from companies involved in the processing of personal data in Vietnam, especially in the insurance industry.
The key new points of Decree 13 are as follows:
1. Scope of application:
Decree 13 applies to organizations and individuals both inside and outside Vietnam. Specifically, Decree 13 applies to: (i) agencies, organizations and individuals in Vietnam; (ii) Vietnamese agencies, organizations and individuals operating outside Vietnam; and (iii) foreign agencies, organizations and individuals directly processing, or involved in the processing of, personal data in Vietnam.
2. Categories of personal data: Personal data is categorized into two types as follows:
General personal data: information associated with, or used to identify, a specific individual, including:
- Last name, middle name and first name, other names (if any);
- Date of birth; date of death or going missing;
- Gender;
- Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;
- Nationality;
- Personal image;
- Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;
- Information about the individual’s family relationship (parents, children);
- Digital account information; personal data that reflects activities and activity history in cyberspace;
- …
Sensitive personal data: personal data associated with an individual's privacy which, when infringed, will directly affect the individual's legal rights and interests, including:
- Political and religious opinions;
- Health condition and personal information recorded in health records, excluding information on blood group;
- Information about genetic data related to an individual's inherited or acquired genetic characteristics;
- Information about an individual’s own biometric or biological characteristics;
- Information about an individual’s sex life or sexual orientation;
- Data on crimes and criminal activities collected and stored by law enforcement agencies;
- Information on customers of credit institutions, payment service providers,…;
- Personal location identified via location services;
- …
Protection of sensitive personal data: Decree 13 stipulates that sensitive personal data must be protected more strictly than general personal data. When processing sensitive personal data, the parties processing the data must take note of the following important points:
- Data subjects must be notified that the data being processed is categorized as sensitive personal data;
- Enterprises must designate a department responsible for personal data protection, appoint personnel responsible for personal data protection, and notify the Department of Cybersecurity and Hi-tech Crime Prevention of the Ministry of Public Security (the "Department of Cybersecurity") of these arrangements.
3. Some measures to protect personal data:
Generally, Decree 13 requires the parties participating in and/or related to the processing of personal data to apply necessary and lawful measures to protect personal data. In particular, the Decree sets out the following compulsory measures:
- Developing and issuing internal regulations on personal data protection that clearly list the work required to comply with Decree 13;
- Checking the cyber security of the systems, means and equipment used to process personal data before processing begins, and irrevocably deleting data from, or destroying, devices that contain personal data.
4. Consent of data subject:
Except in certain cases, the processing of personal data requires the data subject’s consent.
a. Contents: The data subject’s consent is valid only if the data subject gives it voluntarily and clearly understands the following:
- Type of personal data;
- Purposes;
- Organization or individual permitted to process personal data;
- Rights and obligations of the data subject.
b. Format of consent:
Consent must be expressed in a clear and specific manner: in writing, by voice, by ticking a consent box, by a consent syntax sent via message, by selecting consent settings, or by another form.
The data subject’s consent must be expressed in a format that can be printed and reproduced in writing, including in an electronic or otherwise verifiable format. Silence or non-response is not considered consent.
c. Exceptions according to Decree 13:
- The personal data is processed to protect the life and health of the data subject or others in an emergency;
- Publication of personal data in accordance with the law;
- Processing of personal data by competent regulatory authorities when there is a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and fight riots and terrorism, crimes and law violations according to the provisions of law;
- The personal data is processed to fulfill obligations under contracts between the data subject and the relevant agencies, organizations and individuals, as prescribed by law;
- The personal data is processed to serve the operations of regulatory authorities, as prescribed by the relevant laws.
5. Notification of violation:
Decree 13 sets out a mechanism for the relevant parties to notify the regulatory authorities of violations of the personal data protection regulations. Accordingly:
a. When detecting a violation of the personal data protection regulations, the Personal Data Controller or Personal Data Controller-cum-Processor must notify the Department of Cybersecurity within 72 hours of the violation occurring; in the case of late notification, the reason for the delay must be provided.
b. Relevant organizations, individuals shall notify the Department of Cybersecurity in the following cases:
- Violations are detected;
- Personal data is processed for purposes other than those intended, contrary to the original agreement between the data subject and the Personal Data Controller or Personal Data Controller-cum-Processor, or in violation of the law;
- The data subject's rights are not protected or not properly exercised;
- Other cases as prescribed by law.
6. Assessment of impact of personal data processing:
Decree 13 also imposes on the Personal Data Controller and the Personal Data Processor the obligation to prepare and retain a dossier assessing the impact of the personal data processing. The dossier must be submitted to the Department of Cybersecurity within 60 days from the date the personal data is processed and must be retained at all times.
7. Transfer of personal data abroad:
Decree 13 permits the transfer of Vietnamese citizens’ personal data abroad provided that the Data Transferor prepares, retains and submits a dossier assessing the impact of the transfer of personal data abroad, in the same manner as the impact assessment dossier described in Section 6. The Ministry of Public Security inspects transfers of personal data abroad once a year, except where a violation of the law is detected or personal data has been leaked or lost.