Tiếng Việt
中文 (中国)
日本語
On the morning of June 29, 2023, ASL LAW conducted an online seminar in the form of a webinar with the theme: Personal Data Protection Decree in Vietnam and Cross-Border Transactions.
The purpose of this online seminar was to introduce and analyze the legal framework related to personal data protection and the difficulties and considerations to be taken into account when Decree No. 13/2023/NĐ-CP (“Decree No. 13“) on personal data protection takes effect from July 1, 2023. It aimed to provide practical guidance for individuals, businesses, and organizations operating in fields related to the collection and processing of personal information and data in Vietnam to pay attention to before the decree takes effect, to avoid unforeseen impacts that may arise when not fully aware of the decree’s information and to avoid affecting their operational and business models.
Speakers at the Seminar
- Lawyer Pham Duy Khuong, Managing partner of ASL LAW.
- Lawyer Nguyen Thi Thuy Chung, Senior Partner of ASL LAW.
Main Content of the Online Seminar on the Personal Data Protection Decree in Vietnam and Cross-Border Transactions
The Decree on Personal Data Protection in Vietnam will take effect from July 1, 2023. This is expected to significantly impact the collection, transfer, storage, and processing of personal data in Vietnam.
In this online seminar, ASL LAW lawyers provided the latest information on the new conditions and measures that businesses should apply to operate legally in Vietnam.
Types of Personal Data
To start the seminar, Lawyer Khuong introduced the classification of types of information and personal data, which are newly regulated in Vietnam. Personal data includes basic personal data and sensitive personal data.
Clause 3 and Clause 4, Article 2 of Decree No. 13 provide detailed provisions on the types of basic personal data and sensitive personal data. Specifically:
Basic personal data includes full name, date of birth, date of death, gender, place of birth, permanent address, temporary address, current address, nationality, personal image, phone number, identity card number or personal identification number, passport number, driver’s license, vehicle registration number, personal tax code, social insurance code, health insurance code, marital status, family relationship.
Sensitive personal data is personal data related to an individual’s privacy, the infringement of which directly affects the rights and interests of that individual. It includes political opinions, religious beliefs, health status, private life recorded in medical records, origin or ethnicity, genetic characteristics, special characteristics, sexual life and orientation, evidence of criminal behavior collected or stored by law enforcement agencies, customer information of banks such as identity, accounts, deposits, entrusted assets, transactions, and personally identifiable location through positioning services.
Data Subjects and Consent of Data Subjects
In the next part, Lawyer Khuong and Lawyer Chung shared about the entities regulated in Decree No. 13, including the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and Third Party.
Furthermore, Lawyer Chung shared about the consent requirement of data subjects applicable to all activities in the personal data processing process as stipulated in Article 11 of Decree No. 13.
Some notable provisions include:
- The consent of the data subject must be expressed clearly and specifically in writing, orally, marked in the consent box, consent syntax via messages, selecting consent technical settings, or through another action that demonstrates this.
- Silence or lack of response from the data subject does not constitute consent.
- The data subject may partially consent or consent with conditions.
- For the processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.
Cases where consent of the data subject is not required
According to Lawyer Chung, based on the provisions of Article 17 of Decree No. 13, the following cases allow the processing of personal data without the consent of the data subject:
- In cases of emergency.
- In cases of national emergency.
- The public disclosure of personal data as prescribed by law.
- In cases of urgent national defense and security.
- To fulfill obligations under contracts between the data subject and relevant agencies, organizations, or individuals as prescribed by law.
- To serve the activities of state agencies as regulated by specialized laws.
Assessing the impact of personal data processing
The process of assessing the impact of personal data processing will involve 9 steps, including:
The sample notification sent to the Ministry of Public Security, which is attached in the presentation, is displayed along with the sending process, estimated processing time, and other notes:
Cross-border transactions
Next, Lawyer Khuong explains the topic of cross-border transactions, including the fundamental stages and important considerations when carrying out activities related to the processing of personal data.
Addressing violations and actively implementing protective measures
When there are infringements, the data subject should contact and report the infringements to the competent authorities for handling and resolving the incident.
To avoid reactive coping, parties should proactively implement personal data protection measures in advance:
Consequences of personal data breaches
According to Decree No. 13, there are two penalties for personal data breaches: administrative fines and criminal prosecution.
Article 30, Section 1 of Decree No. 14/2022/NĐ-CP stipulates that the party committing the act of personal data breach may be fined up to 70 million VND.
In particularly serious cases, the violator may be criminally prosecuted under Article 159, Article 288 of the Criminal Code 2015 No. 100/2015/QH13 for the offenses of infringing secrecy or safety of correspondence, telephone, telegram, or other forms of exchanging private information of others, or the offense of unlawfully providing or using information on computer networks, telecommunications networks. The maximum penalty is up to 7 years of imprisonment.
Points for businesses to note about Decree No. 13
When Decree No. 13 on personal data protection in Vietnam and cross-border transactions takes effect, businesses currently operating or planning to operate in Vietnam should take note of the following factors:
- Conditions regarding the business entity: 6 conditions.
- Preparation of internal procedures: 4 steps.
- Drafting contracts specifying details of personal data: 7 main contents.
At the end of the online seminar, Lawyer Pham Duy Khuong expresses gratitude to all the attendees and assures that ASL LAW will commit to providing the latest information on the Personal Data Protection Decree in Vietnam and Cross-border Transactions to the attendees via email, especially the necessary official document templates when authorized agencies issue them.
Attendees of the program can also send any questions related to the seminar topic to the email: [email protected], and the legal team of ASL LAW will prepare detailed answers to address the attendees’ inquiries.
ASL LAW is the top-tier Vietnam law firm for in-depth legal advice in Vietnam and internationally. If you need any advice, please contact us for further information or collaboration.
