On April 17, 2023, the Government of Vietnam issued Decree No. 13/2023/NĐ-CP on Personal Data Protection effective from July 2023. The Decree details the rights of data subjects in personal data protection activities.
Key points in the Personal Data Protection Decree include:
Data subject rights
The data subject has a total of 11 rights, including:
1. Right to know: Data subjects have the right to know about their personal data processing activities, unless otherwise provided for by law.
2. The right to consent: The data subject may or may not agree to allow the processing of his/her personal data, except for the case specified in Article 17 of Decree No. 13.
3. Right of access: The data subject is entitled to access to view, correct or request correction of his/her personal data, unless otherwise provided for by law.
4. Right to withdraw consent: Data subject has the right to withdraw his/her consent, unless otherwise provided by law.
5. Right to data erasure: The data subject may have his or her personal data deleted or requested to delete such data, unless otherwise provided for by law.
6. Right to restrict data processing:
a) Data subjects may require to limit the processing of their personal data, unless otherwise provided by law;
b) Restriction of data processing is carried out within 72 hours after the request of the data subject, with all personal data that the data subject requests to limit, unless otherwise provided for by law. other.
7. Right to provide data: Data subject is required by Personal Data Controller, Personal Data Controller and Processor to provide himself/her own personal data, unless otherwise stated by other laws.
8. Right to object to data processing:
a) The data subject has the right to object the Personal Data Controller, the Personal Data Controller and Processor on the processing of their personal data in order to prevent or limit the disclosure of personal data or the use of those data for advertising and marketing purposes, unless otherwise provided by law;
b) The Controller of personal data, the Controller and the processor of personal data shall fulfill the request of the data subject within 72 hours after receiving the request, unless otherwise provided for by law.
9. Right to complain, denounce and initiate lawsuits: Data subjects have the right to complain, denounce or initiate lawsuits in accordance with the law.
10. Right to claim for damages: Data subjects have the right to claim damages in accordance with the law when a breach of regulations on the protection of their personal data occurs, unless the parties otherwise agreed or otherwise provided by law.
11. Right to self-protection: Data subjects have the right to protect themselves according to the provisions of the Civil Code, other relevant laws and this Decree, or request competent agencies or organizations to implement measures related to civil rights protection in accordance with Article 11 of the Civil Code.
Obligations of data subjects
The data subject has the following obligations:
1. Protect their own personal data; request other relevant organizations and individuals to protect their personal data.
2. Respect and protect the personal data of others.
3. Provide complete and accurate personal data when agreeing to allow the processing of personal data.
4. Participate in propaganda and dissemination of personal data protection skills.
5. Comply with the provisions of the law on protection of personal data and participate in the prevention and combat of violations of regulations on protection of personal data.
Classification of personal data
Personal data is divided into two categories, basic and sensitive.
Basic personal data includes full name; Date of birth; date of death or disappearance; sex; place of birth, place of permanent residence, temporary residence, current place of residence; nationality; personal image; phone number; identification number or personal identification number, passport number; driver’s license, license plate; Personal tax code; social insurance, health insurance number; marital status; family relationship.
Sensitive personal data is personal data associated with an individual’s privacy that, if violated, will directly affect an individual’s rights and interests, including: Political views, religion; health status and private life recorded in the medical record; racial or ethnic origin; genetic traits; unique biological characteristics; sexual life and orientation; offenses collected or stored by law enforcement; bank customer information such as identity, account, deposit, deposited assets, transactions; Personal location is determined via location services.
Prohibited conduct regarding personal data
Prohibited conduct regarding personal data includes:
1. Processing personal data contrary to the provisions of the law on protection of personal data.
2. Processing personal data to create information and data to fight against the State of the Socialist Republic of Vietnam.
3. Processing personal data to create information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
4. Obstructing personal data protection activities of competent authorities.
5. Taking advantage of personal data protection activities to violate the law.
ASL LAW is the top tier Litigation and Dispute Resolution law firm in Vietnam. If you need any advice, please contact us for further information or collaboration.