Decree No. 13/2023/ND-CP, Hanoi, April 17, 2023. Personal Data Protection
DECREE ON PERSONAL DATA PROTECTION
Pursuant to the Law on Organization of the Government dated June 19, 2015; Law amending and supplementing a number of articles of the Law on Organization of the Government and the Law on Organization of Local Government dated November 22, 2019;
Pursuant to the Civil Code dated November 24, 2015;
Pursuant to the Law on National Security dated December 3, 2004;
Pursuant to the Law on Cyber Security dated June 12, 2018;
At the request of the Minister of Public Security;
The Government issued a Decree on personal data protection.
Chapter I.- GENERAL PROVISIONS
Article 1. Scope of regulation and applicable subjects
1. This Decree provides for the protection of personal data and the responsibility of relevant agencies, organizations and individuals to protect personal data.
2. This Decree applies to:
a) Vietnamese agencies, organizations and individuals;
b) Foreign agencies, organizations and individuals in Vietnam;
c) Vietnamese agencies, organizations and individuals operating abroad;
d) Foreign agencies, organizations and individuals directly involved in or related to personal data processing activities in Vietnam.
Article 2. Interpretation of terms
In this Decree, the following terms are construed as follows:
1. Personal data is information in the form of symbols, letters, numbers, images, sounds or similar forms in an electronic environment that is associated with a specific person or helps to identify a specific person. Personal data includes basic personal data and sensitive personal data.
2. Information that helps identify a specific person is information generated from an individual’s activities that, when combined with other stored data and information, can identify a specific person.
3. Basic personal data includes:
a) Surname, middle name, birth name, other names (if any);
b) Date of birth; date of death or disappearance;
c) Gender;
d) Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
đ) Nationality;
e) Personal image;
g) Telephone number, identity card number, personal identification number, passport number, driver’s license number, vehicle license plate number, personal tax code number, social insurance number, health insurance card number;
h) Marital status;
i) Information about family relationships (parents, children);
k) Information about individual digital accounts; personal data reflecting activities and history of activities in cyberspace;
l) Other information associated with a specific person or helping to identify a specific person not covered by Clause 4 of this Article.
4. Sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect the individual’s legitimate rights and interests, including:
a) Political views, religious views;
b) Health status and personal information recorded in medical records, excluding blood type information;
c) Information related to racial origin, ethnic origin;
d) Information on inherited or acquired genetic characteristics of an individual;
đ) Information on individual physical attributes and biological characteristics;
e) Information about an individual’s sexual life and sexual orientation;
g) Data on crimes and criminal acts collected and stored by law enforcement agencies;
h) Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including: customer identification information as prescribed by law, account information, deposit information, deposited assets information, transaction information, information about organizations and individuals that are guarantors at credit institutions, bank branches, and payment intermediary service providers;
i) Data on the location of an individual determined through location services;
k) Other personal data that is specified by law as specific and requires necessary security measures.
5. Personal data protection is the activity of preventing, detecting, stopping and handling violations related to personal data according to the provisions of law.
6. Data subject is the individual about whom the personal data is reflected.
7. Processing of personal data is one or more activities affecting personal data, such as: collecting, recording, analyzing, validating, storing, editing, publishing, combining, accessing, retrieving, withdrawing, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data or other related actions.
8. Consent of the data subject is the clear, voluntary, affirmative expression of permission for the processing of the data subject’s personal data.
9. The Personal Data Controller is the organization or individual that decides the purposes and means of processing personal data.
10. The Personal Data Processor is an organization or individual that processes data on behalf of the Data Controller, through a contract or agreement with the Data Controller.
11. The Personal Data Controller and Processor is the organization or individual that simultaneously decides the purposes and means of processing and directly processes personal data.
12. Third Party is an organization or individual, other than the Data Subject, the Personal Data Controller, the Personal Data Processor, or the Personal Data Controller and Processor, that is authorized to process personal data.
13. Automated personal data processing is a form of personal data processing carried out by electronic means to evaluate, analyze, and predict the activities of a specific person, such as: habits, preferences, trust level, behavior, location, trends, capacity and other cases.
14. Transferring personal data abroad is the activity of using cyberspace, devices, electronic means or other forms to transfer personal data of Vietnamese citizens to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of Vietnamese citizens, including:
a) Organizations, enterprises and individuals transfer personal data of Vietnamese citizens to organizations, enterprises and management departments abroad for processing in accordance with the purposes agreed to by the data subject;
b) Processing personal data of Vietnamese citizens by automated systems located outside the territory of the Socialist Republic of Vietnam by the Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor in accordance with the purposes agreed to by the data subject.
Article 3. Principles of personal data protection
1. Personal data is processed in accordance with the provisions of law.
2. The data subject is informed about the activities related to the processing of his/her personal data, unless otherwise provided by law.
3. Personal data shall only be processed for the purposes that the Personal Data Controller, the Personal Data Processor, the Personal Data Controller and Processor, and the Third Party have registered or declared for the processing of personal data.
4. Personal data collected must be appropriate and limited to the scope and purpose of processing. Personal data may not be bought or sold in any form, unless otherwise provided by law.
5. Personal data is updated and supplemented in accordance with the processing purpose.
6. Personal data is protected and secured during processing, including protection against violations of personal data protection regulations and prevention of loss, destruction or damage due to incidents, using technical measures.
7. Personal data shall only be stored for the period relevant to the purposes for which the data is processed, unless otherwise provided by law.
8. The Personal Data Controller and the Personal Data Controller and Processor are responsible for complying with the data processing principles set out in Clauses 1 to 7 of this Article and for demonstrating their compliance with those principles.
Article 4. Handling of violations of personal data protection regulations
Agencies, organizations and individuals violating regulations on personal data protection, depending on the severity, may be subject to disciplinary action, administrative sanctions or criminal prosecution in accordance with regulations.
Article 5. State management of personal data protection
The Government unifies state management of personal data protection.
State management contents on personal data protection include:
1. Submit legal documents on personal data protection to competent state agencies for promulgation, or promulgate them under its own authority, and direct and organize their implementation.
2. Develop and organize the implementation of strategies, policies, projects, programs, and plans on personal data protection.
3. Provide guidance to agencies, organizations and individuals on measures, processes and standards for protecting personal data in accordance with the provisions of law.
4. Propagating and educating about the law on personal data protection; communicating and disseminating knowledge and skills on personal data protection.
5. Develop, train and foster cadres, civil servants, public employees and those assigned to work on personal data protection.
6. Inspect and examine the implementation of legal provisions on personal data protection; resolve complaints and denunciations and handle violations of the law on personal data protection in accordance with the law.
7. Compile statistics, information and reports on the state of personal data protection and on the implementation of the law on personal data protection for competent state agencies.
8. International cooperation on personal data protection.
Article 6. Application of the Decree on Personal Data Protection, relevant laws and international treaties
Personal data protection is implemented in accordance with the provisions of international treaties to which the Socialist Republic of Vietnam is a member, other provisions of relevant Laws and this Decree.
Article 7. International cooperation on personal data protection
1. Develop an international cooperation mechanism to facilitate effective enforcement of laws on personal data protection.
2. Provide mutual legal assistance on personal data protection with other countries, including notification, referral of complaints, investigative assistance and exchange of information, with appropriate safeguards to protect personal data.
3. Organize conferences, seminars, scientific research and promote international cooperation activities in law enforcement to protect personal data.
4. Organize bilateral and multilateral meetings to exchange experiences in law-making and practices in personal data protection.
5. Technology transfer to serve personal data protection.
Article 8. Prohibited acts
1. Processing personal data contrary to the provisions of law on personal data protection.
2. Processing personal data to create information and data aimed at opposing the Socialist Republic of Vietnam.
3. Processing personal data to create information and data that affect national security, social order and safety, and the legitimate rights and interests of other organizations and individuals.
4. Obstructing the personal data protection activities of competent authorities.
5. Taking advantage of personal data protection activities to violate the law.
Chapter II.- PERSONAL DATA PROTECTION ACTIVITIES
Section 1. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS
Article 9. Rights of data subjects
1. Right to know
The data subject is informed about the processing of his or her personal data, unless otherwise provided by law.
2. Right to consent
Data subjects may consent or not consent to the processing of their personal data, except in the cases provided for in Article 17 of this Decree.
3. Access Rights
Data subjects are entitled to access their personal data in order to view, correct, or request correction of it, unless otherwise provided by law.
4. Right to withdraw consent
The data subject has the right to withdraw his or her consent, unless otherwise provided by law.
5. Right to data erasure
Data subjects have the right to delete or request deletion of their personal data, unless otherwise provided by law.
6. Right to restriction of data processing
a) Data subjects are entitled to request restriction of the processing of their personal data, unless otherwise provided by law;
b) Restriction of processing shall be carried out within 72 hours of the data subject's request, with respect to all personal data for which the data subject requests restriction, unless otherwise provided by law.
7. Right to data portability
The data subject is entitled to request the Personal Data Controller, the Personal Data Controller and Processor to provide him or her with his or her personal data, unless otherwise provided by law.
8. Right to object to data processing
a) The data subject may object to the Personal Data Controller, the Personal Data Controller and Processor processing his/her personal data in order to prevent or restrict the disclosure of personal data or its use for advertising or marketing purposes, unless otherwise provided by law;
b) The Personal Data Controller and the Personal Data Controller and Processor shall execute the request of the data subject within 72 hours of receipt of the request, unless otherwise provided by law.
9. Right to complain, denounce, and sue
Data subjects have the right to complain, denounce or file a lawsuit in accordance with the provisions of law.
10. Right to claim damages
Data subjects have the right to request compensation for damages in accordance with the law when there is a violation of the regulations on the protection of their personal data, unless the parties have agreed otherwise or the law provides otherwise.
11. Right to self-defense
Data subjects have the right to self-protection in accordance with the provisions of the Civil Code, other relevant laws and this Decree, or to request competent agencies and organizations to implement the methods of protecting civil rights provided for in Article 11 of the Civil Code.
Article 10. Obligations of data subjects
1. Protect one's own personal data; request other relevant organizations and individuals to protect one's personal data.
2. Respect and protect the personal data of others.
3. Provide complete and accurate personal data when agreeing to allow the processing of personal data.
4. Participate in promoting and disseminating personal data protection skills.
5. Comply with legal regulations on personal data protection and participate in preventing and combating violations of regulations on personal data protection.
Section 2. PROTECTION OF PERSONAL DATA DURING PERSONAL DATA PROCESSING
Article 11. Consent of the data subject
1. The consent of the data subject applies to all operations in the processing of personal data, unless otherwise provided by law.
2. The data subject’s consent is only valid when it is given voluntarily and the data subject clearly knows the following:
a) The type of personal data processed;
b) Purpose of processing personal data;
c) Organizations and individuals permitted to process the personal data;
d) Rights and obligations of data subjects.
3. The data subject’s consent must be clearly and specifically expressed in writing, by voice, by checking a consent box, by text message consent syntax, by selecting technical consent settings or by another action that demonstrates this.
4. Consent must be given for one and the same purpose. Where there are multiple purposes, the Personal Data Controller, the Personal Data Controller and Processor shall list those purposes so that the data subject can consent to one or more of them.
5. The data subject’s consent must be expressed in a format that can be printed, reproduced in writing, including in electronic form or in a verifiable format.
6. Silence or non-response of the data subject shall not be considered as consent.
7. The data subject may give consent in part or with conditions attached.
8. For the processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.
9. The data subject’s consent remains valid until the data subject decides otherwise or until a competent state agency requests otherwise in writing.
10. In the event of a dispute, the burden of proving the data subject’s consent lies with the Personal Data Controller and the Personal Data Controller and Processor.
11. By authorization under the Civil Code, organizations and individuals may, on behalf of data subjects, carry out procedures related to the processing of the data subjects’ personal data with the Personal Data Controller, the Personal Data Controller and Processor, where the data subject has clearly known and agreed as prescribed in Clause 3 of this Article, unless otherwise provided by law.
Article 12. Withdrawal of consent
1. Withdrawal of consent does not affect the lawfulness of the processing of data that was consented to before the withdrawal of consent.
2. The withdrawal of consent must be in a format that can be printed, reproduced in writing, including in electronic form or in a verifiable format.
3. Upon receiving a request to withdraw consent from a data subject, the Personal Data Controller and the Personal Data Controller and Processor shall notify the data subject of the consequences and possible damages of withdrawing consent.
4. After implementing the provisions of Clause 2 of this Article, the Data Controller, Data Processor, Data Controller and Processor, and Third Party must stop and request relevant organizations and individuals to stop processing the data of the data subject who has withdrawn consent.
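Articles 11 and 12 leave the form of the consent record to the controller but require that consent be expressed in a verifiable format (Clause 5, Article 11), that the controller bear the burden of proving it (Clause 10, Article 11), that silence never count as consent (Clause 6), and that withdrawal not reach back to processing already done (Clause 1, Article 12). The following Python is an added example, not part of the Decree or its Appendix forms, of one way a controller could keep an HMAC-authenticated consent ledger and answer the question "was this processing covered by consent at that time?". The record fields, purpose labels, key and sample events are constructed assumptions for the illustration.

```python
"""Added illustration (not part of Decree 13/2023/ND-CP): an HMAC-authenticated
consent ledger and a check for whether a processing operation was covered by
valid consent. Field names, purpose labels, key and events are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed key for the example only; in practice keep it in a KMS/HSM and
# rotate it, because whoever holds it can forge consent records.
SAMPLE_KEY = b"example-ledger-key-not-for-production"


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp helper (all comparisons below are aware)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # data subject identifier (assumed field)
    action: str       # "grant" or "withdraw"
    purposes: tuple   # purposes this event covers (Art. 11.4, 11.7: per purpose, partial)
    at: datetime      # when the data subject expressed it
    mac: str = ""     # HMAC-SHA256 over the other fields (Art. 11.5, 12.2: verifiable)

    def payload(self) -> bytes:
        """Canonical bytes under the MAC; any change to a field changes this."""
        body = {
            "subject_id": self.subject_id,
            "action": self.action,
            "purposes": sorted(self.purposes),
            "at": self.at.isoformat(),
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_event(key: bytes, event: ConsentEvent) -> ConsentEvent:
    """Return a copy of the event carrying its HMAC tag."""
    mac = hmac.new(key, event.payload(), hashlib.sha256).hexdigest()
    return ConsentEvent(event.subject_id, event.action, event.purposes, event.at, mac)


def verify_event(key: bytes, event: ConsentEvent) -> bool:
    """Constant-time check that the record has not been altered since signing."""
    expected = hmac.new(key, event.payload(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, event.mac)


def consent_covers(key: bytes, ledger, subject_id: str, purpose: str, at: datetime) -> bool:
    """Was processing of `purpose` for `subject_id` at time `at` covered by consent?

    Fail closed: if any record fails verification the controller cannot
    discharge its burden of proof (Art. 11.10), so the answer is False.
    Otherwise the latest grant or withdrawal for the purpose at or before `at`
    decides; silence is not consent (Art. 11.6) and withdrawal is not
    retroactive (Art. 12.1), so earlier processing stays covered.
    """
    if not all(verify_event(key, ev) for ev in ledger):
        return False
    state = False  # no expression of consent yet
    for ev in sorted(ledger, key=lambda e: e.at):
        if ev.at > at:
            break
        if ev.subject_id == subject_id and purpose in ev.purposes:
            state = ev.action == "grant"
    return state


def build_sample_ledger(key: bytes = SAMPLE_KEY):
    """Constructed sample: one grant for two purposes, later withdrawal of one."""
    return [
        sign_event(key, ConsentEvent("ds-001", "grant", ("marketing", "service"), utc(2024, 1, 10, 9))),
        sign_event(key, ConsentEvent("ds-001", "withdraw", ("marketing",), utc(2024, 3, 1, 12))),
    ]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for purpose, when in [("marketing", utc(2024, 2, 15)), ("marketing", utc(2024, 3, 2)),
                          ("service", utc(2024, 3, 2)), ("analytics", utc(2024, 2, 15))]:
        print(purpose, when.date(), consent_covers(SAMPLE_KEY, ledger, "ds-001", purpose, when))
```

The point of failing closed on a bad tag is that an unverifiable record is worth no more than silence: a controller that cannot show the record is intact cannot meet Clause 10 of Article 11 in a dispute. An HMAC proves integrity only to whoever holds the key; if the record must also be shown to a third party such as the data subject or an inspector, a digital signature from a key the controller cannot quietly replace is the stronger choice.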
Article 13. Notification of personal data processing
1. Notification shall be made once before proceeding with any personal data processing activity.
2. Content of notification to data subjects about personal data processing:
a) Purpose of processing;
b) The types of personal data used in connection with the processing purposes specified in Point a, Clause 2 of this Article;
c) Processing method;
d) Information about other organizations and individuals related to the processing purposes specified in Point a, Clause 2 of this Article;
đ) Unwanted consequences and damages that may occur;
e) Start time, end time of data processing.
3. The notice to the data subject shall be in a format that can be printed, reproduced in writing, including in electronic form or in a verifiable format.
4. The Personal Data Controller and the Personal Data Controller and Processor are not required to comply with the provisions of Clause 1 of this Article in the following cases:
a) The data subject has clearly known and fully agreed to the contents specified in Clause 1 and Clause 2 of this Article before agreeing to let the Personal Data Controller and the Personal Data Controller and Processor collect personal data, in accordance with the provisions of Article 9 of this Decree;
b) Personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law.
Article 14. Provision of personal data
1. The data subject is entitled to request the Personal Data Controller, the Personal Data Controller and Processor to provide him or her with his or her personal data.
2. Personal Data Controller, Personal Data Controller and Processor:
a) Provide personal data of data subjects to other organizations and individuals with the consent of the data subject, except where otherwise provided by law;
b) On behalf of the data subject, provide the data subject’s personal data to another organization or individual when the data subject agrees to allow representation and authorization, unless otherwise provided by law.
3. The Personal Data Controller, the Personal Data Controller and Processor shall provide the data subject’s personal data within 72 hours of the data subject’s request, unless otherwise provided by law.
4. The Personal Data Controller, the Personal Data Controller and Processor shall not provide personal data in the following cases:
a) Causing harm to national defense, national security, and social order and safety;
b) The provision of the data subject’s personal data may affect the safety, physical or mental health of another person;
c) The data subject does not consent to the provision of personal data, or does not consent to a representative or authorized person receiving it.
5. Form of request for provision of personal data:
a) The data subject directly or authorizes another person to come to the headquarters of the Personal Data Controller, the Personal Data Controller and Processor to request the provision of personal data.
The request recipient is responsible for guiding the requesting organization or individual to fill in the Personal Data Request Form.
In case the requesting organization or individual cannot write the request because of illiteracy or disability, the person receiving the request is responsible for helping to fill in the contents of the Personal Data Request Form;
b) Send the Request for provision of personal data according to Forms No. 01 and 02 in the Appendix of this Decree via electronic network, postal service or fax to the Personal Data Controller, the Personal Data Controller and Processor.
6. The request form for providing personal data must be presented in Vietnamese and include the following main contents:
a) Full name; place of residence, address; identity card number, citizen identification card number or passport number of the requester; fax number, telephone number, email address (if any);
b) Personal data requested to be provided, specifying the name of the document, file, or material;
c) Form of providing personal data;
d) Reason and purpose of requesting personal data.
7. In case of request for provision of personal data as prescribed in Clause 2 of this Article, it must be accompanied by written consent of the relevant individual or organization.
8. Receiving requests for personal data
a) The Personal Data Controller, the Personal Data Controller and Processor are responsible for receiving requests for personal data provision and monitoring the process and list of personal data provision upon request;
b) In case the requested personal data is not within their competence, the Personal Data Controller and the Personal Data Controller and Processor receiving the request must notify and guide the requesting organization or individual to the competent agency, or clearly notify that the personal data cannot be provided.
9. Handling requests for personal data
Upon receiving a valid request for personal data provision, the Personal Data Controller and the Personal Data Controller and Processor shall be responsible for providing personal data, notifying the deadline, location, and form of personal data provision; actual costs for printing, copying, photographing, sending information via postal service, fax (if any) and payment method and deadline; and providing personal data in accordance with the order and procedures prescribed in this Article.
Article 15. Correction of personal data
1. Data subject:
a) To access, view and edit one’s personal data after it has been collected by the Personal Data Controller, the Personal Data Controller and Processor with consent, unless otherwise provided by law;
b) Where direct correction is not possible for technical or other reasons, the data subject requests the Personal Data Controller, the Personal Data Controller and Processor to correct his/her personal data.
2. The Personal Data Controller and the Personal Data Controller and Processor shall correct the personal data of the data subject, with the data subject’s consent, as soon as possible or within the time prescribed by specialized laws. Where this is not possible, they shall notify the data subject within 72 hours of receiving the request to correct the personal data.
3. The Personal Data Processor, Third Party may edit the personal data of the data subject after obtaining the written consent of the Personal Data Controller, the Personal Data Controller and Processor and knowing that the consent of the data subject has been obtained.
Article 16. Storage, deletion and destruction of personal data
1. The data subject is entitled to request the Personal Data Controller, the Personal Data Controller and Processor to delete his/her personal data in the following cases:
a) The data subject realizes that the data is no longer necessary for the collection purpose he or she consented to, and accepts the possible damages of requesting deletion;
b) Withdrawal of consent;
c) The data subject objects to the processing and the Personal Data Controller, the Personal Data Controller and Processor have no legitimate reason to continue processing;
d) Personal data is processed in a manner inconsistent with the agreed purpose or the processing of personal data is in violation of the provisions of law;
đ) Personal data must be deleted according to the provisions of law.
2. Deletion shall not be performed at the request of the data subject in the following cases:
a) The law does not allow data deletion;
b) Personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law;
c) Personal data has been made public in accordance with the provisions of law;
d) Personal data is processed to serve legal requirements, scientific research, and statistics as prescribed by law;
đ) In case of emergency regarding national defense, security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law;
e) Responding to an emergency that threatens the life, health or safety of the data subject or another individual.
3. In case of division, separation, merger, consolidation or dissolution of an enterprise, personal data will be transferred in accordance with the provisions of law.
4. In case of division, separation, merger of agencies, organizations, administrative units and reorganization, conversion of ownership form of state-owned enterprises, personal data shall be transferred in accordance with the provisions of law.
5. Data deletion is performed within 72 hours of the data subject’s request for all personal data collected by the Personal Data Controller, the Personal Data Controller and Processor, unless otherwise provided by law.
6. The Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and the Third Party shall store personal data in a form appropriate to their operations and take measures to protect personal data in accordance with the provisions of law.
7. The Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and the Third Party shall irreversibly delete personal data in the following cases:
a) The data is processed for purposes other than those to which the data subject consented, or the consented purpose of processing has been fulfilled;
b) The storage of personal data is no longer necessary for the operations of the Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor, or Third Party;
c) The Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, the Third Party is dissolved or no longer operating or declares bankruptcy or terminates its business operations in accordance with the law.
Article 17. Processing of personal data without the consent of the data subject
1. In an emergency where it is necessary to immediately process relevant personal data to protect the life or health of the data subject or another person. The Personal Data Controller, the Personal Data Processor, the Personal Data Controller and Processor, and the Third Party bear the responsibility of proving that such a case exists.
2. Disclosure of personal data as prescribed by law.
3. Data processing by competent state agencies in case of emergency regarding national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law as prescribed by law.
4. To perform the data subject’s contractual obligations with relevant agencies, organizations and individuals as prescribed by law.
5. Serving the activities of state agencies as prescribed by specialized laws.
Article 18. Processing of personal data collected from recording and filming activities in public places
Competent agencies and organizations are permitted to record audio and video, and to process personal data obtained from such recording in public places, for the purpose of protecting national security, social order and safety, and the legitimate rights and interests of organizations and individuals in accordance with the provisions of law, without the consent of the data subject. When recording audio or video, competent agencies and organizations are responsible for notifying the data subject so that he or she understands that he or she is being recorded, unless otherwise provided by law.
Article 19. Processing of personal data of persons declared missing or dead
1. The processing of personal data relating to a person declared missing or deceased requires the consent of that person’s spouse or adult child. In the absence of such persons, the consent of the parent of the person declared missing or deceased must be obtained, except in the cases specified in Articles 17 and 18 of this Decree.
2. Where none of the persons mentioned in Clause 1 of this Article exists, consent is deemed not to have been given.
Article 20. Processing of children’s personal data
1. Processing of children’s personal data is always carried out in accordance with the principle of protecting the rights and in the best interests of the child.
2. The processing of children’s personal data requires the consent of the child, where the child is 7 years of age or older, together with the consent of the parent or guardian as prescribed, except in the cases specified in Article 17 of this Decree. The Personal Data Controller, the Personal Data Processor, the Personal Data Controller and Processor, and the Third Party must verify the child’s age before processing the child’s personal data.
3. Stop processing children’s personal data, irreversibly delete or destroy children’s personal data in case of:
a) The data is processed for purposes other than those to which the data subject consented, or the consented purpose of processing has been fulfilled, unless otherwise provided by law;
b) The child’s parent or guardian withdraws consent to the processing of the child’s personal data, unless otherwise provided by law;
c) At the request of competent authorities when there is sufficient evidence to prove that the processing of personal data affects the rights and legitimate interests of children, unless otherwise provided by law.
Article 21. Protection of personal data in marketing services and advertising product introduction
1. Organizations and individuals providing marketing services and advertising product introduction may only use customers’ personal data collected through their business activities to provide marketing services and advertising product introduction with the consent of the data subject.
2. Processing of customers’ personal data for marketing services and advertising product introduction must have the customer’s consent, on the basis that the customer clearly knows the content, method, form, and frequency of product introduction.
3. Organizations and individuals providing marketing services and advertising product introduction are responsible for proving that the use of the personal data of the customers to whom products are introduced is in accordance with the provisions of Clause 1 and Clause 2 of this Article.
Article 22. Illegal collection, transfer, purchase and sale of personal data
1. Organizations and individuals involved in processing personal data must apply personal data protection measures to prevent unauthorized collection of personal data from their systems and service equipment.
2. Establishing software systems, technical measures or organizing activities to collect, transfer, buy and sell personal data without the consent of the data subject is a violation of the law.
Article 23. Notification of violations of regulations on personal data protection
1. In case of detecting a violation of personal data protection regulations, the Personal Data Controller and the Personal Data Controller and Processor shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) no later than 72 hours after the violation occurs according to Form No. 03 in the Appendix of this Decree. In case of notification after 72 hours, the reason for the late notification must be included.
2. The Personal Data Processor must notify the Personal Data Controller as soon as possible after becoming aware of a breach of the personal data protection regulations.
3. Content of notification of violation of regulations on personal data protection:
a) Describe the nature of the violation of personal data protection regulations, including: time, location, behavior, organization, individual, types of personal data and quantity of data involved;
b) Contact details of the employee assigned to protect data or the organization or individual responsible for protecting personal data;
c) Describe the consequences and possible damages of violating personal data protection regulations;
d) Describe the measures taken to address and mitigate the harm caused by breaches of personal data protection regulations.
4. In case it is not possible to fully notify the contents specified in Clause 3 of this Article, the notification may be made in batches and stages.
5. The Personal Data Controller and the Personal Data Controller and Processor must make a Record of Confirmation of the occurrence of a violation of personal data protection regulations and coordinate with the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) to handle the violation.
6. Organizations and individuals shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) when discovering the following cases:
a) Detecting violations of the law on personal data;
b) Personal data is processed for the wrong purpose, not in accordance with the original agreement between the data subject and the Personal Data Controller, the Personal Data Controller and Processor or in violation of the provisions of law;
c) The rights of data subjects are not guaranteed or not properly exercised;
d) Other cases as prescribed by law.
Section 3. IMPACT ASSESSMENT AND TRANSFER OF PERSONAL DATA ABROAD
Article 24. Assessment of the impact of personal data processing
1. The Personal Data Controller and the Personal Data Controller and Processor shall establish and maintain a Personal Data Processing Impact Assessment Dossier from the moment the processing of personal data commences.
The personal data processing impact assessment dossier of the Personal Data Controller and the Personal Data Controller and Processor shall include:
a) Information and contact details of the Personal Data Controller, the Personal Data Controller and Processor;
b) Full name and contact details of the organization assigned to perform the task of protecting personal data and the personal data protection officer of the Personal Data Controller, the Personal Data Controller and Processor;
c) Purpose of processing personal data;
d) Types of personal data processed;
đ) Organizations and individuals receiving personal data, including organizations and individuals outside the territory of Vietnam;
e) In case of transferring personal data abroad;
g) Time for processing personal data; expected time for deleting or destroying personal data (if any);
h) Description of the personal data protection measures applied;
i) Assessment of the level of impact of the personal data processing; consequences and unexpected damages that may occur, and measures to minimize or eliminate such risks and harms.
2. The Personal Data Processor shall prepare and maintain a Personal Data Processing Impact Assessment Record in the event of performing a contract with the Personal Data Controller. The Personal Data Processor’s Personal Data Processing Impact Assessment Record shall include:
a) Information and contact details of the Personal Data Processor;
b) Full name and contact details of the organization assigned to process personal data and the employees of the Personal Data Processor performing the personal data processing;
c) Description of the processing activities and types of personal data processed under the contract with the Personal Data Controller;
d) Time for processing personal data; expected time for deleting or destroying personal data (if any);
đ) In case of transferring personal data abroad;
e) General description of the personal data protection measures applied;
g) Possible undesirable consequences and damages, measures to minimize or eliminate such risks and damages.
3. The personal data processing impact assessment records specified in Clauses 1 and 2 of this Article shall be established in a legally valid document of the Personal Data Controller, the Personal Data Controller and Processor or the Personal Data Processor.
4. The dossier assessing the impact of personal data processing must always be available to serve the inspection and assessment activities of the Ministry of Public Security, and 01 original copy shall be sent to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 04 in the Appendix of this Decree within 60 days from the date of processing personal data.
5. The Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) shall assess and request the Personal Data Controller, Personal Data Controller and Processor, and Personal Data Processor to complete the Personal Data Processing Impact Assessment File in case the file is incomplete and not in accordance with regulations.
6. The Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor shall update and supplement the Personal Data Processing Impact Assessment File when there is a change in the content of the file sent to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 05 in the Appendix of this Decree.
Article 25. Transfer of personal data abroad
1. Personal data of Vietnamese citizens is transferred abroad in case the Party transferring data abroad prepares a dossier to assess the impact of transferring personal data abroad and carries out the procedures prescribed in Clauses 3, 4 and 5 of this Article. The Party transferring data abroad includes the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and the Third Party.
2. The dossier on assessment of the impact of transferring personal data abroad shall include:
a) Information and contact details of the Data Transfer Party and the Data Recipient of the personal data of Vietnamese citizens;
b) Full name and contact details of the organization or individual in charge of the Data Transfer Party related to the transfer and receipt of personal data of Vietnamese citizens;
c) Describe and explain the objectives of the activities of processing personal data of Vietnamese citizens after being transferred abroad;
d) Describe and clarify the type of personal data transferred abroad;
đ) Describe and clearly state the compliance with the personal data protection regulations in this Decree, detailing the personal data protection measures applied;
e) Assess the level of impact of personal data processing; consequences, unexpected damages that may occur, measures to minimize or eliminate such risks and harms;
g) Consent of the data subject as prescribed in Article 11 of this Decree on the basis of clearly knowing the feedback and complaint mechanism when an incident or request arises;
h) A document showing the binding obligations and responsibilities between the organizations and individuals transferring and receiving personal data of Vietnamese citizens regarding the processing of that personal data.
3. Records of the assessment of the impact of transferring personal data abroad must always be available to serve the inspection and assessment activities of the Ministry of Public Security.
The party transferring data abroad shall send 01 original copy of the dossier to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 06 in the Appendix of this Decree within 60 days from the date of processing personal data.
4. The data transferor shall notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) of information about the data transfer and contact details of the responsible organization or individual in writing after the data transfer is successful.
5. The Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) shall assess and request the Party transferring data abroad to complete the Dossier on assessing the impact of transferring personal data abroad in case the dossier is not complete and in accordance with regulations.
6. The Party transferring data abroad shall update and supplement the Dossier on the assessment of the impact of transferring personal data abroad when there is a change in the content of the dossier sent to the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention and Control) according to Form No. 05 in the Appendix of this Decree. The time limit for completing the dossier for the Party transferring data abroad is 10 days from the date of request.
7. Based on the specific situation, the Ministry of Public Security shall decide to inspect the transfer of personal data abroad once a year, except in cases where violations of the provisions of the law on personal data protection in this Decree are discovered or incidents of disclosure or loss of personal data of Vietnamese citizens occur.
8. The Ministry of Public Security decides to request the Party transferring data abroad to stop transferring personal data abroad in the following cases:
a) When it is discovered that the transferred personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam;
b) The party transferring data abroad does not comply with the provisions in Clause 5 and Clause 6 of this Article;
c) Incidents of disclosure or loss of personal data of Vietnamese citizens are allowed to occur.
Section 4. MEASURES AND CONDITIONS TO ENSURE PERSONAL DATA PROTECTION
Article 26. Measures to protect personal data
1. Personal data protection measures are applied from the beginning and throughout the processing of personal data.
2. Measures to protect personal data include:
a) Management measures implemented by organizations and individuals involved in processing personal data;
b) Technical measures implemented by organizations and individuals involved in processing personal data;
c) Measures taken by competent state management agencies in accordance with the provisions of this Decree and relevant laws;
d) Investigation and prosecution measures implemented by competent state agencies;
đ) Other measures as prescribed by law.
Article 27. Protection of basic personal data
1. Apply the measures prescribed in Clause 2, Article 26 of this Decree.
2. Develop and promulgate regulations on personal data protection, clearly stating the tasks to be performed according to the provisions of this Decree.
3. Encourage the application of personal data protection standards appropriate to the fields, professions and activities related to the processing of personal data.
4. Check the cybersecurity of the systems, means and equipment used for processing personal data before processing, and irrecoverably delete or destroy devices containing personal data.
Article 28. Protection of sensitive personal data
1. Apply the measures prescribed in Clause 2, Article 26 and Article 27 of this Decree.
2. Designate a department responsible for protecting personal data, designate personnel responsible for protecting personal data and exchange information about the department and individuals responsible for protecting personal data with the Personal Data Protection Authority. In case the Personal Data Controller, Personal Data Controller and Processor, Data Processor, or Third Party is an individual, the information of the individual performing the task shall be exchanged.
3. Notify the data subject that his/her sensitive personal data is being processed, except in the cases specified in Clause 4, Article 13, Article 17 and Article 18 of this Decree.
Article 29. Specialized agency for personal data protection and National Portal on personal data protection
1. The agency responsible for protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention and Control – Ministry of Public Security, responsible for assisting the Ministry of Public Security in performing state management of personal data protection.
2. National portal on personal data protection:
a) Provide information on the Party’s guidelines, policies, and State laws on personal data protection;
b) Disseminate and popularize policies and laws on personal data protection;
c) Update information and status of personal data protection;
d) Receive information, records, and data on personal data protection activities via cyberspace;
đ) Provide information on the results of the assessment of personal data protection work of relevant agencies, organizations and individuals;
e) Receive notices of violations of regulations on personal data protection;
g) Warn and coordinate warnings about risks and acts of personal data infringement according to the provisions of law;
h) Handle violations of personal data protection according to the provisions of law;
i) Carry out other activities as prescribed by law on personal data protection.
Article 30. Conditions for ensuring personal data protection activities
1. Personal data protection force:
a) The task force responsible for protecting personal data is arranged at the Personal Data Protection Agency;
b) Departments and personnel with the function of protecting personal data are designated in agencies, organizations and enterprises to ensure compliance with regulations on personal data protection;
c) Organizations and individuals are mobilized to participate in protecting personal data;
d) The Ministry of Public Security shall develop specific programs and plans to develop human resources for personal data protection.
2. Agencies, organizations and individuals are responsible for disseminating knowledge and skills, and raising awareness of personal data protection for agencies, organizations and individuals.
3. Ensure facilities and operating conditions for the Agency specializing in personal data protection.
Article 31. Funding for ensuring personal data protection activities
1. Financial sources for personal data protection include the state budget; support from domestic and foreign agencies, organizations and individuals; revenue from providing personal data protection services; international aid and other legal sources of revenue.
2. The budget for personal data protection of state agencies is guaranteed by the state budget and is arranged in the annual state budget estimate. The management and use of state budget funds are implemented in accordance with the provisions of the law on state budget.
3. The budget for protecting personal data of organizations and enterprises shall be arranged and implemented by organizations and enterprises themselves according to regulations.
Chapter III.- RESPONSIBILITIES OF AGENCIES, ORGANIZATIONS AND INDIVIDUALS
Article 32. Responsibilities of the Ministry of Public Security
1. Assist the Government in implementing unified state management of personal data protection.
2. Guide and implement activities to protect personal data, protect the rights of data subjects against violations of the law on personal data protection, propose the promulgation of Personal Data Protection Standards and recommendations for application.
3. Build, manage and operate the National Portal on personal data protection.
4. Evaluate the results of personal data protection work of relevant agencies, organizations and individuals.
5. Receive documents, forms, and information on personal data protection as prescribed in this Decree.
6. Promote measures and conduct research to innovate in the field of personal data protection, and implement international cooperation on personal data protection.
7. Inspect, examine, resolve complaints, denunciations, and handle violations of regulations on personal data protection according to the provisions of law.
Article 33. Responsibilities of the Ministry of Information and Communications
1. Direct media agencies, press, organizations and enterprises in the management field to implement personal data protection according to the provisions of this Decree.
2. Develop, guide and implement measures to protect personal data and ensure network information security for personal data in information and communication activities according to assigned functions and tasks.
3. Coordinate with the Ministry of Public Security in inspecting, examining and handling violations of the law on personal data protection.
Article 34. Responsibilities of the Ministry of National Defense
Manage, inspect, examine, supervise, handle violations and apply regulations on personal data protection to agencies, organizations and individuals under the management of the Ministry of National Defense according to legal regulations and assigned functions and tasks.
Article 35. Responsibilities of the Ministry of Science and Technology
1. Coordinate with the Ministry of Public Security in developing Personal Data Protection Standards and recommendations for applying Personal Data Protection Standards.
2. Research and discuss with the Ministry of Public Security on measures to protect personal data in line with the development of science and technology.
Article 36. Responsibilities of ministries, ministerial-level agencies, and government agencies
1. Implement state management of personal data protection for sectors and fields under management according to the provisions of law on personal data protection.
2. Develop and implement the contents and tasks of personal data protection in this Decree.
3. Supplement regulations on personal data protection in the development and implementation of tasks of ministries and branches.
4. Arrange funding for personal data protection activities according to current budget management hierarchy.
5. Issue an Open Data Catalog in compliance with personal data protection regulations.
Article 37. Responsibilities of People’s Committees of provinces and centrally run cities
1. Implement state management of personal data protection for sectors and fields under management according to the provisions of law on personal data protection.
2. Implement the provisions on personal data protection in this Decree.
3. Arrange funding for personal data protection activities according to current budget management hierarchy.
4. Issue an Open Data Catalog in compliance with personal data protection regulations.
Article 38. Responsibilities of the Personal Data Controller
1. Implement appropriate organizational and technical measures and safety and security measures to demonstrate that data processing activities have been carried out in accordance with the provisions of the law on personal data protection, review and update these measures as necessary.
2. Record and store system logs of personal data processing.
3. Notify violations of regulations on personal data protection as prescribed in Article 23 of this Decree.
4. Select a Personal Data Processor suitable for a clearly defined mandate, and work only with Personal Data Processors that have appropriate safeguards in place.
5. Ensure the rights of data subjects as prescribed in Article 9 of this Decree.
6. The Personal Data Controller is responsible to the data subject for damages caused by the processing of personal data.
7. Coordinate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve the investigation and handling of violations of the law on personal data protection.
Article 39. Responsibilities of the Personal Data Processor
1. Personal data shall only be received after a contract or agreement on data processing has been entered into with the Personal Data Controller.
2. Process personal data in accordance with the contract or agreement concluded with the Personal Data Controller.
3. Fully implement personal data protection measures prescribed in this Decree and other relevant legal documents.
4. The Personal Data Processor is responsible to the data subject for damages caused by the processing of personal data.
5. Delete and return all personal data to the Personal Data Controller after the data processing is completed.
6. Coordinate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve the investigation and handling of violations of the law on personal data protection.
Article 40. Responsibilities of the Data Controller and Processor
Fully comply with the provisions on the responsibilities of the Personal Data Controller and the Personal Data Processor.
Article 41. Responsibilities of the Third Party
Fully comply with the provisions on responsibility for handling personal data as prescribed in this Decree.
Article 42. Responsibilities of relevant organizations and individuals
1. Take measures to protect their own personal data and be responsible for the accuracy of the personal data they provide.
2. Implement the provisions on personal data protection in this Decree.
3. Promptly notify the Ministry of Public Security of violations related to personal data protection activities.
4. Coordinate with the Ministry of Public Security in handling violations related to personal data protection activities.
Chapter IV.- TERMS OF IMPLEMENTATION
Article 43. Entry into force
1. This Decree comes into force from July 1, 2023.
2. Micro-enterprises, small enterprises, medium-sized enterprises, and startups have the right to choose to be exempted from the regulations on the appointment of individuals and personal data protection departments for the first 02 years from the date of establishment of the enterprise.
3. Micro-enterprises, small enterprises, medium-sized enterprises, and start-ups directly engaged in personal data processing activities are not subject to the provisions of Clause 2 of this Article.
Article 44. Responsibility for implementation
1. The Minister of Public Security shall urge, inspect and guide the implementation of this Decree.
2. Ministers, Heads of ministerial-level agencies, Heads of Government agencies, Chairmen of People’s Committees of provinces and centrally run cities are responsible for implementing this Decree./.
For the Prime Minister, Deputy Prime Minister Tran Luu Quang