Decree on Personal Data Protection
Đối tượng áp dụng
Domestic and international agencies, organizations, and individuals related to the processing of personal data.
Các điểm cốt lõi
- Detailed regulations on protecting personal information
- Responsibilities of parties involved in the process of processing personal data
- Guidelines for state management in personal data protection
- Implementation clauses and effectiveness of the Decree
- Exemptions for micro, small, and medium-sized enterprises during the initial period of operation
🌐 Tác động xã hội từ văn bản này
- Enhancing the security of personal information
- Developing a safer business environment
- Increasing public awareness of privacy rights
❓ Câu hỏi thường gặp
Must small businesses comply with the designation of a personal data protection officer from the time of establishment?
No, micro, small, medium-sized enterprises, and startups are exempted for the first two years from the date of establishment.
When does this Decree take effect?
This Decree takes effect from July 1, 2023.
Toàn văn
DECREE
Protection of personal data
Pursuant to the Law on Organization of the Government dated June 19, 2015; the Law Amending and Supplementing Certain Provisions of the Law on Organization of the Government and the Law on Organization of Local Administration dated November 22, 2019;
Pursuant to the Civil Code on November 24, 2015;
Pursuant to the National Security Law dated December 3, 2004;
||| Pursuant to the Cyber Security Law dated June 12, 2018;
The Government promulgates this Decree on regulations regarding entry, exit, and residence policies for foreigners at the International Financial Center in Vietnam.
The Government promulgates the Decree on personal data protection.
PART I
GENERAL PROVISIONS
Article 1. Scope of Regulation and Applicability
1. This Decree stipulates the protection of personal data and the responsibility for protecting personal data of agencies, organizations, and individuals related to such protection.
2. This Decree applies to:
a) Agencies, organizations, and individuals of Vietnam;
b) Agencies, organizations, and individuals from foreign countries operating in Vietnam;
c) Vietnamese agencies, organizations, and individuals operating abroad;
d) Foreign agencies, organizations, and individuals directly participating or being involved in activities processing personal data in Vietnam.
Article 2. Interpretation of Terms
In this Decree, the following terms are understood as follows:
1. Personal data is information in the form of symbols, writing, numerals, images, sounds, or similar forms in an electronic environment that is linked to a specific individual or helps identify a specific individual. Personal data includes basic personal data and sensitive personal data.
2. Information that helps identify a specific individual is information formed from the activities of an individual that, when combined with other stored data and information, can identify a specific individual.
3. Basic personal data includes:
a) Surname, middle name, and given name at birth, other names (if any);
b) Date, month, year of birth; date, month, year of death or disappearance;
c) Gender;
d) Place of birth, place of registration of birth, place of permanent residence, place of temporary residence, current place of residence, place of origin, contact address;
đ) Nationality;
e) Images of the individual;
g) Telephone number, national identity card number, individual identification number, passport number, driver's license number, vehicle license plate number, personal tax code, social insurance number, health insurance card number;
h) Marital status;
i) Information about family relationships (parents, children);
k) Information about the individual's account number; personal data reflecting activities and activity history in cyberspace;
l) Other information linked to a specific individual or helping to identify a specific individual not covered under Clause 4 of this Article.
4. Sensitive personal data is personal data linked to the privacy of an individual that, when breached, will directly affect the rights and legitimate interests of the individual, including:
a) Political views, religious views;
b) Health status and private life recorded in medical records, excluding blood group information;
c) Information related to racial or ethnic origins;
d) Information about genetic characteristics inherited or acquired by the individual;
đ) Information about physical attributes, unique biological characteristics of the individual;
e) Information about sexual life, sexual orientation of the individual;
g) Data on criminal offenses, criminal acts collected and stored by law enforcement agencies;
h) Customer information of credit institutions, foreign bank branches, service providers of payment intermediation, and other authorized organizations, including: customer identification information according to the law, account information, deposit information, asset deposit information, transaction information, information about organizations and individuals who are guarantors at credit institutions, bank branches, and service providers of payment intermediation;
i) Data on the location of the individual determined through positioning services;
k) Other personal data specified by law as special and requiring necessary security measures.
5. Personal data protection is the activity of preventing, detecting, blocking, and handling violations related to personal data as prescribed by law.
6. Data subject is the individual reflected in personal data.
7. Processing personal data is one or more actions affecting personal data, such as: collecting, recording, analyzing, confirming, storing, editing, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data or other related actions.
8. Consent of the data subject is the clear, voluntary expression of permission for the processing of personal data by the data subject.
9. Data Controller is an organization or individual deciding the purpose and means of processing personal data.
10. Data Processor is an organization or individual performing the processing of data on behalf of the Data Controller, through a contract or agreement with the Data Controller.
11. Joint Controller and Processor is an organization or individual simultaneously deciding the purpose, means, and directly processing personal data.
12. Third party is an organization or individual outside the Data Subject, Data Controller, Data Processor, and Joint Controller and Processor permitted to process personal data.
13. Automated processing of personal data is a form of processing personal data carried out by electronic means aimed at evaluating, analyzing, and predicting the activities of a specific individual, such as: habits, preferences, reliability level, behavior, location, trends, capabilities, and other cases.
14. Transferring personal data abroad is the activity of using cyberspace, equipment, electronic means, or other methods to transfer personal data of Vietnamese citizens to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of Vietnamese citizens, including:
a) Organizations, businesses, and individuals transferring personal data of Vietnamese citizens to organizations, businesses, and management units abroad for processing in accordance with the purposes agreed upon by the data subject;
b) Processing personal data of Vietnamese citizens by automated systems located outside the territory of the Socialist Republic of Vietnam by the Data Controller, Joint Controller and Processor, and Data Processor in accordance with the purposes agreed upon by the data subject.
Article 3. Principles for the protection of personal data
1. Personal data shall be processed in accordance with the provisions of the law.
2. The data subject shall be informed of activities related to the processing of their personal data, except where otherwise provided by law.
3. Personal data may only be processed in accordance with the purposes registered and declared by the Data Controller, Data Processor, Joint Controller and Processor, and Third Party for the processing of personal data.
4. Personal data collected must be relevant and limited to the scope and purpose required for processing. Personal data may not be bought or sold in any form, except where otherwise provided by law.
5. Personal data shall be updated and supplemented in accordance with the purpose of processing.
6. Personal data shall be subject to measures for protection and security during processing, including protection against violations of personal data protection regulations and prevention of loss, destruction, or damage due to incidents, using technical measures.
7. Personal data shall only be stored for a period appropriate to the purpose of processing the data, unless otherwise provided by law.
8. The Data Controller and the Data Controller and Processor shall be responsible for complying with the principles of data processing set forth in Clauses 1 through 7 of this Article and demonstrating their compliance with those principles.
Article 4. Handling Violations of Personal Data Protection Regulations
Agencies, organizations, and individuals violating personal data protection regulations may be subject to disciplinary action, administrative penalties, or criminal proceedings depending on the severity, as prescribed by law.
Article 5. State Management of Personal Data Protection
The Government shall uniformly manage state affairs concerning personal data protection. The content of state management of personal data protection includes:
1. Submitting to competent state agencies for approval or issuing within its authority normative legal documents and directing, organizing the implementation of normative legal documents on personal data protection.
2. Developing and implementing strategies, policies, projects, programs, and plans on personal data protection.
3. Guiding agencies, organizations, and individuals on measures, procedures, and standards for protecting personal data as prescribed by law.
4. Promoting legal education on personal data protection; disseminating knowledge and skills for protecting personal data.
5. Building, training, and enhancing officials, civil servants, employees, and persons assigned to work on personal data protection.
6. Inspecting and supervising the implementation of legal provisions on personal data protection; resolving complaints and accusations and handling violations of personal data protection laws as prescribed by law.
7. Statistics, information, and reporting on the situation of personal data protection and the enforcement of personal data protection laws to competent state agencies.
8. International cooperation on personal data protection.
Article 6. Application of the Personal Data Protection Decree, Related Laws, and International Treaties
The protection of personal data shall be carried out in accordance with the provisions of international treaties to which the Socialist Republic of Vietnam is a party, other provisions of related laws, and this Decree.
Article 7. International Cooperation on Personal Data Protection
1. Establishing mechanisms for international cooperation to facilitate effective enforcement of laws on personal data protection.
2. Participating in judicial assistance regarding personal data protection of other countries, including notification, complaint referral, investigative assistance, and information exchange, with appropriate protective measures to safeguard personal data.
3. Organizing conferences, seminars, scientific research, and promoting international cooperative activities in enforcing laws to protect personal data.
4. Organizing bilateral and multilateral meetings, exchanging experiences in drafting laws and practical personal data protection.
5. Transferring technology to serve personal data protection.
Article 8. Prohibited Acts
1. Processing personal data contrary to the provisions of laws on personal data protection.
2. Processing personal data to create information and data aimed at opposing the Socialist Republic of Vietnam.
3. Processing personal data to create information and data affecting national security, public order, and safety, as well as the lawful rights and interests of other organizations and individuals.
4. Obstructing the activities of competent authorities in protecting personal data.
5. Exploiting personal data protection activities to violate the law.
Chapter II
PERSONAL DATA PROTECTION ACTIVITIES
Section 1
RIGHTS AND OBLIGATIONS OF DATA SUBJECTS
Article 9. Rights of Data Subjects
1. Right to be informed The data subject has the right to be informed about their personal data processing activities, except where otherwise provided by law.
2. Right to consent The data subject has the right to agree or disagree with the processing of their personal data, except as provided for in Article 17 of this Decree.
3. Right of access The data subject has the right to access, view, modify, or request modification of their personal data, except where otherwise provided by law.
4. Right to withdraw consent The data subject has the right to withdraw their consent, except where otherwise provided by law.
5. Right to have personal data erased The data subject has the right to erase or request the erasure of their personal data, except where otherwise provided by law.
6. Right to restrict processing
a) The data subject has the right to request the restriction of processing of their personal data, except where otherwise provided by law;
b) The restriction of processing shall be implemented within 72 hours from the date of the data subject's request, concerning all personal data that the data subject requests to be restricted, except where otherwise provided by law.
7. Right to data portability The data subject has the right to request the data controller, the data controller and processor to provide them with their personal data, except where otherwise provided by law.
8. Right to object to processing
a) The data subject has the right to object to the data controller, the data controller and processor processing their personal data to prevent or limit the disclosure of personal data or its use for advertising purposes, except where otherwise provided by law;
b) The data controller, the data controller and processor shall implement the data subject's request within 72 hours from receipt of the request, except where otherwise provided by law.
9. Right to lodge complaints, report violations, and initiate legal proceedings The data subject has the right to lodge complaints, report violations, or initiate legal proceedings in accordance with the law.
10. Right to claim compensation The data subject has the right to claim compensation in accordance with the law when there is a violation of the provisions on personal data protection, except where the parties have agreed otherwise or where otherwise provided by law.
11. Right to self-protection The data subject has the right to self-protection in accordance with the Civil Code, other related laws, and this Decree, or to request competent authorities to implement civil rights protection measures as stipulated in Article 11 of the Civil Code.
Article 10. Obligations of Data Subjects
1. Protecting their own personal data; requesting other organizations and individuals to protect their personal data.
2. Respecting and protecting the personal data of others.
3. Providing complete and accurate personal data when agreeing to allow the processing of personal data.
4. Participating in promoting and disseminating skills for personal data protection.
5. Implementing the provisions of laws on personal data protection and participating in preventing and combating acts violating the provisions on personal data protection.
Section 2
PROTECTION OF PERSONAL DATA
IN THE PROCESS OF PROCESSING PERSONAL DATA
Article 11. Consent of the Data Subject
1. The consent of the data subject shall apply to all activities within the personal data processing procedure, except where otherwise provided by law.
2. The consent of the data subject shall only be effective when the data subject consents voluntarily and is fully aware of the following contents:
a) The type of personal data being processed;
b) The purpose of processing personal data;
c) Organizations or individuals processing personal data;
d) The rights and obligations of the data subject.
3. The consent of the data subject must be clearly and specifically expressed in writing, through voice, ticking a consent box, syntax consent via message, selecting technical settings for consent, or through another action that demonstrates this.
4. Consent must be obtained for the same purpose. When there are multiple purposes, the Personal Data Controller, Joint Controller and Processor shall list the purposes so that the data subject can consent to one or more of the stated purposes.
5. The consent of the data subject must be in a format that can be printed or copied in writing, including electronic or verifiable formats.
6. Silence or lack of response from the data subject shall not be considered as consent.
7. The data subject may give partial consent or with conditions attached.
8. For processing sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.
9. The consent of the data subject shall be valid until the data subject makes a different decision or until a competent state agency requests it in writing.
10. In case of dispute, the responsibility to prove the consent of the data subject lies with the Personal Data Controller, Joint Controller and Processor.
11. Through authorization under the Civil Code, organizations or individuals may act on behalf of the data subject to carry out procedures related to the processing of the data subject's personal data with the Personal Data Controller, Joint Controller and Processor, provided that the data subject has been fully aware and given consent as stipulated in Clause 3 of this Article, except where otherwise provided by law.
Article 12. Withdrawal of Consent
1. The withdrawal of consent shall not affect the legality of the processing of personal data that was consented to prior to the withdrawal of consent.
2. The withdrawal of consent must be in a format that can be printed or copied in writing, including electronic or verifiable formats.
3. Upon receiving a request to withdraw consent from the data subject, the Personal Data Controller, Joint Controller and Processor shall notify the data subject about the possible consequences and damages resulting from the withdrawal of consent.
4. After complying with the provisions of Clause 2 of this Article, the Personal Data Controller, Data Processor, Joint Controller and Processor, and third parties must cease and require relevant organizations and individuals to stop processing the data of the data subject who has withdrawn consent.
Article 13. Notification of Personal Data Processing
1. The notification shall be made once before proceeding with the activity of personal data processing.
2. Contents of the notification to the data subject regarding personal data processing:
a) Purpose of processing;
b) Type of personal data used related to the purpose of processing specified in point a, Clause 2 of this Article;
c) Method of processing;
d) Information about other organizations or individuals related to the purpose of processing specified in point a, Clause 2 of this Article;
đ) Unwanted consequences and damages that may occur;
e) Start time and end time of data processing.
3. The notification to the data subject must be in a format that can be printed or copied in writing, including electronic or verifiable formats.
4. The Personal Data Controller, Joint Controller and Processor need not comply again with the provisions of Clause 1 of this Article in the following cases:
a) The data subject has been fully aware and agreed entirely with the contents stipulated in Clauses 1 and 2 of this Article before giving consent to the Personal Data Controller, Joint Controller and Processor to collect personal data, in accordance with the provisions of Article 9 of this Decree;
b) Personal data is processed by a competent state agency for the purpose of serving the activities of the state agency as prescribed by law.
Article 14. Provision of Personal Data
1. The data subject shall be required to request the Personal Data Controller, the Controller and Processor of personal data to provide their own personal data.
2. The Personal Data Controller, the Controller and Processor of personal data:
a) Shall provide the personal data of the data subject to other organizations or individuals when the data subject consents, except where otherwise provided by law;
b) Shall act on behalf of the data subject to provide the personal data of the data subject to other organizations or individuals when the data subject agrees to permit representation and authorization, except where otherwise provided by law.
3. The provision of personal data of the data subject by the Personal Data Controller, the Controller and Processor of personal data shall be carried out within 72 hours after the request of the data subject, except where otherwise provided by law.
4. The Personal Data Controller, the Controller and Processor of personal data shall not provide personal data in the following cases:
a) Causing harm to national defense, national security, social order, and safety;
b) The provision of personal data of the data subject may affect the safety, physical or mental health of others;
c) The data subject does not agree to provide, permit representation, or authorize receipt of personal data.
5. Forms of Request for Provision of Personal Data:
a) The data subject directly or through an authorized person goes to the office of the Personal Data Controller, the Controller and Processor of personal data to request the provision of personal data. The person receiving the request is responsible for guiding the organization or individual requesting to fill in the contents of the Personal Data Provision Request Form. In case the organization or individual requesting information does not know how to write or has disabilities preventing them from writing the request, the person receiving the request for information is responsible for helping to fill in the contents of the Personal Data Provision Request Form;
b) Sending the Personal Data Provision Request Form according to Model No. 01, 02 in the Appendix of this Decree via electronic network, postal service, fax to the Personal Data Controller, the Controller and Processor of personal data.
6. The Personal Data Provision Request Form must be in Vietnamese and include the following main contents:
a) Surname, name; place of residence, address; citizen identification number, identity card number, or passport number of the requester; fax number, telephone number, email address (if available);
b) The personal data requested to be provided, specifying the name of the document, file, or record;
c) The form of provision of personal data;
d) Reason and purpose for requesting the provision of personal data.
7. Where the request for provision of personal data is made under Clause 2 of this Article, it must be accompanied by a consent document from the relevant individual or organization.
8. Receiving Requests for Provision of Personal Data
a) The Personal Data Controller, the Controller and Processor of personal data shall be responsible for receiving requests for provision of personal data and monitoring the process and list of provision of personal data according to the request;
b) If the personal data requested is outside the jurisdiction, the Personal Data Controller, the Controller and Processor of personal data receiving the request shall notify and guide the organization or individual requesting to go to the competent authority or clearly inform that the personal data cannot be provided.
9. Handling Requests for Provision of Personal Data Upon receipt of a valid request for provision of personal data, the Personal Data Controller, the Controller and Processor of personal data shall be responsible for providing personal data, informing about the deadline, location, form of provision of personal data; actual costs for printing, copying, photographing, sending information through postal services, fax (if applicable) and payment method, deadline; implementing the provision of personal data according to the procedures and formalities stipulated in this Article.
Article 15. Amending Personal Data
1. Data Subject:
a) Has the right to access and view, amend their personal data after it has been collected by the Personal Data Controller, Joint Controller and Processor upon consent, except where otherwise provided by law;
b) In cases where direct amendment is not possible due to technical reasons or other reasons, the Data Subject may request the Personal Data Controller, Joint Controller and Processor to amend their personal data.
2. The Personal Data Controller, Joint Controller and Processor shall amend the personal data of the Data Subject upon the latter's consent immediately or as prescribed by specialized laws. If this cannot be done, they must notify the Data Subject within 72 hours from the time of receiving the request for amendment of personal data.
3. The Personal Data Processor, Third Party may amend the personal data of the Data Subject after obtaining written approval from the Personal Data Controller, Joint Controller and Processor and being informed that the Data Subject has given consent.
Article 16. Storing, Deleting, Destroying Personal Data
1. The Data Subject may request the Personal Data Controller, Joint Controller and Processor to delete their personal data in the following cases:
a) When it is deemed unnecessary for the purpose of collection previously agreed upon and accepts potential damages resulting from the deletion request;
b) Withdrawal of consent;
c) Opposition to the processing of data and the Personal Data Controller, Joint Controller and Processor have no legitimate grounds to continue processing;
d) Processing of personal data does not comply with the agreed purpose or the processing of personal data violates legal provisions;
đ) Personal data must be deleted according to legal provisions.
2. Deletion of data will not apply when requested by the Data Subject in the following cases:
a) Law prohibits the deletion of data;
b) Personal data is processed by authorized state agencies for the purpose of serving state agency activities as prescribed by law;
c) Personal data has been disclosed in accordance with legal provisions;
d) Personal data is processed to serve legal requirements, scientific research, statistics as prescribed by law;
đ) In cases of emergency situations concerning national defense, national security, public order, major disasters, dangerous epidemics; when there is a threat to national security and defense but not yet at the level of declaring a state of emergency; preventing riots, terrorism, crime prevention and law violations;
e) Responding to urgent situations threatening the life, health, or safety of the Data Subject or another individual.
3. In cases of corporate division, separation, merger, consolidation, dissolution, personal data shall be transferred in accordance with legal provisions.
4. In cases of division, separation, merger of agencies, organizations, administrative units, and restructuring, changing the form of state-owned enterprises, personal data shall be transferred in accordance with legal provisions.
5. Deletion of data shall be carried out within 72 hours after the request of the Data Subject for all personal data collected by the Personal Data Controller, Joint Controller and Processor, except where otherwise provided by law.
6. The Personal Data Controller, Joint Controller and Processor, Personal Data Processor, Third Party shall store personal data in a manner appropriate to their operations and take measures to protect personal data in accordance with legal provisions.
7. The Personal Data Controller, Joint Controller and Processor, Personal Data Processor, Third Party shall irreversibly delete personal data in the following cases:
a) Processing data not in accordance with the purpose or completion of the purpose of processing personal data agreed upon by the Data Subject;
b) Storage of personal data is no longer necessary for the operations of the Personal Data Controller, Joint Controller and Processor, Personal Data Processor, Third Party;
c) The Personal Data Controller, Joint Controller and Processor, Personal Data Processor, Third Party are dissolved, cease operations, declare bankruptcy, or terminate business operations in accordance with legal provisions.
Article 17. Processing of personal data without the consent of the data subject
1. In cases of emergency, where immediate processing of relevant personal data is necessary to protect the life or health of the data subject or another person, the Data Controller, Data Processor, Joint Controller and Processor, and Third Party shall be responsible for proving such circumstances.
2. Public disclosure of personal data in accordance with the provisions of the law.
3. Processing of personal data by competent state agencies in cases of national defense, national security, public order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not yet at the level of declaring a state of emergency; preventing riots, terrorism, crime prevention and law violation in accordance with the provisions of the law.
4. To fulfill contractual obligations of the data subject with related authorities, organizations, or individuals as provided by law.
5. For the operation of state agencies as specified by specialized laws.
Article 18. Processing of personal data obtained from audio and video recording activities in public places
Competent authorities and organizations may record audio and video and process personal data obtained from such activities in public places for the purpose of protecting national security, public order and safety, and the legitimate rights and interests of organizations and individuals in accordance with the law, without the need for the consent of the data subject. When conducting recordings, competent authorities and organizations have the responsibility to notify the data subject that they are being recorded, except in cases where the law provides otherwise.
Article 19. Processing of personal data of missing persons or deceased individuals
1. Processing of personal data related to the personal data of missing persons or deceased individuals must be done with the consent of the spouse, children aged eighteen years or older, or if none of these individuals exist, with the consent of the parents of the missing person or deceased individual, except in cases stipulated in Articles 17 and 18 of this Decree.
2. If none of the individuals mentioned in Clause 1 of this Article exist, it shall be considered as lacking consent.
Article 20. Processing of personal data of children
1. Processing of personal data of children must always be carried out in accordance with the principle of protecting the rights and best interests of children.
2. Processing of personal data of children requires the consent of the child if the child is seven years old or older and the consent of the parent or guardian as prescribed, except in cases stipulated in Article 17 of this Decree. The Data Controller, Data Processor, Joint Controller and Processor, and Third Party must verify the age of the child before processing the personal data of the child.
3. Cease processing personal data of children, irreversibly delete or destroy personal data of children in the following cases:
a) Processing data is not in accordance with the purpose or has completed the purpose of processing personal data agreed upon by the data subject, except where the law provides otherwise;
b) The parent or guardian of the child withdraws their consent for the processing of the child's personal data, except where the law provides otherwise;
c) At the request of a competent authority when there is sufficient evidence to prove that the processing of personal data affects the rights and legitimate interests of the child, except where the law provides otherwise.
Article 21. Protection of personal data in marketing services and product advertising
1. Organizations and individuals engaged in marketing services and product advertising may only use personal data of customers collected through their business activities for marketing services and product advertising with the consent of the data subject.
2. Processing personal data of customers for marketing services and product advertising must be done with the consent of the customer, based on the customer's clear understanding of the content, method, form, and frequency of product promotion.
3. Organizations and individuals engaged in marketing services and product advertising have the responsibility to prove that the use of personal data of customers for product promotion complies with the provisions of Clause 1 and Clause 2 of this Article.
Article 22. Collection, Transfer, Purchase, and Sale of Personal Data Without Authorization
1. Organizations and individuals involved in processing personal data must apply measures to protect personal data to prevent unauthorized collection of personal data from their systems and service equipment.
2. Establishing software systems, technical measures, or organizing activities to collect, transfer, purchase, or sell personal data without the consent of the data subject constitutes a violation of the law.
Article 23. Notification of Violations of Personal Data Protection Regulations
1. In case of discovering a violation of the regulations on protecting personal data, the Data Controller and the Data Controller and Processor shall notify the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Bureau) within the latest 72 hours after the violation occurs using Form No. 03 attached to this Decree. If notification is made later than 72 hours, it must include reasons for the delay.
2. The Data Processor must promptly notify the Data Controller upon recognizing a violation of the regulations on protecting personal data.
3. Contents of the notification regarding violations of the regulations on protecting personal data:
a) Description of the nature of the violation of the regulations on protecting personal data, including: time, location, actions, organizations or individuals, types of personal data, and the quantity of related data;
b) Contact details of the employee responsible for data protection or the organization or individual responsible for protecting personal data;
c) Description of potential consequences and damages resulting from the violation of the regulations on protecting personal data;
d) Description of measures taken to address and mitigate the harm caused by the violation of the regulations on protecting personal data.
4. In cases where it is not possible to provide all the contents stipulated in Clause 3 of this Article, the notification may be carried out in phases or stages.
5. The Data Controller and the Data Controller and Processor must prepare a Record confirming the occurrence of the violation of the regulations on protecting personal data, and cooperate with the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Bureau) to handle the violation.
6. Organizations and individuals must report to the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Bureau) when they discover the following situations:
a) Discovery of illegal acts against personal data;
b) Personal data being processed for purposes other than those agreed upon initially between the data subject and the Data Controller, or in violation of the law;
c) Failure to ensure the rights of the data subject or failure to comply with the agreement.
d) Other cases as prescribed by law.
Section 3 ASSESSMENT OF IMPACT AND TRANSFER OF PERSONAL DATA OUTSIDE THE COUNTRY
Article 24. Assessment of impact on processing personal data
1. The Personal Data Controller and the Controller and Processor shall establish and retain their personal data processing impact assessment records from the time of commencement of personal data processing. The personal data processing impact assessment record of the Personal Data Controller and the Controller and Processor includes:
a) Information and contact details of the Personal Data Controller and the Controller and Processor;
b) Names and contact details of organizations assigned to perform data protection tasks and personal data protection staff of the Personal Data Controller and the Controller and Processor;
c) Purpose of personal data processing;
d) Types of personal data processed;
đ) Organizations and individuals receiving personal data, including those outside the territory of Vietnam;
e) Cases of transferring personal data abroad;
g) Time period for processing personal data; estimated time for deleting or destroying personal data (if applicable);
h) Description of measures applied to protect personal data;
i) Assessment of the degree of impact of personal data processing; potential adverse consequences and damages, measures to mitigate or eliminate such risks and harms.
2. The Processor shall establish and retain personal data processing impact assessment records when performing contracts with the Personal Data Controller. The personal data processing impact assessment record of the Processor includes:
a) Information and contact details of the Processor;
b) Names and contact details of organizations assigned to perform data processing tasks and data processing staff of the Processor;
c) Description of processing activities and types of personal data processed under the contract with the Personal Data Controller;
d) Time period for processing personal data; estimated time for deleting or destroying personal data (if applicable);
đ) Cases of transferring personal data abroad;
e) General description of measures applied to protect personal data;
g) Potential adverse consequences and damages, measures to mitigate or eliminate such risks and harms.
3. The personal data processing impact assessment records established under Clause 1 and Clause 2 of this Article shall be documented in writing with legal validity by the Personal Data Controller, the Controller and Processor, or the Processor.
4. The personal data processing impact assessment records must always be available for inspection and evaluation by the Ministry of Public Security and submitted to the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Bureau) one original copy according to Model No. 04 in the Appendix of this Decree within sixty days from the date of commencement of personal data processing.
5. The Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Bureau) shall evaluate and request the Personal Data Controller, the Controller and Processor, and the Processor to complete the personal data processing impact assessment records in cases where the records are incomplete or non-compliant.
6. The Personal Data Controller, the Controller and Processor, and the Processor shall update and supplement the personal data processing impact assessment records when there are changes to the contents already submitted to the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Bureau) according to Model No. 05 in the Appendix of this Decree.
Article 25. Transfer of Personal Data Abroad
1. Personal data of Vietnamese citizens may be transferred abroad if the party transferring personal data abroad establishes a Data Impact Assessment File for the transfer of personal data abroad and complies with the procedures stipulated in Clauses 3, 4, and 5 of this Article. The party transferring personal data abroad includes the Data Controller, the Controller and Processor of Personal Data, the Personal Data Processor, and the Third Party.
2. The Data Impact Assessment File for the transfer of personal data abroad shall include:
a) Information and contact details of the party transferring data and the party receiving personal data of Vietnamese citizens;
b) Names and contact details of organizations and individuals responsible for the transfer and receipt of personal data of Vietnamese citizens on the part of the party transferring data;
c) Description and explanation of the objectives of activities processing personal data of Vietnamese citizens after being transferred abroad;
d) Description and clarification of the type of personal data being transferred abroad;
đ) Description and clear statement of compliance with the provisions on personal data protection under this Decree, including detailed measures for protecting personal data applied;
e) Evaluation of the degree of impact of processing personal data; potential adverse consequences and damages, and measures to mitigate or eliminate such risks and harms;
g) Consent of the data subject in accordance with Article 11 of this Decree based on knowledge of the complaint mechanism when incidents occur or additional requests arise;
h) Documentation showing the binding obligations and responsibilities between organizations and individuals transferring and receiving personal data of Vietnamese citizens regarding the processing of personal data.
3. The Data Impact Assessment File for the transfer of personal data abroad must always be available for inspection and evaluation by the Ministry of Public Security. The party transferring data abroad shall submit one original copy of the file to the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Department) according to Model No. 06 in the Appendix of this Decree within sixty days from the date of processing personal data.
4. The party transferring data shall notify the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Department) in writing about the transfer of data and the contact details of the organization or individual responsible for it after the successful completion of the data transfer.
5. The Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Department) shall assess and require the party transferring data abroad to complete the Data Impact Assessment File for the transfer of personal data abroad if the file is incomplete or non-compliant with regulations.
6. The party transferring data abroad shall update and supplement the Data Impact Assessment File for the transfer of personal data abroad when there are changes to the content of the file already submitted to the Ministry of Public Security (Cybersecurity Agency and High-Tech Crime Prevention Department) according to Model No. 05 in the Appendix of this Decree. The time limit for completing the file for the party transferring data abroad is ten days from the date of request.
7. Based on specific circumstances, the Ministry of Public Security decides to inspect the transfer of personal data abroad once a year, except in cases where violations of laws on personal data protection under this Decree are discovered or incidents involving the leakage or loss of personal data of Vietnamese citizens occur.
8. The Ministry of Public Security may require the party transferring data abroad to cease transferring personal data abroad in the following cases:
a) When it is found that personal data transferred is used in activities violating the interests and national security of the Socialist Republic of Vietnam;
b) The party transferring data abroad does not comply with the provisions of Clauses 5 and 6 of this Article;
c) Incidents involving the leakage or loss of personal data of Vietnamese citizens occur.
Section 4 MEASURES AND CONDITIONS FOR PROTECTING PERSONAL DATA
Article 26. Measures for protecting personal data
1. Measures for protecting personal data shall be applied from the outset and throughout the entire process of processing personal data.
2. Measures for protecting personal data include:
a) Management measures implemented by organizations and individuals related to the processing of personal data;
b) Technical measures implemented by organizations and individuals related to the processing of personal data;
c) Measures implemented by state management agencies with competent authority pursuant to this Decree and relevant laws;
d) Investigation and litigation measures implemented by state agencies with competent authority;
đ) Other measures prescribed by law.
Article 27. Protection of basic personal data
1. Apply the measures prescribed in Clause 2 of Article 26 of this Decree.
2. Develop and promulgate regulations on the protection of personal data, clearly stating the actions required under this Decree.
3. Encourage the application of appropriate personal data protection standards in accordance with the field, industry, or activity related to the processing of personal data.
4. Conduct cybersecurity checks on systems and equipment serving the processing of personal data before processing, irreversibly delete or destroy devices containing personal data.
Article 28. Protection of sensitive personal data
1. Apply the measures prescribed in Clause 2 of Article 26 and Article 27 of this Decree.
2. Designate a department responsible for protecting personal data, appoint personnel responsible for protecting personal data, and exchange information about the department and individuals responsible for protecting personal data with the Personal Data Protection Authority. In cases where the Data Controller, the Controller and Processor, the Processor, and the third party is an individual, exchange information about the individual.
3. Notify the data subject of the processing of their sensitive personal data, except in cases provided for in Clause 4 of Article 13, Article 17, and Article 18 of this Decree.
Article 29. The Personal Data Protection Authority and the National Portal on Personal Data Protection
1. The Personal Data Protection Authority is the Cybersecurity and High-Tech Crime Prevention Bureau of the Ministry of Public Security, which is responsible for assisting the Ministry of Public Security in managing the protection of personal data.
2. The National Portal on Personal Data Protection:
a) Provides information on the Party's policies, guidelines, and State laws on personal data protection;
b) Promotes and disseminates policies and laws on personal data protection;
c) Updates information on the situation of personal data protection;
d) Receives information, files, and data on personal data protection activities through cyberspace;
đ) Provides information on the results of personal data protection work of relevant agencies, organizations, and individuals;
e) Receives notifications of violations of personal data protection regulations;
g) Issues warnings and coordinates warnings about risks and acts of infringing upon personal data according to the law;
h) Handles violations of personal data protection according to the law;
i) Performs other activities as prescribed by law on personal data protection.
Article 30. Conditions for Ensuring Personal Data Protection Activities
1. Personal data protection forces:
a) Specialized forces responsible for personal data protection assigned to the specialized personal data protection agency;
b) Departments and personnel with functions to protect personal data designated within agencies, organizations, and enterprises to ensure compliance with personal data protection regulations;
c) Organizations and individuals mobilized to participate in personal data protection;
d) The Ministry of Public Security shall develop specific programs and plans to develop human resources for personal data protection.
2. Agencies, organizations, and individuals have the responsibility to promote knowledge dissemination, skills enhancement, and raise awareness about personal data protection among agencies, organizations, and individuals.
3. Ensure material conditions and operational conditions for the specialized personal data protection agency.
Article 31. Funding for Personal Data Protection Activities
1. Financial sources for implementing personal data protection include state budget; support from domestic and foreign agencies, organizations, and individuals; revenue from personal data protection service provision activities; international aid, and other lawful revenues.
2. Funding for personal data protection of state agencies is guaranteed by the state budget, allocated in the annual state budget estimate. Management and utilization of funding from the state budget shall be carried out in accordance with the State Budget Law.
3. Funding for personal data protection of organizations and enterprises is arranged and implemented by these organizations and enterprises according to regulations.
Chapter III RESPONSIBILITIES OF AGENCIES, ORGANIZATIONS, AND INDIVIDUALS
Article 32. Responsibilities of the Ministry of Public Security
1. Assist the Government in uniformly managing state administration over personal data protection.
2. Guide and implement personal data protection activities, protect the rights of data subjects against violations of personal data protection laws, propose the issuance of personal data protection standards and recommendations for application.
3. Develop, manage, and operate the National Portal on Personal Data Protection.
4. Evaluate the results of personal data protection work of relevant agencies, organizations, and individuals.
5. Receive files, forms, and information on personal data protection as prescribed in this Decree.
6. Promote measures and conduct research to innovate in the field of personal data protection, implement international cooperation in personal data protection.
7. Conduct inspections, audits, handle complaints and denunciations, and address violations of personal data protection regulations in accordance with the law.
Article 33. Responsibilities of the Ministry of Information and Communications
1. Direct media agencies, press, organizations, and enterprises under its management to implement personal data protection as prescribed in this Decree.
2. Develop, guide, and implement measures for personal data protection, ensuring cybersecurity for personal data in information and communication activities according to assigned functions and tasks.
3. Coordinate with the Ministry of Public Security in inspections, audits, and handling of violations of personal data protection laws.
Article 34. Responsibilities of the Ministry of Defense
Manage, inspect, audit, supervise, handle violations, and apply personal data protection regulations for agencies, organizations, and individuals under the Ministry of Defense's jurisdiction in accordance with the law and assigned functions and tasks.
Article 35. Responsibilities of the Ministry of Science and Technology
1. Coordinate with the Ministry of Public Security in developing Personal Data Protection Standards and recommendations for applying Personal Data Protection Standards.
2. Study and exchange with the Ministry of Public Security on measures to protect personal data in line with the development of science and technology.
Article 36. Responsibilities of ministries, ministerial-level agencies, and government agencies
1. Implement state management over the protection of personal data in accordance with the laws on personal data protection for their respective sectors and fields.
2. Develop and implement the contents and tasks related to the protection of personal data as stipulated in this Decree.
3. Supplement provisions on the protection of personal data in the development and implementation of tasks of ministries and sectors.
4. Allocate funds for activities related to the protection of personal data according to the current budget management hierarchy.
5. Issue a list of open data consistent with the regulations on the protection of personal data.
Article 37. Responsibilities of People's Committees of provinces and centrally governed cities
1. Implement state management over the protection of personal data in accordance with the laws on personal data protection for their respective sectors and fields.
2. Implement the provisions on the protection of personal data as stipulated in this Decree.
3. Allocate funds for activities related to the protection of personal data according to the current budget management hierarchy.
4. Issue a list of open data consistent with the regulations on the protection of personal data.
Article 38. Responsibilities of the Personal Data Controller
1. Implement organizational and technical measures, as well as appropriate safety and security measures, to demonstrate that data processing activities have been carried out in accordance with the laws on personal data protection, and review and update these measures when necessary.
2. Record and store system logs during the process of handling personal data.
3. Report violations of the regulations on the protection of personal data as stipulated in Article 23 of this Decree.
4. Select a Personal Data Processor suitable for the specific task and only work with a Personal Data Processor that has appropriate protective measures.
5. Ensure the rights of the data subject as stipulated in Article 9 of this Decree.
6. The Personal Data Controller shall be liable to the data subject for damages caused by the processing of personal data.
7. Cooperate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve investigations and handling violations of the laws on personal data protection.
Article 39. Responsibilities of the Personal Data Processor
1. Only accept personal data after signing a contract or agreement with the Personal Data Controller regarding the processing of data.
2. Process personal data in accordance with the signed contract or agreement with the Personal Data Controller.
3. Fully implement the personal data protection measures prescribed in this Decree and other relevant legal documents.
4. The Personal Data Processor shall be liable to the data subject for damages caused by the processing of personal data.
5. Delete or return all personal data to the Personal Data Controller after completing the data processing.
6. Cooperate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve investigations and handling violations of the laws on personal data protection.
Article 40. Responsibilities of the Data Controller and Processor
Fully implement the provisions on the responsibilities of the Personal Data Controller and the Personal Data Processor.
Article 41. Responsibilities of Third Parties
Fully implement the provisions on the responsibilities for processing personal data as stipulated in this Decree.
Article 42. Responsibilities of Organizations and Individuals Related to Personal Data Protection
1. Take measures to protect their personal data, and be responsible for the accuracy of the personal data they provide.
2. Implement the provisions on personal data protection as stipulated in this Decree.
3. Timely notify the Ministry of Public Security about violations related to personal data protection activities.
4. Cooperate with the Ministry of Public Security in handling violations related to personal data protection activities.
Chapter IV
IMPLEMENTING PROVISIONS
Article 43. Effective Date
1. This Decree takes effect from July 1, 2023.
2. Micro-enterprises, small enterprises, medium-sized enterprises, and start-up enterprises have the right to choose exemption from the provisions on designation of individuals and personal data protection departments for the first two years from the date of establishment of the enterprise.
3. Micro-enterprises, small enterprises, medium-sized enterprises, and start-up enterprises directly engaged in personal data processing business shall not apply the provisions of Clause 2 of this Article.
Article 44. Responsibility for Implementation
1. The Minister of Public Security shall urge, inspect, and guide the implementation of this Decree.
2. The Ministers, Heads of ministerial-level agencies, Heads of government-affiliated agencies, Chairpersons of provincial and centrally-administered city People's Committees shall be responsible for implementing this Decree.
|
PRIME MINISTER
DEPUTY PRIME MINISTER DEPUTY PRIME MINISTER
Tran Luu Quang
|
Bản đồ quan hệ
Bấm vào một văn bản để mở. Viền đỏ = quan hệ làm thay đổi hiệu lực.
Bản dịch
Văn bản này có sẵn ở các ngôn ngữ sau: