Decree No. 13/2023/ND-CP is the first legal document in Vietnam to officially use the concept of personal data, regulating the obligation to protect personal data for entities that collect and process personal data. (Illustration photo: Reuters)

Today (July 1), Decree No. 13/2023/ND-CP of the Government on personal data protection officially took effect, creating a legal corridor to effectively protect personal data in Vietnam, minimizing the risks and consequences of personal data infringements.

The Decree was issued by the Government on April 17, 2023 with many strict regulations on data protection and the responsibility to protect personal data of relevant agencies, organizations and individuals.

What does personal data include?

The Decree clearly states that personal data is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment associated with a specific person or helping to identify a specific person.

Personal data includes basic personal data and sensitive personal data.

Basic personal data includes: surname, middle name and birth name, other names (if any); date of birth; date of death or disappearance; gender; place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address; nationality; personal image; phone number, identity card number, personal identification number, passport number, driver's license number, license plate number, personal tax code number, social insurance number, health insurance card number; marital status; information about family relationships (parents, children); information about personal digital accounts; personal data reflecting activities and history of activities on cyberspace...

Sensitive personal data is closely related to the privacy of individuals, which, when violated, will directly affect the legitimate rights and interests of that person. For example, political views, religious views; health status; racial origin, ethnic origin; genetic characteristics; unique biological characteristics; sexual life; location data; data on crimes and criminal acts collected and stored by law enforcement agencies; customer information of credit institutions...

Prohibited acts

Personal data protection is the activity of preventing, detecting, stopping and handling violations related to personal data according to the provisions of law.

Article 8 of the Decree stipulates prohibited acts, including: processing personal data contrary to the provisions of law on personal data protection; processing personal data to create information and data against the Socialist Republic of Vietnam; processing personal data to create information and data affecting national security, social order and safety, and the legitimate rights and interests of other organizations and individuals.

The Decree also prohibits acts of obstructing the personal data protection activities of competent authorities, as well as taking advantage of personal data protection activities to violate the law.

Cases of processing personal data without the consent of the data subject

Article 17 of the Decree stipulates cases of personal data processing without the consent of the data subject, including: emergency cases, where it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others; and the disclosure of personal data in accordance with the provisions of law.

Along with that is the case of data processing by competent state agencies in a state of emergency regarding national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law according to the provisions of law.

In addition, the personal data controller and processor may also process personal data without the consent of the data subject to perform the data subject's contractual obligations with relevant agencies, organizations and individuals as prescribed by law; as well as in the case of serving the activities of state agencies as prescribed by specialized laws.

Children's age must be verified before processing children's personal data

The Decree states that the processing of children's personal data is always carried out in accordance with the principle of protecting the rights and in the best interests of the child.

Accordingly, the processing of children's personal data must have the consent of the child in cases where the child is 7 years of age or older and has the consent of the parent or guardian as prescribed, except in the case specified in Article 17.

Personal data controllers, personal data processors, personal data controllers and processors, and third parties must verify the age of children before processing children's personal data.

The Decree also provides for a number of cases in which parties must stop processing children's personal data, irreversibly delete or destroy children's personal data (except where otherwise provided by law).

Specifically, in cases where data processing is not for the intended purpose or has completed the purpose of processing personal data with the consent of the data subject; the child's parent or guardian withdraws consent to the processing of the child's personal data; or at the request of a competent authority when there is sufficient evidence to prove that the processing of personal data affects the rights and legitimate interests of the child.