THE GOVERNMENT
No. 13/2023/ND-CP
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
Hanoi, April 17, 2023
Decree
On personal data protection
Pursuant to the Law on Organization of the Government dated June 19, 2015; Law on Amending and Supplementing a Number of Articles of the Law on Organization of the Government and the Law on Organization of Local Administration dated November 22, 2019;
Pursuant to the Civil Code dated November 24, 2015;
Pursuant to the Law on National Security dated December 03, 2004;
Pursuant to the Law on Cyber Security dated June 12, 2018;
At the request of the Minister of Public Security;
The Government promulgates the Decree on personal data protection.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation and subjects of application
1. This Decree provides for personal data protection and responsibilities for personal data protection of relevant agencies, organizations and individuals.
2. This Decree shall apply to:
a) Vietnamese agencies, organizations and individuals;
b) Foreign agencies, organizations and individuals in Vietnam;
c) Vietnamese agencies, organizations and individuals operating overseas;
d) Foreign agencies, organizations and individuals directly engaged in or related to the processing of personal data in Vietnam.
Article 2. Interpretation of terms
In this Decree, the terms below are construed as follows:
1. Personal data means any information in the forms of symbols, letters, figures, images, sounds or similar forms in the electronic environment that is associated with a particular person or may lead to the identification of a particular person. Personal data includes basic personal data and sensitive personal data.
2. Information for identification of a particular person means the information formed from an individual’s activities combined with other stored information and data leading to the identification of a particular person.
3. Basic personal data includes:
a) Family name, middle name and first name as stated in a birth certificate, other name (if any);
b) Date of birth; date of death or of going missing;
c) Gender;
d) Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, native place, contact address;
dd) Nationality;
e) Image of the individual;
g) Telephone numbers, people’s identity card number, personal identification number, passport number, driver’s license number, vehicle number plate numbers, personal tax identification number, social insurance number, health insurance card number;
h) Marital status;
i) Information about family relationships (parents, children);
k) Information about digital account of the individual; personal data on activities, history of activities in cyberspace;
l) Other information associated with a particular person or leading to the identification of a particular person, other than those specified in Clause 4 of this Article.
4. Sensitive personal data means any personal data associated with an individual’s privacy rights of which the violation directly affects his/her lawful rights and interests, including:
a) Political opinions, religious opinions;
b) Health status and private information recorded in the health record, excluding the information about blood type;
c) Information relating to racial origin, ethnic origin;
d) Information about the inherited or acquired genetic characteristics of the individual;
dd) Information about physical characteristics, unique biological characteristics of the individual;
e) Information about sex life, sexual orientation of the individual;
g) Data on crimes and offenses collected and stored by law enforcement authorities;
h) Client information of credit institutions, foreign bank branches, intermediary payment service providers, and other authorized organizations, including: client identification information prescribed by law provisions, information on accounts, deposits, deposited assets, transactions, organizations and individuals being securing parties at credit institutions, bank branches, intermediary payment service providers;
i) Location data of the individual identified through location services;
k) Other personal data that is specific in nature and requires necessary security measures under law provisions.
5. Personal data protection means activities to prevent, detect and handle breaches related to personal data in accordance with law.
6. Data subject means an individual reflected by the personal data.
7. Personal data processing means one or more operations which are performed on personal data, such as: collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, retrieval, withdrawal, encryption, decryption, copy, sharing, transmission, provision, transfer, erasure, destruction of personal data or other relevant operations.
8. Consent of the data subject means any freely given and unambiguous indication by the data subject that signifies agreement to the processing of personal data relating to him or her.
9. Controller means an organization or individual which decides the purposes and means of personal data processing.
10. Processor means an organization or individual which processes personal data on behalf of the controller, via a contract or agreement with the controller.
11. Controlling and processing entity means an organization or individual which simultaneously decides the purposes and means of, and directly implements, the processing of personal data.
12. Third party means an organization or individual other than the data subject, controller, processor, controlling and processing entity who is authorized to process personal data.
13. Automated processing of personal data means any form of personal data processing by electronic means for the purpose of evaluating, analyzing or predicting a particular person’s activities, such as habit, interests, reliability, behaviour, location, trends, capacity and others.
14. International transfer of personal data means an activity using cyberspace, equipment, electronic means or other forms to transfer Vietnamese citizens’ personal data to a location outside the territory of the Socialist Republic of Vietnam or process Vietnamese citizens’ personal data at a location outside the territory of the Socialist Republic of Vietnam, including:
a) Organizations, enterprises and individuals transferring Vietnamese citizens’ personal data to overseas organizations, enterprises or management departments for processing in conformity with the purposes agreed upon by the data subject;
b) Processing of Vietnamese citizens’ personal data, using automated systems located outside the territory of the Socialist Republic of Vietnam, by the controller, controlling and processing entity, and processor in conformity with the purposes agreed upon by the data subject.
Article 3. Principles for personal data protection
1. Personal data shall be processed in accordance with law.
2. The data subject has the right to be informed about activities relating to the processing of his/her personal data, unless otherwise provided by law.
3. Personal data is processed only for the purposes of personal data processing that have been registered and declared by controller, processor, controlling and processing entity, or third party.
4. Collected personal data must be appropriate and within the scope and purposes of processing. Purchase and sale of personal data in any form shall not be permitted, unless otherwise provided by law.
5. Personal data shall be updated and supplemented in conformity with the processing purposes.
6. Measures for protection and security shall be applied to personal data during the processing, including protection against breaches of personal data protection regulations and, through technical measures, the prevention and control of loss, destruction or damage due to incidents.
7. Personal data shall be only stored for a period suitable for the purposes of data processing, unless otherwise provided by law.
8. Controller, controlling and processing entity shall be responsible for complying with the data processing principles specified in Clauses 1 to 7 of this Article and demonstrating their observance of such principles.
Article 4. Handling of breach of personal data protection regulation
Agencies, organizations and individuals breaching the personal data protection regulation shall, depending on the seriousness of their breaches, be disciplined, administratively or criminally handled in accordance with regulations.
Article 5. State management of personal data protection
The Government shall perform the uniform state management of personal data protection.
The state management of personal data protection includes contents as follows:
1. Submit to competent state agencies for promulgation, or promulgate according to its own competence, legal documents on personal data protection, and direct and organize the implementation of such legal documents.
2. Develop and organize the implementation of strategies, policies, schemes, projects, programs and plans for personal data protection.
3. Provide agencies, organizations and individuals with guidance on measures, processes and standards for personal data protection in accordance with law.
4. Propagate and educate on the law on personal data protection; carry out communication and dissemination of knowledge and skills in personal data protection.
5. Arrange, train and foster cadres, civil servants, public employees and persons assigned to perform the personal data protection.
6. Inspect and examine the implementation of the law on personal data protection; settle complaints, denunciations and handle breaches of the law on personal data protection in accordance with the law.
7. Compile statistics on, and inform and report on, personal data protection and the implementation of the law on personal data protection to competent state agencies.
8. Perform the international cooperation relating to personal data protection.
Article 6. Application of Decree on personal data protection, relevant laws and treaties
The personal data protection is carried out in accordance with the treaties to which the Socialist Republic of Vietnam is a contracting party, other provisions of relevant Laws and this Decree.
Article 7. International cooperation relating to personal data protection
1. Development of an international cooperation mechanism to facilitate the effective enforcement of law on personal data protection.
2. Participation in legal assistance relating to personal data protection with other countries, including notification, proposal of complaints, assistance relating to investigation and information exchange, with appropriate measures for personal data protection.
3. Organization of conferences, seminars and scientific research, and promotion of international cooperation activities in the enforcement of the law on personal data protection.
4. Organization of bilateral and multilateral meetings, exchange of experiences of law-making and personal data protection practices.
5. Technology transfer for personal data protection.
Article 8. Prohibited acts
1. Processing personal data contrary to the law on personal data protection.
2. Processing personal data to create information and data to act against the State of the Socialist Republic of Vietnam.
3. Processing personal data to create information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
4. Obstructing competent agencies’ personal data protection activities.
5. Abuse of personal data protection to breach the law.
Chapter II
PERSONAL DATA PROTECTION
Section 1
RIGHTS AND OBLIGATIONS OF THE DATA SUBJECT
Article 9. Rights of the data subject
1. Right to be informed
The data subject has the right to be informed about activities relating to the processing of his/her personal data, unless otherwise provided by law.
2. Right to consent
The data subject has the right to agree or not to agree to the processing of his/her personal data, except in the cases specified in Article 17 of this Decree.
3. Right of access by the data subject
The data subject shall have the right to access his/her personal data for viewing, rectifying or requesting rectification of such data, unless otherwise provided by law.
4. Right to withdrawal of consent
The data subject shall have the right to withdraw his/her consent, unless otherwise provided by law.
5. Right to erasure of personal data
The data subject shall have the right to erase or request the erasure of his/her personal data, unless otherwise provided by law.
6. Right to restriction of data processing
a) The data subject shall have the right to request the restriction of processing of his/her personal data, unless otherwise provided by law;
b) Restriction of data processing shall be carried out within 72 hours after request of the data subject, with all personal data under the data subject’s restriction request, unless otherwise provided by law.
7. Right to provision of data
The data subject shall have the right to request the controller, controlling and processing entity to provide his/her own personal data for him/her, unless otherwise provided by law.
8. Right to object
a) The data subject shall have the right to object to processing of his/her personal data by the controller, controlling and processing entity for the purposes of preventing or limiting the disclosure of personal data or its use for advertising or marketing, unless otherwise provided by law;
b) The controller, controlling and processing entity shall act on the request of the data subject within 72 hours after receiving the request, unless otherwise provided by law.
9. Right to complaint, denunciation and initiation of lawsuits
The data subject shall have the right to complaint, denunciation and initiation of lawsuits in accordance with the law.
10. Right to request for compensation for damage
The data subject has the right to request compensation for damage in accordance with the law upon breaches of his/her personal data protection, unless otherwise agreed upon by the parties or provided by law.
11. Right to self-defense
The data subject shall have the right to protect himself/herself in accordance with the Civil Code, other relevant laws and this Decree, or to request competent agencies or organizations to implement the methods of protection of civil rights prescribed in Article 11 of the Civil Code.
Article 10. Obligations of the data subject
1. Protect his/her personal data by himself/herself; request other relevant organizations and individuals to protect his/her personal data.
2. Respect and protect others’ personal data.
3. Provide complete and accurate personal data upon consent to the personal data processing.
4. Participate in propaganda and dissemination of personal data protection skills.
5. Comply with the law on personal data protection and participate in the prevention and fighting of breaches of personal data protection regulation.
Section 2
PERSONAL DATA PROTECTION DURING THE PROCESSING OF PERSONAL DATA
Article 11. Consent of the data subject
1. Consent of the data subject shall apply to all activities of the personal data processing procedure, unless otherwise provided by law.
2. The data subject’s consent is only valid when the data subject voluntarily consents and is clearly aware of the following contents:
a) Categories of personal data to be processed;
b) Purposes of personal data processing;
c) Organizations, individuals allowed to process personal data;
d) Rights and obligations of the data subject.
3. The data subject’s consent must be expressed clearly, specifically in writing, by voice, by checking the consent box, sending the consent syntax, selecting consent technical settings or another action demonstrating such consent.
4. Consent must be given for the same purpose. In cases of multiple purposes, the controller, controlling and processing entity shall list the purposes so that the data subject may agree to the stated purpose(s).
5. The data subject’s consent must be expressed in a format that can be printed, reproduced in writing, including electronic or verifiable formats.
6. The silence or non-response from the data subject is not considered consent.
7. The data subject may give a partial consent or a conditional consent.
8. In cases of processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.
9. The data subject’s consent shall be valid until the data subject makes a different decision or until the competent agency makes a request in writing.
10. In the event of a dispute, the responsibility for proving the data subject’s consent shall be borne by the controller, controlling and processing entity.
11. Organizations and individuals may, by the authorization under the Civil Code, on behalf of the data subject, carry out procedures related to the processing of personal data of the data subject with the controller, controlling and processing entity, in case the data subject knows and consents to it as prescribed in Clause 3 of this Article, unless otherwise provided by law.
Article 12. Withdrawal of consent
1. Withdrawal of consent does not affect the legality of the data processing that was agreed prior to the withdrawal of consent.
2. Withdrawal of consent must be expressed in a format that can be printed, reproduced in writing, including electronic or verifiable formats.
3. In case of receiving the data subject’s request for withdrawal of consent, the controller, controlling and processing entity shall notify the data subject of potential consequences and damages upon withdrawal of consent.
4. After Clause 2 of this Article is observed, the controller, processor, controlling and processing entity, and the third party must cease and request relevant organizations and individuals to cease processing data of the data subject who has withdrawn his/her consent.
Article 13. Notification of processing personal data
1. A notification shall be sent once before processing personal data.
2. A notification sent to the data subject of the processing of personal data must include:
a) Processing purposes;
b) Categories of personal data to be used in relation to the processing purposes specified at Point a, Clause 2 of this Article;
c) Means of processing;
d) Information about other organizations or individuals related to the processing purposes specified at Point a, Clause 2 of this Article;
dd) Unexpected consequences and damages likely to occur;
e) Time for starting and completing the processing of data.
3. The notification to the data subject must be presented in a format that can be printed, reproduced in writing, including in electronic or verifiable format.
4. The controller, controlling and processing entity are not required to comply with the provisions of Clause 1 of this Article in the following cases:
a) The data subject knows and fully agrees with the contents specified in Clauses 1 and 2 of this Article before giving consent for the controller, controlling and processing entity to collect personal data in accordance with Article 9 of this Decree;
b) Personal data is processed by a competent state agency for the purpose of serving the operation of the state agency in accordance with the law.
Article 14. Provision of personal data
1. The data subject may request the controller, controlling and processing entity to provide his/her own personal data.
2. The controller, controlling and processing entity may:
a) Provide personal data of the data subject to other organizations and individuals with the consent of the data subject, unless otherwise provided by law;
b) Provide personal data of the data subject on behalf of the data subject to another organization or individual when the data subject allows the representation and authorization, unless otherwise provided by law.
3. Personal data of the data subject shall be provided by the controller, controlling and processing entity within 72 hours after the request of the data subject, unless otherwise provided by law.
4. The controller, controlling and processing entity shall not provide personal data in the following cases:
a) Causing harm to national defense, security, social order and safety;
b) The provision of personal data of the data subject may affect the safety, physical or mental health of others;
c) The data subject does not agree to provide, represent or authorize the receipt of personal data.
5. Forms of request to provide personal data:
a) The data subject shall go directly, or authorize another person to go, to the head office of the controller, controlling and processing entity to request the provision of personal data.
The person receiving the request shall instruct the requester to fill in the request for provision of personal data.
If the requester is illiterate or has a disability and cannot write the request, the person receiving the request shall fill in the request for provision of personal data;
b) The request for provision of personal data, made according to Forms No. 01 and 02 in the Appendix to this Decree, shall be sent online, or by postal service or fax, to the controller, controlling and processing entity.
6. The request for provision of personal data must be written in Vietnamese, including the following main contents:
a) Full name; place of residence, address; people’s identity card number, citizen identity card number or passport number of the requester; fax number, telephone number, email address (if any);
b) Personal data to be provided, specifying the name of the document, dossier or written record;
c) Form of providing personal data;
d) Reasons and purposes for requesting the provision of personal data.
7. In case of requesting the provision of personal data specified in Clause 2 of this Article, the written consents of concerned individuals and organizations are required.
8. Receiving requests for provision of personal data
a) The controller, controlling and processing entity shall receive requests for provision of personal data, and monitor the process and the list of personal data provided at request;
b) In case the requested personal data does not fall within its competence, the controller, controlling and processing entity receiving the request must notify and guide the requester to the competent authority, or explicitly notify the requester of the inability to provide the personal data.
9. Handling requests for provision of personal data
Upon receiving a valid request for provision of personal data, the controller, controlling and processing entity in charge of providing personal data shall notify the time limit, location and form of providing personal data; actual expenses for printing, copying, photographing and sending information via postal and fax services (if any) and the payment method and time limit; provide personal data according to the order and procedures specified in this Article.
Article 15. Rectification of personal data
1. The data subject may:
a) Access his/her personal data to view and rectify the data that has been collected with consent by the controller, controlling and processing entity, unless otherwise provided by law;
b) In case it is not possible to rectify directly due to technical reasons or other reasons, the data subject may request the controller, controlling and processing entity to rectify his/her personal data.
2. The controller, controlling and processing entity shall rectify the personal data of the data subject, after obtaining the consent of the data subject, as soon as possible or in accordance with specialized law. Where this is not possible, the controller, controlling and processing entity shall notify the data subject after 72 hours from the time of receiving the data subject’s request to rectify personal data.
3. The processor and the third party may rectify the data subject's personal data after obtaining written consent from the controller, controlling and processing entity and after being aware of the data subject’s consent.
Article 16. Storage, erasure and destruction of personal data
1. The data subject may request the controller, controlling and processing entity to erase his/her own personal data in the following cases:
a) He/she finds that the data is no longer necessary for the agreed purpose of data collection and accepts possible damages upon requesting data erasure;
b) He/she withdraws the consent;
c) He/she objects to the processing of data and the controller, the controlling and processing entity do not have any legitimate reason to continue processing;
d) Personal data is processed not in accordance with the agreed purpose or the processing of personal data is in violation of the law;
dd) Personal data must be erased in accordance with the law.
2. Data shall not be erased at the request of the data subject in the following cases:
a) The law does not allow the erasure of data;
b) Personal data is processed by a competent state agency for the purpose of serving the operation of the state agency in accordance with the law;
c) Personal data has been disclosed in accordance with the law;
d) Personal data is processed to serve legal requirements, scientific research and statistics in accordance with the law;
dd) In case of emergency on national defense, national security, social order and safety, major disasters, dangerous epidemics; or when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; or in case of preventing and combating riots and terrorism, preventing and combating crimes and law violations;
e) Response to an emergency that threatens the life, health or safety of data subjects or other individuals.
3. In case an enterprise divides, separates, merges, consolidates or dissolves, personal data shall be transferred in accordance with law.
4. In case of division, separation or merger of agencies, organizations or administrative units, and reorganization or transformation of ownership form of state enterprises, personal data shall be transferred in accordance with law.
5. All personal data collected by the controller, controlling and processing entity shall be erased within 72 hours after receiving the data subject’s request, unless otherwise provided by law.
6. The controller, controlling and processing entity, processor and the third party shall store personal data in a form suitable for their operations and take measures to protect personal data in accordance with the law.
7. The controller, controlling and processing entity, processor and the third party shall permanently erase personal data in the following cases:
a) The processing of data is for improper purposes or the purpose of processing personal data has been completed with the consent of the data subject;
b) The storage of personal data is no longer necessary for the operation of the controller, controlling and processing entity, processor, and the third party;
c) The controller, controlling and processing entity, processor or the third party is dissolved or no longer operates or declares bankruptcy or has its business activities terminated in accordance with the law.
Article 17. Processing of personal data without consents of data subjects
1. In urgent cases where it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others. The controller, processor, controlling and processing entity and the third party shall be responsible for proving this case.
2. The disclosure of personal data shall comply with the law.
3. The processing of data by competent state agencies in case of emergency on national defense, national security, social order and safety, major disasters, dangerous epidemics; or when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; or in case of preventing and combating riots and terrorism, preventing and combating crimes and law violations in accordance with law.
4. To fulfill the contractual obligations of the data subject with relevant agencies, organizations and individuals as prescribed by law.
5. To serve the activities of state agencies prescribed by specialized laws.
Article 18. Processing of personal data obtained from audio and video recording in public places
Competent agencies and organizations may record audio or video and process personal data obtained from audio or video recording activities in public places for the purpose of protecting national security, social order and safety, and the legitimate rights and interests of organizations and individuals as prescribed by law, without the consent of data subjects. When making audio or video recordings, competent agencies and organizations shall notify data subjects so that they understand that they are being audio or video recorded, unless otherwise provided by law.
Article 19. Processing of personal data of persons declared missing or deceased
1. The processing of personal data of a person who is declared missing or deceased must be consented to by his/her wife, husband or child aged 18 years or older; where he/she has no wife, husband or child aged 18 years or older, the consent of his/her parent is required, except for the cases specified in Articles 17 and 18 of this Decree.
2. In the absence of all the persons mentioned in Clause 1 of this Article, it is considered that there is no consent.
Article 20. Processing of children's personal data
1. Children's personal data shall always be processed in accordance with the principle of protecting the rights and in the best interests of children.
2. The processing of a child’s personal data must have the consent of the child if aged 7 full years or older, and the consent of his/her parent or guardian as prescribed, except for the cases specified in Article 17 of this Decree. The controller, processor, controlling and processing entity and the third party must verify the age of the child before processing his/her personal data.
3. The processing of a child’s personal data shall be stopped, and the data permanently erased or destroyed, in the following cases:
a) The processing of data is for improper purposes or the purpose of processing personal data has been completed with the consent of the data subject, unless otherwise provided by law;
b) The child's parent or guardian withdraws his/her consent for the processing of the child's personal data, unless otherwise provided by law;
c) At the request of a competent authority when there are sufficient grounds to prove that the processing of personal data affects the child’s legitimate rights and interests, unless otherwise provided by law.
Article 21. Protection of personal data in the business of marketing services and introduction of advertising products
1. Organizations and individuals providing marketing services and introducing advertising products may only use personal data of clients collected through their business activities to provide marketing services and introduce advertising products with the consent of the data subjects.
2. The processing of personal data of clients to provide marketing services and introduce advertising products must be consented to by the clients, on the basis that the clients know the contents, methods, forms and frequency of product introduction.
3. Organizations and individuals providing marketing services and introducing advertising products shall be responsible for proving that the personal data of clients to whom products are introduced is used in accordance with Clauses 1 and 2 of this Article.
Article 22. Unauthorized collection, transfer, and trading of personal data
1. Organizations and individuals involved in personal data processing must apply personal data protection measures to prevent unauthorized collection of personal data from their service equipment and systems.
2. It is illegal to set up software systems, technical measures or organize activities of collecting, transferring, buying and selling personal data without the consent of data subjects.
Article 23. Notification of a breach of personal data protection regulation
1. In case of detecting a breach of personal data protection regulations, the controller or controlling and processing entity shall, not later than 72 hours after the breach is committed, notify the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) according to Form No. 03 in the Appendix to this Decree. Where the notification is made later than 72 hours, it shall state the reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a breach of personal data protection regulation.
3. The notification shall at least:
a) Describe the nature of the breach, including time, location, acts, organizations, individuals, the categories and number of data concerned;
b) Provide contact details of the officer assigned to the task of data protection or an organization or individual in charge of protecting personal data;
c) Describe the likely consequences and damages of the breach of personal data protection regulation;
d) Describe the proposed measures to address and mitigate effects of the breach of personal data protection regulation.
4. Where it is not possible to notify sufficient information prescribed in Clause 3 of this Article, the information may be provided in phases.
5. The controller, controlling and processing entity shall make records confirming breaches of personal data protection regulation, and coordinate with the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) to handle such breaches.
6. Organizations and individuals shall notify the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) when:
a) Detecting a breach of the law on personal data;
b) Personal data is processed for wrong purposes, not in accordance with the original agreement between the data subject and the controller or controlling and processing entity, or is processed contrary to the law;
c) Failing to guarantee the rights of the data subject, or such rights are improperly implemented;
d) Other cases as prescribed by law.
Section 3
IMPACT ASSESSMENT AND INTERNATIONAL TRANSFER OF PERSONAL DATA
Article 24. Personal data processing impact assessment
1. The controller, controlling and processing entity shall compile and maintain dossiers for assessment of impacts of personal data processing from the time of starting processing personal data.
Such a dossier shall contain the following information:
a) Contact details and information of the controller or controlling and processing entity;
b) Full name and contact details of the organization assigned to protect personal data, and data protection officers of the controller, controlling and processing entity;
c) The purposes of the personal data processing;
d) The categories of personal data to be processed;
dd) Recipients to whom the personal data have been or will be disclosed, including recipients in other countries;
e) The case of international transfer of personal data;
g) The time limits for processing personal data; envisaged time limits for erasure of personal data (if any);
h) A description of the personal data protection measures taken;
i) An assessment of the impact of personal data processing; unexpected consequences and damages likely to occur and measures to address and mitigate such risks or damages.
2. The processor shall compile and maintain dossiers for assessment of impacts of personal data processing when performing contracts with the controller. Such a dossier shall contain the following information:
a) Contact details and information of the processor;
b) Full name and contact details of the organization assigned to process personal data, and officers processing personal data of the processor;
c) A description of the processing activities and categories of data to be processed under contracts signed with the controller;
d) The time limits for processing personal data; envisaged time limits for erasure of personal data (if any);
dd) The case of international transfer of personal data;
e) A general description of the personal data protection measures taken;
g) Unexpected consequences and damages likely to occur and measures to address and mitigate such risks or damages.
3. The dossier for assessment of impacts of personal data processing referred to in Clauses 1 and 2 of this Article shall be in writing, and legally binding to the controller, controlling and processing entity or the processor.
4. An original dossier for assessment of impacts of personal data processing, made according to Form No. 04 in the Appendix to this Decree, must be available within 60 days, from the date of starting processing personal data, to serve the inspection and assessment of the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention).
5. The Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) shall assess and request the controller, controlling and processing entity and processor to complete the dossier for assessment of impacts of personal data processing that is incomplete as prescribed.
6. The controller, controlling and processing entity and processor shall update and supplement the dossier for assessment of impacts of personal data processing upon changing contents of the dossier submitted to the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) according to Form No. 05 in the Appendix to this Decree.
Article 25. International transfer of personal data
1. Personal data of a Vietnamese citizen may be transferred to another country where the transferor has compiled a dossier for assessment of impact of international transfer of personal data and carried out the procedures specified in Clauses 3, 4 and 5 of this Article. The transferor may be the controller, the controlling and processing entity, the processor or the third party.
2. A dossier for assessing impact of international transfer of personal data shall comprise:
a) Contact details and information of the transferor and recipient who receives personal data of a Vietnamese citizen;
b) Full name and contact details of an organization or individual in charge of the transferor, involved in the transfer and receipt of the Vietnamese citizen's personal data;
c) A description and explanation of objectives of the processing of a Vietnamese citizen's personal data after being transferred to another country;
d) A description and clarification of categories of personal data to be internationally transferred;
dd) A description and clarification of the compliance with regulations on personal data protection provided in this Decree, details of personal data protection measures taken;
e) An assessment of the impact of personal data processing; unexpected consequences and damages likely to occur and measures to address and mitigate such risks or damages;
g) The consent of the data subject as prescribed in Article 11 of this Decree, given with awareness of the mechanism for response and complaint when an incident or request arises;
h) A document showing the binding commitments and responsibilities between the transferor and the recipient of Vietnamese citizens' personal data in processing such personal data.
3. Dossiers for assessment of impact of international transfer of personal data must be available to serve the inspection and assessment of the Ministry of Public Security.
The transferor shall send an original dossier, made according to Form No. 06 in the Appendix to this Decree, to the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) within 60 days from the date of starting processing personal data.
4. The transferor shall send a written notification to the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) of the transfer of data and contact details of the organization or individual in charge after data is successfully transferred.
5. The Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) shall assess and request the transferor to complete the dossier for assessment of impacts of international transfer of personal data that is incomplete as prescribed.
6. The transferor shall update and supplement the dossier for assessment of impacts of international transfer of personal data upon changing contents of the dossier submitted to the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) according to Form No. 05 in the Appendix to this Decree. Time limit for the transferor to complete the dossier is 10 days from the date of request.
7. Based on the actual situation, the Ministry of Public Security shall decide on examining the international transfer of personal data once a year, except in the case of detecting a breach of personal data protection regulations provided in this Decree, or an incident of leak or loss of personal data of Vietnamese citizens.
8. The Ministry of Public Security shall decide on requesting the transferor to stop transferring personal data to other countries when:
a) Detecting that the transferred personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam;
b) The transferor fails to comply with the provisions of Clauses 5 and 6 of this Article;
c) The transferor causes an incident of leak or loss of personal data of Vietnamese citizens.
Section 4
MEASURES, CONDITIONS FOR PROTECTION OF PERSONAL DATA
Article 26. Personal data protection measures
1. Personal data protection measures are taken from the very beginning and throughout the processing of personal data.
2. Measures to protect personal data include:
a) Management measures taken by organizations and individuals involved in personal data processing;
b) Technical measures taken by organizations or individuals involved in personal data processing;
c) Measures taken by competent state management agencies in accordance with this Decree and relevant laws;
d) Investigation and procedural measures taken by competent state agencies;
dd) Other measures as prescribed by law.
Article 27. Basic personal data protection
1. To apply measures specified in Clause 2, Article 26 of this Decree.
2. To develop and promulgate regulations on personal data protection, clearly stating requirements to be followed in accordance with this Decree.
3. To encourage the application of personal data protection standards appropriate to the fields, industries and activities related to personal data processing.
4. To check the cybersecurity of the systems, means and equipment used for personal data processing before processing, and to irrecoverably erase or destroy devices containing personal data.
Article 28. Protection of sensitive personal data
1. To apply measures specified in Clause 2, Article 26 and Article 27 of this Decree.
2. To designate a department with the function of protecting personal data, appoint personnel in charge of personal data protection, and exchange information about that department and the person in charge of personal data protection with the agency in charge of personal data protection. Where the controller, controlling and processing entity, processor or third party is an individual, information about the individual performing personal data protection shall be exchanged.
3. To notify the data subject of the processing of his/her sensitive personal data, except for the cases specified in Clause 4, Article 13, Article 17 and Article 18 of this Decree.
Article 29. Agencies in charge of personal data protection and the national portal on personal data protection
1. The Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security, shall act as an agency in charge of personal data protection, assisting the Ministry of Public Security in performing the state management of personal data protection.
2. The national portal on personal data protection shall:
a) Provide information on the guidelines and policies of the Party and the State's laws on protection of personal data;
b) Propagate and disseminate policies and laws on protection of personal data;
c) Update information and status of personal data protection;
d) Receive information, dossiers and data on personal data protection activities through cyberspace;
dd) Provide information on assessment results of personal data protection by relevant agencies, organizations and individuals;
e) Receive notifications of breaches of personal data protection regulations;
g) Give warnings and coordinate in warning about risks and acts of infringing personal data in accordance with the law;
h) Handle violations of personal data protection in accordance with the law;
i) Perform other activities in accordance with the law on personal data protection.
Article 30. Conditions for ensuring the protection of personal data
1. Personal data protection force:
a) The agency in charge of personal data protection shall arrange a personal data protection task force;
b) Agencies, organizations and enterprises shall appoint departments and personnel with the function of protecting personal data to ensure compliance with regulations on personal data protection;
c) Organizations and individuals shall be mobilized to participate in the protection of personal data;
d) The Ministry of Public Security shall formulate a specific program or plan to develop the human resources for personal data protection.
2. Agencies, organizations and individuals shall be responsible for propagating and disseminating knowledge and skills, raising awareness of personal data protection for agencies, organizations and individuals.
3. The agency in charge of personal data protection shall be provided with physical foundations and conditions for operations.
Article 31. Funding for personal data protection
1. Financial sources for personal data protection include the state budget; support from domestic and foreign agencies, organizations and individuals; revenues from the provision of personal data protection services; international aid and other legitimate sources of revenues.
2. Funds for personal data protection of state agencies shall be guaranteed by the state budget and shall be included in the annual state budget estimates. The management and use of funds shall comply with the law on the state budget.
3. Funds for personal data protection of organizations and enterprises shall be allocated by themselves in accordance with regulations.
Chapter III
RESPONSIBILITIES OF AGENCIES, ORGANIZATIONS AND INDIVIDUALS
Article 32. Responsibility of the Ministry of Public Security
1. To assist the Government in performing unified state management of personal data protection.
2. To guide and implement personal data protection activities, protect the rights of data subjects against breaches of the law on personal data protection, propose the promulgation of standards for personal data protection and applicable recommendations.
3. To build, manage and operate the national portal on personal data protection.
4. To evaluate results of personal data protection by relevant agencies, organizations and individuals.
5. To receive dossiers, forms and information on personal data protection in accordance with this Decree.
6. To promote measures and conduct research to innovate in the field of personal data protection, implement international cooperation on personal data protection.
7. To conduct inspection and examination, settle complaints and denunciations, and handle breaches of personal data protection regulations in accordance with the law.
Article 33. Responsibility of the Ministry of Information and Communications
1. To direct media and press agencies, organizations and enterprises under the management to protect personal data in accordance with this Decree.
2. To develop, guide and implement measures to protect personal data, ensure cyberinformation security for personal data in information and communication activities according to the assigned functions and tasks.
3. To cooperate with the Ministry of Public Security in inspecting, examining and handling breaches of the law on personal data protection.
Article 34. Responsibility of the Ministry of National Defence
To manage, inspect, examine, supervise, handle violations and apply regulations on personal data protection to agencies, organizations and individuals under its management according to regulations and assigned functions and tasks.
Article 35. Responsibility of the Ministry of Science and Technology
1. To coordinate with the Ministry of Public Security in developing the standards on personal data protection and recommendations to apply such standards.
2. To study and discuss with the Ministry of Public Security on measures to protect personal data to keep up with the development of science and technology.
Article 36. Responsibility of ministries, ministerial-level agencies, and government-attached agencies
1. To perform state management of personal data protection for management sectors and fields according to the law on personal data protection.
2. To develop and implement the contents and tasks of personal data protection specified in this Decree.
3. To supplement regulations on personal data protection in the formulation and implementation of the tasks of ministries and branches.
4. To allocate funds for personal data protection activities according to the current budget management decentralization.
5. To promulgate the list of open data in accordance with regulations on personal data protection.
Article 37. Responsibility of People’s Committees of provinces and centrally-run cities
1. To perform state management of personal data protection for management sectors and fields according to the law on personal data protection.
2. To implement regulations on personal data protection specified in this Decree.
3. To allocate funds for personal data protection activities according to the current budget management decentralization.
4. To promulgate the list of open data in accordance with regulations on personal data protection.
Article 38. Responsibility of the controller
1. To implement appropriate technical and organizational measures, associated with appropriate safety and security measures to demonstrate that data processing is performed in accordance with the law on personal data protection. Those measures shall be reviewed and updated where necessary.
2. To record and store system log of personal data processing.
3. To notify breaches of personal data protection regulations in accordance with Article 23 of this Decree.
4. To select an appropriate processor with clearly defined tasks, and to work only with a processor that has appropriate protection measures in place.
5. To ensure the rights of data subjects as prescribed in Article 9 of this Decree.
6. The controller shall take responsibility before the data subject for damages caused by the processing of personal data.
7. To cooperate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information for investigation and handling of breaches of the law on personal data protection.
Article 39. Responsibility of the processor
1. To receive personal data only after reaching an agreement or signing a contract on data processing with the controller.
2. To process personal data in accordance with the contract or agreement signed with the controller.
3. To fully implement measures to protect personal data specified in this Decree and relevant laws.
4. The processor shall take responsibility before the data subject for damages caused by the processing of personal data.
5. To erase or return all personal data to the controller after completing the data processing.
6. To cooperate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information for investigation and handling of breaches of the law on personal data protection.
Article 40. Responsibility of the controlling and processing entity
To fully implement regulations on responsibilities of the controller and processor.
Article 41. Responsibility of the third party
To fully implement regulations on responsibility for processing personal data in accordance with this Decree.
Article 42. Responsibility of related institutions and individuals
1. To take measures to protect their personal data, take responsibility for the accuracy of personal data provided by them.
2. To follow regulations on personal data protection specified in this Decree.
3. To timely notify the Ministry of Public Security of breaches relating to the protection of personal data.
4. To coordinate with the Ministry of Public Security in handling breaches relating to the protection of personal data.
Chapter IV
IMPLEMENTATION PROVISIONS
Article 43. Effect
1. This Decree takes effect from July 1, 2023.
2. Micro-enterprises, small-size enterprises, medium-size enterprises and start-ups may choose to be exempted from regulations on designating personal data protection officers and departments for the first 02 years after establishment.
3. Clause 2 of this Article shall not apply to micro-enterprises, small-size enterprises, medium-size enterprises and start-ups that are directly engaged in personal data processing activities.
Article 44. Implementation responsibility
1. The Minister of Public Security shall urge, inspect and guide the implementation of this Decree.
2. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, and chairpersons of provincial-level People’s Committees shall implement this Decree./.
ON BEHALF OF THE GOVERNMENT
FOR THE PRIME MINISTER
THE DEPUTY PRIME MINISTER
Tran Luu Quang
* The Appendices are not translated herein.