On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on the Protection of Personal Data. Accordingly, the Decree stipulates the following notable contents:
First, the concept of Personal Data
The Decree stipulates that “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalent forms associated with an individual or used to identify an individual. Personal data includes general personal data and sensitive personal data.
Second, 05 cases of Personal data processing without the consent of the data subject
– The personal data shall be processed to protect the life and health of the data subject or others in an emergency situation. The Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party shall be responsible for proving such a situation.
– Disclosure of personal data in accordance with the law;
– Processing of personal data by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and fight riots and terrorism, crimes and law violations according to the provisions of law;
– The personal data shall be processed to fulfill obligations under contracts between the data subjects and relevant agencies, organizations and individuals as prescribed by law;
– The personal data shall be processed to serve operations by regulatory authorities as prescribed by relevant laws.
Third, Personal data protection measures
Measures for protecting personal data shall be adopted from the beginning of and throughout the processing of personal data. Measures for protecting personal data include:
– Management measures adopted by an organization or individual related to processing of personal data;
– Technical measures adopted by an organization or individual related to processing of personal data;
– Measures adopted by a competent authority according to regulations in this Decree and relevant law;
– Investigation and procedure measures adopted by a competent authority;
– Other measures as prescribed by law.
Fourth, Personal data protection authority
The personal data protection authority is the Department of Cybersecurity and Hi-tech Crime Prevention under the Ministry of Public Security, which assists the Ministry of Public Security in performing state management of personal data protection.
Fifth, conditions for assurance about protection of personal data
– Personal data protecting forces include:
+ Personal data protecting forces that are allocated in the personal data protection authority.
+ Departments and personnel in charge of protection of personal data that are appointed in agencies, organizations and enterprises in order to comply with regulations on protection of personal data;
+ Organizations and individuals that are encouraged to protect personal data;
+ The Ministry of Public Security shall develop specific programs and plans to develop human resources for protection of personal data.
– Agencies, organizations and individuals shall be responsible for disseminating knowledge and skills in order to raise awareness of protection of personal data for agencies, organizations and individuals.
– Facilities and conditions for operation by the personal data protection authority shall be ensured.
Sixth, handling violations against regulations on protection of personal data
Agencies, organizations and individuals that commit violations against regulations on protection of personal data, depending on the severity of their violations, may be disciplined, or face administrative penalties or criminal prosecution according to regulations.
This Decree comes into effect from July 01, 2023.