REGULATIONS ON PERSONAL DATA PROTECTION IN VIETNAM

Personal data is information in the form of symbols, scripts, digits, images, sounds or the like in the electronic environment that is associated with a specific person or helps identify a specific person. Personal data includes basic personal data and sensitive personal data (Clause 1 Article 2 of Decree 13/2023).

I. Personal data protection measures

Pursuant to the provisions of Clause 2, Article 26 of Decree 13/2023, personal data protection measures specified in include:

- Management measures taken by organizations and individuals involved in personal data processing;

- Technical measures taken by organizations and individuals involved in personal data processing;

- Measures taken by competent state management agencies in accordance with the provisions of this Decree and relevant laws;

- Measures for investigation and proceedings taken by competent state agencies;

- Other personal data protection measures.

Basic personal data protection measures are specified in Article 27 of Decree 13/2023 as follows:

- Application of 5 groups of measures in Clause 2, Article 26;

- Formulate and promulgate regulations on personal data protection, clearly stating what needs to be done in accordance with this Decree;

- Encourage the application of personal data protection standards suitable to the domains, industries and activities related to personal data processing;

- Check network security for systems and devices and devices serving personal data processing before processing, irreversibly delete or destroy devices containing personal data.

Measures to protect sensitive personal data Article 28 of Decree 13/2023 is as follows:

- Application of 5 groups of measures in Clause 2, Article 26 and measures specified in Article 27;

- Appoint a department in charge of personal data protection, appoint personnel in charge of personal data protection and exchange information about the department and individual in charge of personal data protection with the specialized personal data protection authority. In case the Personal Data Controller, the Personal Data Controller and Processor, the Data Processor, the Third Party being an individual, the individual's information shall be exchanged, unless otherwise provided for by law.

Note: Personal data protection measures are applied from the very beginning and throughout the processing of personal data (Clause 1 Article 26 of Decree 13/2023). 

II. Prohibited acts

The prohibited acts in processing personal data are specified in Article 8 of Decree 13/2023 as follows:

- Acts of processing personal data in contravention of the law on personal data protection;

- Acts of processing personal data to create information and data against the State;

- Acts of processing personal data to create information and data that affect national security, social order and safety, legitimate rights and interests of other organizations and individuals;

- Acts that obstruct personal data protection activities of competent authorities;

- An act of abusing personal data protection activities to violate the law.

III. Specialized agency for personal data protection (Clause 1 Article 29)

Pursuant to the provisions of Clause 1 Article 29 of Decree 13/2023, the specialized agency for personal data protection is the Department of Cyber Security and High-tech Crime Prevention and Control under the Ministry of Public Security. Accordingly, this agency is responsible for assisting the Ministry of Public Security in performing the state management of personal data protection.

The above is an overview of regulations on personal data protection specified in Decree 13/2023/ND-CP.