The Decree on personal data protection officially takes effect

 According to the Government's Decree, agencies, organizations and individuals that violate personal data protection regulations, depending on the severity, may be disciplined, administratively fined and even prosecuted. criminal justice.

Decree No.13/2023/ND-CP of the Government on personal data protection officially takes effect, creating a legal corridor to protect personal data in Vietnam. effectively, minimizing the risks and consequences of personal data breaches.

The Decree was issued by the Government on April 17, 2023 with many strict regulations on data protection and personal data protection responsibilities of relevant agencies, organizations and individuals.

What does personal data include?

The Decree clearly states that personal data is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment that is associated with a specific person or helps identify a person. specific person.

Personal data includes basic personal data and sensitive personal data.

Basic personal data includes: surname, middle name, birth name, other names (if any); date of birth; date, month, year of death or disappearance; sex; place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address; nationality; image of the individual; phone number, identity card number, personal identification number, passport number, driver's license number, license plate number, personal tax code number, social insurance number, health insurance card number ; marital status; information about family relationships (parents, children); information about individual digital accounts; Personal data reflects activities and history of activities in cyberspace...

Sensitive personal data is associated with an individual's right to privacy, and when violated, it will directly affect that person's legitimate rights and interests. Such as political views, religious views; health status; racial origin, ethnic origin; genetic characteristics; unique biological characteristics; sex life; location data; data on crimes and criminal acts collected and stored by law enforcement agencies; Customer information of credit institutions...

Actions are strictly prohibited

Personal data protection is the activity of preventing, detecting, stopping, and handling violations related to personal data according to the provisions of law.

Article 8 of the Decree stipulates prohibited acts, including: processing personal data contrary to the law on personal data protection; processing personal data to create information and data aimed against the State of the Socialist Republic of Vietnam; Process personal data to create information and data that affects national security, social order and safety, and the legitimate rights and interests of other organizations and individuals.

The Decree also prohibits acts of obstructing personal data protection activities of competent authorities, as well as taking advantage of personal data protection activities to violate the law.

Where the processing of personal data does not require the consent of the data subject

Article 17 of the Decree stipulates cases where personal data processing does not require the consent of the data subject, including: in urgent cases, it is necessary to immediately process relevant personal data to protect life, the health of the data subject or another person; disclosure of personal data in accordance with the law.

Along with that is the case of data processing by competent state agencies in emergencies related to national defense, national security, social order and safety, major disasters, and dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; prevent and combat riots, terrorism, prevent and combat crimes and violations of the law according to the provisions of law.

In addition, the controller and processor of personal data may also process personal data without the consent of the data subject in order to fulfill the data subject's contractual obligations with the agency, Relevant organizations and individuals according to the provisions of law; as well as in the case of serving the activities of state agencies as prescribed by specialized laws.

Children's ages must be verified before processing their personal data

The Decree clearly states that processing children's personal data is always carried out in accordance with the principle of protecting the rights and in the best interests of children.

Accordingly, the processing of children's personal data must have the child's consent in cases where the child is 7 years of age or older and has the consent of the parent or guardian as prescribed, except cases specified in Article 17.

Personal data controllers, personal data processors, personal data controllers and processors, third parties must verify the age of children before processing their personal data.

The Decree also stipulates a number of cases where parties must stop processing children's personal data, irreversibly delete or destroy children's personal data (unless otherwise prescribed by law).

Specifically, in cases where data processing is not for the right purpose or has completed the purpose of processing personal data agreed by the data subject; the child's parent or guardian withdraws consent to the processing of the child's personal data; or at the request of a competent authority when there is sufficient evidence to prove that the processing of personal data affects the legitimate rights and interests of children.

(Collective source)

Post a Comment