Personal Data Protection in Vietnam

Personal data protection in Vietnam has increasingly become a societal concern and an important issue, leading the Vietnamese government to establish numerous legal regulations to ensure that personal information of individuals is collected, used, and stored safely and fairly, while also safeguarding individuals’ rights and privacy.

What is Personal Data?

Personal data is a crucial concept in the field of privacy protection and information security. It is understood as any information related to an identified or identifiable individual. This information can include, but is not limited to:

• Basic personal information: such as name, address, date of birth, and phone number.
• Electronic identification information: such as email addresses, mobile phone numbers, IP addresses, cookies, and digital fingerprints.
• Financial information: such as bank account numbers, credit/debit card information, and transaction history.
• Medical information: including medical records, treatment history, test results, and health status.
• Information about personal characteristics: such as images, fingerprints, and DNA features.
• Personal behavior and preferences: information gathered from social media activities, shopping habits, and browsing history.

The key characteristic of personal data is the ability to use the information to identify an individual, either directly or indirectly, by combining it with other information. For example, a single email address may not be enough to identify an individual, but when combined with other information such as a name or address, it can facilitate identifying that person.

Types of Personal Data in Vietnam

Under Vietnamese law, personal data is classified based on sensitivity levels and usage purposes. Specifically, personal data can be distinguished into the following types:

• Ordinary Personal Data: This is basic information about individuals that is not particularly sensitive, including: names, addresses, birth dates; phone numbers, email addresses; employment, and educational information.
• Sensitive Personal Data: This type of data relates to information that, if disclosed, used, or processed improperly, could pose risks or negative impacts on an individual’s legal rights and interests. Sensitive personal data includes: health information, medical records; financial information, assets; fingerprints, other biometric information; marital status, personal life information; religious beliefs; legal records.

Sensitive Personal Data in Vietnam

Sensitive personal data is a special category of personal information that, when disclosed, can lead to high privacy or personal safety risks for the data subject. Due to its sensitive nature and potential risks, this data type is of particular concern to the law and requires strict protective measures when being collected, processed, or shared.

Sensitive personal data includes, but is not limited to, the following types of information:

• Health Information: Includes medical history, current and future health status, health insurance information, and biometric data related to health.
• Financial Information: Information about income, bank accounts, credit, and other financial transactions.
• Biometric Information: Fingerprints, retina scans, and other biometric data that can be used to accurately identify an individual.
• Private Life Information: Details about personal life, marital status, sexual information, and sexual orientation.
• Religious or Belief Information: Information about an individual’s religion, beliefs, or political views.
• Legal Records: Information about criminal records and other legal issues.

In many countries, the collection and processing of sensitive personal data are strictly regulated by law, often requiring clear and specific consent from the individuals concerned. Organizations and businesses must comply with strict regulations on protecting sensitive personal data, including implementing robust security measures to prevent unauthorized disclosure and protect individuals’ privacy.

Personal Data Protection in Vietnam

Personal data protection involves processes and measures to ensure the security and confidentiality of individuals’ personal data against unauthorized access, use, disclosure, destruction, modification, or unlawful destruction. The aim of personal data protection is not only to protect information from cybersecurity threats but also to ensure privacy and personal freedom as stipulated by the law. This includes a range of policies, regulations, procedures, and technologies designed to:

• Protect individual privacy: Ensure that personal data is processed fairly and lawfully with the consent of the data subject or on a clear legal basis.
• Prevent unwanted disclosure: Implement security measures to prevent unauthorized access or disclosure of personal data.
• Ensure integrity and availability: Protect personal data from unauthorized destruction, loss, or alteration while ensuring that data is available for legitimate use when necessary.
• Comply with legal requirements: Meet legal and regulatory requirements for personal data protection, including reporting data breaches and complying with data processing principles.
• Management and education: Develop data management policies and procedures and educate employees and stakeholders about the importance and methods of protecting personal data.

Organizations and businesses implement personal data protection by applying technical measures (such as encryption, access management, and cybersecurity monitoring) and management measures (such as privacy policies, employee training, and legal compliance). Protecting personal data is not only a legal obligation but also a crucial factor in building trust and maintaining positive relationships with customers and the public.

Decree on Personal Data Protection in Vietnam

On April 17, 2023, the Vietnamese Government issued Decree No. 13/2023/ND-CP on personal data protection, establishing a legal framework for personal data protection activities in Vietnam. Accordingly, businesses involved in the collection and processing of personal data must obtain the consent of the data subjects and must carry out a personal data processing impact assessment and/or an impact assessment for transferring personal data abroad as regulated.