Measures to Protect Personal Data: When Are They Applied? What Do They Include?
When Are Personal Data Protection Measures Applied?
Based on Article 26 of Decree 13/2023/ND-CP, the regulations are as follows:
Personal Data Protection Measures
1. Personal data protection measures are applied from the beginning and throughout the entire process of handling personal data.
2. Personal data protection measures include:
a) Administrative measures implemented by organizations or individuals involved in handling personal data;
b) Technical measures implemented by organizations or individuals involved in handling personal data;
c) Measures implemented by competent state management agencies according to the provisions of this Decree and relevant laws;
d) Investigative and procedural measures implemented by competent state agencies;
e) Other measures as stipulated by the law.
What Are the Rights of Data Subjects in Personal Data Protection?
According to Article 9 of Decree 13/2023/ND-CP regulating the rights of data subjects in personal data protection, the following provisions apply:
(1) Right to Know
Data subjects have the right to know about the activities of handling their personal data, except where laws provide otherwise.
(2) Right to Consent
Data subjects have the right to consent or not consent to the handling of their personal data, except as stipulated in Article 17 of Decree 13/2023/ND-CP:
- In emergencies, where immediate handling of personal data is required to protect the life or health of the data subject or others. The personal data controller, personal data processor, personal data control and processing party, or a third party is responsible for proving this case.
- The public disclosure of personal data as provided by law.
- Handling of data by competent state agencies in emergencies related to national defense, security, public order and safety, major disasters, or dangerous epidemics; where there is a threat to security or national defense that has not reached the level of declaring a state of emergency; or for the prevention of riots, terrorism, crime, and law violations as provided by law.
- To fulfill contractual obligations of the data subject with relevant agencies, organizations, and individuals as provided by law.
- Serving activities of state agencies as prescribed by specialized laws.
(3) Right to Access
Data subjects have the right to access, view, edit or request to edit their personal data, except where laws provide otherwise.
(4) Right to Withdraw Consent
Data subjects have the right to withdraw their consent, except where laws provide otherwise.
(5) Right to Erase Data
Data subjects have the right to delete or request the deletion of their personal data, except where laws provide otherwise.
(6) Right to Restrict Data Processing
- Data subjects have the right to request the restriction of their personal data processing, except where laws provide otherwise;
- The restriction of data processing is carried out within 72 hours of the data subject's request, for all the personal data that the data subject requested to restrict, except where laws provide otherwise.
(7) Right to Data Portability
Data subjects have the right to request the personal data controller or the personal data control and processing party to provide their personal data, except where laws provide otherwise.
(8) Right to Object to Data Processing
- Data subjects have the right to object to the personal data controller or the personal data control and processing party handling their personal data, in order to prevent or restrict the disclosure of personal data or its use for advertising or marketing purposes, except where laws provide otherwise;
- The personal data controller or the personal data control and processing party must comply with the data subject's request within 72 hours of receiving the request, except where laws provide otherwise.
(9) Right to Complain, Denounce, and Sue
Data subjects have the right to complain, denounce, or sue according to the provisions of law.
(10) Right to Compensation for Damages
Data subjects have the right to compensation for damages according to the provisions of law when there is a violation of the regulations on the protection of their personal data, except where the parties have other agreements or laws provide otherwise.
(11) Right to Self-Protection
Data subjects have the right to self-protection according to the provisions of the Civil Code, other relevant laws, and Decree 13/2023/ND-CP, or to request that competent agencies or organizations apply the methods of protecting civil rights provided in Article 11 of the Civil Code:
When the civil rights of an individual or legal entity are violated, that subject has the right to self-protection according to the provisions of the Civil Code and other relevant laws, or to request that competent agencies or organizations:
- Acknowledge, respect, protect, and ensure civil rights.
- Compel cessation of the infringing act.
- Compel public apology and correction.
- Compel fulfillment of obligations.
- Compel compensation for damages.
- Annul illegal individual decisions of agencies, organizations, or competent individuals.
- Other requests as provided by law.
What Are the Obligations of Personal Data Subjects?
Based on Article 10 of Decree 13/2023/ND-CP regulating the obligations of personal data subjects, the following provisions apply:
- Protect their personal data; request other related organizations and individuals to protect their personal data.
- Respect and protect the personal data of others.
- Provide complete and accurate personal data when consenting to the handling of personal data.
- Participate in propagating and disseminating skills to protect personal data.
- Comply with the regulations of the law on the protection of personal data and participate in preventing and combating acts that violate the regulations on the protection of personal data.
LawNet