Vietnam: Are banks required to make the notification of personal data processing upon processing biometric data of clients for the online opening of checking accounts?
- What are the requirements for methods adopted to identify and verify a client for the online opening of a checking account by banks in Vietnam?
- Are banks in Vietnam required to make the notification of personal data processing upon processing biometric data of clients for the online opening of checking accounts?
- Is the biometric data of clients in Vietnam classified into sensitive personal data or basic personal data?
What are the requirements for methods adopted to identify and verify a client for the online opening of a checking account by banks in Vietnam?
According to the provisions of Clause 2, Article 14a of Circular 23/2014/TT-NHNN supplemented by Clause 6, Article 1 of Circular 16/2020/TT-NHNN:
The bank or foreign bank branch shall decide on methods, forms and technologies adopted to identify and verify a client, which serve its online opening of checking account; assume responsibility for any risks and meet the following requirements:
- It must adopt solutions/technologies for collecting, checking and verifying to ensure the matching between a client’s identity and biometric data and corresponding information and biometric data on the client’s identity papers prescribed in Clause 1 Article 12 of this Circular or personal identity data certified by competent authorities or other credit institutions or electronic certification and identification service providers;
Note: biometric data includes biological factors/characteristics that are specifically used to identify a person, cannot be forged, and are rarely matched with those of another person such as fingerprints, face, iris, voice and other biometric factors.
- It must adopt technical methods for certifying the identified client’s consent to contents of the agreement on opening and use of the checking account;
- It must formulate procedures for risk management, control and assessment, that include measures for preventing acts of impersonating, intervening, correcting or falsifying the verification of a client’s identity before, during and after the checking account opening, and measures for checking and verifying a client’s identity to make sure that transactions made via a checking account opened online are made by the holder of that checking account.
Where any risks or differences between identity and biometric factors of a client or any suspicious transactions, as prescribed in the Law on anti-money laundering, are detected during the use of a checking account, the bank or foreign bank branch must promptly refuse or suspend transactions, block or freeze that checking account, and re-verify the client’s identity.
Procedures for risk management and control must be regularly reviewed and adjusted based on information/data updated during the provision of services;
- It must adequately store and manage information/data used for identifying clients during their opening and use of checking accounts in chronological order, including:
+ client’s identity,
+ client’s biometric factors,
+ client’s sounds, images, videos and recordings,
+ client’s telephone number used when making transactions, and transaction log.
Note: Information/data must be stored safely, kept confidential, backed up and have its adequacy and integrity ensured to serve the inspection, examination and solving of trace requests, complaints and disputes, and provide information at the request of competent authorities.
Storage period shall comply with the Law on anti-money laundering.

Are banks in Vietnam required to make the notification of personal data processing upon processing biometric data of clients for the online opening of checking accounts?
Under Article 13 of Decree 13/2023/ND-CP on notification of personal data processing:
Notification of personal data processing
1. The notification shall be made once before the personal data is processed.
2. The following contents of the processing of personal data shall be notified to the data subject:
a) Processing purposes;
b) Type of used personal data related to the purposes specified in Point a Clause 2 of this Article;
c) Method of processing personal data;
d) Information on other organizations and individuals related to the processing purposes specified in point a Clause 2 of this Article;
dd) Undesirable consequences and damage that may occur;
e) Starting and ending time.
3. The notification to the data subject shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format.
4. The Personal Data Controller and the Personal Data Controller-cum-Processor are not required to comply with regulations specified in Clause 1 of this Article in the following cases:
a) The data subject knows and fully consents to the contents specified in Clauses 1 and 2 of this Article before permitting the Personal Data Controller and the Personal Data Controller-cum-Processor to collect his/her personal data in accordance with regulations in Article 9 of this Decree;
b) The personal data is processed by the competent state agency with a view to serving operations by such agency as prescribed by law.
Thus, banks in Vietnam are required to make notifications of personal data processing before the biometric data of clients is processed for the online opening of checking accounts.
Note: Banks in Vietnam are not required to make the notification of personal data processing upon processing biometric data of clients for the online opening of checking accounts if:
The data subject knows and fully consents to the contents specified in Clauses 1 and 2, Article 13 of Decree 13/2023/ND-CP before enabling the Personal Data Controller and the Personal Data Controller-cum-Processor to collect his/her personal data in accordance with regulations in Article 9 of Decree 13/2023/ND-CP.
Is the biometric data of clients in Vietnam classified into sensitive personal data or basic personal data?
Under Clause 4, Article 2 of Decree 13/2023/ND-CP, sensitive personal data is defined as follows:
4. “Sensitive personal data” refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual's legal rights and interests, including:
a) Political and religious opinions;
b) Health condition and personal information stated in health record, excluding information on blood group;
c) Information about racial or ethnic origin;
d) Information about genetic data related to an individual's inherited or acquired genetic characteristics;
dd) Information about an individual’s own biometric or biological characteristics;
...
As mentioned above, biometric data includes biological factors/characteristics that are specifically used to identify a person, cannot be forged, and are rarely matched with those of another person such as fingerprints, face, iris, voice and other biometric factors.
Thus, the biometric data of clients in Vietnam is classified as sensitive personal data.
LawNet