Regarding this matter, LawNet would like to answer as follows:
According to the provisions of Article 2 of Decree 13/2023/ND-CP, personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalent forms that is associated with an individual or used to identify an individual. Personal data includes general personal data and sensitive personal data.
Specifically:
- General personal data includes:
+ Last name, middle name and first name, other names (if any);
+ Date of birth; date of death or going missing;
+ Gender;
+ Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;
+ Nationality;
+ Personal image;
+ Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;
+ Marital status;
+ Information about the individual’s family relationship (parents, children);
+ Digital account information; personal data that reflects activities and activity history in cyberspace;
+ Information associated with an individual or used to identify an individual other than that specified in Clause 4 of Article 2 of Decree 13/2023/ND-CP.
- Sensitive personal data refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual's legal rights and interests, including:
+ Political and religious opinions;
+ Health condition and personal information stated in health record, excluding information on blood group;
+ Information about racial or ethnic origin;
+ Information about genetic data related to an individual's inherited or acquired genetic characteristics;
+ Information about an individual’s own biometric or biological characteristics;
+ Information about an individual’s sex life or sexual orientation;
+ Data on crimes and criminal activities collected and stored by law enforcement agencies;
+ Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions;
+ Personal location identified via location services;
+ Other specific personal data as prescribed by law that requires special protection.
Personal data protection refers to an act of preventing, detecting and handling violations related to personal data in accordance with the law in Vietnam. The rules for protection of personal data are specified in Article 3 of Decree 13/2023/ND-CP specifically as follows:
- The personal data shall be processed as prescribed by law.
- The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided for by law.
- The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor and the Third Party.
- The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law.
- The personal data shall be updated and added for the processing purposes.
- The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations of regulations on protection of personal data and from loss, destruction or damage caused by incidents, through the use of technical measures.
- The personal data shall be stored within a period of time that is appropriate for the processing purposes, unless otherwise provided for by law.
- The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the rules for data processing specified above and prove their compliance.
Best regards!
Pham Thi Thu Ha