Recently we prepared a memorandum for a major international organization related to data protection in Vietnam. It serves as a really good overview of the issue of how to treat data, both personal and corporate, and as such, I would like to include a version of that document here. What follows is a redacted and amended overview of data protection responsibilities for the use of personal and corporate data. This guide only covers existing legislation and does not contemplate any draft legislation that is currently being considered.
Personally identifiable information / personal information / personal data / consumer information
Personally identifiable information / personal information / personal data
One of the first types of data protected in Vietnam was an individual’s image. The 2005 Civil Code clearly provided for the moral right of each person in respect of his/her image, and that other entities were not allowed to use a person’s image without his/her consent. A person’s moral right in respect of his/her image was carried over to the 2015 Civil Code, which stated that other types of information attached to an individual, the unauthorized use of which is also prohibited, included information on private life and personal and family secrets. In general, the regulations of the 2005 Civil Code and 2015 Civil Code created a foundation for subsequent data protection regulations, forming the basic and prerequisite principle in respect of collecting, storing and processing personal data: the requirement to obtain a data subject’s prior consent before use.
The official definition of “personal information” was provided later as “information which is adequate to accurately identify the identity of an individual, covering at least one of the following information: full name, date of birth, profession, title, contact address, e-mail address, telephone number, ID number and passport number. Personal secrets include medical records, tax payment dossiers, social insurance card’s numbers, credit cards’ numbers and other personal secrets”. The Law on Cyber Information Safety also defines personal information as “information attached to the identification of one person”.
From this, “personal information” can be interpreted in various ways depending on the sector in question. This, coupled with the rapid deployment of information development, makes it difficult to identify which information is to be treated as personal information based on the said regulatory definitions alone.
Personal information is also defined in other specialized laws for the purpose of professional management in particular sectors, e.g., information on health status and private life in the Law on Medical Examination and Treatment; information of taxpayers in the Law on Tax Management; customers’ information in the Credit Institution Law; etc. However, the definitions provided in the specialized laws do not exceed the scope of the aforementioned interpretations, and to date, the laws of Vietnam do not have an exhaustive definition for “personal data / personal information”.
Due to the various laws governing personal information / data, private data, personal data protection, the use of personal information / data protection must comply with the general rules stipulated in the IT Law, the Law on Cyber Security and the Law on Cyber Information Safety, or as otherwise provided in the specialized laws for the purpose of personal data protection in such respective sectors.
Processing of Personal Information
The collection, use and processing (collectively “Processing / Process”) of personal information / data is generally based on the most fundamental principle, i.e., that of obtaining consent from the owner of such personal information / data prior to any Processing (the “Consent Obtainment Principle”). This principle is applied throughout all regulations related to data protection in Vietnam. The Processing of personal information is always subject to this Consent Obtainment Principle, unless such personal information is used for one of the following purposes/cases:
- To sign, amend or perform contracts or carry out transactions for use of information, products, services on cyberspace;
- To calculate the prices, rates for using information, products, services on cyberspace; and
- To perform other obligations under the prevailing laws.
Under the general laws, those Processing personal information must, in particular:
- notify the subject of the personal information of the manner, scope, place of, and purposes for the processing of their personal data. The subsequent actual Processing of such Processed personal information must abide by the manner, scope, place and purposes as consented by the personal information subjects;
- take the necessary managerial and technical measures to ensure that the Processed personal information is not lost, stolen, disclosed, changed or destroyed; and
- take measures for subjects of personal information to check, rectify or destroy their personal information at their request.
Storing, disclosing of personal information
Neither the IT Law nor the Law on Cyber Information Safety explicitly provides that the storage of personal information shall be subject to the Consent Obtainment Principle. However, storing personal information can be understood as one of the purposes of personal information Processing. As such, in order to legally store personal information, a data processor must comply with the Consent Obtainment Principle.
The unauthorized provision, sharing, and dissemination (together, the “Disclosure/Disclose”) of personal information to a third party is clearly prohibited unless the party making the Disclosure has the consent of the subjects of personal information or as otherwise provided by law.
In addition, the storage and/or Disclosure of personal information must also comply with the following principles:
- Personal information may only be stored for a certain definite period, which is either regulated by the law or agreed between the party storing the personal information and the subject of the personal information;
- Upon the satisfaction of the intended purposes and/or expiration of the storage period, the party storing the personal information is required to destroy such personal information, and to notify the data subjects about such destruction, unless otherwise provided by the laws; and
- When the collected personal information is to be used for purposes other than those consented to by the subjects of the personal information, additional consent for such specific purpose is required. The Disclosure of collected personal information to any other third party is prohibited, except when requested by the competent authorities or with the consent of the data subjects for doing the same.
Data Subjects’ Rights
Data subjects are also entitled to exercise certain data subject rights, particularly, a right to request to check, rectify or destroy their personal information held by a data processor. Upon such request the data processor shall either implement the same and notify the data subjects of such implementation, or provide the data subjects with access to their personal information to implement the same by themselves. In case of inability to implement such request due to technical issues, appropriate measures shall be applied by the Processor in order to protect the concerned personal information.
There is currently no specific regulation protecting sensitive data, let alone conditions on collecting, using, storing and/or sharing the same. As a result, sensitive data can only be protected on the basis of the regulations applicable to the protection of personal data, if treated as personal data under the current laws, and protection of data in general. From the concept of “sensitive data” under an expired circular, it can be implied that the laws also require entities possessing this type of data to have appropriate protection measures in order to limit illegal access and exploitation of sensitive data.
“Sensitive data” is discussed in the draft personal data protection decree (see Vietnam’s New Draft Data Protection Law).
Public Corporate Data
Public Corporate Information can be accessed from public sources based on its transparency and for the purpose of protecting the disadvantaged side in a transaction, i.e., consumers in their relationship with enterprises. Information attached to the identification of one enterprise / company is published on open sources of State management agencies, as well as on the websites of such an enterprise / company (the “Public Corporate Information”). In particular, enterprise registration information (e.g., company name, active status, legal representative, tax code, etc.) is all published on the national portal. Such Public Corporate Information is allowed to be freely accessed without any consent. Some of the information is protected under the laws, namely trademarks and trade names, which are protected under the IP Law.
Non-Public Corporate Information
Besides Public Corporate Information, enterprises also have non-public information, typically such as business secrets, trade secrets, know-how, business information, corporate financial information, corporate credit information, inventory, etc. (the “Non-Public Corporate Information”). According to the IP Law, “trade secrets mean information obtained from activities of financial or intellectual investment, which have not yet been disclosed and which is able to be used in business”. Business / trade secrets are protected under the IP Law if they satisfy the following conditions:
- The relevant trade secret is neither common knowledge nor easily obtainable;
- When used in business activities, the trade secret will create for its holder advantages over those who do not hold or use it; and
- The owner of the trade secret maintains its secrecy by necessary measures so that the secret will not be disclosed nor be easily accessible.
Secrets related to personal identification, State management, national defense and security, and other secrets not related to business are not qualified for protection under the IP Law.
Trade Secrets and other Non-Public Corporate Information require the consent of the data subject prior to their Processing. The IP Law does provide for certain cases where a trade secret owner cannot prohibit others from using / disclosing such trade secret, including, inter alia: for the purposes of community protection; if the trade secret is created independently or when the discloser does not or is not obliged to know that the concerned trade secret was obtained illegally by another person, etc. A certain behavior is only considered an infringing act in respect of the right to the trade secret if such behavior falls in certain prescribed cases.
Prohibited / Restricted information
The laws of Vietnam mainly provide regulations on prohibited information in cyberspace. According to the Law on Cyber Security, one can understand that any information infringing national security, social order and safety, or the lawful rights and interests of agencies, organizations and individuals is prohibited from being provided, uploaded or transferred.
Prohibited information may fall into the following categories:
- State secrets, which means any information in the sectors of politics, national defense, security, external affairs, economy, science, technology and other sectors which is not or has not yet been publicized by the State of Vietnam. There are three levels of State secrets, each of which enjoys a different level of protection, comprising: (1) absolute secret, (2) top secret, and (3) secret;
- Trade secrets;
- Civil cryptographic and legally encoded information of agencies, organizations, or individuals, wherein civil cryptographic means any materials, technical equipment and cryptographic skills for protecting information that is out of the state secret domain;
- Invented or untruthful information infringing the honor, reputation or dignity of any agency, organization or individual and causing confusion or causing loss and damage to their lawful rights and interests;
- Information relating to depraved lifestyle, lewd acts, criminal behaviors or unsuitable to good Vietnamese habits and traditions, social moral and health of community;
- Information advocating the bad practices, customs and superstition, or about the mysteries, causing confusion to society and community; and
- Information advertising for prohibited goods/services as prescribed by the law.
Restricted information is that which is restricted from disclosure to the public, i.e. is required to have relevant consent from the information owner prior to such disclosure. This type of information may comprise personal information, private information, copyrighted contents, protected copyright-related contents, and Non-Public Corporate Information which is not prohibited information, including, inter alia:
- Personal information / data;
- Non-Public Corporate Information (except for trade secrets);
- Private information;
- Commercial information in form of electronic/advertising messages. Such information cannot be sent to the email box of the recipients without his/her prior consent/request or if the recipient refuses to receive the same, unless he/she is obliged to do so under current Vietnam laws or regulations; and
- Copyrighted works, which comprise: literary, scientific works, and other works expressed in written language or other characters; lectures, addresses and other speeches; press / musical / stage works; cinematographic works and works created by an analogous process; plastic art works and applied art works; photographic / architectural works; sketches, plans, maps and drawings related to topography or scientific works; folklore and folk art works; computer programs and data collections; and performances, audio and visual fixation, broadcasts and satellite signals carrying coded programs for protection of related rights only.