Jul 21, 2023 / 04:48

VDCA publishes guidelines for personal data processors

Decree No. 13 is the third legal document to enhance cyberspace management in Vietnam.

Hoang Viet Tien, Deputy Secretary-General of the Vietnam Digital Communications Association (VDCA), spoke to The Hanoi Times about the highlights of the recent decree on personal data protection that would affect businesses in Vietnam, as well as the association's recommendations related to the decree.

 Local businesses are waiting for regulators to issue guidance for personal data processors. Photo: VNA

It is believed that more detailed data protection and cybersecurity obligations will be included in Decree No. 13. What is your view?

Vietnam's Decree on Personal Data Protection, also known as Decree No. 13, came into effect on July 1, 2023. The decree stipulates that many data subjects and data processors have the right to process data. Importantly, there are eight principles that local businesses processing personal data must adhere to and 11 rights of data subjects.

The decree provides clearer and more detailed obligations for businesses to collect, use, and manage personal data.

This decree focuses on processing, updating, modifying, deleting, and protecting personal data. The regulation improves the data processing process and enhances enforcement. We await the issuance of guidelines for personal data processors from regulatory authorities.

We consider certain cases, such as deleting personal information upon request. Many companies collect personal information to build customer profiles concerning interests, needs, and behaviors, referred to as analytically derived personal information. Consequently, building such profiles helps companies improve their operations.

Banks may use data about a customer's monthly salary to analyze interests and suggest better insurance policies or credit packages for the customer. In this case, personal information is used to enhance customer service.

However, when a customer requests the deletion of analytically derived personal data, the question arises as to whether all such personal data should be deleted under Regulation No. 13. The deletion of analytically derived personal data or newly created personal data from raw data is not clearly defined in Decree No. 13. This is one of many questions raised by members of the VDCA.

Hoang Viet Tien, Deputy Secretary General, Vietnam Digital Communications Association.

What should companies be aware of regarding data subjects' rights under the Regulation?

Among these rights, companies should pay particular attention to the right of restriction of data processing and the right of objection to data processing, as compliance in these areas must adhere to the 72-hour rule. Restrictions must be implemented within 72 hours of the data subject's request for any personal data that the subject wishes to be restricted unless otherwise required by law.

This means the bank cannot sell the data to third parties, and all personal data can only be used for one application, such as a banking application.

Do you have any suggestions for Vietnamese businesses to meet their personal data protection obligations?

What enterprises need to do now is fulfill their obligations in protecting personal data by using encryption techniques and minimizing identification to ensure that data is used for necessary purposes or in emergencies.

Let's take Windows products as an example. We have had Win 98, Win 2000, Win XP, and many more products will be released in the future. Microsoft's role is to introduce products to the market, and the market will determine their suitability. Customers will provide feedback and suggestions for the product, similar to what we do today. State authorities are responsible for issuing Decree 13 and implementing it. Professional associations will conduct seminars and discussions to disseminate the decree and gather feedback. Today's discussion also aims to assist regulators in improving the regulation.

Based on your observations, what are the initial reactions of Vietnamese enterprises to the latest decree?

Some companies have taken measures to comply with Decree No. 13. For example, when a user accesses an application to buy movie tickets, a notification window will pop up, asking whether they agree to allow the company to process their personal data. If the person agrees, the company has the right to use the data. This is because the company has added some features to existing applications to establish the relationships between the data subject, the personal data controller, and the personal data processor.

In my opinion, data subjects must understand that the protection of their own data is their responsibility first. Then comes the role of regulators, who issue decrees or circulars to address violations or misuse of personal data.

 

Thank you for your time!