Data Protection in Vietnam

Definitions in Vietnam

Definition of personal data

Under the PDPD, personal data is defined as information on an electronic medium in the form of symbols, letters, numbers, photos, sounds, or the like that is associated with or helps to identify a specific individual. Information that helps to identify a specific individual is further clarified as information generated from an individual's activities that, when combined with other data and stored information, can identify a particular person.

Definition of sensitive personal data

The PDPD classifies personal data into two categories: “basic personal data” and “sensitive personal data”. Basic personal data includes:

  • surname, middle name, and birth name, alias (if any);
  • date of birth, date of death or date of going missing;
  • gender;
  • place of birth, place of birth registration, permanent residence, current residence, hometown, contact address;
  • nationality;
  • personal image;
  • phone number, ID card number, personal identification number, passport number, driver's license number, plate number, personal tax identification number, social insurance number, health insurance card number;
  • marital status;
  • family relationship information (parents, children);
  • digital account information, personal data that reflects activities and activity history in cyberspace; and
  • information associated with an individual or used to identify an individual other than sensitive personal data. 

Sensitive personal data, on the other hand, is defined as personal data associated with individual privacy which, when infringed, will directly affect an individual's legal rights and interests, and includes:

  • political and religious views;
  • health conditions and personal information stated in health record, excluding information on blood type;
  • information about racial or ethnic origin;
  • information about genetic data relating to inherited or acquired genetic characteristics of each individual;
  • information about physical or biological characteristics of each individual;
  • information about criminals and criminal acts collected and stored by law enforcement agencies;
  • information about sex life and sexual orientation of each individual;
  • information on customers of credit institutions, foreign bank branches, intermediary payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and intermediary payment service providers;
  • personal location data identified via location services; and
  • other specific personal data as specified by law as special and subject to necessary confidentiality measures.

Definition of Data Controller, Data Processor, Data Controller-Processor and Third Party

The PDPD also provides the definitions and roles of different stakeholders involved in the collection and processing of personal data with their respective obligations, notably:

Data controller

A data controller is an organization or individual that decides the purposes and means of processing personal data. The controller is responsible for serving privacy notices to and obtaining consent from the data subjects, preparing and filing to the authority a Data Processing Impact Assessment (“DPIA”) and Cross-border Transfer Impact Assessment (“TIA”), notifying the authority of violations of regulations on personal data protection, ensuring and honouring the data subjects’ rights, etc.

Data processor

A data processor is an organization or individual that processes data on behalf of the controller via a contract or agreement with the controller. Accordingly, the processor must receive and process personal data strictly in compliance with the contract or agreement with the controller. In particular, after the completion of the data processing / agreed purposes, the law requires the processor to delete and return all personal data to the controller. The processor is responsible for preparing and filing to the authority a processor’s DPIA and a TIA, notifying the controller of violations of regulations on personal data protection, etc.

Data controller-processor

A data controller-processor is an organization or individual that jointly decides the purposes and means, and directly processes personal data. Consequently, the controller-processor must fully comply with both the responsibilities of the controller and the processor.

Third party

A third party is defined as “an organization or individual other than the data subject, data controller or the data processor that is permitted to process personal data”.

Definition of Personal Data Processing

Under the PDPD, the definition of “personal data processing”, or “processing”, is rather broad. It refers to one or multiple activities that impact personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, tracing, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities. With such a wide and open-ended definition of personal data processing, it appears that all types of activities related to personal data could be considered processing personal data and subject to the requirements prescribed by the PDPD.