1. The concept of personal data.

Personal data is information in the form of symbols, written text, numbers, images, sounds, or similar formats in an electronic environment that is associated with a specific individual or helps identify a specific individual. Personal data includes basic personal data and sensitive personal data.

CSPL: Clause 1, Article 2 of Decree 13/2023/ND-CP

Basic personal data includes:

• They, middle name and birth name, other names (if any);
• Date of birth; date of death or disappearance.
• Sex
• Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address
• Nationality;
• Personal image
• Phone number, identity card number, personal identification number, passport number, driver's license number, vehicle license plate number, personal tax code number, social insurance number, insurance card number
• Marital status
• Information about family relationships (father, mother, children);
• Information about personal digital accounts; personal data reflecting activities and history of activities on cyberspace
• Information about accounts associated with a specific person or helping to identify a specific person that is not subject to the provisions of Clause 4 of this Article.

CSPL: Clause 3, Article 2 of Decree 13/2023/ND-CP

Sensitive personal data

Sensitive personal data is personal data associated with an individual's privacy that, when violated, will directly affect the individual's legitimate rights and interests, including:

• Political views, religious views
• Health status and personal information are recorded in medical records, including blood type information.
• Information regarding racial origin, ethnic origin
• Information about genetic traits inherited or acquired by an individual
• Information about individual physical attributes and biological characteristics
• Information about sex life, personal sexual orientation
• Data on crimes and criminal acts collected and stored by law enforcement agencies
• Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including: customer identification information as prescribed by law, information about organizations and individuals who are guarantors at credit institutions, bank branches, and payment intermediary service providers.
• Data on the individual's location determined through location services
• Other personal data is specified by law as special and requires necessary security measures.

CSPL: Clause 4, Article 2 of Decree 13/2023/ND-CP

2. Protection of personal data

Personal data protection is the activity of preventing, detecting, stopping and handling violations related to personal data according to the provisions of law.

Principles of personal data protection

According to the provisions of Article 3 of Decree 13/2023/ND-CP on the principles of personal data protection, as follows:

1. Personal data is processed in accordance with the law.

2. The data subject is informed about the activities related to the processing of his/her personal data, unless otherwise provided by law.

3. Personal data shall be processed only for the purposes specified by the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, Third Party Register, Declaration on Personal Data Processing

4. Personal data collected must be appropriate to the scope and purpose of processing. Personal data may not be bought or sold in any form, unless otherwise provided by law.

5. Personal data is updated and supplemented in accordance with the processing purpose.

6. Personal data is protected and secured during processing, including protection against violations of personal data protection regulations and against loss, destruction or damage due to incidents, using technical measures.

7. Personal data shall only be stored for a period of time consistent with the purposes for which the data is processed, unless otherwise provided by law.

8. The Data Controller, the Personal Data Controller and Processor shall be responsible for complying with the data processing principles set out in Clauses 1 to 7 of this Article and demonstrating its compliance with such data processing principles.

3. Handling of data protection violations

Agencies, organizations and individuals violating regulations on personal data protection, depending on the severity, may be subject to disciplinary action, administrative sanctions or criminal prosecution according to regulations.

CSPL: Article 4 of Decree 13/2023/ND-CP

This article is for reference only and is not intended as advice. If you need advice, please contact us via email: info@barrso.com