Vietnam: What are the cases where data subjects have the right to request the deletion of personal data under Decree 13/2023/ND-CP?

Main Content

• What are the cases where data subjects have the right to request the deletion of personal data in Vietnam under Decree 13/2023/ND-CP?
• What is the time limit for deletion of personal data upon request in Vietnam?
• What are the rules of personal data protection in Vietnam?

What are the cases where data subjects have the right to request the deletion of personal data in Vietnam under Decree 13/2023/ND-CP?

According to Clause 1 Article 16 of Decree 13/2023/ND-CP, the data subject has the right to request the Personal Data Controller and the Personal Data Controller-cum-Processor to delete his/her personal data in the following cases:

- The data subject no longer finds the data necessary for the purposes for which it was collected under his/her consent and he/she accepts any damage that may be caused by the deletion;

- The data subject withdraws consent;

- The data subject objects to the processing of his/her personal data and the Personal Data Controller and the Personal Data Controller-cum-Processor do not have sound reasons for continuation in the processing;

- The personal data is processed for purposes other than those that the data subject gives the consent or the processing of personal data is a violation against regulations of law;

- The personal data shall be deleted as prescribed by law.

In addition, the personal data shall not be deleted at the request of the data subject in the following cases:

- The deletion of personal data is prohibited by law;

- The personal data is processed by the competent state agency to serve operations by such agency as prescribed by law.

- The personal data has been disclosed as prescribed by law.

- The personal data is processed to serve law, scientific research and statistics as prescribed by law;

- The personal data shall not be deleted in the event of a state of emergency on national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and law violations according to regulations of law;

- It is required to respond to emergent cases that threaten the life and health or the safety of the data subject or other persons.

According to the provisions of Clause 2 Article 3 of Decree 13/2023/ND-CP general personal data includes:

- Last name, middle name and first name, other names (if any);

- Date of birth; date of death or going missing;

- Gender;

- Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;

- Nationality;

- Personal image;

- Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;

- Marital status;

...

What is the time limit for deletion of personal data upon request in Vietnam?

According to the provisions of Clause 5 Article 16 of Decree 13/2023/ND-CP, the deletion of personal data shall be implemented within 72 hours after receipt of the data subject’s request, and all personal data collected by the Personal Data Controller and the Personal Data Controller-cum-Processor, unless otherwise provided for by law.

What are the rules of personal data protection in Vietnam?

Personal data protection refers to an act of preventing, detecting and handling violations related to personal data under the law. The rules of personal data protection in Vietnam are specified in Article 3 of Decree 13/2023/ND-CP as follows:

(1) The personal data shall be processed as prescribed by law.

(2) The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided for by law.

(3) The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor and the Third Party.

(4) The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law.

(5) The personal data shall be updated and added for the processing purposes.

(6) The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations against regulations on protection of personal data and prevention of loss, destruction or damage caused by incidents and use of technical measures.

(7) The personal data shall be stored within a period of time that is appropriate for the processing purposes unless otherwise provided for by law.

(8) The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the rules for data processing specified in Clauses 1 through 7 of this Article and prove their compliance.