In the era of technology, personal data privacy has become one of the most pressing legal concerns. The rapid expansion of online services, social media platforms, and cutting-edge technologies like artificial intelligence has significantly heightened the risks of privacy breaches. Modern challenges demand serious consideration from lawmakers and businesses regarding the protection of personal data in the digital era. This article by TNTP will delve into the issues surrounding personal data privacy in the digital era.
1. Personal data privacy in the digital era
• According to Article 21 of the Constitution of the Socialist Republic of Vietnam, everyone has the inviolable right to privacy, personal secrets, and family secrets, along with the right to protect their honor and reputation. Information regarding private life, personal secrets, and family secrets is protected by law.
• Personal data is defined under Clause 1, Article 2 of Decree 13/2023/ND-CP as information in the form of symbols, letters, numbers, images, sounds, or other similar formats in an electronic environment that is associated with or can be used to identify a specific individual. As stipulated in Clauses 3 and 4, Article 2 of Decree 13/2023/ND-CP, personal data is categorized into basic personal data and sensitive personal data:
– Basic personal data: Includes identifying information such as full name, date of birth, gender, address, nationality, images, phone numbers, personal identification documents (ID cards, passports, driver’s licenses), marital status, family relationships, account numbers, and other details that help identify an individual.
– Sensitive personal data: Encompasses private information such as political opinions, religion, health status, racial or ethnic origin, genetic characteristics, criminal records maintained by competent authorities, credit customer information, personal location data obtained through tracking, and other data requiring special confidentiality as prescribed by law.
• To protect the rights of data subjects, the law explicitly stipulates the following fundamental rights:
– Right to be informed: Data subjects have the right to be informed about how their personal data is collected and processed.
– Right to give consent: Data subjects have the right to accept or decline the processing of their personal data.
– Right to access personal data: Data subjects have the right to access and request corrections to their personal information.
– Right to withdraw consent: Data subjects have the right to withdraw their consent for personal data processing.
– Right to delete personal data: Data subjects have the right to request the deletion of their personal data when it is no longer necessary.
– Right to obtain restriction on processing: Data subjects have the right to request restrictions on the processing of their data under specific circumstances.
– Right to obtain personal data: Data subjects have the right to request a copy of their personal data from the managing organization.
– Right to object to processing: Data subjects have the right to object to the use of their personal data for advertising, marketing, or undesired disclosure purposes.
Personal data privacy is a fundamental right of every individual, protected by law to ensure the safety and confidentiality of personal information. The collection, processing, and use of personal data must adhere to principles that protect the rights of data subjects. Furthermore, legal provisions ensure that data subjects have control over the use of their personal information, thereby ensuring their legitimate rights and maintaining user trust in an increasingly digital environment.
2. Legal issues related to personal data privacy
The collection and use of personal data without the consent of data subjects is one of the most significant legal challenges today. Users who provide their information to technology platforms, social media, and online services face concerns that their data may be collected, stored, and used for various purposes without their consent.
a. Personal data of employees
Employers’ responsibilities to protect employees’ personal data under Decree 13/2023/ND-CP:
• Employers are responsible for complying with legal provisions on the protection of employees’ personal data. This requires them to implement organizational and technical security measures to safeguard personal data and demonstrate that the data processing is conducted in a valid manner.
• Additionally, employers must document and maintain logs of data processing activities and immediately notify authorities upon detecting any violations of personal data protection. This helps safeguard employees’ rights and ensures that all breaches are promptly addressed.
• Employers must also cooperate with state agencies in cases involving personal data incidents and are accountable for any damages caused by violating data processing practices.
b. Personal data of customers and consumers
• According to Point c, Clause 1, Article 41 of the Cybersecurity Law 2018, businesses providing services in cyberspace are responsible for implementing technical solutions and necessary measures to ensure security during data collection, preventing risks of data leakage, loss, or damage. In cases of data breaches or loss, businesses must promptly implement response measures and notify users in a timely manner.
• Additionally, under Article 69 of Decree 52/2013/ND-CP, when consumer information is collected through e-commerce websites, businesses must publicly display their personal information protection policy in a visible location on the website.
Traders and organizations that collect and use personal information from consumers via e-commerce websites must obtain explicit consent from the consumers (data subjects). Information collectors are required to establish mechanisms that allow data subjects to express their consent transparently, using methods such as online functionalities on websites, emails, messages, or other means as agreed upon by the parties.
3. Handling violations of personal data protection regulations
a. Common violations of personal data protection
• Unauthorized collection of personal data: Collecting data without the consent of the data subject or collecting data beyond the allowed scope.
• Misuse of personal data: Using data for purposes other than those disclosed or without the consent of the data subject.
• Data leaks and disclosure: Failing to implement necessary security measures, leading to data being leaked, stolen, or misused.
• Non-compliance with legal requirements: Failing to meet legal requirements for transparency, notification, or ensuring the rights of the data subject as required by law.
b. Legal provisions for handling violations of personal data protection regulations
According to Article 4 of Decree 13/2023/ND-CP, violations of personal data protection regulations will be handled in one of three ways:
• Disciplinary action
• Administrative penalties
• Criminal prosecution: Violations of personal data protection regulations will be criminally prosecuted when the elements constituting a criminal offense are present.
In the digital era, personal data privacy is an issue that cannot be overlooked. Individuals must be aware of their right to control their own data, while organizations and businesses have the responsibility to ensure data security and comply with related legal regulations. Protecting personal data privacy not only helps safeguard individual rights but also contributes to creating a safe, transparent, and trustworthy digital environment for everyone.
This article, “Personal data privacy in the digital era,” is brought to you by TNTP. We hope this article proves helpful to our readers.
Best regards,