
Photo: Tuoi Tre
The Law on Personal Data Protection was passed at the ninth session of the 15th National Assembly and will take effect on January 1.
One of its most notable aspects is a dedicated set of rules governing how social media platforms and online communication services collect, process, and protect personal data.
As per the new law, providers of social networks and online communication services must clearly inform users about what personal data will be collected when they install and use these platforms.
Data collection must remain strictly within the scope agreed upon with users, and platforms are banned from collecting personal data unlawfully or beyond that agreement.
Crucially, the law prohibits platforms from requiring images or videos that contain all or part of a user’s personal identification documents as a method of account verification.
The law also strengthens user consent mechanisms.
Platforms must provide users with options to refuse the collection and sharing of data files, commonly known as cookies.
In addition, services must offer a ‘do not track’ option, or otherwise only track user activity when explicit consent has been given.
Another major provision bars social media and online communication services from eavesdropping, wiretapping or recording phone calls, as well as reading text messages, without the consent of the data subject, except in cases explicitly permitted by law.
Beyond consent, platforms are required to publicly disclose their privacy policies, clearly explaining how personal data is collected, used, and shared.
They must also provide users with tools to access, edit, and delete their data, adjust privacy settings, and report violations related to data security or privacy.
The law also addresses cross-border data transfers, requiring safeguards to protect Vietnamese citizens’ personal data when it is moved overseas, and mandates rapid and effective procedures for handling data protection violations.
In the financial and banking sectors, organizations involved in credit information activities must strictly protect sensitive personal data and comply with security standards.
Credit information cannot be used for scoring, ranking or evaluating an individual’s creditworthiness without their consent.
Institutions must also promptly notify users in the event of data breaches involving banking or credit information.
However, the law allows certain exceptions where personal data may be processed without user consent, such as in emergencies to protect life, health, dignity or lawful rights, or to safeguard legitimate interests of individuals, organizations or the state, including cases involving national security, crime prevention or disaster response.