Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 2 January 2025

☒  the identity and the contact details of the controller and, where applicable, of the controller's representative

☒  the purposes of the processing for which the personal data is intended

☒  the categories of personal data concerned

☒  the recipients or categories of recipients of the personal data, if any

☒  the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period

☒  other

Under the PDPD, a privacy notice must include:

  • Processing purposes
  • The types of personal data used in connection with the processing purposes
  • Processing methods
  • Information about other organizations and/or individuals related to the processing purposes
  • Unwanted consequences and/or damages that may occur
  • Starting time and ending time of the data processing

Besides a privacy notice, privacy disclosures are also prescribed for a consent form, and these partially overlap with those under a privacy notice. Details that are not yet covered under a privacy notice include the rights and obligations of the data subject and, if personal data is transferred overseas, the feedback and complaint mechanism when incidents or requests arise. Consolidating all information into one document can help avoid the need to communicate another privacy notice to the data subject after obtaining their consent.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 2 January 2025

Yes.

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

☒  right to access the data subject's own personal data

☒  right to rectify/correct the data subject's own personal data where inaccurate or incomplete

☒  right to erasure of personal data

☒  right to restrict data processing

☒  right to data portability (not recognized in the same way as under the GDPR)

☒  right to object to the processing of personal data

☒  right to withdraw consent

☒  other

The PDPD prescribes the following specific rights for data subjects (including privacy rights and general civil rights):

  • Right to know
  • Right to give and withdraw consent
  • Right to access and rectify data
  • Right to erase data
  • Right to restrict data processing
  • Right to object to data processing
  • Right to be provided with data (the right to request the transfer of personal data to third parties is currently available under sector-specific regulations only, e.g., consumer protection)
  • Right to complain, denounce, and initiate a lawsuit
  • Right to claim for damages
  • Right to self-defense

Are there accountability and governance requirements?

Last review date: 2 January 2025

There are accountability and governance requirements to:

☒  perform and document data protection impact assessments (DPIAs) for high-risk processing

Note: The DPIAs must be conducted and submitted to the MPS by both a controller and processor whenever personal data is processed, regardless of its risk profile.

☒  maintain a record of processing activities

☒  implement appropriate measures to comply with data privacy and security

☒  demonstrate compliance with data privacy and security