Exploring the Key Highlights of the Draft Law on Personal Data Protection
- Phương Nguyễn Hoàng Mai
- 2 days ago
- 7 min read
Article 3.4
"The parent company, subsidiaries, and each company within the economic group members and the general company are responsible for independently protecting personal data as regulated by law. The consent of the data subject for one company does not imply consent for all companies within the economic group members and the general company to process personal data."
Article 6.1
Other laws that regulate the protection of personal data must not contradict the provisions of this Law. In cases where other laws do not provide for or have provisions regarding the protection of personal data that differ from the provisions of this Law, the provisions of this Law shall apply.
Article 9
Rights of Data Subjects
Right to be informed: Data subjects have the right to know about the processing of their personal data, unless otherwise provided by law.
Right to consent: Data subjects may consent or refuse to allow the processing of their personal data, unless otherwise provided by law.
Right to access: Data subjects can access, view, or edit their collected personal data, unless otherwise provided by law.
Right to withdraw consent: Data subjects may withdraw their consent, unless otherwise provided by law.
Right to erasure: Data subjects can delete or request the deletion of their personal data, unless otherwise provided by law.
Right to restrict processing: Data subjects can request restrictions on processing their personal data (e.g., if accuracy is doubted), with restrictions applied within 72 hours, unless otherwise provided by law.
Right to data provision: Data subjects can request their personal data from controllers or processors, unless otherwise provided by law.
Right to object: Data subjects can object to processing to prevent disclosure or use for advertising/marketing, with compliance within 72 hours, unless otherwise provided by law.
Right to complain or sue: Data subjects can lodge complaints, denunciations, or lawsuits under relevant laws.
Right to compensation: Data subjects can claim damages for violations of personal data protection, unless otherwise agreed or provided by law.
Right to self-protection: Data subjects can protect their rights under the Civil Code, related laws, or request competent authorities to enforce civil rights protection measures.
Article 11
This rule says that we, as a company, cannot make users agree to share their personal information with other services as a condition of using our product if that sharing has nothing to do with the original reason we collected their data. For example, if you sign up for our app to order food, we cannot require you to let us hand your details to another company, such as an advertising firm that will send you unrelated ads. You have the right to say "no" to that, and we still have to let you use the main service (ordering food) without penalising you for refusing.
In simple terms:
We can only use your info for the reason we first asked for it (like delivering your food).
We cannot attach extra conditions such as "you must let us share your info with everyone to use our app."
You can refuse, and we have to respect that.
This protects you from being pressured into something you do not want, and keeps your info from being misused.
4. The consent of the data subject must be expressed through an affirmative action that creates a clear and specific indication, such as: in writing, verbally, checking a consent box, consenting via message syntax, selecting consent technical settings, or through another action that demonstrates this intention.
This rule means that when someone agrees to let us use their personal information, they have to show it clearly by doing something active. We can’t just assume they’re okay with it if they don’t say or do anything. For example, they might need to write it down, say it out loud, tick a box that says “I agree,” send us a message saying yes, choose a “yes” option in our app settings, or do something else that obviously shows they’re giving us permission.
In simple terms:
They have to do something to say “yes” to us using their info—like clicking a button or checking a box.
We can’t trick them by saying “if you don’t say no, we’ll take it as a yes.”
It has to be clear they mean it, not vague or accidental.
This is to make sure people really agree and aren’t confused or forced into letting us use their info. It protects them and keeps things fair.
Article 12.3
3. Upon receiving a request to withdraw consent from the data subject, the Personal Data Controller and the Data Processor must inform the data subject of the consequences and potential damages that may occur when withdrawing consent.
This rule says that if someone tells us they want to take back their permission (withdraw consent) for us to use their personal information, we—the company handling their data—have to let them know what might happen as a result. This could include any downsides or problems they might face because of their choice. We can’t just ignore their request or keep using their info without explaining the consequences.
Let’s use our “Yummy Delivery” food app as an example:
Imagine a customer named Linh signed up and agreed to let us use her phone number to send her text messages about discounts. Now, she decides she doesn’t want those messages anymore and sends us a request to withdraw her consent.
When we get her request, we have to tell her something like: “Hi Linh, if you stop letting us use your phone number for texts, you won’t get our special discount codes anymore, like the 20% off deal we send every Friday. You might miss out on savings, but we’ll respect your choice and stop sending them.”
We’re not trying to scare her or force her to keep getting texts—we’re just making sure she understands what she’s giving up.
In simple terms:
If someone says “stop using my info,” we have to explain what changes for them—like losing perks or access to something.
It’s about being fair and clear, not hiding the impact.
We still have to follow their request after we explain the consequences.
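The consent clause (affirmative action only), Article 3.4 (consent to one group company is not consent to its siblings), Article 11 (no consent for purposes beyond the one disclosed at collection) and Article 12.3 (withdrawal, with the consequences explained) all constrain how a consent store should be built. The sketch below is an added example, not code from the article or from any Vietnamese regulator; the ledger class, the purpose registry, and the "Yummy Delivery" / Linh data are constructed for illustration.

```python
"""Consent ledger sketch (added example; not from the draft law or the article).

Encodes: consent counts only when it is an affirmative action; it is scoped to
one controller and one purpose disclosed at collection; withdrawal is honoured
and returns the consequence notice the controller must send.
ConsentLedger, Purpose and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Evidence(Enum):
    # Affirmative actions listed in the consent clause.
    WRITTEN = "written"
    VERBAL = "verbal"
    CHECKBOX = "checkbox"
    MESSAGE = "message"
    SETTING = "setting"
    # Not consent: silence, or a box that was ticked by default.
    INACTIVITY = "inactivity"
    PRETICKED = "preticked"


AFFIRMATIVE = {Evidence.WRITTEN, Evidence.VERBAL, Evidence.CHECKBOX,
               Evidence.MESSAGE, Evidence.SETTING}


@dataclass
class Purpose:
    name: str
    description: str             # what the subject was told at collection
    withdrawal_consequence: str  # what changes for the subject on withdrawal


@dataclass
class ConsentRecord:
    subject: str
    controller: str              # one legal entity, never "the group"
    purpose: str
    evidence: Evidence
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, purposes: List[Purpose]):
        self.purposes: Dict[str, Purpose] = {p.name: p for p in purposes}
        self._records: List[ConsentRecord] = []

    def record(self, subject, controller, purpose, evidence, now=None):
        # Purpose must have been disclosed up front; evidence must be an active "yes".
        if purpose not in self.purposes:
            raise ValueError(f"purpose {purpose!r} was never disclosed to the subject")
        if evidence not in AFFIRMATIVE:
            raise ValueError(f"{evidence.value} is not an affirmative action")
        rec = ConsentRecord(subject, controller, purpose, evidence,
                            now or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def permitted(self, subject, controller, purpose) -> bool:
        # Exact match on controller AND purpose: consent given to one company for
        # one purpose does not carry over to a sister company or a new use.
        return any(r.subject == subject and r.controller == controller
                   and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def withdraw(self, subject, controller, purpose, now=None) -> str:
        """Mark active consent withdrawn; return the notice the controller must send."""
        now = now or datetime.now(timezone.utc)
        for r in self._records:
            if (r.subject, r.controller, r.purpose) == (subject, controller, purpose) \
                    and r.withdrawn_at is None:
                r.withdrawn_at = now
        p = self.purposes[purpose]
        return f"Consent for '{p.description}' withdrawn. {p.withdrawal_consequence}"


def demo() -> dict:
    """Constructed walk-through of the Linh / Yummy Delivery scenario."""
    ledger = ConsentLedger([
        Purpose("delivery", "using your address to deliver orders",
                "Orders can no longer be delivered to you."),
        Purpose("sms_promo", "texting you discount codes",
                "You will no longer receive the Friday discount codes."),
    ])
    ledger.record("linh", "Yummy Delivery", "delivery", Evidence.CHECKBOX)
    ledger.record("linh", "Yummy Delivery", "sms_promo", Evidence.MESSAGE)
    out = {"delivery_ok": ledger.permitted("linh", "Yummy Delivery", "delivery"),
           # Article 3.4: a sister company gets nothing from Linh's consent.
           "sister_company": ledger.permitted("linh", "Yummy Ads Co", "sms_promo")}
    try:   # Article 11: an undisclosed purpose cannot be consented to after the fact.
        ledger.record("linh", "Yummy Delivery", "ad_profiling", Evidence.CHECKBOX)
        out["undisclosed_rejected"] = False
    except ValueError:
        out["undisclosed_rejected"] = True
    try:   # Consent clause: a pre-ticked box is not consent.
        ledger.record("minh", "Yummy Delivery", "sms_promo", Evidence.PRETICKED)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    out["notice"] = ledger.withdraw("linh", "Yummy Delivery", "sms_promo")
    out["sms_after_withdrawal"] = ledger.permitted("linh", "Yummy Delivery", "sms_promo")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two design choices worth copying are that the consequence text lives in the purpose registry rather than being improvised at withdrawal time, so the notice is reviewed once and sent consistently, and that `permitted()` never matches on a group name or a wildcard purpose, so a sister company or a new use has to collect its own affirmative consent.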
Article 20
2. Before processing personal data of children, the Data Controller, Data Processor, Data Controller and Processor, and third parties must verify the age of the child and obtain the consent of the parent, guardian, or person responsible as prescribed.
Article 26
1. Only information listed in the publicly disclosed recruitment content or the employee’s profile may be requested.
This rule means that when we, as a company, ask someone for their personal information—like during a job application process—we can only ask for details that we’ve already said we need in our public job posting or that are part of their employee file (if they’re already hired). We can’t randomly demand extra stuff that wasn’t mentioned upfront or isn’t relevant.
Let’s say our company, “Tasty Bakery,” is hiring a new baker:
In our job ad on a website, we list that we need: full name, phone number, email, and past baking experience. That’s the “publicly disclosed recruitment content.”
When someone applies, we can only ask for those things—nothing more. For example, we can’t suddenly ask for their home address or family details if we didn’t say we needed that in the ad.
If they get hired and become an employee, we can later ask for stuff in their “employee profile”—like their bank account for payroll—but only if it’s part of what we’ve set up as standard for employees.
In simple terms:
We can only ask for info we’ve already told people we need in the job ad or employee records.
No sneaky extra questions allowed—like asking for their favorite color or where their parents live if it’s not in the plan.
It keeps things fair and stops us from collecting too much personal stuff.
Article 29
Article 29. Signing contracts and agreements with data subjects
1. Contracts and agreements with data subjects must contain content related to the protection of personal data, clearly stating the responsibilities, benefits, and obligations that the parties involved must comply with.
2. Clearly specify the cases in which the technologies and measures for monitoring workers are applied and require consent.
In Simple Terms:
Clause 1: Every deal we sign with someone has to spell out how we’ll protect their info and what everyone’s supposed to do.
Clause 2: If we’re watching employees with tech (like cameras or tracking software), we have to tell them what’s up and get their “yes” first.
Example:
Section X: Personal Data Protection and Monitoring
Personal Data Protection
Purpose and Use: The Employer (Tasty Bakery) will collect and use your personal information (e.g., full name, phone number, email, bank account details) only for employment purposes like payroll and scheduling.
Responsibilities: We’ll keep your info safe and use it as promised. You’ll provide accurate info and update us if it changes.
Rights: You can ask about your info, correct it, or withdraw consent (if the law allows).
Monitoring with Consent
Monitoring Details: We may use cameras at the cash register or a time-tracking app to ensure safety and track hours. For example:
A camera records the counter during your shift.
An app logs your clock-in/out times.
Your Consent: Check the box below if you agree to this monitoring. If you don’t check it, we won’t use these tools for you, but it may limit some job tasks (e.g., cash register duty).
I agree to the monitoring described above.
Note: By signing this contract, you confirm you’ve read and agreed to these terms, including any monitoring consent you’ve checked above.
[Rest of Contract Continues…]
Employee Signature (at the end of the contract): I, [Employee Name], agree to the terms of this employment contract, including Section X on personal data and monitoring.
Article 46
Article 46. Updating the assessment documents for the impact of personal data processing and the assessment documents for the impact of personal data transfer abroad.
1. The assessment documents for the impact of personal data processing and the assessment documents for the impact of personal data transfer abroad shall be updated periodically once every six (06) months when there are changes.
2. The cases that need to be updated immediately include:
a) When the company dissolves or merges;
b) When there is a change in information about the Personal Data Protection Organization and the DPO;
c) When a new business sector or service arises or when ceasing to conduct services or products related to personal data registered in the assessment document for the impact of personal data processing, the assessment document for the impact of personal data transfer abroad.
3. The updating of the assessment documents for the impact of personal data processing and the assessment documents for the impact of personal data transfer abroad shall be carried out on the national portal on personal data protection, sent via postal service, or directly to the specialized agency for personal data protection.