Method to publish and get consent to personal data processing

Update date: June 22, 2023


Given the issuance of Decree 13/2023/ND-CP on personal data protection (“Decree 13”), all credit institutions are exploring different methods to obtain their customers’ consent before processing the personal data of such customers. Decree 13 paves the way for different methods and formats by which organizations can obtain the consent of their customers. To give the customers the most convenient way to give their consent, while also ensuring that such consent is given and obtained in compliance with Decree 13, credit institutions (the “CI”) are considering whether they can obtain the consent (the “Data Processing Consent”) of the data subjects (the “Data Subject”) by one of the following methods:

  1. Method 1: Insert the Data Processing Consent as a clause (the “Data Processing Clause”) in a document (the “Cover Document”) which is signed by the Data Subject, such as a clause in the credit contract or a term deposit contract.
  2. Method 2: In the Cover Document, insert an embedded link (the “Embedded Link”) that directs the Data Subject to a landing page where a data processing agreement is published (the “Data Processing Agreement”).

(collectively as the “Methods”)

Given this proposal, we are interested in exploring the legality of, as well as the available options that organizations may adopt to realize, Method 1 and Method 2 above. For the purpose of this paper, we will collectively refer to the organizations which control and process the personal data of customers as “Controller or Processor”, because, to have a thorough view, we want to deep-dive into the data controller or data controller-cum-processor as the one who can decide not only the purposes and means of data processing, but also the processing of personal data itself.


1. DEFINITION OF DATA PROCESSING AGREEMENT & DATA PROCESSING CONSENT

Article 2.8 of Decree 13 defines that: “Consent of a data subject means an act of the data subject permitting the processing of his/her personal data in a clear, voluntary and affirmative manner.” The definition in Article 2.8 of Decree 13 raises a question of how a consent is deemed to be “in a clear, voluntary and affirmative manner.” To answer this, Decree 13 provides a specific Article 11 for the Data Processing Consent. As we understand, if a Data Processing Consent meets the applicable requirements of this Article 11, it can be considered as being made in a clear, voluntary and affirmative manner.

Please refer to TABLE 1. REQUIREMENTS OF DATA PROCESSING CONSENT below.

2. FEASIBILITY & RECOMMENDATION

We opine that either Method 1 or Method 2 is likely feasible under Decree 13, provided however that it meets the requirements set forth therein – which we analyzed in Table 1. For the recommendation and further analysis of how such requirements can be met, please refer to TABLE 2. ANALYSIS OF FEASIBILITY & SOLUTION RECOMMENDATION.

TABLE 1. REQUIREMENTS OF DATA PROCESSING CONSENT

1. Scope of Data Processing Consent

Interpretation: A Data Processing Consent applies to all activities during the processing of the personal data, as provided by Decree 13. In this sense, we understand that the Controller or Processor must explicitly state the detailed activities that they will carry out during the processing of personal data, including: collecting, recording, analyzing, confirming, storing, correcting, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.

Legal base: Article 2.7 of Decree 13 defines that: “Processing of personal data is one or more activities that affect personal data, such as: collecting, recording, analyzing, confirming, storing, correcting, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.”

2. Conditions for the Data Processing Consent to be valid

Interpretation: A Data Processing Consent is valid only if the Data Subject freely and fully knows the contents specified by Decree 13. This provision favors the Data Subject: the condition is that “the data subject freely and fully knows;” it is not that “the data controller/data processor/data controller-cum-processor freely and fully informs.”

Legal base: Article 11.2 of Decree 13 provides that: “The consent of the data subject is only valid when the data subject freely and fully knows the following contents: a) category of the personal data that are processed; b) purpose of the personal data processing; c) organization and individual permitted to process the personal data; d) rights and obligations of the data subject.”

3. Methods by which a Data Processing Consent is expressed

Interpretation: A Data Processing Consent must be expressed clearly and specifically (a) in writing;[1] (b) by voice; (c) by ticking the consent box; (d) by syntax of instant message consent; (e) by selecting technical settings for consent; or (f) by other actions which express the consent.

Legal base: Article 11.3 of Decree 13 provides that: “The consent of the data subject must be expressed clearly and specifically in writing, by voice, by ticking the consent box, by syntax of instant message consent, by selecting technical settings for consent, or by other actions which express the consent.”

[1] Of note, we understand that “in writing” means that the Data Subject must actively write down or type out his/her Data Processing Consent (either on physical paper or on a computer).

4. Purposes to which a Data Processing Consent is given

Interpretation: Simply speaking, a Data Processing Consent must be given to a purpose. If a Data Processing Consent is given to a specific purpose, the personal data cannot be processed for other purposes. If the Controller or Processor intends to use a Data Processing Consent for multiple purposes, it must anticipate the potential purposes as far as possible and list such purposes thoroughly.

Legal base: Article 11.4 of Decree 13 provides that: “Consent must be given to the same purpose. When there are multiple purposes, the personal data controller and the personal data controller-cum-processor list the purposes so that the data subject agrees to one or more of the stated purposes.”

5. Format of the Data Processing Consent

Interpretation: In this sense, we understand that the Data Processing Consent must be in a form that can be read and understood by a natural person, and it must be printable or reproducible in written form (either physical paper or electronic files).

Legal base: Article 11.5 of Decree 13 provides that: “The consent of the data subject must be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable formats.”

6. Expression of the Data Processing Consent

Interpretation: We understand that there must be proof that the Data Subject actively gives his/her Data Processing Consent.

Legal base: Article 11.6 of Decree 13 provides that: “The data subject’s silence or non-response is not considered consent.”

7. Partial or Conditional Consent

Interpretation: We understand that, with respect to given personal data for which the Controller or Processor requests a Data Processing Consent, the Data Subject (a) can give his/her Data Processing Consent to only a part of such personal data, or (b) attach certain conditions that the Controller or Processor must observe or satisfy when processing his/her personal data.

Legal base: Article 11.7 of Decree 13 provides that: “The data subject may give partial or conditional consent.”

8. Explicit Announcement of Sensitive Personal Data

Interpretation: We understand that, when processing sensitive personal data, the Controller or Processor must explicitly inform the Data Subject of the same. Moreover, even though Decree 13 does not expressly require so, the explicit information, in this sense, must highlight not only the category of the data but also the characteristic of the sensitive data, so that the Data Subject is fully aware of the risks and potential consequences when permitting the Controller or Processor to process his/her sensitive personal data. In particular, the Controller or Processor must expressly let the Data Subject know that “sensitive personal data are personal data associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests.”

Legal base: Article 11.8 of Decree 13 provides that: “For the processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.”

TABLE 2. ANALYSIS OF FEASIBILITY & SOLUTION RECOMMENDATION


1. Scope of Data Processing Consent

Comment: The Data Processing Clause or Data Processing Agreement must explicitly list out the activities of the personal data processing. Of note, the activities listed therein must be specific and limited only to the needs of the Controller or Processor in order to proceed with the transaction contemplated under the Cover Document. For example: if the transaction contemplated in the Cover Document is a loan transaction, the action of decrypting may be considered as unrelated and unspecific, unless the collected data is encrypted and needs to be decrypted before processing.

Feasibility: Method 1: High; Method 2: High

2. Conditions for the Data Processing Consent to be valid

Comment: As for the requirement that the consent is only valid when the Data Subject freely and fully knows the required contents, the Controller or Processor should design a mechanism to serve two purposes:

  1. Prove the efforts of the Controller or Processor in requiring the Data Subject to read and understand the Data Processing Clause or Data Processing Agreement.
  2. Create irrefutable evidence that the Data Subject positively assented to the Data Processing Clause or Data Processing Agreement.

This means that, in addition to the tick-box, there are several suggestions:

  1. The wording of the Data Processing Clause or Data Processing Agreement should be written in a user-friendly, straightforward, understandable and transparent way, without jargon. Otherwise, the Data Subject may claim that they did not understand the wording (that is, they did not fully know what they read), which would undermine the requirement of “freely and fully knows.”
  2. The Data Processing Clause should be made to stand out from the rest of the Cover Document, so that no one can claim that “they could not see such clause in a wall of text.”
  3. There should be a “scroll-wrap” solution which forces the Data Subject to scroll the browser interface all the way down to the end of the webpage (assuming that the Data Subject uses a computer or mobile application to read and sign the Cover Document), which may prevent the Data Subject from saying that they just ticked the box without fully reading the Cover Document.
  4. There should be a re-confirm pop-up or button for the Data Subject to make sure that they really want to confirm their Data Processing Consent. This, as we presume, would serve as a safeguard for the Controller or Processor to prove that it already used its best endeavours to help the Data Subject be aware of the Data Processing Clause or Data Processing Agreement before they actually give the Data Processing Consent.

Feasibility: Method 1: High; Method 2: High
3. Methods by which a Data Processing Consent is expressed

Comment: The tick-box solution allowed in Article 11.3 of Decree 13 is a method for the Data Subject to express or give the Data Processing Consent, rather than a method for the Controller or Processor to obtain and record the Data Processing Consent. The question for the Controller or Processor is how to obtain and record the result from the tick-box (“Tick-Box Consent”), which must be in the format specified in, and meet the requirements of, Decree 13. In particular, the result of the Tick-Box Consent must be obtained and recorded in a form that can be read and understood by a natural person, and it must be printable or reproducible in written form (either physical paper or electronic files).

(Please also refer to our comments in Item 5 of this Table)

Feasibility: Method 1: High; Method 2: High

4. Purposes to which a Data Processing Consent is given

Comment: As we understand, this requirement is applied with the same approach as the scope of activities of the personal data processing (mentioned in Item 1 of this Table). In particular, the Data Processing Clause must explicitly list out the purposes of the personal data processing. Of note, the purposes listed therein must be specific and limited only to the needs of the Controller or Processor in order to proceed with the transaction contemplated under the Cover Document. For example: if the transaction contemplated in the Cover Document is a loan transaction, the purpose of promoting another product may be considered as unrelated and unspecific.

Feasibility: Method 1: Moderate (it is hard to list out everything in a clause); Method 2: High

5. Format of the Data Processing Consent

Comment: We understand that the format as required in Article 11.5 of Decree 13 must be reflected from two sides:

  1. From the side of the Data Subject: Once the Data Processing Consent is given (e.g., by ticking the consent box, by texting an instant message, etc.), it must be generated in a form that the Data Subject can print out on physical paper, or reproduce and store anywhere they want (e.g., the Data Subject can copy such Data Processing Consent file and store it on their personal computer).
  2. From the side of the Controller or Processor: Whenever needed, the Controller or Processor can extract such Data Processing Consent as a printable and reproducible result, and such result must match the one that the Data Subject holds on their side (point 1 above). There should be controls to ensure that the Controller or Processor can make a solid connection between what the Controller or Processor stores/retrieves on their side and what the Data Subject stores/retrieves on their side as mentioned in point 1.

(Please also refer to our comments in Item 3 of this Table)

Feasibility: Method 1: High; Method 2: High

6. Expression of the Data Processing Consent

Comment: As for this requirement, the Controller or Processor should have a mechanism to ensure that the act of giving the Data Processing Consent (a) is actually made by a natural person (not a bot or machine), and (b) is made directly by the Data Subject (not his/her child, spouse or acquaintance). Besides, the Controller or Processor should ensure that the Data Subject cannot give the Data Processing Consent without taking an active action; that is, for example, it should avoid solutions such as the following:

  1. Pre-ticked box: which does not require the Data Subject to tick anything and lets them go straight to the “submit” button.
  2. Opt-out option: which commonly states that the Data Subject must tick the box to decline the Data Processing Clause. If the Data Subject does not tick such opt-out box and goes straight to the “submit” button, then the Data Subject is considered as assenting to the Data Processing Clause.
  3. Browse-wrap approach: which commonly states that if the Data Subject assents to the Cover Document, they also assent to the Data Processing Agreement that is usually embedded in a hyperlink in the Cover Document. This approach normally does not require the Data Subject to click the hyperlink and to thoroughly read the Data Processing Agreement. In this case, the Controller or Processor must ensure that, if the Data Subject does not click the embedded link, they cannot proceed further with the Cover Document. Only after the system recognizes that the Data Subject has clicked the link and gone through all the required steps may the Data Subject click the “submit” button.

In this sense, if the Controller or Processor makes any changes to the contents announced to the Data Subject (as in Article 11.2 of Decree 13), the Controller or Processor must obtain the Data Processing Consent again. It is unacceptable that:

  1. The Controller or Processor sends a notification to the Data Subject which says that, if the Data Subject does not clearly reject or disagree with the changes, they will be considered as giving their Data Processing Consent to such changes.
  2. The Controller or Processor provides a clause in the Data Processing Clause or the Data Processing Agreement which says that the Data Processing Consent given the first time will continue to cover any changes later made in the Cover Document or the Data Processing Agreement.

Feasibility: Method 1: Moderate; Method 2: High
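The consent-record handling described in Items 5 and 6 (a printable record that both sides can match, an affirmative act rather than silence or a pre-ticked default, partial consent by purpose, and re-consent when the announced contents change), as an added example in Python that is not part of this paper or of any CI's system. The field names, the receipt-hash design and the sample notice are assumptions made for the example.

```python
import hashlib, json
from dataclasses import dataclass, asdict

# Activities enumerated in Article 2.7 of Decree 13; a clause lists only those it needs (Item 1).
DECREE_13_ACTIVITIES = {"collecting", "recording", "analyzing", "confirming", "storing",
                        "correcting", "disclosing", "combining", "accessing", "retrieving",
                        "recovering", "encrypting", "decrypting", "copying", "sharing",
                        "transmitting", "providing", "transferring", "deleting", "destroying"}

def canonical_hash(obj) -> str:
    # SHA-256 over canonical JSON, so the CI and the Data Subject compute the same value.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class ConsentNotice:
    """Contents announced to the Data Subject (Art. 11.2 a-d, Art. 2.7 activities, Art. 11.4 purposes, Art. 11.8 notice)."""
    data_categories: tuple
    activities: tuple
    purposes: tuple
    processors: tuple
    subject_rights: str
    sensitive: bool
    sensitive_notice: str = ""

def validate_notice(n: ConsentNotice) -> list:
    """Return the defects that would make a consent given on this notice invalid."""
    problems = []
    if set(n.activities) - DECREE_13_ACTIVITIES:
        problems.append("activity outside the Article 2.7 list")
    if not (n.data_categories and n.purposes and n.processors and n.subject_rights):
        problems.append("an Article 11.2 content is missing")
    if n.sensitive and "directly affect" not in n.sensitive_notice:
        problems.append("sensitive data not explained as Article 11.8 (and Item 8) require")
    return problems

def record_consent(n: ConsentNotice, subject_id: str, action, accepted_purposes: tuple,
                   timestamp: str) -> dict:
    """Build the record both sides keep. `action` is the affirmative act observed (e.g. "ticked");
    None models silence or a pre-ticked default (Art. 11.6). A subset of purposes is partial consent."""
    if validate_notice(n):
        raise ValueError("invalid notice: " + "; ".join(validate_notice(n)))
    if action is None:
        raise ValueError("silence or a pre-ticked box is not consent (Article 11.6)")
    if not accepted_purposes or not set(accepted_purposes) <= set(n.purposes):
        raise ValueError("accepted purposes must be a non-empty subset of those listed")
    record = {"subject_id": subject_id, "action": action, "timestamp": timestamp,
              "notice_hash": canonical_hash(asdict(n)), "purposes": sorted(accepted_purposes)}
    # The receipt goes to the Data Subject together with a printable copy of the record (Item 5).
    record["receipt"] = canonical_hash(record)
    return record

def verify_receipt(stored: dict, receipt_from_subject: str) -> bool:
    # Controller-side check that its stored record matches the copy the Data Subject kept.
    return canonical_hash({k: v for k, v in stored.items() if k != "receipt"}) == receipt_from_subject

def needs_reconsent(stored: dict, current: ConsentNotice) -> bool:
    # True when the announced contents changed since consent was given, so it must be obtained again (Item 6).
    return stored["notice_hash"] != canonical_hash(asdict(current))

SAMPLE_NOTICE = ConsentNotice(  # constructed sample for a loan transaction; names are illustrative
    data_categories=("identity document", "credit history"), sensitive=True,
    activities=("collecting", "storing", "analyzing", "sharing"),
    purposes=("loan appraisal", "loan servicing"), processors=("the CI", "a credit bureau (placeholder)"),
    subject_rights="You may access, correct, request deletion of your data and withdraw consent.",
    sensitive_notice="A violation of these sensitive personal data will directly affect your rights.")
```

Silence, an out-of-list purpose and an empty purpose set are all refused, and a record whose contents no longer match the receipt the Data Subject holds fails verification.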

7. Partial or Conditional Consent

Comment: As we understand, the Controller or Processor must give the Data Subject the options to give the Data Processing Consent in part, in whole, or with their conditions. We know that (a) in most cases, the personal data for which the Controller or Processor asks the Data Subject are necessary to conclude the transactions in the Cover Document, whereas (b) in rare cases, the personal data requested are not really necessary for such transactions. Therefore, in the sense of Article 11.7 of Decree 13, the Controller or Processor must give the Data Subject the option to decline, or attach their conditions to, the latter. If the Controller or Processor forces the Data Subject to give the Data Processing Consent to the latter (for example, by saying that the Controller or Processor will not provide products or services if the Data Subject does not give their Consent to all of the personal data the Controller or Processor requested, because the Controller or Processor needs such personal data to conclude the transaction, which is untrue and manipulative), such Data Processing Consent may be considered as violating the principle of “the data subject permitting the processing of his/her personal data in a … voluntary … manner” as defined in Article 2.8 of Decree 13.

Feasibility: Method 1: High; Method 2: High
8. Explicit Announcement of Sensitive Personal Data

Comment: As we understand, the personal data that Controllers or Processors collect are sensitive personal data as defined in Article 2.4(h) of Decree 13. Thus, the Data Processing Clause or the Data Processing Agreement must clearly spell out that the personal data requested for the transaction in the Cover Document (a) are sensitive personal data, and (b) are “associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests.” To be clear, as we understand, it is not acceptable, in the sense of Decree 13 (that is, a regulation that definitely favors the Data Subject), to only state that such personal data are sensitive data without letting the Data Subject fully know that such data, when violated, will directly affect their legitimate rights and interests.

Feasibility: Method 1: High; Method 2: High

Time of writing: 20/05/2023

The article contains general information of reference value only. If you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn
