Method to publish and get consent to personal data processing
Given the issuance of Decree 13/2023/ND-CP on personal data protection (“Decree 13”), all credit organizations are exploring different methods to obtain their customers’ consent before processing the personal data of such customers. Decree 13 paves the way for different methods and formats that organizations can use to obtain the consent of their customers. To not only give customers the most convenient way to give their consent but also ensure that such consent is given and obtained in compliance with Decree 13, credit institutions (the “CI”) are considering whether they can obtain the consent (the “Data Processing Consent”) of data subjects (the “Data Subject”) by one of the following methods:
- Method 1: Insert the Data Processing Consent as a clause (the “Data Processing Clause”) in a document (the “Cover Document”) which is signed by the Data Subject, such as a clause in the credit contract or a term deposit contract.
- Method 2: In the Cover Document, insert an embedded link (the “Embedded Link”) that directs the Data Subject to a landing page where a data processing agreement is published (the “Data Processing Agreement”).
(collectively as the “Methods”)
Given this proposal, we are interested in exploring the legality of, as well as the available options that organizations may adopt to realize, Method 1 and Method 2 above. For the purpose of this paper, we will collectively refer to the organizations which control and process the personal data of customers as “Controller or Processor,” because, to have a thorough view, we want to deep-dive into the data controller or data controller-cum-processor as the one who can decide not only the purposes and means of data processing, but also the processing of personal data itself.
1. DEFINITION OF DATA PROCESSING AGREEMENT & DATA PROCESSING CONSENT
Article 2.8 of Decree 13 defines that: “Consent of a data subject means an act of the data subject permitting the processing of his/her personal data in a clear, voluntary and affirmative manner.” The definition in Article 2.8 of Decree 13 raises a question of how a consent is deemed to be “in a clear, voluntary and affirmative manner.” To answer this, Decree 13 provides a specific Article 11 for the Data Processing Consent. As we understand, if a Data Processing Consent meets the applicable requirements of this Article 11, it can be considered as being made in a clear, voluntary and affirmative manner.
Please refer to TABLE 1. REQUIREMENTS OF DATA PROCESSING CONSENT below.
2. FEASIBILITY & RECOMMENDATION
We opine that either Method 1 or Method 2 is likely feasible under Decree 13, provided however that it meets the requirements set forth therein – which we analyze in Table 1. For the recommendation and further analysis of how such requirements can be met, please refer to TABLE 2. ANALYSIS OF FEASIBILITY & SOLUTION RECOMMENDATION.
TABLE 1. REQUIREMENTS OF DATA PROCESSING CONSENT
S/N | Requirements | Interpretation | Legal Base |
---|---|---|---|
1. | Scope of Data Processing Consent | A Data Processing Consent applies to all activities during the processing of the personal data which are provided for by Decree 13. In this sense, we understand that the Controller or Processor must explicitly state the detailed activities that they will carry out during the processing of personal data, including: collecting, recording, analyzing, confirming, storing, correcting, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions. | To clarify, Article 2.7 of Decree 13 defines that: “Processing of personal data is one or more activities that affect personal data, such as: collecting, recording, analyzing, confirming, storing, correcting, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.” |
2. | Conditions for the Data Processing Consent to be valid | A Data Processing Consent is valid only if the Data Subject freely and fully knows the contents specified by Decree 13. This provision favors the Data Subject – it says that the condition is “the data subject freely and fully knows;” it is not “the data controller/data processor/data controller-cum-processor freely and fully informs.” | Article 11.2 of Decree 13 provides that: “The consent of the data subject is only valid when the data subject freely and fully knows the following contents: a) category of the personal data that are processed; b) purpose of the personal data processing; c) organization and individual permitted to process the personal data; d) rights and obligations of the data subject.” |
3. | Methods by which a Data Processing Consent is expressed | A Data Processing Consent must be expressed clearly and specifically (a) in writing;[1] (b) by voice; (c) by ticking the consent box; (d) by syntax of instant message consent; (e) by selecting technical settings for consent; or (f) by other actions which express the consent. Of note, we understand that “in writing” means that the Data Subject must actively write down or type out his/her Data Processing Consent (either on physical paper or on a computer). | Article 11.3 of Decree 13 provides that: “The consent of the data subject must be expressed clearly and specifically in writing, by voice, by ticking the consent box, by syntax of instant message consent, by selecting technical settings for consent, or by other actions which express the consent.” |
4. | Purposes to which a Data Processing Consent is given | Simply speaking, a Data Processing Consent must be given to a purpose. If a Data Processing Consent is given to a specific purpose, the personal data cannot be processed for other purposes. If the Controller or Processor intends to use a Data Processing Consent for multiple purposes, it must anticipate the potential purposes as far as possible, and list such purposes thoroughly. | Article 11.4 of Decree 13 provides that: “Consent must be given to the same purpose. When there are multiple purposes, the personal data controller and the personal data controller-cum-processor list the purposes so that the data subject agrees to one or more of the stated purposes.” |
5. | Format of the Data Processing Consent | In this sense, we understand that the Data Processing Consent must be in a form that can be read and understood by a natural person, and it must be printable or reproducible in written form (either physical paper or electronic files). | Article 11.5 of Decree 13 provides that: “The consent of the data subject must be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable formats.” |
6. | Expression of the Data Processing Consent | We understand that there must be proof that the Data Subject actively gives his/her Data Processing Consent. | Article 11.6 of Decree 13 provides that: “The data subject’s silence or non-response is not considered consent.” |
7. | Partial or Conditional Consent | We understand that, with respect to given personal data for which the Controller or Processor requests a Data Processing Consent, the Data Subject (a) can give his/her Data Processing Consent to a part of such personal data, or (b) attach certain conditions that the Controller or Processor must observe or satisfy when processing his/her personal data. | Article 11.7 of Decree 13 provides that: “The data subject may give partial or conditional consent.” |
8. | Explicit Announcement of Sensitive Personal Data | We understand that, when processing sensitive personal data, the Controller or Processor must explicitly inform the Data Subject of the same. Moreover, even though Decree 13 does not expressly require so, the explicit information, in this sense, must highlight not only the category of the data but also the characteristic of the sensitive data, so that the Data Subject is fully aware of the potential risks when permitting the Controller or Processor to process his/her sensitive personal data. In particular, the Controller or Processor must expressly let the Data Subject know that “sensitive personal data are personal data associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests.” | Article 11.8 of Decree 13 provides that: “For the processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.” |
TABLE 2. ANALYSIS OF FEASIBILITY & SOLUTION RECOMMENDATION
S/N | Requirements | Comments | Method 1 | Method 2 |
---|---|---|---|---|
1. | Scope of Data Processing Consent | The Data Processing Clause or Data Processing Agreement must explicitly list out the activities of the personal data processing. Of note, the activities listed therein must be specific and limited only to the needs of the Controller or Processor in order to proceed with the transaction contemplated under the Cover Document. For example: if the transaction contemplated in the Cover Document is a loan transaction, the action of decrypting may be considered unrelated and unspecific, unless the collected data is encrypted and needs to be decrypted before processing. | High | High |
2. | Conditions for the Data Processing Consent to be valid | As for the requirement that the consent is only valid when the data subject freely and fully knows the required contents, the Controller or Processor should design a mechanism to serve 2 purposes: This means that in addition to the tick-box, there are several suggestions: | High | High |
3. | Methods by which a Data Processing Consent is expressed | The tick-box solution allowed in Article 11.3 of Decree 13 is a method for the Data Subject to express or give the Data Processing Consent, rather than a method for the Controller or Processor to obtain and record the Data Processing Consent. The problem for the Controller or Processor is how to obtain and record the result from the tick-box (“Tick-Box Consent”), which must be in the format specified in, and meet the requirements of, Decree 13. In particular, the result of the Tick-Box Consent must be obtained and recorded in a form that can be read and understood by a natural person, and it must be printable or reproducible in written form (either physical paper or electronic files). (Please also refer to our comments in Item 5 of this Table) | High | High |
4. | Purposes to which a Data Processing Consent is given | As we understand, this requirement is applied with the same approach as the scope of activities of the personal data processing (mentioned in Item 1 of this Table). In particular, the Data Processing Clause must explicitly list out the purposes of the personal data processing. Of note, the purposes listed therein must be specific and limited only to the needs of the Controller or Processor in order to proceed with the transaction contemplated under the Cover Document. For example: if the transaction contemplated in the Cover Document is a loan transaction, the purpose of promoting another product may be considered unrelated and unspecific. | Moderate (it is hard to list out everything in a clause) | High |
5. | Format of the Data Processing Consent | We understand that the format as required in Article 11.3 of Decree 13 must be reflected from 2 sides: (Please also refer to our comments in Item 3 of this Table) | High | High |
6. | Expression of the Data Processing Consent | As for this requirement, the Controller or Processor should have a mechanism to ensure that the act of giving the Data Processing Consent (a) is actually made by a natural person (not a bot or machine), and (b) is made directly by the Data Subject (not his/her child, spouse or acquaintances). Besides, the Controller or Processor should ensure that they do not let the Data Subject give the Data Processing Consent without taking an active action – that is, for example, avoid solutions such as the following: In this sense, if the Controller or Processor makes any changes to the contents announced to the Data Subject (as in Article 11.2 of Decree 13), the Controller or Processor must obtain the Data Processing Consent again. It is unacceptable 2. The Controller or Processor provides a clause in the Data Processing Clause or the Data Processing Agreement which says that the Data Processing Consent given the first time will continue to cover any changes later made in the Cover Document or the Data Processing Agreement. | Moderate | High |
7. | Partial or Conditional Consent | As we understand, the Controller or Processor must give the Data Subject the options to give the Data Processing Consent in part, in whole, or with their conditions. We know that (a) in most cases, the personal data for which the Controller or Processor asks the Data Subject are necessary to conclude the transactions in the Cover Document; whereas (b) in rare cases, the personal data requested are not really necessary for such transactions. As such, in the sense of Article 11.7 of Decree 13, the Controller or Processor must give the Data Subject the option to decline, or attach their conditions to, the latter. If the Controller or Processor forces the Data Subject to give the Data Processing Consent to the latter (for example, by saying that the Controller or Processor will not provide products or services if the Data Subject does not give their consent to all of the personal data the Controller or Processor requested, because the Controller or Processor needs such personal data to conclude the transaction, which is untrue and manipulative), such Data Processing Consent may be considered as violating the principle of “the data subject permitting the processing of his/her personal data in a … voluntary … manner” as defined in Article 2.8 of Decree 13. | High | High |
8. | Explicit Announcement of Sensitive Personal Data | As we understand, the personal data that Controllers or Processors collect are sensitive personal data as defined in Article 2.4(h) of Decree 13. Thus, the Data Processing Clause or the Data Processing Agreement must clearly spell out that the personal data requested for the transaction in the Cover Document (a) are sensitive personal data, and (b) are “associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests.” To be clear, as we understand, it is not acceptable, in the sense of Decree 13 – that is, a regulation that definitely favors the Data Subject – to only state that such personal data are sensitive data without letting the Data Subject fully know that such data, when violated, will directly affect their legitimate rights and interests. | High | High |
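Items 2 to 7 of Table 2 together describe what a consent-capture mechanism has to record and check: the four contents of Article 11.2 and the listed activities and purposes, the Article 11.5 printable form, proof of an active action (Article 11.6), partial or conditional consent (Article 11.7), and the need to obtain consent again whenever the disclosed contents change (Item 6). The following is an added illustration written for this page, not code from CDLAF or from any CI; it binds each consent record to a SHA-256 hash of the disclosed contents, so a later edit to the Data Processing Clause or Data Processing Agreement automatically invalidates earlier consents. The class and function names, the loan-transaction sample disclosure and the hash-binding design are all assumptions of the example, not requirements stated in Decree 13.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Disclosure:
    """Contents the Data Subject must freely and fully know (Article 11.2), plus the
    listed processing activities (Article 2.7) and purposes (Article 11.4)."""
    data_categories: tuple[str, ...]
    activities: tuple[str, ...]
    purposes: tuple[str, ...]
    processors: tuple[str, ...]
    rights_text: str
    sensitive_notice: Optional[str]  # Article 11.8 notice; None when the data are not sensitive

    def version_hash(self) -> str:
        # Canonical JSON so identical contents always hash identically; any edit to
        # what was disclosed yields a different hash (our design choice, not the Decree's).
        canonical = json.dumps(asdict(self), sort_keys=True, ensure_ascii=False)
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    disclosure_hash: str             # binds this consent to one disclosure version
    agreed_purposes: frozenset[str]  # Article 11.7: may be a subset of the listed purposes
    conditions: tuple[str, ...]      # Article 11.7: conditions attached by the Data Subject
    method: str                      # an Article 11.3 method, e.g. "tick-box"
    given_at: str                    # ISO-8601 UTC timestamp of the active action


def record_consent(subject_id: str, disclosure: Disclosure, agreed_purposes: Iterable[str],
                   method: str, active_action: bool, conditions: Iterable[str] = ()) -> ConsentRecord:
    """Record consent only for an active action (Article 11.6) and only for listed purposes."""
    if not active_action:
        raise ValueError("silence or non-response is not consent (Article 11.6)")
    agreed = frozenset(agreed_purposes)
    if not agreed:
        raise ValueError("no purpose was selected; nothing to record")
    unknown = agreed - set(disclosure.purposes)
    if unknown:
        raise ValueError(f"purposes not in the disclosed list: {sorted(unknown)}")
    return ConsentRecord(subject_id, disclosure.version_hash(), agreed, tuple(conditions),
                         method, datetime.now(timezone.utc).isoformat(timespec="seconds"))


def may_process(record: ConsentRecord, current: Disclosure,
                purpose: str, activity: str) -> tuple[bool, str]:
    """Is one activity for one purpose covered by the recorded consent?"""
    if record.disclosure_hash != current.version_hash():
        return False, "disclosed contents changed since consent was given; obtain consent again"
    if purpose not in record.agreed_purposes:
        return False, f"purpose {purpose!r} was not consented to"
    if activity not in current.activities:
        return False, f"activity {activity!r} is outside the declared scope"
    return True, "ok"


def render_printable(record: ConsentRecord, disclosure: Disclosure) -> str:
    """Human-readable, printable rendering of the consent (Article 11.5)."""
    declined = [p for p in disclosure.purposes if p not in record.agreed_purposes]
    lines = [
        f"Consent of data subject {record.subject_id}, given at {record.given_at} by {record.method}",
        f"Disclosure version (SHA-256): {record.disclosure_hash}",
        "Data categories: " + ", ".join(disclosure.data_categories),
        "Processing activities: " + ", ".join(disclosure.activities),
        "Purposes consented to: " + ", ".join(sorted(record.agreed_purposes)),
        "Purposes declined: " + (", ".join(declined) or "none"),
        "Organisations/individuals permitted to process: " + ", ".join(disclosure.processors),
        "Rights and obligations of the data subject: " + disclosure.rights_text,
        "Conditions attached by the data subject: " + (", ".join(record.conditions) or "none"),
    ]
    if disclosure.sensitive_notice:
        lines.append("Sensitive personal data notice: " + disclosure.sensitive_notice)
    return "\n".join(lines)


# Constructed sample disclosure for a loan transaction; not taken from the article.
SAMPLE_DISCLOSURE = Disclosure(
    data_categories=("full name", "identity document number", "income statement"),
    activities=("collecting", "storing", "analyzing", "sharing"),
    purposes=("credit assessment", "loan servicing", "product promotion"),
    processors=("Example Bank (controller)", "Example Credit Bureau (processor)"),
    rights_text="You may access, correct, withdraw consent to, or request deletion of your data.",
    sensitive_notice="The requested data are sensitive personal data associated with your privacy "
                     "that, when violated, will directly affect your legitimate rights and interests.",
)

if __name__ == "__main__":
    rec = record_consent("subject-001", SAMPLE_DISCLOSURE, ["credit assessment", "loan servicing"],
                         "tick-box", active_action=True, conditions=("no marketing calls",))
    print(render_printable(rec, SAMPLE_DISCLOSURE))
```

The point of the hash binding is Item 6: a clause saying that the first consent "continues to cover" later changes is not needed, because a changed disclosure simply no longer matches the recorded hash and the check refuses processing until fresh consent is obtained. Declining a listed purpose (Item 7) is recorded as a narrower `agreed_purposes` set rather than as a rejected transaction, and the printable rendering keeps both the agreed and the declined purposes visible for audit.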
Time of writing: 20/05/2023
The article contains general information which is of reference value only; if you want to receive legal opinions on issues you need clarification on, please get in touch with our lawyers at info@cdlaf.vn