{"id":5965,"date":"2023-06-22T12:32:47","date_gmt":"2023-06-22T05:32:47","guid":{"rendered":"https:\/\/cdlaf.az9s.group\/?p=5965"},"modified":"2024-03-06T09:52:32","modified_gmt":"2024-03-06T02:52:32","slug":"method-to-publish-and-get-consent-to-personal-data-processing","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/method-to-publish-and-get-consent-to-personal-data-processing\/","title":{"rendered":"Method to publish and get consent to personal data processing"},"content":{"rendered":"<p>Given the issuance of Decree 13\/2023\/ND-CP on personal data protection (\u201c<strong>Decree 13<\/strong>\u201d), all credit organizations are exploring different methods to get their customers\u2019 consents before processing the personal data of such customers. Decree 13 paves a path to different methods and formats by which organizations can get the consents of their customers. To not only give the customers the most convenient way to give their consents but also ensure that such consents are given and gotten in compliance with Decree 13, credit institutions (the \u201c<strong>CI<\/strong>\u201d) are considering whether they can get the consents (the \u201c<strong>Data Processing Consent<\/strong>\u201d) of the data subjects (the \u201c<strong>Data Subject<\/strong>\u201d) by one of the following methods:<\/p>\n<ol>\n<li><strong>Method 1<\/strong>: Insert the Data Processing Consent as a clause (the \u201c<strong>Data Processing Clause<\/strong>\u201d) in a document (the \u201c<strong>Cover Document<\/strong>\u201d) which is signed by the Data Subject, such as a clause in the credit contract or a term deposit contract.<\/li>\n<li><strong>Method 2<\/strong>: In the Cover Document, insert an embedded link (the \u201c<strong>Embedded Link<\/strong>\u201d) that directs the Data Subject to a landing page where a data processing agreement is published (the \u201c<strong>Data Processing Agreement<\/strong>\u201d).<\/li>\n<\/ol>\n<p>(collectively, the 
\u201c<strong>Methods<\/strong>\u201d)<\/p>\n<p>Given this proposal, we are interested in exploring the legality as well as available options that organizations may adopt to realize Method 1 and Method 2 above. For the purpose of this paper, we will collectively refer to the organizations, which control and process the personal data of customers, as \u201c<strong>Controller or Processor<\/strong>,\u201d because, to have a thorough view, we want to deep-dive into data controller or data controller-cum-processor as the one who can decide not only the purposes and means of data processing, but also the processing of personal data itself.<\/p>\n<figure id=\"attachment_4558\" aria-describedby=\"caption-attachment-4558\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4558\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/03\/dung.24.3.3-re-1400x583.jpg\" alt=\"\" width=\"800\" height=\"333\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/03\/dung.24.3.3-re-1400x583.jpg 1400w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/03\/dung.24.3.3-re-800x333.jpg 800w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/03\/dung.24.3.3-re-768x320.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/03\/dung.24.3.3-re-1536x640.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/03\/dung.24.3.3-re-2048x853.jpg 2048w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-4558\" class=\"wp-caption-text\">Method to publish and get consent to personal data processing<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"1DEFINITION_OF_DATA_PROCESSING_AGREEMENT_DATA_PROCESSING_CONSENT\"><\/span>1. DEFINITION OF DATA PROCESSING AGREEMENT &amp; DATA PROCESSING CONSENT<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Article 2.8 of Decree 13 defines that: \u201c<strong><em>Consent<\/em><\/strong><em> of a data subject means an act of the data subject permitting the processing of his\/her personal data in a <u>clear, voluntary and affirmative manner.<\/u><\/em>\u201d The definition in Article 2.8 of Decree 13 raises a question of how a consent is deemed to be \u201c<em>in a clear, voluntary and affirmative manner.<\/em>\u201d To answer this, Decree 13 provides a specific Article 11 for the Data Processing Consent. As we understand, if a Data Processing Consent meets the applicable requirements of this Article 11, it can be considered as being made in a <em>clear, voluntary and affirmative manner<\/em>.<\/p>\n<p><em><u>Please refer to next page \u2013 TABLE 1. REQUIREMENTS OF DATA PROCESSING CONSENT<\/u><\/em><\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_FEASIBILITY_RECOMMENDATION\"><\/span>2. FEASIBILITY &amp; RECOMMENDATION<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We opine that either Method 1 or Method 2 is likely feasible under Decree 13, provided however that it meets the requirements set forth therein \u2013 which we analyzed in Table 1. For the recommendation and further analysis of how such requirements can be met, <em>please refer to<\/em> <em><u>TABLE 2. ANALYSIS OF FEASIBILITY &amp; SOLUTION RECOMMENDATION<\/u><\/em>.<\/p>\n<p><strong>TABLE 1. 
REQUIREMENTS OF DATA PROCESSING CONSENT<\/strong><\/p>\n<table style=\"height: 400px;\" width=\"509\">\n<tbody>\n<tr class=\"row-1 odd\">\n<th class=\"column-1\"><strong>S\/N<\/strong><\/th>\n<th class=\"column-2\"><strong>Requirements<\/strong><\/th>\n<th class=\"column-3\"><strong>Interpretation<\/strong><\/th>\n<th class=\"column-4\"><strong>Legal Base<\/strong><\/th>\n<\/tr>\n<tr class=\"row-2 odd\">\n<td class=\"column-1\">1.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Scope of Data Processing Consent<\/td>\n<td class=\"column-3\">\n<p>A Data Processing Consent applies to all activities during the processing of the personal data, which are provided by Decree 13. In this sense, we understand that the Controller or Processor must explicitly state the detailed activities that they will do during the processing of personal data, including: collecting, recording, analyzing, confirming, storing, correcting, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.<\/td>\n<td class=\"column-4\">\n<p>To clarify, Article 2.7 of Decree 13 defines that: \u201c<strong><em>Processing of personal data <\/em><\/strong><em>is one or more activities that affect personal data, such as: collecting, recording, analyzing, confirming, storing, correcting, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.<\/em>\u201d<\/p>\n<\/td>\n<\/tr>\n<tr class=\"row-3 odd\">\n<td class=\"column-1\">2.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Conditions for the Data Processing Consent to be valid<\/td>\n<td class=\"column-3\">\n<p>A Data Processing Consent is valid if the Data Subject freely and explicitly knows the contents specified by Decree 
13. This provision favors the Data Subject \u2013 it says that the condition is \u201c<em>the data subject freely and fully knows<\/em>;\u201d it is not \u201c<em>the data controller\/ data processor\/ data controller-cum-processor freely and fully informs<\/em>.\u201d<\/td>\n<td class=\"column-4\">\n<p>Article 11.2 of Decree 13 provides that: \u201c<em>The consent of the data subject is only valid when the data subject freely and fully knows the following contents: a) category of the personal data that are processed; b) purpose of the personal data processing; c) organization and individual permitted to process the personal data; d) rights and obligations of the data subject.<\/em>\u201d<\/td>\n<\/tr>\n<tr class=\"row-4 odd\">\n<td class=\"column-1\">3.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Methods by which a Data Processing Consent is expressed<\/td>\n<td class=\"column-3\">\n<p>A Data Processing Consent must be expressed <em><u>clearly and specifically<\/u><\/em> (a) in writing;<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a> (b) by voice; (c) <em><u>by ticking the consent box<\/u><\/em>; (d) by syntax of instant message consent; (e) by selecting technical settings for consent; or (f) by other actions which <em><u>express the consent<\/u><\/em>.<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> Of note, we understand that \u201cin writing\u201d means that the Data Subject must actively write down or type out his\/her Data Processing Consent (either on physical paper or on computer).<\/p>\n<\/td>\n<td class=\"column-4\">\n<p>Article 11.3 of Decree 13 provides that: \u201c<em>The consent of the data subject must be expressed <u>clearly and specifically<\/u><u> in writing, by voice, by ticking the consent box, by syntax of instant message consent, by selecting technical settings for consent, or by other actions which express the consent<\/u>.<\/em>\u201d<\/td>\n<\/tr>\n<tr class=\"row-5 odd\">\n<td 
class=\"column-1\">4.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Purposes to which a Data Processing Consent is given<\/td>\n<td class=\"column-3\">\n<p>Simply speaking, a Data Processing Consent must be given to a purpose. If a Data Processing Consent is given to a specific purpose, it cannot be processed for other purposes. If the Controller or Processor intends to use a Data Processing Consent for multiple purposes, it must estimate the potential purposes as much as possible, and list such purposes thoroughly.<\/td>\n<td class=\"column-4\">\n<p>Article 11.4 of Decree 13 provides that: \u201c<em>Consent must be given to the same purpose. When there are multiple purposes, the personal data controller and the personal data controller-cum-processor list the purposes so that the data subject agrees to one or more of the stated purposes.<\/em>\u201d<\/td>\n<\/tr>\n<tr class=\"row-6 odd\">\n<td class=\"column-1\">5.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Format of the Data Processing Consent<\/td>\n<td class=\"column-3\">\n<p>In this sense, we understand that the Data Processing Consent must be <em><u>in any form that can be read and understood by a natural person<\/u><\/em>, and it must be printable or reproducible in written form (either physical paper or electronic files).<\/td>\n<td class=\"column-4\">\n<p>Article 11.5 of Decree 13 provides that: \u201c<em>The consent of the data subject must be expressed in a format that can be <u>printed and reproduced in writing<\/u><u>, including in electronic <strong>or<\/strong> <\/u><u>verifiable formats<\/u><u>.<\/u><\/em>\u201d<\/td>\n<\/tr>\n<tr class=\"row-8 odd\">\n<td class=\"column-1\">6.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Expression of the Data Processing Consent<\/td>\n<td class=\"column-3\">\n<p>We understand that, there must be proof that the Data Subject actively gives his\/her Data Processing Consent.<\/td>\n<td 
class=\"column-4\">\n<p>Article 11.6 of Decree 13 provides that: \u201c<em>The data subject&#8217;s <u>silence or non-response is not considered consent<\/u>.<\/em>\u201d<\/td>\n<\/tr>\n<tr class=\"row-8 odd\">\n<td class=\"column-1\">7.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Partial or Conditional Consent<\/td>\n<td class=\"column-3\">\n<p>We understand that, with respect to given personal data for which the Controller or Processor requests Data Processing Consent, the Data Subject (a) can give his\/her Data Processing Consent to a part of such personal data, or (b) attach certain conditions that the Controller or Processor must observe or satisfy when processing his\/her personal data.<\/td>\n<td class=\"column-4\">\n<p>Article 11.7 of Decree 13 provides that: \u201c<em>The data subject may give partial or conditional consent.<\/em>\u201d<\/td>\n<\/tr>\n<tr class=\"row-8 odd\">\n<td class=\"column-1\">8.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Explicit Announcement of Sensitive Personal Data<\/td>\n<td class=\"column-3\">\n<p>We understand that, when processing sensitive personal data, the Controller or Processor must explicitly inform the Data Subject of the same. Moreover, even though Decree 13 does not expressly require so, the explicit information, in this sense, must highlight <em><u>not only the category of the data but also the characteristic of the sensitive data<\/u><\/em>, so that the Data Subject is fully aware of the risks and potentials when permitting the Controller or Processor to process his\/her sensitive personal data. 
In particular, the Controller or Processor must expressly let the Data Subject know that \u201c<em>sensitive personal data are personal data associated with an individual&#8217;s privacy that, <u>when violated, will directly affect an individual&#8217;s legitimate rights and interests<\/u>.<\/em>\u201d<\/td>\n<td class=\"column-4\">\n<p>Article 11.8 of Decree 13 provides that: \u201c<em>For the processing of sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data.<\/em>\u201d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>TABLE 2. ANALYSIS OF FEASIBILITY &amp; SOLUTION RECOMMENDATION<\/strong><\/p>\n<table style=\"height: 400px;\" width=\"509\">\n<tbody>\n<tr class=\"row-1 odd\">\n<th class=\"column-1\"><strong>S\/N<\/strong><\/th>\n<th class=\"column-2\"><strong>Requirements<\/strong><\/th>\n<th class=\"column-3\"><strong>Comments<\/strong><\/th>\n<th class=\"column-4\"><strong>Method 1<\/strong><\/th>\n<th class=\"column-5\"><strong>Method 2<\/strong><\/th>\n<\/tr>\n<tr class=\"row-2 odd\">\n<td class=\"column-1\"><span style=\"color: 
#000000;\">1.<\/span><\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Scope of Data Processing Consent<\/td>\n<td class=\"column-3\">\n<p>The Data Processing Clause or Data Processing Agreement must explicitly list out the activities of the personal data processing. Of note, the activities listed therein must be specific and limited only to the needs of the Controller or Processor in order to proceed with the transaction contemplated under the Cover Document. <strong>For example<\/strong>: <em>If the transaction contemplated in the Cover Document is a loan transaction, the action of <u>decrypting<\/u> may be considered as unrelated and unspecific, unless the collected data is encrypted and needs to be decrypted before processing.<\/em><\/td>\n<td class=\"column-4\">\n<p>High<\/td>\n<td class=\"column-5\">\n<p>High<\/td>\n<\/tr>\n<tr class=\"row-3 odd\">\n<td class=\"column-1\">2.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Conditions for the Data Processing Consent to be valid<\/td>\n<td class=\"column-3\">\n<p>As for the requirement that the consent of the data subject is only valid when the data subject freely and fully knows the required contents, the Controller or Processor should design a mechanism to serve 2 purposes:<\/p>\n<ol>\n<li>Prove the efforts of the Controller or Processor in forcing the Data Subject to read and understand the Data Processing Clause or Data Processing Agreement.<\/li>\n<li>Create irrefutable evidence that the Data Subject positively assented to the Data Processing Clause or Data Processing Agreement.<\/li>\n<\/ol>\n<p>This means that in addition to the tick-box, there are several suggestions:<\/p>\n<ol>\n<li>The wording of the Data Processing Clause or Data Processing Agreement should be written in a user-friendly, straightforward, understandable and transparent way without any jargon. 
Otherwise, the Data Subject may claim that they did not understand the wording \u2013 that is, they did not <em>fully know<\/em> what they read \u2013 which may shatter the requirement of \u201c<em>freely and fully knows.<\/em>\u201d<\/li>\n<li>The Data Processing Clause should be popped out of the Cover Document, so that no one can claim that \u201c<em>they could not see such clause in a wall of text.<\/em>\u201d<\/li>\n<li>There should be a \u201c<em>scroll-wrap<\/em>\u201d solution which forces the Data Subject to thoroughly scroll the browser interface down to the end of the webpage (assuming that the Data Subject uses a computer or mobile application to read and sign the Cover Document), which may prevent the Data Subject from saying that they just ticked the box without fully reading the Cover Document.<\/li>\n<li><span style=\"font-family: inherit; font-size: inherit;\"> There should be a re-confirm pop-up or button for the Data Subject to make sure that they really want to confirm their Data Processing Consent. This, as we presume, would serve as a safeguard for the Controller or Processor to prove that it already applied its best endeavors to help the Data Subject be aware of the Data Processing Clause or Data Processing Agreement before they actually give the Data Processing Consent.<\/span><\/li>\n<\/ol>\n<\/td>\n<td class=\"column-4\">High<\/td>\n<td class=\"column-5\">High<\/td>\n<\/tr>\n<tr class=\"row-4 odd\">\n<td class=\"column-1\">3.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Methods by which a Data Processing Consent is expressed<\/td>\n<td class=\"column-3\">\n<p>The tick-box solution allowed in Article 11.3 of Decree 13 is a method <em>for the Data Subject to express or give the Data Processing Consent<\/em>, rather than a method <em>for the Controller or Processor to get and record the Data Processing Consent<\/em>. 
The problem for the Controller or Processor is how to get and record the result from the tick-box (\u201c<strong>Tick-Box Consent<\/strong>\u201d), which must be in the format specified in, and meet the requirements of, Decree 13. In particular, the result of the Tick-Box Consent must be gotten and recorded in any form that can be read and understood by a natural person, and it must be printable or reproducible in written form (either physical paper or electronic files).<\/p>\n<p>(<em>Please also refer to our comments in Item 5 of this Table<\/em>)<\/p>\n<\/td>\n<td class=\"column-4\">\n<p>High<\/td>\n<td class=\"column-5\">\n<p>High<\/td>\n<\/tr>\n<tr class=\"row-5 odd\">\n<td class=\"column-1\">4.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Purposes to which a Data Processing Consent is given<\/td>\n<td class=\"column-3\">\n<p>As we understand, this requirement is approached in the same way as the scope of activities of the personal data processing (mentioned in Item 1 of this Table). In particular, the Data Processing Clause must explicitly list out the purposes of the personal data processing. Of note, the purposes listed therein must be specific and limited only to the needs of the Controller or Processor in order to proceed with the transaction contemplated under the Cover Document. 
<strong>For example<\/strong>: <em>If the transaction contemplated in the Cover Document is a loan transaction, the purpose of <u>promoting another product<\/u> may be considered as unrelated and unspecific.<\/em><\/td>\n<td class=\"column-4\">\n<p>Moderate<\/p>\n<p>(<em>it is hard to list out everything in a clause<\/em>)<\/p>\n<\/td>\n<td class=\"column-5\">\n<p>High<\/td>\n<\/tr>\n<tr class=\"row-6 odd\">\n<td class=\"column-1\">5.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Format of the Data Processing Consent<\/td>\n<td class=\"column-3\">\n<p>We understand that the format as required in Article 11.3 of Decree 13 must be reflected from 2 sides:<\/p>\n<ol>\n<li><strong>From the side of the Data Subject<\/strong>: Once the Data Processing Consent is given (e.g., by ticking consent box, by texting instant message, etc.), it must be generated in a form that the Data Subject can print it out in physical paper, or reproduce and store it anywhere they want (e.g., the Data Subject can copy such Data Processing Consent file, and store it in their personal computer).<\/li>\n<li><strong>From the side of the Controller or Processor<\/strong>: Whenever it needs, the Controller or Processor can extract such Data Processing Consent in a printable and reproducible result, and such result must match with the one that the Data Subject owns from their side (point 1 above). 
There should be controls to ensure that the Controller or Processor can make a solid connection between what the Controller or Processor stores\/retrieves at their side, and what the Data Subject stores\/retrieves at their side as mentioned in point 1.<\/li>\n<\/ol>\n<p>(<em>Please also refer to our comments in Item 3 of this Table<\/em>)<\/p>\n<\/td>\n<td class=\"column-4\">\n<p>High<\/td>\n<td class=\"column-5\">\n<p>High<\/td>\n<\/tr>\n<tr class=\"row-7 odd\">\n<td class=\"column-1\">6.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Expression of the Data Processing Consent<\/td>\n<td class=\"column-3\">\n<p>As for this requirement, the Controller or Processor should have a mechanism to ensure that the act of giving the Data Processing Consent is (a) actually made by a natural person (not a bot or machine), and (b) made directly by the Data Subject (not his\/her child, spouse or acquaintances). Besides, the Controller or Processor should ensure that they do not let the Data Subject give the Data Processing Consent without making an active action \u2013 that is, for example, avoid the following solutions or the like:<\/p>\n<ol>\n<li><strong>Pre-ticked box<\/strong>: Which does not force the Data Subject to tick, and lets the Data Subject go straight to the \u201c<em>submit button.<\/em>\u201d<\/li>\n<li><strong>Opt-out option<\/strong>: Which commonly states that the Data Subject must tick the box to decline the Data Processing Clause. If the Data Subject does not tick such opt-out box and goes straight to the \u201c<em>submit button,<\/em>\u201d then the Data Subject is considered as assenting to the Data Processing Clause.<\/li>\n<li><strong>Browse-wrap approach<\/strong>: Which commonly states that if the Data Subject assents to the Cover Document, they also assent to the Data Processing Agreement that is usually embedded in a hyperlink in the Cover Document. This approach normally does not force the Data Subject to click the hyperlink and to thoroughly read the Data Subject Agreement. 
In this case, the Controller or Processor must ensure that, if the Data Subject does not click the embedded link, they cannot proceed with the Cover Document. Only after the system recognizes that the Data Subject clicked the link and went through all steps required may the Data Subject click the \u201c<em>submit button.<\/em>\u201d<\/li>\n<\/ol>\n<p>In this sense, if the Controller or Processor makes any changes to the contents announced to the Data Subject (as in Article 11.2 of Decree 13), the Controller or Processor must get the Data Processing Consent again. It is unacceptable if:<\/p>\n<ol>\n<li>The Controller or Processor sends a notification to the Data Subject, which says that if the Data Subject does not clearly reject or disagree with the changes, they will be considered as giving their Data Processing Consent to such changes.<\/li>\n<li>The Controller or Processor provides a clause in the Data Processing Clause or the Data Processing Agreement which says that the Data Processing Consent given the first time will continue covering any changes later made in the Cover Document or the Data Processing Agreement.<\/li>\n<\/ol>\n<\/td>\n<td class=\"column-4\">\n<p>Moderate<\/td>\n<td class=\"column-5\">\n<p>High<\/td>\n<\/tr>\n<tr class=\"row-8 odd\">\n<td class=\"column-1\">7.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Partial or Conditional Consent<\/td>\n<td class=\"column-3\">\n<p>As we understand, the Controller or Processor must give the Data Subject the options to give the Data Processing Consent in part, in whole, or with their conditions. We know that (a) in most cases, the personal data for which the Controller or Processor asks the Data Subject are necessary to conclude the transactions in the Cover Document; whereas, (b) in rare cases, the personal data requested are not really necessary for such transactions. 
As such, in the sense of Article 11.7 of Decree 13, the Controller or Processor must give the Data Subject the option to decline, or attach their conditions to, the latter. If the Controller or Processor forces the Data Subject to give the Data Processing Consent to the latter (for example, by saying that the Controller or Processor will not provide products or services if the Data Subject does not give their Consent to all of the personal data the Controller or Processor requested because the Controller or Processor needs such personal data to assent to the transaction, which is untrue and manipulative), such Data Processing Consent may be considered as violating the principle of \u201c<em>the data subject permitting the processing of his\/her personal data in a \u2026 voluntary \u2026 manner<\/em>\u201d as defined in Article 2.8 of Decree 13.<\/td>\n<td class=\"column-4\">High<\/td>\n<td class=\"column-5\">High<\/td>\n<\/tr>\n<tr class=\"row-9 odd\">\n<td class=\"column-1\">8.<\/td>\n<td class=\"column-2\" style=\"text-align: justify;\">\n<p>Explicit Announcement of Sensitive Personal Data<\/td>\n<td class=\"column-3\">\n<p>As we understand, the personal data that the Controller or Processor collected are sensitive personal data as defined in Article 2.4(h) of Decree 13. 
Thus, the Data Processing Clause or the Data Processing Agreement must clearly spell out that <em>the personal data requested for the transaction in the Cover Document (a) are sensitive personal data, and (b) are associated with an individual&#8217;s privacy that, when violated, will directly affect an individual&#8217;s legitimate rights and interests.<\/em> To be clear, as we understand, it is not acceptable, in the sense of Decree 13 \u2013 that is, a regulation that definitely favors the Data Subject, to only state that such personal data are sensitive data <em>without letting the Data Subject fully know that such data, when violated, will directly affect their legitimate rights and interests<\/em>.<\/td>\n<td class=\"column-4\">\n<p>High<\/td>\n<td class=\"column-5\">\n<p>High<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><em>Time of writing:<\/em><\/strong> 20<em>\/05\/2023<\/em><\/p>\n<p><em>The article contains general information which is of reference value. In case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Given the issuance of Decree 13\/2023\/ND-CP on personal data protection (\u201cDecree 13\u201d), all credit organizations are exploring different methods to get their customers\u2019 consents before processing the personal data of such customers. Decree 13 paves a path to different methods and formats by which organizations can get the consents of their customers. 
To not only give the&#8230;<\/p>\n","protected":false},"author":4,"featured_media":5406,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-5965","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/5965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=5965"}],"version-history":[{"count":0,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/5965\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/5406"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=5965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=5965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=5965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}