1. Your Rights under the PDPD

Vietnam's Personal Data Protection Decree (PDPD), implemented in July 2023, grants you greater control over your personal data held by organizations operating within the country. This section dives into the three key rights you possess under the PDPD:

1.1. Right to Access

The right to access empowers you to request information from an organization about your personal data. You can inquire about:

  • Confirmation of Data Possession: Does the organization hold any personal data associated with you?
  • Purpose of Data Processing: Why is the organization collecting and processing your data?
  • Data Categories Held: What specific categories of personal data do they have about you (e.g., name, contact details, purchase history)?
  • Data Sharing Recipients: Who are the organizations or entities with whom your data is shared (if applicable)?

This right allows you to gain transparency into how your data is being handled. With this knowledge, you can make informed decisions about your privacy and potential interactions with the organization.

1.2. Right to Rectify

Accuracy is crucial in data privacy. The right to rectification empowers you to identify and address any errors or inconsistencies in your personal data held by an organization. This could involve:

  • Correcting inaccurate information (e.g., a typographical error in your address).
  • Updating outdated information (e.g., notifying them of a new phone number).
  • Completing incomplete data (e.g., providing your middle name if it's missing).

By exercising this right, you can ensure the information the organization holds about you is accurate and reflects your current situation.

1.3. Right to Erasure (Right to be Forgotten)

Under certain circumstances, you have the right to request an organization to erase your personal data entirely. This "Right to be Forgotten" empowers you to take control of your data footprint and potentially detach yourself from certain information collected in the past. This right might be applicable if:

  • The organization no longer needs your data for the purpose it was originally collected.
  • You withdraw your consent for data processing (if consent was the lawful basis for processing).
  • You object to the processing of your data, and there are no overriding legitimate grounds for the organization to keep it.

It's important to note that exceptions exist. Organizations may not be obligated to erase your data if they are required by law to retain it for specific periods.

Understanding these three rights under the PDPD equips you to actively manage your personal data in Vietnam's digital landscape. The following sections will explore how to exercise these rights and what to expect from the organizations holding your data


2. Exercising Your Rights

The PDPD empowers you with control over your personal data, but knowing your rights is just the first step. This section dives into how you can effectively exercise your Right to Access, Right to Rectification, and Right to Erasure under the PDPD.

2.1. Submitting Your Request

To exercise your rights, you need to submit a written request to the organization holding your data. Here's what your request should typically include:

  • Clearly Stated Action: Clearly state your desired action. Are you requesting access to your data, rectification of inaccuracies, or complete erasure?
  • Your Personal Information: Include your full name and any other relevant identifying information to help the organization locate your data efficiently.
  • Supporting Details (Optional): For rectification requests, you might include documentation to support the changes you're requesting (e.g., a copy of your updated utility bill for a new address).

2.2. Submission Channels

Organizations should provide clear and accessible channels for submitting PDPD requests. While the specific method may vary depending on the organization, common options include:

  • Dedicated PDPD Request Portal: Many organizations may establish online portals specifically for handling PDPD requests.
  • Email: Submitting your request via email directed to a designated PDPD contact address is another possibility.
  • Postal Mail: Sending a written request by certified mail might be an option for organizations without online channels.

Consult the organization's website or privacy policy for their preferred method of receiving PDPD requests.

2.3. Timeframes and Fees

The PDPD mandates organizations to respond to your requests within a reasonable timeframe, typically no later than 72 hours from receiving your request. In most cases, organizations are not permitted to charge any fees for processing your PDPD requests, making it easier and more accessible for you to exercise your rights.

2.4. Additional Tips

Here are some additional tips for maximizing the effectiveness of your PDPD requests:

  • Clarity and Specificity: Frame your request clearly and specifically. The more precise your request, the easier it is for the organization to locate and process your data.
  • Maintain Copies: Keep copies of your requests and any communication with the organization for your records.
  • Seek Clarification: If you don't receive a response within the expected timeframe or the response is unclear, don't hesitate to follow up and seek clarification.

By following these steps and remaining proactive, you can effectively exercise your rights under the PDPD and ensure control over your personal data in Vietnam


3. Response Timeframes

The PDPD emphasizes prompt communication and transparency when it comes to your data privacy rights. This section clarifies the expected response timeframes for organizations handling your PDPD requests.

3.1. Legal Requirement for Timely Response

The PDPD mandates organizations to respond to your requests concerning access, rectification, or erasure of your personal data within a reasonable timeframe. This timeframe is typically set at no later than 72 hours from the moment they receive your request.

This prompt response requirement ensures you don't face unnecessary delays in exercising your rights. It also encourages organizations to maintain efficient data processing systems to facilitate quick retrieval and action on your requests.

3.2. Exceptions and Complex Requests

While 72 hours is the general timeframe, there might be some exceptions:

  • Highly Complex Requests: Involving a large volume of data or requiring extensive verification procedures, a complex request might take longer to process. However, the organization should still communicate this to you within the initial 72 hours and provide a revised timeframe for completion.
  • Need for Additional Information: If your request lacks clarity or the organization requires further information to locate your data or verify your identity, they may reach out to you for clarification. This communication exchange might extend the overall response timeframe slightly.

3.3. Importance of Clear Communication

Even in cases of exceptions, clear communication is crucial. If the organization anticipates a delay in responding to your request, they are obligated to inform you within the initial 72 hours. This explanation should detail the reason for the delay and provide a revised timeframe for when you can expect a response.

3.4. Your Right to Follow Up

If you haven't received a response within the expected timeframe (including any revised timeframe communicated by the organization), you have the right to follow up and inquire about the status of your request. You can utilize the same communication channel you used for your initial request or explore alternative methods offered by the organization


4. Exceptions and Limitations

The PDPD empowers you with significant control over your personal data in Vietnam. However, it's important to understand that there might be some exceptions and limitations to your rights under certain circumstances.

4.1. Legal Obligations

Organizations may be subject to laws or regulations that require them to retain your data for a specific period. For instance, tax regulations might mandate companies to retain financial transaction data for several years. In such cases, your right to erasure might be limited, as the organization has a legal obligation to keep your data on file.

4.2. Public Interest and National Security

National security or public interest considerations might also supersede your right to access or erasure in specific situations. For example, if law enforcement agencies require access to your data in the course of a criminal investigation, your right to access that data might be restricted.

4.3. Anonymized Data

The PDPD primarily applies to personal data that can be used to identify you. If your data is anonymized and cannot be linked back to you as an individual, your rights under the PDPD might not be applicable.

4.4. Third-Party Data

The PDPD focuses on data controlled by the organization to which you submit your request. If your data is held by a third-party organization that you haven't directly interacted with, you might need to submit your request directly to that third party to exercise your rights.

4.5. Balancing Rights

The PDPD strives to achieve a balance between your right to privacy and the legitimate interests of organizations. Organizations have a right to process data for lawful purposes, and limitations on your rights might be implemented to safeguard these interests as long as they are justified and proportionate.

Understanding these exceptions and limitations empowers you with a realistic understanding of your rights under the PDPD. It's always advisable to consult the organization's privacy policy or seek guidance from a legal professional specializing in Vietnamese data privacy law if you have any uncertainties regarding the applicability of your rights in a specific situation


5. Conclusion

Vietnam's Personal Data Protection Decree (PDPD) marks a significant shift towards empowering individuals with control over their personal data. By understanding your rights to access, rectify, and erase your data, you can take proactive steps to safeguard your privacy and ensure the accuracy of the information organizations hold about you.

This guide has equipped you with the knowledge to navigate the PDPD effectively. Remember, the PDPD emphasizes clear communication. When submitting requests, clarity and maintaining copies of your interactions are key. Organizations are obligated to respond within a reasonable timeframe, typically 72 hours, and keep you informed throughout the process.

While there might be exceptions and limitations to your rights in certain circumstances, the PDPD grants you significant control over your personal data landscape in Vietnam. With this newfound knowledge, you can make informed choices and exercise your rights with confidence. If you need further explanation on this subject, please don't hesitate to contact us through email at lienhe@luatminhkhue.vn or phone at: +84986 386 648. Lawyer To Thi Phuong Dzung.