- The Law on Information Technology 2006 stipulates:
Organizations and individuals collecting, processing and using personal information of others on the network environment must have the consent of that person, except in cases where the law provides otherwise (Article 21); 1. Individuals have the right to request organizations and individuals storing their personal information on the network environment to check, correct or cancel that information. 3. Individuals have the right to request compensation for damages caused by violations in providing personal information (Article 22).
- The 2010 Postal Law stipulates:
Users of postal services have the following rights and obligations: 1. To be provided with complete and accurate information about the postal services they use by postal service providers;
2. To have information safety and security guaranteed; 3. To complain about the postal services used (Article 30).
- The 2015 Civil Procedure Code stipulates that the whistleblower has the right to "Request that his/her full name, address, and handwriting be kept confidential" (Article 510).
Based on the above provisions, the content of the right to personal information protection can be summarized as follows:

(i) The right to request the information holder to keep his/her personal information confidential;
(ii) The right to review, request correction or deletion of personal information;
(iii) The right to allow third parties to access his/her personal information;
(iv) The right to request compensation from the information holder when there is an illegal act of information infringement, causing damage to the individual.
2.3.1.3. Regarding the obligations of information subjects
In addition to regulating the rights of data subjects, some laws have provisions on the obligations of information subjects, specifically:
- The Law on Information Security stipulates:
Individuals shall protect their personal information and comply with the provisions of law on the provision of personal information when using online services (Article 16); 1. Agencies, organizations and individuals participating in network information security activities shall be responsible for coordinating with competent state agencies and other organizations and individuals in ensuring network information security. 2. Agencies, organizations and individuals using online services shall be responsible for promptly notifying service providers or specialized incident response departments when detecting acts of sabotage or network information security incidents (Article 15).
- The 2006 Law on Residence stipulates citizens' responsibilities:
Provide complete and accurate information and documents about one's residence to competent authorities and persons and be responsible for the information and documents provided (Article 11).
- The 2015 Law on Statistics stipulates the obligations of organizations and individuals subject to statistical surveys:
Provide truthful, accurate, complete and timely information upon request of statistical investigators or statistical investigation agencies; do not refuse or obstruct the provision of statistical investigation information; be subject to inspection by statistical investigation agencies and statistical specialized inspectors regarding the information provided (Article 33).
Thus, from the above provisions, it can be seen that there is no unified approach in Vietnamese laws when referring to the obligations of information subjects.
Currently, in addition to some obligations such as providing accurate and complete information and having measures to protect personal information, the Statistics Law stipulates that information subjects have the obligation to “not refuse or obstruct the provision of statistical investigation information”. Meanwhile, some specialized laws stipulate that “allowing” agencies, organizations and individuals to access their personal information is the right of information subjects (Law on Information Security, Law on Access to Information, etc.).
2.3.1.4. Regarding the processing of personal information (exceptions to the right to protect personal information)
Clause 17, Article 3 of the Law on Network Information Security stipulates: “Processing personal information is the performance of one or several operations of collecting, editing, using, storing, providing, sharing, and disseminating personal information on the network for commercial purposes”. The Law on Information Technology stipulates a number of forms such as collecting, using, processing, storing, and transmitting personal information. Thus, it is possible to generalize aspects of activities affecting personal information, including:
- Providing, exchanging, transmitting, storing, managing and using digital information;
- Collection, processing and use of information;
- Monitoring, supervision and management of information content.
In principle, personal information is only processed in cases where the information subject consents. Some specialized laws stipulate the principle that agencies, organizations, and individuals may not use, provide, or disclose personal information that they have access to or control without the consent of the individual, unless otherwise provided by law. However, current laws do not have general provisions on exceptions to the right to protect personal information. These exceptions are only stipulated in some specialized laws, according to which organizations and individuals have the right to collect, process, and use personal information of others without the consent of that person. Specifically:
- Clause 3, Article 21 of the Law on Information Technology stipulates:
Organizations and individuals have the right to collect, process and use personal information of others without their consent in cases where such personal information is used for the following purposes:
a) Signing, amending or performing contracts for the use of information, products and services on the network environment;
b) Calculating prices and fees for using information, products and services on the network environment;
c) Perform other obligations as prescribed by law.
- Article 223 and Article 224 of the Criminal Procedure Code stipulate that during the investigation of crimes against national security, drug crimes, corruption crimes, terrorism, money laundering, and other organized crimes that are considered particularly serious crimes, competent persons have the right to apply special investigative measures that violate the right to protect personal data, such as secret audio and video recording; secret phone listening; and secret collection of electronic data.
- Article 6 of the Law on Telecommunications stipulates that telecommunications enterprises may disclose private information related to telecommunications service users, including name, address, calling number, called number, calling location, called location, call time and other private information that users have provided when entering into a contract with the enterprise in the following cases:
a) Telecommunications service users agree to provide information;
b) Telecommunications businesses have a written agreement with each other on exchanging and providing information related to telecommunications service users to serve the purpose of calculating rates, making invoices and preventing acts of evading contractual obligations;
c) When requested by a competent state agency as prescribed by law.
- Clause 4, Article 70 of Decree No. 52/2013/ND-CP on e-commerce stipulates:
The information collection unit does not need the prior consent of the information subject in the following cases:
a) Collecting personal information publicly disclosed on e-commerce websites;
b) Collect personal information to sign or execute contracts for the purchase and sale of goods and services;
c) Collect personal information to calculate prices and fees for using information, products and services on the network environment.
Article 71 of this Decree also stipulates that information collection units may use, share, disclose and transfer personal information to third parties without notifying the information subject in the following cases:
a) Have a separate agreement with the information subject on the purpose and scope of use other than the notified purposes and scope;
b) To provide services or products as requested by the information subject;
c) Perform obligations as prescribed by law.
As a human right recognized in the Constitution, the restriction of the right to protect personal information must be consistent with the principle stipulated in Clause 2, Article 14 of the 2013 Constitution: “Human rights and civil rights may only be restricted in accordance with the provisions of law in necessary cases for reasons of national defense, national security, social order and safety, social morality, and public health”. Comparing with the provisions of current law, it can be seen that in many cases, the law stipulates exceptions to the right to personal information protection that are not really consistent with the cases stipulated in Clause 2, Article 14 of the 2013 Constitution. At the same time, some exceptions to this right are stipulated in sub-law documents (Decrees).
2.3.1.5. On forms and methods of information protection
Research results show that the current legal system has initially had regulations on methods of protecting personal information/personal data. Right in the 2013 Constitution, Clause 3, Article 103 affirms: “People's Courts conduct trials publicly. In special cases where it is necessary to keep state secrets, national traditions and customs, protect minors or keep private life secrets at the legitimate request of the litigant, the People's Court may conduct trials in private”. This principle continues to be specified in procedural laws, specifically:
- The 2015 Civil Procedure Code stipulates that the personal secrets of minors must be kept confidential during the process of obtaining the minor's opinion and other procedural proceedings for minors (Clause 3, Article 208).
- The 2002 Ordinance on Organization of Military Courts also stipulates that Military Courts conduct trials publicly, except in cases where closed trials are required to preserve state secrets, military secrets, national customs, or to keep the parties' secrets at their legitimate request (Article 10).
In specialized legal documents, especially in sectors and fields directly related to personal information, the law has provisions to protect personal information appropriate to each sector and field, such as:
* In the medical field
- The Law on Donation, Collection and Transplantation of Human Tissues and Organs and on Donation and Collection of Corpses stipulates the protection of personal information by means of information encryption (Article 38), specifically:
+ All information about donors and recipients of human organ transplants must be encrypted and kept confidential.
+ In case of publishing this information, it must be anonymous so that the donor and the recipient cannot be identified, except in cases where the donor and the recipient are people of the same bloodline or are related within three generations.
+ In special cases for medical treatment purposes at the request of the head of the medical facility or at the request of the prosecuting agency, the information storage facility is allowed to provide information.
+ Records of donors and recipients must be kept and preserved for thirty years.
- Decree No. 56/2008/ND-CP regulating the organization and operation of tissue banks and the National Coordination Center for Human Organ Transplantation specifically stipulates the encoding of tissue information in Article 11: All information on tissue origin must be encoded on the principle of anonymity; the name, age, and address of the donor must not be recorded; each time the donor's tissue is collected, a separate identification code will be given.
- Decree No. 10/2015/ND-CP regulating childbirth by in vitro fertilization and conditions for surrogacy for humanitarian purposes stipulates that the donation, receipt, and storage of sperm, eggs, and embryos must be encoded and entered into a common database system, used nationwide, ensuring an information sharing mechanism between the Ministry of Health and facilities performing in vitro fertilization; ensuring that the donation and receipt of sperm, eggs, and embryos are carried out in accordance with the provisions of law (Clause 4, Article 3, Clause 5, Article 21, Clause 1, Article 23).
As can be seen, the main method of protecting personal information in the medical field is to encrypt personal information. In addition, there are also other methods to protect personal information in the medical field such as storing medical records according to the confidentiality levels of the law on state secret protection (Clause 3, Article 59 of the Law on Medical Examination and Treatment 2009).
* In the field of information technology
- The Law on Information Technology 2006 stipulates: Legal private information of organizations and individuals exchanged, transmitted, and stored on the network environment is guaranteed to be confidential according to the provisions of law (Point d, Clause 3, Article 18, Clause 1, Article 72).
With the above provisions, the new Law on Information Technology only stops at acknowledging the assurance of personal information confidentiality without specifically regulating methods and measures to protect personal information.
- The 2015 Law on Network Information Security stipulates the principles of protecting personal information online (Article 16). Accordingly, individuals must protect their personal information and comply with the provisions of law on providing personal information when using online services; agencies, organizations and individuals processing personal information are responsible for ensuring network information security for the information they process.
At the same time, Article 19 provides more specific regulations on ensuring information security on the network: organizations and individuals processing personal information must apply appropriate management and technical measures to protect the personal information they collect and store; comply with standards and technical regulations on ensuring network information security. When a network information security incident occurs or is at risk of occurring, organizations and individuals processing personal information must apply remedial and preventive measures as soon as possible.
- Decree No. 85/2016/ND-CP on ensuring information system security by level, Article 19 stipulates that the information system security plan must meet the basic requirements in the technical standards and regulations on ensuring information system security by level (including: ensuring information system security





