After exploring the seven core principles of personal data processing under Decree 13/2023/NĐ-CP, we now turn to another vital aspect of this regulation: the 11 rights of data subjects outlined in Article 9. These rights empower individuals with significant control over their personal information, while imposing clear obligations for compliance and cybersecurity on businesses.
Understanding and respecting these rights is not just a legal requirement—it’s a cornerstone of building trust with customers and partners in today’s increasingly complex digital environment.
I. Empowering Individuals: The 11 Rights of Data Subjects (Article 9)
Decree 13 grants individuals substantial control over their personal data by outlining 11 fundamental rights, ensuring greater transparency and agency over how their information is processed. These rights include:
- Right to Be Informed
Data subjects have the right to be informed about how their personal data is processed, unless otherwise stipulated by law. This includes details such as purpose, data type, processing methods, involved parties, potential risks, and processing duration.
  - Implications for businesses: Companies must establish clear, accessible, and understandable notification mechanisms (e.g., privacy policies, pop-ups) to ensure individuals know exactly how their data is collected, used, and shared. Absolute transparency is required.
- Right to Consent
Individuals have the right to grant or deny consent for their data to be processed, with exceptions (e.g., emergencies, legal obligations, national security, or public agencies).
  - Implications for businesses: Consent must be informed, specific, and freely given. Silence or inaction cannot be interpreted as consent. Sensitive data requires additional transparency about its nature and purpose.
- Right to Access
Data subjects may access, review, and request corrections to their personal data, unless restricted by law.
  - Implications for businesses: Companies must provide user-friendly systems or processes that allow individuals to view and amend their data. This requires agile, transparent data management capabilities.
- Right to Withdraw Consent
Individuals may withdraw consent at any time. The withdrawal does not affect prior lawful data processing.
  - Implications for businesses: Clear withdrawal processes must be in place, and processing must cease immediately upon request. Data subjects must also be informed of potential consequences of withdrawal.
- Right to Erasure
Individuals may request their data be deleted under specific conditions (e.g., data no longer needed, consent withdrawn, unlawful processing).
  - Implications for businesses: Companies must be able to securely and irreversibly delete data upon valid request—typically within 72 hours. This necessitates strong data retention policies and secure deletion tools.
- Right to Restrict Processing
Individuals may request the restriction of data processing, unless otherwise specified by law. Restrictions must be applied within 72 hours of the request.
  - Implications for businesses: Companies need the ability to pause or limit processing activities without affecting other operations.
- Right to Data Provision
Data subjects may request a copy of their personal data from the Data Controller/Processor, unless otherwise limited by law. This must be fulfilled within 72 hours.
  - Implications for businesses: Similar to access rights, systems must support the export of personal data in a readable, usable format.
- Right to Object to Processing
Individuals may object to processing—especially for marketing—unless legal exceptions apply. Data controllers must respond within 72 hours.
  - Implications for businesses: Businesses must implement mechanisms to allow individuals to opt out of marketing or certain data uses quickly and clearly.
- Right to Complain or Sue
Data subjects may file complaints or initiate legal proceedings if violations occur.
  - Implications for businesses: Internal complaint-handling mechanisms are essential, and companies must be prepared for potential legal challenges.
- Right to Compensation for Damages
Individuals have the right to claim compensation for damages resulting from personal data violations, unless otherwise agreed upon or legally restricted.
  - Implications for businesses: This right increases financial and legal risks for non-compliance, encouraging robust security and compliance investments.
- Right to Self-Protection
Data subjects may independently protect their rights under the Civil Code or related laws, or request intervention from competent authorities.
  - Implications for businesses: This right underscores Vietnam’s emphasis on empowering individuals. Businesses should expect proactive actions from individuals and increased regulatory scrutiny.
II. Implications for Cybersecurity and Businesses
The empowerment of individuals through these 11 rights significantly impacts corporate cybersecurity and data governance strategies:
- Need for Robust Data Management Systems: To support access, correction, deletion, and restriction requests, businesses must have agile systems capable of tracking, managing, and manipulating personal data securely and efficiently.
- Greater Transparency and Communication: Clear and accessible privacy policies and open communication channels are now essential, not optional.
- Investment in Data Security: The risks of legal action and financial liability tied to these rights push businesses toward implementing advanced security measures like encryption, access control, and intrusion detection systems.
- Effective Incident Response: Given strict response timeframes (e.g., 72 hours for deletion or restriction), businesses must establish clear incident response plans and workflows for handling data subject requests.
- Building Trust: Respecting and facilitating these rights helps companies build credibility and trust, a critical asset in today’s competitive digital economy.
In conclusion, the 11 rights outlined in Decree 13/2023/NĐ-CP are more than just a legal checklist—they are a call to action for businesses. Compliance requires a holistic approach encompassing governance, cybersecurity, and customer interaction. This marks a pivotal step toward creating a more secure and trustworthy digital ecosystem in Vietnam.
Disclaimer: This publication is intended for general informational purposes only. It should not be construed as professional legal advice for any specific case, organization, or individual.