Personal Data Protection

What is personal data protection?

Personal data protection aims to protect information that can be used to identify a person. This can include information such as name, address, phone number, email address, social security number, passport number, credit card number, personal preferences, medical history, professional history, and more.

Personal data protection is important because this information can be used for malicious purposes, such as identity theft, fraud, cybercrime, and harassment. Additionally, this information can be sold or shared with third parties without the individual’s consent, which can compromise privacy and security.

To protect personal data, many laws have been put in place around the world, such as the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Singapore’s Personal Data Protection Act (PDPA), and the United States’ California Consumer Privacy Act (CCPA).

These laws require companies and organizations to take measures to protect personal data and obtain consent from individuals before collecting, storing, using, or sharing this information. Individuals also have rights under these laws, such as the right to access their personal data, have it corrected or deleted, and object to its use for direct marketing purposes.

What are the applicable legal texts in Myanmar and Vietnam?

In Myanmar, personal data protection is currently regulated by the Personal Data Protection Law of 2017. This law was enacted in March 2017 and came into force in May 2020. The law aims to protect personal data in Myanmar by regulating its collection, processing, storage, and transmission. It also grants rights to individuals regarding the protection of their personal data, including the right to access their data and have it corrected or deleted.

In Vietnam, the Law on Cyber Information Security No. 86/2015/QH13 (November 19, 2015) ("CISL") establishes requirements for all entities involved in the collection, receipt, transmission, and use of data on the network. Personal data protection is regulated by the Cybersecurity Law of 2018 and the Personal Data Protection Law of 2019. The Cybersecurity Law aims to protect information security on computer networks and the Internet, while the Personal Data Protection Law establishes rules for the collection, use, processing, and transmission of personal data. It also grants rights to individuals regarding the protection of their personal data, including the right to access their data and have it corrected or deleted.

According to Resolution No.13/NQ-CP dated February 7, 2023, the Vietnamese government approves the regulation on the processing of personal data without the consent of the data owners in the following cases:

  • To protect the life and health of the data owner or concerned persons in emergency situations. The responsible parties for the control and processing of personal data and the relevant third parties must provide evidence in this case;
  • Disclosure of personal data in accordance with the law;
  • Processing data of competent public agencies in emergency situations concerning defense, national security, safety and social order, major natural disasters, or dangerous epidemics; risks that threaten national defense and security but not to the point of declaring a state of emergency; prevention and combat of riots, terrorism, criminal offenses, and other violations of the law;
  • Fulfilling obligations under the contract of the data owner with the relevant agencies, organizations, or individuals, in accordance with the law;
  • Serving the operations of state agencies provided by the relevant laws.

It should be noted that the implementation of these laws may vary depending on various factors, such as the availability of resources and appropriate regulatory mechanisms, as well as cultural and economic practices. Therefore, companies operating in Myanmar and Vietnam must be aware of these laws and their obligations regarding the protection of personal data, as well as the risks involved in non-compliance with these laws.