Legal News

Cases Where Personal Data Can Be Processed Without the Subject’s Consent

02
Mar

Cases Where Personal Data Can Be Processed Without the Data Subject’s Consent

In the current legal landscape, personal data protection is one of the most critical issues, especially as the Personal Data Protection Law has come into effect. As a general principle, the processing of personal data requires the consent of the data subject. However, the law also stipulates certain exceptions where organizations and individuals can process data without obtaining consent. These regulations aim to protect public interests, ensure national security, or fulfill legal obligations.

In this article, Luật Kỳ Vọng Việt will clarify the cases in which personal data can be processed without the data subject’s consent, helping businesses and individuals understand their rights and obligations in data processing activities.

1. What is Personal Data?

Legal Basis: Clause 1, Article 2 of Decree 13/2023/NĐ-CP

Personal data refers to information in the form of symbols, letters, numbers, images, sounds, or similar formats in an electronic environment that is associated with a specific person or helps identify a specific person.

Personal data includes basic personal data and sensitive personal data.

2. Cases Where Personal Data Can Be Processed Without the Data Subject’s Consent

Legal Basis: Article 17 of Decree 13/2023/NĐ-CP

The cases where personal data can be processed without the data subject’s consent include:

Case 1:

In emergency situations where immediate processing of personal data is necessary to protect the life or health of the data subject or others. The Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, or a Third Party is responsible for proving this case.

Case 2:

When personal data is publicly disclosed as required by law.

Case 3:

When data processing is conducted by a competent state agency in the following cases:

  • National defense and security emergencies
  • Public order and safety
  • Major disasters or dangerous epidemics
  • Threats to national security that have not yet led to a declared state of emergency
  • Prevention and control of riots, terrorism, crimes, and legal violations as prescribed by law

Case 4:

To fulfill contractual obligations of the data subject with relevant agencies, organizations, or individuals as prescribed by law.

Case 5:

For the operations of state agencies as prescribed by specialized laws.

3. Regulations on Storage, Deletion, and Destruction of Personal Data

Legal Basis: Article 16 of Decree 13/2023/NĐ-CP

The storage, deletion, and destruction of personal data are regulated as follows:

  • The data subject may request the Personal Data Controller or Personal Data Controller and Processor to delete their personal data in the following cases:
    • The data is no longer necessary for the agreed purpose, and the subject accepts potential consequences of deletion.
    • Consent is withdrawn.
    • The data subject objects to processing, and there is no legitimate reason to continue.
    • Data processing does not align with the agreed purpose or violates legal regulations.
    • The law mandates the deletion of the data.

However, data deletion will not apply if:

  • The law prohibits deletion.
  • The data is processed by a state agency for its legally defined functions.
  • The data has been made public as required by law.
  • The data is used for legal purposes, scientific research, or statistics.
  • National defense and security emergencies, major disasters, or epidemics require continued processing.
  • Emergency situations threaten the life, health, or safety of the data subject or another individual.

Other regulations include:

  • If a business undergoes division, merger, acquisition, or dissolution, personal data must be transferred as per legal requirements.
  • If a government agency undergoes restructuring or reorganization, personal data is transferred accordingly.
  • Data deletion must occur within 72 hours of a request from the data subject.
  • Personal Data Controllers, Processors, or Third Parties must store personal data appropriately and implement legal protection measures.
  • Data must be permanently deleted in cases such as:
    • It was processed for an unauthorized purpose or is no longer necessary.
    • The entity responsible for data processing ceases operations, is dissolved, or goes bankrupt.

This article outlines cases where personal data can be processed without the data subject’s consent. If you have further questions regarding this matter, please contact Luật Kỳ Vọng Việt for the most accurate consultation and support.