Clinics are entities that store and process some of the most sensitive types of customers’ personal information, including data relating to health conditions, medical records, and medical examination and treatment results. The disclosure of customers’ personal data to other organizations or individuals without the consent of the data subjects not only constitutes a violation of privacy rights but may also cause harm to patients.

In this article, VDPC provides a detailed analysis of the legal responsibilities of clinics in cases where incidents of personal data disclosure involving data subjects occur, in accordance with the Law on Personal Data Protection 2025.

1. Practical Scenario

Clinic X receives a complaint from a customer (Customer A) regarding the disclosure of Customer A’s personal information during the course of medical examination.

Specifically, after using medical examination services at Clinic X, Customer A received a phone call from a third party providing healthcare-related services, inviting Customer A to use additional services. As Clinic X had previously introduced information about a healthcare service package associated with the medical examination, Customer A trusted the call and agreed to use the third party’s services, and even made payment for a service package offered by the third party.

After the transaction was completed, Customer A became suspicious because the service provider did not wear Clinic X’s uniform. Upon verification, Clinic X confirmed that the individual was neither its employee nor its partner. Customer A immediately requested termination of the service, a refund, and submitted a complaint, requesting that Clinic X apologize for the disclosure of personal data to a third party and take measures to retrieve Customer A’s leaked personal information.

2. What Responsibilities Does the Clinic Bear Toward Customer A?

Legal basis: Articles 3 and 37, Law on Personal Data Protection 2025

In this case, Clinic X acts as a Personal Data Controlling and Processing Party (an organization that determines the purposes and means of personal data processing and directly processes personal data). Clinic X is required to fulfill its legal obligations toward Customer A (the personal data subject), including the following responsibilities:

  • Specify the responsibilities, rights, and obligations of the concerned parties to be complied with in agreements or contracts regarding personal data processing
  • Only receive personal data after concluding an agreement or contract on personal data processing with the personal data controlling party or personal data processing and controlling party
  • Decide on the purposes and means of personal data processing in documents and agreements with personal data subjects, ensuring compliance with the applicable principles and requirements
  • Adopt appropriate managerial and technical measures to protect personal data according to the law and review and update such measures if necessary
  • Process personal data in compliance with the agreement or contract concluded with the personal data controlling party
  • Issue notices of violations against personal data protection regulations

Additionally, there are other responsibilities, such as:

  • Select an appropriate personal data processing party to process personal data
  • Ensure the rights of personal data subjects
  • Adequately implement measures to protect personal data
  • Assume responsibility before personal data subjects for any damage arising from personal data processing
  • Assume responsibility before the personal data controlling party or personal data processing and controlling party for any damage arising from personal data processing
  • Prevent unauthorized collection of personal data from its system, equipment, and service
  • Cooperate with the Ministry of Public Security of Vietnam and competent state authorities in protecting personal data, providing information serving the investigation, and handling violations against personal data protection laws
  • Implement other responsibilities pursuant to regulations.

3. Is the Clinic Required to Issue a Public Apology? How Should This Situation Be Handled?

Legal basis: Article 11, Civil Code 2015

In the case of Customer A, the clinic may be required to issue a public apology if Customer A requests a competent authority to compel the clinic to do so.

However, in this situation, as the clinic is not the party that directly disclosed or exchanged Customer A’s personal information, the clinic may proactively issue a direct apology to Customer A. At the same time, the clinic should propose solutions in good faith, including support measures and remedial actions to address the incident and mitigate the consequences relating to Customer A’s leaked personal data.

4. Is Customer A’s Request to Retrieve the Leaked Information Consistent with the Law? If So, How Should It Be Handled?

Legal basis: Articles 3 and 4, Law on Personal Data Protection 2025

Customer A’s request for the retrieval of leaked information is consistent with the Law on Personal Data Protection. As the personal data subject, Customer A has the right to give or withdraw consent for personal data processing; to request the provision, deletion, or restriction of the processing of personal data; and to object to the processing of personal data.

(Personal data processing refers to any operation performed on personal data, including one or more of the following activities: collection, analysis, aggregation, encryption, decryption, modification, deletion, destruction, anonymization, provision, disclosure, transfer of personal data, and other activities affecting personal data.)

In this case, the clinic should verify which external service providers or third parties have accessed the clinic’s information. Subsequently, the clinic should take measures to retrieve the data and request such organizations or individuals to delete Customer A’s personal information in order to protect Customer A’s lawful rights and interests.

In addition, the clinic should conduct an internal review of its systems and personnel to identify the individual(s) responsible for the disclosure of patient information. The clinic should also strengthen controls or limitations on access rights and enhance the protection of patients’ personal data.

5. If the Individual Responsible for the Disclosure Is Identified, Can the Clinic Require That Individual to Bear Full Responsibility?

Legal basis:

Even if the individual responsible for disclosing Customer A’s personal information is identified, the clinic remains legally responsible. Although the clinic may not have intentionally committed the act of disclosure, it may still be subject to the following liabilities under applicable laws:

  1. Pursuant to the Law on Personal Data Protection, the disclosure of personal data constitutes a prohibited act. Organizations or individuals committing such violations may be subject to administrative penalties, with fines of up to 3 billion VND. In terms of civil liability, violators may also be required to compensate the personal data subject for any damages incurred, where applicable.
  2. According to Decree No. 98/2020/NĐ-CP, the act of transferring consumers’ information to a third party without the consumers’ consent may be subject to administrative fines ranging from 30,000,000 VND to 40,000,000 VND.
  3. Pursuant to Decree No. 117/2020/NĐ-CP, the act of disclosing a patient’s medical condition, information provided by the patient, or medical records held by a general clinic may result in administrative fines ranging from 2,000,000 VND to 6,000,000 VND.

6. What Risks Does the Clinic Face If Customer A Files a Complaint with a Competent Authority?

The clinic may face both legal and practical risks.

First, from a legal perspective, in addition to the administrative penalties and civil liability for compensation (if any) that the clinic may bear as mentioned in Section 4, the clinic’s honor, reputation, revenue, and even its operational activities may be adversely affected if Customer A files a complaint with a competent authority.

CONCLUSION

The responsibilities of clinics in cases where customers’ personal data is disclosed without consent are highly significant. To ensure legal compliance and protect their reputation, clinics must establish and maintain strict security systems, develop clear personal data processing procedures, and strictly comply with all applicable legal regulations.

The above outlines the responsibilities of clinics when customers’ personal data is disclosed to other organizations or individuals without consent. Should you have any further questions regarding this matter, please contact VDPC for the most accurate advice and support.

Sincerely!

Zalo: 090.225.5492
