What does Decree 13/2023/ND-CP regulate?
The main points of Decree 13/2023/ND-CP (Decree 13) are as follows:
- The Decree provides for the protection of personal data and the responsibility for personal data protection of relevant agencies, organizations and individuals.
- Definition of personal data: Information in the form of symbols, script, digits, images, sound or a similar form in the electronic environment that is associated with a specific person or helps identify a specific person.
Personal data includes basic personal data and sensitive personal data.
- Roles of the parties in Decree 13:
4. Rights of data subject:
(1) The right to know (Right to consent)
(2) The right to access
(3) The right to withdraw consent
(4) The right to data deletion
(5) The right to restriction of data processing
(6) The right to data provision
(7) The right to object to data processing
(8) The right to file complaints or denunciations and initiate lawsuits
(9) The right to claim compensation for damage
(10) The right to self-protection
What did Mobio do to comply with Decree 13?
Regarded as a Customer Data Platform, Mobio needs to clearly define roles and responsibilities in complying with Decree 13 of the Government, and must ensure that businesses using Mobio’s software have enough “tools” to carry out this requirement.
Who is “responsible” in each service model Mobio is providing:
Model (1): Using Mobio’s Cloud – SaaS version (hosting in Vietnam)
| Party | Role |
| --- | --- |
| Profile (Business’s Customers) | Data Subject |
| Business using Mobio’s software | Data Controller |
| Mobio | Data Processor |
Model (2): Providing On-Prem installation on the hardware infrastructure of the business
| Party | Role |
| --- | --- |
| Profile (Business’s Customers) | Data Subject |
| Business using Mobio’s software | Data Controller & Data Processor |
| Mobio | Software vendor providing software maintenance and on-demand support |
The Mobio system focuses on satisfying 3 main rights:
– The right to consent
– The right to know
– The right to data deletion
1. The right to consent
Any data that is imported into the system (CDP) requires the consent of the “Data Subject”. Proof of consent must be clearly expressed, in a format that can be printed or reproduced in writing.
- Businesses need to ensure that the data collected and imported into Mobio has the consent of customers, including the following 3 “types” of consent:
  - Tracking Consent: Record consent for the purpose of “Storage” of personal data and “Behavior Tracking” on the website or application of “Data Subject”
  - Analytic Consent: Record consent for the purpose of “Analysis” of personal data of “Data Subject”
  - Marketing Consent: Record consent for the purpose of “Engagement, Marketing Promotion” by “Data Subject”
- Mobio needs to store proof of the consent that allows the business to use each customer’s data, so that it can be reconciled when necessary.
➔ Mobio adds the following features:
- Improved Profile synchronization rules: Allow configuration to record the 3 types of customer consent when importing data from each source.
For details, see the Synchronization Rule.
- Improved flow for creating new Profiles: When creating new profiles one by one or uploading multiple profiles, the business configures the recording of the 3 types of customer consent and attaches the corresponding evidence file.
- Added consent information in Profile details: After evidence is uploaded, the system stores this information in a separate section of the Profile details so that businesses can easily find, reconcile, and modify it if necessary.
2. The right to know
Data subjects have the right to know that their data is stored on the Mobio system.
By using Mobio’s Journey Builder feature, businesses can notify their customers that their data is being stored and processed by the business.
See also: Journey Builder User Guide
3. The right to data deletion
The data subject has the right to send a data deletion request to the system.
Step 1: Create a rule to automatically delete a Profile when a Ticket “Profile Deletion Request” arises.
Step 2: When receiving a request to delete data from a customer, the business creates a Ticket, selects the type “Request to delete Profile”, selects any Ticket Owner, and selects the Profile to be deleted. The automatic rule will be applied and the system will delete the profile information attached to the ticket.
See more: How to create a Ticket