Article 14 of the Law regulating the deletion, cancellation, and revocation of personal data identification clearly states:
The deletion and cancellation of personal data is carried out in the following cases:
a) The personal data subject requests and accepts the risks and damages that may occur to them. The request of the personal data subject in this case must fully comply with the principles specified in Clause 3, Article 4 of this Law;
b) Has completed the purpose of processing personal data;
c) Expiring the storage period according to the provisions of law;
d) Implementation according to decisions of competent state agencies;
e) Implementation according to agreements;
e) Other cases as prescribed by law.
The Law also requires that the deletion and cancellation of personal data must be carried out by safe measures; preventing activities of intrusion and illegal recovery of deleted and destroyed personal data.
Currently, according to Decree No. 13/2023/ND-CP on the protection of personal data of the Government, data subjects are required by the controller of personal data and the controller and processor of personal data to delete their personal data in the following cases:
a) Recognizing that it is no longer necessary for the purpose of collection has agreed and accepted the possible damages when requesting data deletion;
b) Withdraw consent;
c) Opposing the processing of data and the Personal Data Controller, the Personal Data Control and Processing Agency has no legitimate reason to continue processing;
d) Personal data is processed not in accordance with the agreed purpose or the processing of personal data is a violation of the provisions of law;
e) Personal data must be deleted according to the provisions of law.
Notably, data deletion will not apply when requested by the data subject in the following cases: The law stipulates that data deletion is not allowed;
Personal data is processed by competent state agencies for the purpose of serving the operation of state agencies in accordance with the law;
Personal data has been made public in accordance with the law; Personal data is processed to serve legal requirements, scientific research, statistics in accordance with the law;
In case of a state of emergency for national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, crime prevention and law violations; responding to an emergency situation that threatens the life, health or safety of data subjects or other individuals.
The Decree also clearly states that data deletion is carried out within 72 hours after request from the data subject with all personal data collected by the Personal Data Controller, the Personal Data Control and Processing Entity, unless otherwise provided by law.
