The State Bank is finalizing a draft Decree amending and supplementing a number of articles of Decree No. 58/2021/ND-CP on credit information service provision activities.
One of the notable contents is that the draft supplements the requirement that credit information companies must have internal regulations on protecting personal data in credit information service provision activities.
Credit information can be understood as data related to bank borrowing history, repayment ability, and customer credit status. This is an important data group in the process of credit institutions evaluating loan applications, considering credit granting, or risk management.
According to the draft content, the internal regulations of credit information companies must include at least the contents on assessing the impact of personal data processing, updating the dossier of assessing the impact of personal data processing and the dossier of assessing the impact of cross-border personal data transfer if any. Businesses must also have content on notifications of violations of personal data protection regulations.
In the summary of comments, the Ministry of Foreign Affairs requested to clarify the basis of this regulation. The State Bank explained that the addition of internal regulations on personal data protection is to ensure compliance and conformity with the Law on Personal Data Protection, Decree No. 356/2025/ND-CP and related documents.
According to the State Bank, in addition to the content on requesting to withdraw the consent of borrowers, credit information companies must also comply with other contents related to personal data according to legal regulations on personal data protection.
In addition to the requirement for personal data, the Ministry of Public Security also contributed opinions to adjust regulations on security plans. Specifically, this agency proposed regulations in the direction that credit information companies must have plans to ensure network security for information systems, plans to respond to and overcome network security incidents, and disaster prevention plans.
The drafting agency said that it has received and revised the related contents in the draft Decree.
