Yesterday, the Vietnamese government issued Decree No. 13/2023/ND-CP dated 17 April 2023 on Personal Data Protection ("PDP Decree"). The PDP Decree takes effect on 1 July 2023 but provides a grace period of two years on obligation of appointing personal data officer/department applicable only to SMEs and start-ups (excluding those directly operating in the business of personal data processing).1
The full text of the PDP Decree can be accessed here. Accordingly, the PDP Decree provides, for the first time, the following – all of which have been referred to in the draft PDP Decree to some extent:
- specific rights and obligations of data subjects;
- cross-border transfer of data;
- processing of sensitive data and children's personal data; and
- exemptions cases in which personal data can be processed without the consent of data subjects.
In addition to the above, there are also newly introduced regulations which both data subjects and data controllers/processors should be aware of (e.g. protection of personal data in the business of marketing and product promotion etc.)2
We also note that the PDP Decree provides the legal ground to establish a Portal for the protection of personal data protection. The specialized agency for personal data protection will be the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security.3
Given the PDP Decree's vast coverage, we will provide more details on how regulated parties (e.g. data subjects, data processors, etc.) can be compliant in a follow-up publication. Please stay tuned.
Co-authors: Khanh Nguyen and Nhi Nguyen
Footnotes
1. Article 43 PDP Decree
2. Article 19, 21 PDP Decree
3. Article 29 PDP Decree
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
