Vietnam's new Personal Data Protection Decree
On 17 April 2023, the Vietnamese Government issued Decree No. 13/2023/ND-CP on Personal Data Protection (the 'PDPD'). This is a long-awaited legal instrument in the area of personal data protection, following the release of its early draft since 2021.
Decree 13/2023/ND-CP includes 44 articles, divided into four chapters; specifically:
- Chapter I provides the scope of regulation; the subject of application; definitions; personal data protection principles; prohibited conducts; and handle violations of personal data protection regulations.
- Chapter II articulates the provisions on personal data processing, including provisions on the rights and obligations of data subjects; protection of personal data during the processing of personal data; the obligation to conduct impact assessment of personal data processing and cross-border transfer of personal data; and measures and conditions to ensure the protection of personal data.
- Chapter III defines the responsibilities of government agencies, organisations that control and process personal data, as well as other relevant parties.
- Chapter IV provides for the effect and responsibility for implementation of the Decree.
Key provisions regarding personal data processing under Decree No. Decree No. 13/2023
The PDPD has a wide scope of application. This Decree applies to (i) Vietnamese agencies, organisations and individuals; (ii) Foreign authorities, entities and individuals being in Vietnam; (iii) Vietnamese agencies, organisations and individuals that operate in foreign countries; and (iv) Foreign agencies, organisations and individuals that directly process or are involved in processing personal data in Vietnam. Unlike the European Union's General Data Protection Regulation (GDPR), Vietnam's PDPD does not exempt the processing of personal data by a natural person in the course of a purely personal or household activity.
The PDPD defines personal data as information on an electronic medium in the form of symbols, letters, numbers, photos, sounds, or the like that is associated with or can be used to identify a specific individual (Personally Identifiable Information, or PII). PII is further defined as information generated from an individual's activities that, when combined with other stored data and information, can identify a particular individual. Personal data is divided into two categories: basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, personal photos, phone number, identification number, marriage status, online account details, history of cyberspace activities, etc. Sensitive personal data comprises political and religious views, health information, racial or ethnic origin, sexual orientation, criminal records, bank account and transaction information in financial service providers, personal location data, among others.
The PDPD provides a general framework for personal data protection with 8 principles and 11 rights conferred to the data subjects. Closely following the GDPR model, the PDPD's eight basic principles include: lawfulness; transparency; purpose limitation; data minimisation; accuracy; integrity and confidentiality; storage limitation; and accountability (Article 3). Similarly, the 11 rights of data subjects cover the right to information; right to consent; right to access; right to revoke consent; right to erasure; right to restriction of data processing; right to data provision; right to object; right to complain and denounce and/or initiate lawsuits, the right to claim compensation for damages, and the right to self-defence. Data portability is provided as part of the right to data provision. While a definition for automated processing of personal data is provided, the Decree does not spell out data subject's right not to be subjected to automated individual decision-making, including profiling, as in the GDPR. However, according to Article 2.13 of the PDPD, automated processing of personal data is a form of personal data processing, and therefore, must be subject to other requirements applicable to personal data processing in general.
The PDPD adopts a consent-centric approach. Specifically, Article 11 sets out that consent must be made on a voluntary basis and based on the data subject's full understanding of (i) the type of personal data to be processed; (ii) the purpose of the personal data processing; (iii) the entities authorised to process personal data; and (iv) the data subject's rights and obligations. In terms of form, Article 11 stipulates that consent must be expressed clearly and specifically in written or oral format, by ticking the consent box, by text message, by selecting consent technical settings, or via other relevant forms. Consent must be expressed in a format that can be printed out or reproduced in writing, including in electronic or verifiable formats. Moreover, silence or non-response is not considered as consent under the PDPD. Article 17 provides exemptions of consent principle for the personal data processing in cases of emergency, in accordance with contractual obligations, or for the processing of personal data by competent authorities in accordance with the laws. While the consent rules under the PDPD in general are similar to global practices, the PDPD takes a slight departure by requiring consent by minors: Article 20 stipulates that for processing personal data of children, consent must be obtained from both children over the age of seven and their parents/guardians.
The PDPD divides regulated parties into four categories (Personal Data Controller, Personal Data Processor; Personal Data Controller-Processor; and Third Party) and imposes different obligations toward each of the regulated parties. In addition to the obligations to implement organisational and technical measures to protect personal data, some of the notable responsibilities of regulated entities include the appointment of a data protection officer (DPO) or department (DPD), notification of breach, assessment of impact of personal data processing, and assessment of impact of outbound transfer of personal data.
Following the entry into force of the Decree, companies will need to appoint a DPO/DPD. According to the Decree, the appointment of DPO/DPD requirement only applies to those processing sensitive personal data (Article 28) and Personal Data Controllers/ Personal Data Controller-Processors (Articles 36 and 38).1 The DPDP provides a grace period of two years for SMEs and start-ups to comply with the obligation on appointing personal data officer/department. This grace period however does not apply to SMEs and start-ups directly engaging in the personal data processing business activities. Depending on the severity of their violations, entities and individuals that commit violations against regulations on protection of personal data may face disciplinary actions, administrative penalties, or criminal prosecution according to regulations.
Similar to the GDPR, the PDPD requires mandatory data breach notification to the Persona Data Protection Authority (PDPA), in this case the Department of Cybersecurity and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam, within 72 hours of a breach, if feasible. Notifications of breach beyond the 72-hour timeframe must be accompanied with reason for such delay.
Article 24 clarifies the obligation of Personal Data Controllers, Personal Data Processors, and Personal Data Controller-cum-Processors to make and store Data Protection Impact Assessment Profile (DPIA) at the start of the personal data processing activities. The DPIA must include, among other details, processing purpose, types of personal data to be processed, cases of outbound transfer of personal data, duration of processing and deletion of personal data, description of measures for protecting personal data, and assessment of impact of personal data processing, including undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage. The DPIA, which is made in writing, must be kept available in order to serve inspection and assessment by the PDPA, while one original copy must be submitted to the PDPA within 60 days from the date of processing of personal data.
For Cross-Border Transfer of Personal Data (CBTD), the PDPD adopts an ex-post management approach. All four Regulated Entities can be subject to this requirement if they conduct CBTD According to Article 25, the transferor of personal data must first create an Impact Assessment for the Cross-Border Transfer of Personal Data (IA-CBTD) before the transfer. Similar to the requirements for the DPIA, the transferor shall send one (01) authentic copy of the assessment to the DPDA within 60 days from the date of processing of personal data, while keeping the dossier available in order to serve inspection and assessment by the authority. The PDPA will have the power to check and request amendment of the IA-CBTD dossier, as well as to stop the cross-border transfers of personal data if (i) the data is used for activities that violate the interests and national security of Vietnam; (ii) the transferor fails to complete or update the IA-CBTD dossier; or (iii) the personal data of Vietnamese citizens is disclosed or lost.
Implications for businesses
Before the issuance of the PDPD, there has been a number of legal instruments regulating data governance in Vietnam. These include the Law on Cybersecurity and the recently enacted Decree No. 53/2022/ND-CP elaborating several articles under the Law on Cybersecurity.2 The PDPD will regulate data protection in parallel with these instruments.
The PDPD represents a significant step towards strengthening data protection in Vietnam, and is aligned to Vietnam's rights for data protection under the CPTPP3. With its wide scope of application, the PDPD may prove to be costly and time-consuming for firms in making arrangements for their organisational and technical measures to protect the personal data of both their customers and employees. The PDPD is expected to have far-reaching implications to most companies, domestic or foreign, as they will need to revise their data collection and processing practices in Vietnam.
The PDPD shall take effect on 1 July 2023. As the Decree imposes different obligations toward each of the regulated parties, it is therefore critical for companies to understand and identify their roles correctly. While further guidance from the authorities can be expected, business should already, assess which category of Regulated Entities that they fall under, take stock and review their data collection and processing practices, and make necessary preparatory steps for necessary adjustment to their existing organisational and technical measures to protect the personal data.
1. This is different from the EU GDPR, where the requirement for controllers and processors to appoint a DPO is applied if the processing is carried out by a public authority; the core activities require regular and systematic monitoring of data subjects on a large scale; or the core activities consist of processing sensitive personal data on a large scale (Article 37, EU GDPR).
2. See our article on Decree No. 53/2022/ND-CP at https://www.tradeeconomics.com/what-are-the-data-localisation-implications-of-viet-nams-decree-no-53-2022-relating-to-cybersecurity
3. The CPTPP recognises the Parties' right to regulate, so long as the measures are not arbitrary or unjustifiable discrimination or a disguised restriction on trade and are not more restrictive than necessary.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.