On 17 April 2023, the Vietnamese government issued Decree No. 13/2023/ND-CP on Personal Data Protection (“PDP Decree”). The PDP Decree applies to Vietnamese and foreign organisations that process personal data in Vietnam, and will take effect from 1 July 2023, save that specified enterprises are exempted from certain requirements for a period of 2 years from their establishment (see point 9 below).
Some key features of the new law:
1. Scope: The PDP Decree will apply to foreign organisations that process or participate in the processing of personal data in Vietnam, which suggests that the PDP Decree will have extra-territorial application.
2. Categories of Personal Data: The PDP Decree provides for two categories of personal data - “basic personal data” and “sensitive personal data”. Organisations processing “sensitive personal data” will need to comply with more stringent requirements.
The PDP Decree also specifies requirements relating to the processing of a child’s personal data.
3. Legal bases: Similar to most data protection laws in the APAC region, a consent-based approach is adopted. Consent to the specified purposes for the processing of personal data must be obtained unless an exception applies.
4. Data Subject Rights: The PDP Decree provides data subjects with specific rights and obligations, such as the right to consent, the right of access, the right to withdraw consent, the right of erasure, and the right to object to data processing, amongst others.
5. Appointing a Data Protection Officer: The PDP Decree requires organisations that process sensitive personal data to appoint a Data Protection Officer (“DPO”) and designate a data protection department (“DPM”). However, it should be noted that all organisations processing personal data are required to prepare, maintain, and submit to the relevant authority a Data Protection Impact Assessment Profile that includes information relating to the DPO. In practice, this suggests that organisations processing personal data of any category should appoint a DPO.
6. Cross-Border Transfers: Before transferring personal data overseas, an organisation must prepare a Personal Data Transfer Impact Assessment Dossier, which must be available for inspection by the relevant authority at all times. The Dossier must also be submitted to the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security within 60 days from the date on which the personal data is processed.
7. Data Breach Notification: In the case of a breach of the personal data protection rules, organisations must notify the relevant authority, the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security, of the violation within 72 hours of its occurrence.
8. Sector-specific requirements: The PDP Decree imposes requirements on businesses providing marketing and advertising services, requiring opt-in consent. Data subjects must also be notified of certain information relating to the advertising, such as the content, method, form, and frequency.
9. Exemption: Certain enterprises (small and medium-sized enterprises, and start-ups) are exempted from the requirement to appoint a DPO and designate a DPM, and from the requirement to submit a Data Protection Impact Assessment Profile including information on the DPO and DPM, for the first 2 years from the establishment of the business, provided that such enterprises are not directly engaged in personal data processing activities.
Given its extra-territorial scope, the PDP Decree will apply both to businesses located in Vietnam and to foreign businesses that process the personal data of individuals in Vietnam.
Please get in touch if you wish to understand the practical implications of Vietnam’s PDP Decree to your business.
Article co-authored by Dominic Soh, Trainee at CMS Holborn Asia