On 1 July 2023, Vietnam’s Decree No. 13/2023/ND-CP on Personal Data Protection (PDP Decree), the country’s first comprehensive data protection law, came into effect, following guidance issued on 7 June 2023. We highlight the most pertinent updates below.
Scope: The PDP Decree applies to (i) all Vietnamese and foreign individuals and organisations in Vietnam, (ii) Vietnamese individuals and organisations operating abroad, and (iii) foreign individuals and organisations that process or participate in the processing of personal data in Vietnam.
Categories of personal data: The PDP Decree covers the processing of “basic personal data” and “sensitive personal data”. “Sensitive personal data” refers to personal data that would jeopardize a person’s legitimate rights and interests if violated. Therefore, organisations processing sensitive personal data will need to comply with more stringent requirements.
Categories of regulated parties: The PDP Decree applies to four categories of regulated parties: (i) personal data controllers (i.e. entities that determine the purposes and means of personal data processing), (ii) personal data processors (i.e. entities that process personal data on behalf of a controller via an agreement), (iii) personal data controller-processors (i.e. entities that perform both controller and processor roles concurrently) and (iv) third parties (i.e. any entities permitted to process personal data other than the three categories of regulated parties above).
Legal bases: The PDP Decree adopts a consent-based approach to the processing of personal data. Consent to the specified purposes for the processing of personal data must be obtained unless an exception applies.
Consent from a data subject is only valid if he/she voluntarily consents and is informed of (i) the type of personal data processed, (ii) the purposes for processing, (iii) the organisation or individual processing the data, and (iv) their rights and obligations. Organisations processing sensitive personal data must inform data subjects of the fact when obtaining consent.
A data subject must consent to each purpose for data processing and silence or non-response from the data subject shall not be regarded as valid consent. Consent must be expressed in a format that can be printed out or reproduced in writing.
Data subject rights: Data subjects have the following rights under the PDP Decree: the right to be informed, the right to consent, the right to access and rectify data, the right to withdraw consent, the right of erasure, the right to data provision, the right to restrict data processing, the right to object to processing, and the right to complain and claim damages.
Organisations should note the 72-hour requirement under the PDP Decree to respond to data subject requests to exercise the following rights: the right to access and rectify data, the right of erasure, the right to restrict data processing and the right to object to processing.
DPO requirement: Organisations processing sensitive personal data are required to establish an internal data protection department (DPD) and appoint a Data Protection Officer (DPO).
Organisations processing personal data in general are expected to establish an internal DPD and appoint a DPO since DPD and DPO details are required to be listed in a Data Protection Impact Assessment (DPIA) profile (see below for details).
DPIA requirement: Organisations processing personal data are required to prepare and submit a DPIA profile (in Vietnamese) to the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security (MPS) within 60 days from the date of processing.
A DPIA template is expected to be released by the MPS in the near future.
Cross-border transfer requirement: Organisations transferring personal data outside Vietnam (including those using automated systems located outside Vietnam to process personal data) must prepare and submit a Transfer Impact Assessment (TIA) dossier to the MPS within 60 days from the date of transfer. The TIA dossier must include information regarding: (i) the details of the data transferor and receiver, (ii) the personal data being transferred, (iii) the consent of the data subject, (iv) the purposes of personal data processing following the transfer, (v) an explanation of how compliance with the PDP Decree will be achieved following the transfer, including details of the binding obligations between the data transferor and receiver, and (vi) the impact of the processing of personal data, including any measures to minimise or eliminate adverse consequences and/or damages.
A TIA template is expected to be released by the MPS in the near future.
Data breach notification requirement: Organisations must notify the MPS of any personal data breach within 72 hours of the breach, using the prescribed template (Form 03 in the Appendix to the PDP Decree).
Use of personal data for marketing/advertising: Marketing/advertising service providers are required to obtain informed, opt-in consent from data subjects before using their personal data to provide marketing services or advertise products. Data subjects should be notified of the content, method, form and frequency of marketing/advertising activities that will be provided.
Trading of personal data prohibited: The PDP Decree provides that the trading of personal data is prohibited unless otherwise provided by law, even if consent of the relevant data subjects is obtained.
Grace period for selected businesses: Certain enterprises (small and medium, and start-ups) are exempted from the requirements to submit a DPIA Profile that includes information relating to the DPO and DPD for the first 2 years from the inception of the business, provided that such enterprises are not directly dealing in personal data processing activities.
Please get in touch with us if you would like to learn more about the impact of the above developments on your business.