Vietnam: Overview of the Personal Data Protection Decree
The Government of Vietnam issued, on 17 April 2023, the highly anticipated Decree No.13/2023/ND on the Protection of Personal Data ('PDPD') which represents the first comprehensive document governing personal data protection in Vietnam. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. OneTrust DataGuidance Research provides an overview of the most significant provisions under the PDPD.
Definitions
The PDPD outlines general terms, including 'basic personal data', 'sensitive personal data', 'personal data controller', 'personal data processor', 'data subject', and 'third party'. In regard to consent, the PDPD clarifies that consent is 'a clear, voluntary, affirmative expression of the data subject's permission to process personal data' (Article 2(8) of the PDPD).
Further to the above terms, 'personal data processing' is considered 'one or more activities affecting personal data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, revocation, encryption, decryption, copying, sharing, transmission, provision, deletion, destruction of personal data, or other related actions'; whereas 'automatic personal data processing' is defined as 'a form of personal data processing performed by electronic means in order to evaluate, analyse and predict the activities of a specific person such as: habits, preferences, trust levels, behaviour, locations, tendencies, competencies and other circumstances' (Article 2(13) of the PDPD).
Notably, 'transfer of personal data abroad' is defined as 'the use of cyberspace, equipment, electronic means or other forms of transferring personal data of Vietnamese citizens to a location outside the territory of the Socialist Republic of Vietnam or use a location located outside the territory of the Socialist Republic of Vietnam to process personal data of Vietnamese citizens, including:
- organisations, enterprises and individuals transferring personal data of Vietnamese citizens to overseas organisations, enterprises and management units for processing in accordance with the purposes agreed upon by the data subject; and
- processing personal data of Vietnamese citizens by automated systems located outside the territory of the Socialist Republic of Vietnam of the controller of personal data and the personal data processor in accordance with the purposes agreed to by the data subject' (Article 2(14) of the PDPD).
Scope
The PDPD prescribes personal data protection and personal data protection responsibilities of relevant agencies, organisations, and individuals. Specifically, the PDPD applies to (Article 1 of PDPD):
- Vietnamese agencies, organisations, and individuals in Vietnam;
- foreign agencies, organisations, and individuals in Vietnam;
- Vietnamese agencies, organisations, and individuals operating abroad; and
- foreign agencies, organisations, and individuals directly participating in, or related to, personal data processing activities in Vietnam.
Personal data protection principles
The PDPD establishes a range of personal data processing principles, including (Article 3 of the PDPD):
- lawfulness: ensuring personal data is processed in accordance with the law;
- transparency: making sure data subjects are aware of the activities related to the processing of their personal data;
- purpose limitation: ensuring that personal data is processed only for the purposes that have been registered and declared by the personal data controller, personal data processor, and third party;
- data minimisation: ensuring personal data collected is appropriate and limited within the scope and purpose to be processed;
- accuracy: ensuring personal data is updated and supplemented in accordance with processing purposes;
- confidentiality and integrity: ensuring personal data is subject to protection and confidentiality measures during processing, including protection against violations of the regulations on the protection of personal data and prevention of loss, destruction, or damage caused by incidents; and
- storage limitation: ensuring personal data is stored for a period suitable for the purpose of processing, unless otherwise provided for by law.
In line with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the data controller and data processor are responsible for complying with the data processing principles above and demonstrating their compliance (Article 3(8) of the PDPD).
Data subject rights
In addition, the PDPD outlines a range of data subject rights. Specifically, the PDPD provides that data subjects have the right (Article 9 of the PDPD):
- to know;
- to consent and withdraw consent;
- of access;
- to correction;
- to delete;
- to restrict data processing;
- to provide data;
- to object to data processing;
- to complain, denounce, and initiate lawsuits;
- to claim damages; and
- to self-defence.
More specifically, the PDPD provides that personal data controllers and personal data processors must act on a data subject's request to object to processing for advertising and marketing purposes, to restrict processing, or to be provided with their personal data within 72 hours of receiving the request (Articles 9(6)(b), 9(8)(b), and 14(3) of the PDPD).
Consent
The PDPD specifically addresses consent, noting that consent applies to all activities of personal data processing unless provided otherwise by law (Article 11(1) of the PDPD). Further, the PDPD provides that consent is only valid when the data subject voluntarily and clearly knows (Article 11(2) of the PDPD):
- the type of personal data to be processed;
- the purpose of processing personal data;
- the organisations and individuals that are allowed to process personal data; and
- the rights and obligations of data subjects.
Further, consent must be expressed clearly and specifically, whether in writing, by voice, by ticking a consent box, by a consent syntax sent via text message, by selecting consent in technical settings, or through another action that demonstrates it (Article 11(3) of the PDPD). Correspondingly, consent must relate to a specific purpose; where there are multiple purposes, these must be listed so that the data subject can agree to one or more of them (Article 11(4) of the PDPD). Notably, silence or non-response is not considered consent, and the data subject may give partial or conditional consent (Articles 11(6) and 11(7) of the PDPD). In regard to sensitive data, the data subject must be informed that the data to be processed is sensitive (Article 11(8) of the PDPD). On the above, where there is a dispute, the burden of proving the consent of the data subject lies with the data controller and data processor (Article 11(10) of the PDPD).
With regard to the withdrawal of consent, such withdrawal does not affect the lawfulness of the data processing that was agreed to prior to the withdrawal (Article 12(1) of the PDPD). The withdrawal must be expressed in a format that can be printed or reproduced in writing, including in electronic or verifiable form (Article 12(2) of the PDPD). On receiving a withdrawal, data controllers and processors must notify the data subject of the consequences and possible damages of withdrawing consent (Article 12(3) of the PDPD), and must stop the processing and notify the data controllers, data processors, and third parties concerned that they must stop such processing in line with the data subject's withdrawal of consent (Article 12(4) of the PDPD).
However, personal data may be processed without the consent of the data subject when (Article 17 of the PDPD):
- personal data is processed to protect the life and health of the data subject or others;
- the disclosure of personal data is made in accordance with the law;
- the processing is made by competent state agencies in the event of a state of emergency on national defence, security, social order and safety, major disasters, or dangerous epidemics;
- there is a threat to national security and defence that does not yet warrant declaring a state of emergency, or the processing is necessary to prevent and combat riots, terrorism, crimes, and violations of the law;
- personal data is processed to fulfil contractual obligations of the data subject with relevant agencies, organisations, and individuals; and
- personal data is processed to serve the activities of state agencies prescribed by law.
Processing under different circumstances
The PDPD prescribes specific obligations for certain types of data processing, including personal data obtained from audio and video recording in public places. Such recording may be conducted without the consent of data subjects for the purpose of protecting national security, social order and safety, and the legitimate rights and interests of organisations and individuals. However, when recording audio or video, competent agencies must notify data subjects that they are being recorded (Article 18 of the PDPD).
In regard to children, the personal data of a child aged seven or older may only be processed where the consent of the child and of the parent or guardian has been obtained, and organisations must verify the age of children before processing children's personal data (Article 20 of the PDPD).
Notably, the processing of the personal data of persons declared missing or deceased must be consented to by their spouse or child, and where no such persons exist, it is considered that there is no consent (Article 19 of the PDPD).
In addition, organisations and individuals providing marketing services and introducing advertising products may only use the personal data of customers collected through their business activities with the consent of the data subject, and the data subject must know the contents, methods, forms, and frequency of product communications (Article 21 of the PDPD).
Likewise, it is illegal under the PDPD to set up software systems or technical measures, or to organise activities, for collecting, transferring, buying, and selling personal data without the consent of data subjects. Organisations and individuals involved in personal data processing must also apply measures to prevent the unauthorised collection of personal data by software systems, equipment, and services (Article 22 of the PDPD).
Sensitive data
In regard to sensitive data, the PDPD requires the designation of a department and personnel responsible for personal data protection and the exchange of information on personal data protection (Article 28(2) of the PDPD). In addition, the PDPD confirms that the measures outlined in Articles 26 and 27 of the PDPD must be implemented when processing sensitive personal data, and data subjects must be notified of such processing unless otherwise provided for in Articles 13(4), 17, and 18 of the PDPD.
Privacy notice
Data subjects must be notified of data processing prior to the processing of personal data, and such notification must include (Articles 13(1) and 13(2) of the PDPD):
- the purpose of processing;
- the type of personal data to be processed;
- the method of processing;
- information about other organisations related to the processing purposes;
- unexpected consequences and damages likely to occur from processing; and
- start time and end time of processing.
Notice must be given to the data subject in a format that can be printed, reproduced in writing, including in electronic form or verifiable format (Article 13(3) of the PDPD).
However, a data controller or data processor will not be required to provide notice where:
- the data subject has fully understood and agreed to the above before agreeing to the collection of personal data by the data controller and data processor in accordance with Article 9 of the PDPD; or
- personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with legal provisions.
Impact assessments
Data controllers and data processors must keep a profile of the impact assessment of their personal data processing when they begin to process personal data, which includes (Article 24(1) of the PDPD):
- information and contact details of the personal data controller and processor;
- the full name and contact details of the organisation responsible for protecting personal data and of the personal data protection officer of the data controller;
- the purpose of processing;
- the types of personal data to be processed;
- organisations and individuals receiving personal data, including organisations and individuals outside Vietnam;
- the processing time for personal data and retention period for personal data;
- a description of personal data protection measures applied; and
- an assessment of the benefit of the processing of personal data, consequences, unwanted damage likely to occur, and measures to reduce or eliminate such risk or harm.
Data processors must also prepare an impact assessment dossier, containing the above information, where they process personal data under a contract with a data controller (Article 24(2) of the PDPD).
Likewise, where personal data is transferred abroad, the party transferring the personal data must prepare a dossier assessing the impact of the transfer of personal data abroad, which must include (Article 25 of the PDPD):
- information and contact details of the party transferring the data and the party receiving personal data of Vietnamese citizens;
- the full name and contact details of the organisation or individual in charge of the data transfer party related to the transfer and receipt of personal data of Vietnamese citizens;
- a description and explanation of the objectives of the personal data processing activities of Vietnamese citizens after being transferred abroad;
- a description and clarification of the type of personal data transferred abroad;
- the impact of the processing of personal data;
- potential consequences, unwanted damage, and measures to reduce or eliminate such risk or harm;
- the consent of the data subject, given on the basis that the data subject clearly knows the feedback and complaint mechanism available when problems or requests arise; and
- a document showing the binding responsibility between organisations and individuals transferring and receiving personal data of Vietnamese citizens for the processing of personal data.
Dossiers on the assessment of impact of processing of personal data must always be available to the Ministry of Public Security ('MPS') (Article 25(3) of the PDPD).
Furthermore, cross-border transfers must be notified to the MPS along with the contact details of the organisation or individual in charge once the data transfer has taken place successfully (Article 25(4) of the PDPD).
In the following circumstances, the MPS can require the party transferring personal data abroad to stop transferring personal data (Article 25(8) of the PDPD):
- when it is discovered that the transmitted personal data is used for activities that violate the national interests and security of Vietnam;
- the party transferring data abroad does not comply with the provisions of Articles 25(5) and 25(6) of the PDPD; or
- there has been an incident involving the leakage or loss of the personal data of Vietnamese citizens.
Controller and processor obligations
Importantly, in case of detection of a violation of the PDPD, organisations processing personal data must notify the MPS within 72 hours after the violation occurred. Specifically, the notification should include (Article 23(3) of the PDPD):
- a description of the nature of the violation of the PDPD, including the time, place, conduct, organisations and individuals involved, types of personal data, and amount of data affected;
- contact details of the employee assigned to personal data protection or the organisation or individual responsible for the protection of personal data;
- a description of the possible consequences and damages of violating the PDPD; and
- a description of measures taken to solve and minimise the harm of violations.
In addition, the PDPD outlines data security obligations: personal data protection measures must be applied from the very beginning and throughout the processing of personal data (Article 26(1) of the PDPD). These measures include:
- management measures taken by organisations and individuals related to personal data processing;
- technical measures taken by organisations or individuals related to personal data processing;
- measures taken by competent state management agencies in accordance with the PDPD and relevant laws;
- investigation and procedural measures taken by competent state agencies; and
- other measures as prescribed by law.
Furthermore, the PDPD stipulates additional responsibilities for data controllers, including:
- the implementation of organisational and technical measures and appropriate safety and security measures (Article 38(1) of the PDPD);
- recording and logging personal data processing (Article 38(2) of the PDPD); and
- the selection of data processors in accordance with a clear mandate, working only with processors that have appropriate safeguards in place (Article 38(4) of the PDPD).
In regard to data processors, the PDPD establishes that data processors must:
- only receive personal data after having a contract or agreement on data processing with the data controller;
- process personal data in accordance with the contract or agreement signed with the data controller;
- fully implement measures to protect personal data specified in the PDPD and other relevant legal documents;
- be responsible to the data subject for damages caused by the processing of personal data;
- delete and return all personal data to the data controller after finishing data processing; and
- cooperate with the MPS and competent state agencies in protecting personal data, provide information for investigations, and handle violations.
Data protection authority
The Department of Cybersecurity and High-Tech Crime Prevention and Control under the MPS, which is responsible for assisting the MPS in state management of personal data protection, will establish a national portal on data protection, which will (Article 29 of the PDPD):
- provide information on guidelines and policies regarding data protection;
- issue notifications of violations regarding personal data protection;
- receive information, records, and data about the protection of personal data, including information on the results of assessment on the data protection of relevant agencies, organisations, and individuals;
- issue and coordinate warnings about risks and violations of personal data in accordance with the PDPD;
- handle violations of personal data protection in accordance with the PDPD; and
- perform other activities in accordance with the PDPD on protection of personal data.
Furthermore, the PDPD notes that different government bodies are involved in personal data protection, including the MPS, the Ministry of Information and Communications, the Ministry of National Defence, and the Ministry of Science and Technology, among others, as detailed in Chapter 3 of the PDPD.
Next steps
The PDPD enters into effect on 1 July 2023.
Importantly, the PDPD clarifies that micro, small, and medium-sized enterprises and start-ups may choose to be exempted from the requirement to designate a department and personnel responsible for personal data protection for the first two years from their date of establishment (Article 43(2) of the PDPD). However, micro, small, and medium-sized enterprises and start-ups directly engaged in personal data processing activities are not eligible for the exemption under Article 43(2) of the PDPD (Article 43(3) of the PDPD).
Harry Chambers, Senior Privacy Analyst