
Vietnam: Exploring the Decree on the Protection of Personal Data

On April 17, 2023, the Government issued its long-awaited Decree on the Protection of Personal Data (PDPD). Logan Leung, Deputy Managing Partner at Rajah & Tann LCT Lawyers, provides an overview of the PDPD, including obligations for data processors and data controllers, consent requirements, and cross-border data transfers.


The PDPD represents the first consolidated data protection regulation in Vietnam and introduces significant changes to the existing (fragmented) regulatory environment for data protection in the country. The PDPD drew influence from the General Data Protection Regulation (GDPR) and, as such, introduces concepts and obligations that are common with the GDPR (but adapted for the Vietnamese legal framework). As the PDPD envisages personal data protection affairs as matters of cybersecurity, enforcement of its provisions will be spearheaded by the Ministry of Public Security (MPS) – specifically, its Department of Cybersecurity and High-Tech Crime Prevention (A05).

The PDPD applies to Vietnamese and foreign companies alike. Foreign companies will be required to observe the provisions of the decree if they directly participate in, or are otherwise involved in, processing personal data in Vietnam.

Of particular note is that the PDPD will come into effect from July 1, 2023 – giving only a short window of time for companies to review their existing personal data processing policies and practices with a view to adapting them for compliance with the PDPD. This article summarises areas to watch out for under the PDPD:

Bases for processing and consent requirements

Under the PDPD, the basis for processing and collecting personal data is driven by consent. Unlike other data protection regulations, the PDPD does not prescribe specific labels for other bases for processing (legitimate interests, vital interests, contractual necessity, etc.).

Instead, other bases for processing are generally framed as exceptions to the consent requirement. For this purpose, the PDPD regulates five circumstances in which the data subjects' consent will not be required for processing their personal data:

  • in cases of emergency where it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others;
  • disclosure of personal data in accordance with the law;
  • where it is done by the competent state agencies in the event of a state of emergency on national defense, national security, social order and safety, major disasters or dangerous epidemics, or where there is a risk of a threat to security and national defense (but not to the extent that it is declared a state of emergency), or to prevent and combat riots and terrorism, or to prevent and combat crimes and violations of the law in accordance with the law;
  • to fulfill the contractual obligations of the data subject with relevant agencies, organizations and individuals as prescribed by law; or
  • to serve the activities of state agencies as prescribed by specialized laws.

However, it is worth mentioning that other laws of Vietnam also prescribe exceptions to the consent requirement - including the Law on Information Technology and Decree 52 on e-commerce. The interplay between the PDPD consent requirements and these other legislated exceptions remains to be seen.

Where consent is needed to process personal data, the PDPD introduces more detailed requirements as to how consent is to be obtained (and the conditions that need to be met to ensure valid consent is given). In particular, consent will only be valid if it is given voluntarily and the data subject has clear knowledge of the type of personal data to be processed, the purpose of processing the personal data, the organizations and individuals that are allowed to process the personal data, and the rights and obligations of data subjects.

The PDPD requires express consent, which the data subjects must express clearly, in writing, by voice, by ticking the consent box, by texting consent syntax, by selecting consent technical settings, or by other actions expressing such consent. Silence or non-response should not be taken as deemed consent.

When there are multiple purposes for which personal data will be processed, they must be listed for the data subjects to consent to one or more of the purposes. It follows that if the processing of personal data falls out of the scope previously consented to by the data subject, additional consent will be required. Otherwise, processing personal data outside of the consented scope will be considered in violation of personal data processing regulations.

Data processors and data controllers

The PDPD introduces the distinction between data controllers and data processors, as well as those that assume both processor and controller functions (i.e., a data controller-processor). The PDPD regulates the obligations for each party.

Data controllers must:

  • implement organizational and technical measures and appropriate safety and security measures to prove that personal data is processed in accordance with regulations of the PDPD, as well as review and update these measures when necessary;
  • record and store a log of the processing of personal data;
  • notify violations against regulations on the protection of personal data in accordance with the PDPD;
  • select an appropriate data processor with specific tasks and only work with the data processor that has appropriate measures for protecting personal data;
  • protect the rights of data subjects under the PDPD;
  • be responsible to the data subject for damage caused by the processing of personal data; and
  • cooperate with the MPS and the competent authorities in protecting personal data and providing information serving investigation and handling of violations against the PDPD.

Data processors must:

  • only receive personal data after concluding a contract or agreement on the processing of personal data with the data controller, and process personal data under such contract or agreement;
  • fully implement measures for protecting personal data specified in the PDPD and other relevant legal documents;
  • be responsible to the data subject for damage caused by its processing of personal data;
  • delete or return all personal data to the data controller after completing the data processing; and
  • cooperate with the MPS and relevant state authorities in protecting personal data and providing information serving investigation and handling of violations against the law on the protection of personal data.

Those that act as data controller-processor will need to comply with all of the above responsibilities as applied to data controllers and data processors.

Rights of data subjects

The PDPD introduces a significant expansion to the rights that data subjects can have in respect of the processing of their personal data. In particular, it specifies the following rights:

  • the right to know of the personal data processing activities, unless otherwise provided by law;
  • the right to consent in respect of the processing of their personal data save for certain exceptions;
  • the right to access, view, correct, or request correction of their personal data, unless otherwise provided by law;
  • the right to withdraw consent, unless otherwise provided by law;
  • the right to deletion (including the right to request that their personal data be deleted), unless otherwise provided by law;
  • the right to restriction of data processing, unless otherwise provided by law;
  • the right to be provided with their data, unless otherwise provided by law;
  • the right to object to processing in order to prevent or limit the disclosure or the use of personal data for advertising and marketing purposes, unless otherwise provided by law;
  • the right to complain, denounce, and initiate lawsuits in accordance with the law;
  • the right to claim compensation in accordance with the law if there is a violation of personal data protection regulations unless the law provides or the parties otherwise agree; and
  • the right to self-defense in protecting themselves according to the Civil Code, other relevant laws, and the PDPD, or to request the relevant agencies and organizations to protect their civil rights.

It is important for companies to ensure that data subjects are made aware of these rights. This is because, as mentioned above, consent (as the basis for processing personal data) will only be valid if the data subject has full knowledge of their rights (and obligations).

The PDPD introduces tight timelines within which requests under some of these rights must be fulfilled. For example, where a data subject requests deletion of their data, requests restriction of processing, or objects to processing, the request must be implemented within 72 hours (unless the law states otherwise).

Impact assessments for processing personal data

The PDPD requires the data controller, data controller-processor, and data processor to prepare and retain a Personal Data Processing Impact Assessment Record (PDPIA) from the time it starts processing personal data. This requirement bears some resemblance to the Data Protection Impact Assessment (DPIA) that is required under the GDPR.

The PDPIA must be available for inspection and assessment by the MPS. An original copy must also be filed with A05 of the MPS within 60 days from the date of processing of personal data.

Cross-border transfer of personal data

The PDPD introduces stricter requirements on cross-border transfers of personal data (of Vietnamese citizens) outside of Vietnam. Previously, such transfers were largely treated in a similar manner to other processing activities, in which generally only consent from the data subject was required.

Transferors of personal data are required to prepare and retain a Cross-Border Transfer of Personal Data Impact Assessment (XBTIA).

Like the PDPIA, the XBTIA must be available for inspection and assessment by the MPS. An original must also be filed with A05 of the MPS within 60 days from the date of processing of personal data. Where there is an amendment or update to the XBTIA, the data transferor will need to send a notification (together with relevant documents) to the MPS.

When a cross-border transfer of personal data has been successfully carried out, the MPS must be notified, with the notice containing the contact details of the responsible person(s) or organization(s).

Data protection officer and data protection department

Where sensitive personal data is processed, the PDPD requires those involved in the processing to designate a department with the function of personal data protection, to appoint personnel in charge of personal data protection (e.g., a data protection officer (DPO)), and to exchange information on the matter with the relevant agencies.

The PDPD does not clearly regulate this requirement where no sensitive personal data is processed – i.e., only basic personal data is processed. However, subject to further legal guidance, it would be prudent for companies to still designate the department and appoint a DPO because such information forms part of the PDPIA and is to be specified for the purposes of notifications of violations of the PDPD (e.g., breach notifications).

Micro-enterprises, SMEs, and start-ups are exempt from these requirements for the first two years from the date of registering to set up their business. However, this does not apply where they are directly engaged in processing personal data.

What's next?

The enactment of the PDPD sees Vietnam join other jurisdictions that have enacted a consolidated data protection regulation, including those in the region such as Singapore, Thailand, Indonesia, and Malaysia.

The Government is in the process of developing the sanctioning decree which, when enacted, will arm the MPS with powers to pursue administrative sanctions against violations of the PDPD. The sanctioning decree is expected to introduce harsh penalties for non-compliance, such as revenue-based fines and additional non-monetary penalties (e.g., application of specific protection measures for cybersecurity).

However, until the PDPD takes effect, it remains to be seen how certain provisions will be implemented (and the extent to which the MPS will actively enforce against violators).

Given the very short period of time until the PDPD comes into effect (on July 1, 2023), it is recommended that companies start looking into reviewing compliance with their existing personal data processing procedures, practices, and policies.

Logan Leung Deputy Managing Partner
Rajah & Tann LCT Lawyers, Ho Chi Minh City