Vietnam has recently issued a draft decree on Personal Data Protection, which will become effective soon. How does this affect investors and enterprises in Vietnam?
This century is a new turning point in the development of mankind. We are witnessing the development of telecommunications and the internet at a pace never seen before. This development opens up a new era of science and technology and contributes to the 4.0 Revolution. However, it also poses huge risks to the right to privacy, of which the right to personal data protection is one of the most important parts.
The importance of Personal Data in the 4.0 Revolution
The right to personal data sits at the very core of a human’s right to privacy. This is a basic human right, which protects a human’s independence and vogue. With this right, we are able to create a barrier between ourselves and others, which distinguishes us from others and helps us control the flow of information as well as our interactions with others. This gives us our status in the community, which is lost if the right is violated. Personal data protection therefore contributes to a democratic, civilized and sustainable society.
With the fast pace of technology development, most information is now stored in physical and cloud storage. This means that there is always a risk of data breaches, resulting in the loss of information. Thus, the protection of personal data must be prioritized.
Personal data protection law around the world
Many countries around the globe have already fully established a functional personal data protection law.
In Asia, Malaysia (2010), Singapore (Personal Data Protection Act of 2012, Personal Data Protection Regulations 2014), Thailand (Personal Data Protection Act, 2019), Japan (2003, amended 2016) and South Korea (2011, amended 2013, 2014, 2015, 2017, 2020) have adopted personal data protection laws. Most of the world’s personal data protection law originated from the European Union, which is the first region that established the Act of Personal Data Protection, in 1981. When the Act of Personal Data was first officially established in 1985, there were 85 countries involved in the Act, except Turkey.
According to the General Data Protection Regulation (GDPR), personal data means any information relating to an identified or identifiable natural person. Under this definition, personal data includes names, postal and email addresses, plus telephone, driving license, bank account, credit card, passport and social security numbers. Under certain circumstances it also includes identifiers such as biometric data, web cookies, mobile device IDs and other factors specific to ‘physical, physiological, genetic, mental, economic, cultural or social identity’.
Processing, consent and the right to be forgotten under the GDPR
- Processing: any set of manual or automated operations performed on personal data, including collection, storage, organisation and alteration;
- Consent: freely given, specific, informed and unambiguous. Consent requires an active, positive opt in, so efforts must be made to ensure, for instance, that all data relating to employees, customers and business partners is fully consented and evidenced;
- Right to be forgotten: individuals have the right to see a copy of their data and the right to request its deletion. Organisations must have mechanisms in place not just to protect personal information from compromise, but also to identify, analyse and remove it from processing.
Due to Brexit, Britain’s Personal Data Protection Law is slightly different from the EU’s, but it still retains most of the core regulations.
The “Right to be Forgotten” is a unique system in the EU Personal Data Protection Law. Basically, this is a right that allows individuals to view a copy of their record as well as to request the deletion of that record from the organization holding the information. This practice is applied in Argentina, the Philippines and the EU.
In Vietnam, Personal Data Protection law has not yet been thoroughly established.
The current issues of Vietnam’s Personal Data Protection
Limitations in the provisions of current Vietnam laws on the protection of personal data
Currently, the definition of Personal Data and the related regulations are scattered among various legal documents, which makes it easy for them to conflict with one another. Other problems can be cited, such as:
- Firstly, the definition of Personal information is still inconsistent among relevant legal documents (shown in both regulatory content and legislative techniques).
- Secondly, the current regulations focus only on regulating the protection of personal information in the network environment (or cyber environment); there are no specific regulations on the protection of personal information in the traditional environment.
- Thirdly, the law protecting personal information has not kept pace with the practice of using personal data such as personal image data (facial recognition technology) and biometric data (such as fingerprints, iris, etc.).
- Fourthly, legal documents on the protection of personal information do not anticipate the actual situations in the collection and handling of personal information, such as: whose consent is needed when the personal information collected and handled is that of children, how cross-border transfer of personal information should be controlled, and what the legal constraints are for anonymizing personal information for use.
- Fifthly, there is no regulation on the right to be forgotten in necessary cases (a valuable human right that the laws on protection of personal information of many countries have stipulated).
- Sixthly, there is no specific regulation on the liability of those who commit misconduct in the collection and use of personal information to compensate for damage.
- Seventhly, the level of administrative penalties for violations in the collection and use of personal information is too low: from US$940.00 to US$1400.00.
However, Vietnam has recently issued a draft decree on Personal Data Protection.
Vietnam’s Draft Decree on Personal Data Protection
This Decree was issued by the Vietnam Ministry of Public Security in February 2021 and is expected to take effect from December 1st, 2021. The Decree promises clearer Personal Data Protection in Vietnam.
Definition of personal data
- Definition: Personal data is data about an individual or related to the identification or possible identification of a particular individual. The definition is similar to that of the EU.
- Personal data includes:
a) Full name, middle name and birth name, alias (if any);
b) Date of birth; day, month and year of death or disappearance;
c) Blood group, sex;
d) Place of birth, place of birth registration, place of permanent residence, current residence, hometown, contact address, email address;
đ) Education level;
h) Phone number;
i) Identity card number, passport number, citizen identification number, driver’s license number, license plate number, personal tax identification number, social insurance number;
k) Marital status;
l) Data reflecting activity or activity history in cyberspace.
Categories of personal data
The Decree also divides personal data into two groups: Basic personal data and Sensitive personal data.
Basic personal data includes basic identification information such as full name, age, date of birth, etc., while sensitive personal data revolves around the individual’s life, such as sexual orientation, bank account, medical history, criminal history, etc. By classifying personal data in this way, the Decree provides a basis for developing better regulations to protect each item of personal data.
Principles of personal data protection
1. Legal principle: Personal data is only collected in case of necessity as prescribed by law;
2. Principle of purpose: Personal data is only processed in accordance with the purpose registered and declared for processing personal information;
3. Principle of minimalism: Personal data is collected only to the extent necessary to achieve the defined purpose;
4. Principle of limited use: Personal data is only used with the consent of the data subject or with the permission of the competent authority in accordance with the law;
5. Principles of data quality: Personal data must be updated and complete to ensure data processing purposes;
6. Principles of security: Personal data protection measures are applied during the processing of personal data;
7. Personal principles: Data subjects must know and receive notifications about activities related to the processing of their personal data;
8. Privacy principle: Personal data must be kept confidential during data processing.
Rights of data subjects regarding the processing of personal data
Data subjects shall have the following rights:
1. Agree or disagree to the Personal Data Processor or the Third Party processing their personal data, unless otherwise provided for by law;
2. Receive notice from the Personal Data Processor at the time of processing or as soon as practicable;
3. Request the Personal Data Processor to correct, view and provide a copy of their personal data;
4. Request the Personal Data Processor to stop processing personal data, restrict access to personal data, stop disclosing or permitting access to personal data, delete or close personal data collected, except where required by law;
6. Claim compensation in accordance with the law when there are grounds to believe that their personal data has been infringed.
The Decree also imposes much higher fines for acts of infringement. Furthermore, it provides a better definition of Personal Data, as well as of acts of infringement.
Consent of data subjects to personal data
1. The consent of the data subject to the processing of his/her personal data is only valid if it is given of his/her own free will and he/she knows the following:
a) The type of personal data to be processed;
b) Purpose of processing personal data;
c) The subjects allowed to process and share personal data;
d) Conditions for transferring and sharing personal data to third parties;
đ) The rights of data subjects related to the processing of their personal data in accordance with the law.
2. The silence or non-response of the data subject is not considered consent;
3. The data subject may agree in part or with accompanying conditions;
4. The consent of the data subject must be expressed in a format that can be printed or reproduced in writing.
New Administrative Sanctions for Violations
In case of violation:
- A fine of up to US$4400.00
- A fine of up to 5% of the violator’s revenue (EU: 4%)
Impact on investors and enterprises in Vietnam
Specific requirements for sensitive personal data
Under the Draft, sensitive personal data must be registered with the Personal Data Protection Commission (PDPC) prior to processing. Processors need to prepare an application meeting the stipulated requirements and submit it to the PDPC for registration approval.
The PDPC will process the application within 20 working days from the date of receipt of a valid application. This requirement would be very burdensome for companies.
Appointing personnel in charge
Enterprises must appoint personnel in charge of personal data protection and report this information to the Personal Data Protection Commission (PDPC).
New Regulation on Cross-Border Transfer of Data
The Draft Decree also sets out new regulations regarding the cross-border transfer of personal data. Personal data of Vietnamese citizens can be transferred out of Vietnam’s territorial borders when the following four conditions are fully met:
a) When the data subject consents to the transfer;
b) Original data is stored in Vietnam;
c) There is a document proving that the country, territory or specific area in the country or territory to which the data is being transferred has issued regulations on the protection of personal data to a level equal to or higher than that specified in the draft decree;
d) Having the written consent of the Personal Data Protection Commission (PDPC).
Personal Data has long played a huge role for many foreign investors, in fields ranging from finance, insurance and banking to technology and storage. This development signals that privacy will become more and more secure in Vietnam, which brings different requirements for acquiring personal data.
ASL LAW is the top-tier Vietnam law firm. If you need any advice, please contact us for further information or collaboration.