Vietnam has officially issued Decree No. 13/2023/ND-CP on personal data protection, which shall become effective from July 01, 2023. It is assumed that the decree shall significantly affect the way personal data is collected, transferred overseas, stored, and handled in Vietnam.
Legal regulations on the protection of personal data have been promulgated by many countries around the world to protect personal data rights, which helps prevent violations of personal data that affect the rights and interests of individuals and organizations, specifically: the Personal Data Protection Act of Singapore (2012), the General Data Protection Regulation (GDPR) of the EU (2016) and the Data Protection Act of the United Kingdom (2018). Facing the urgent need to promulgate regulations on personal data protection, on February 9, 2021 the Ministry of Public Security issued the first draft of the Decree on Personal Data Protection for submission to the Government. Although this is a Government Decree under the promulgating authority of the Government of Vietnam, Vietnam has no Law or Ordinance related to this issue. Therefore, the issuance of Decree No. 13/2023/ND-CP must be approved by the Standing Committee of the National Assembly, according to the provisions of the Law on Promulgation of Legal Documents. On April 17, 2023, the Government of Vietnam officially issued the Personal Data Protection Decree No. 13/2023/ND-CP (PDPD), which will take effect from July 1, 2023.
The PDPD provides, for the first time, the following provisions, which had been referred to in the draft of this decree to some extent:
1. Territorial scope of the application of the PDPD
The PDPD broadens the territorial scope of application. This Decree applies to all entities that are directly involved in or related to personal data processing operations in Vietnam, including:
- Vietnamese agencies, organizations and individuals;
- Foreign agencies, organizations and individuals in Vietnam;
- Vietnamese agencies, organizations and individuals operating abroad; and
- Foreign agencies, organizations and individuals directly participating in or related to personal data processing activities in Vietnam.
2. Extension of definition of personal data and data processing in Vietnam
The definition of personal data and data processing is also extended in this Decree. According to Article 2.1, “personal data” is divided into two groups: “basic personal data” and “sensitive personal data”. The PDPD defines the list for each group in detail. Notably, the list of “sensitive personal data” is extensive but not all-inclusive.
3. Extended categories of regulated subject
The PDPD extends the categories of regulated subject which are mentioned in the draft version of the Cybersecurity Administrative Sanctions Decree. Accordingly, the terms “data controller” and “data processor” are recognized in the PDPD. The concept of a “data controlling and processing entity” is also regulated in this Decree.
In addition, there are also newly introduced regulations which both data subjects and data controllers/processors should be aware of, such as (i) applying protection of personal data in the marketing and product promotion business; (ii) making and keeping a Record of Personal Data Processing Impact Assessment from the time when personal data processing begins.
4. Classification of personal data
Personal data is divided into two categories, basic and sensitive.
Basic personal data includes full name; date of birth; date of death or disappearance; sex; place of birth, place of permanent residence, temporary residence, current place of residence; nationality; personal image; phone number; identification number or personal identification number, passport number; driver’s license, license plate; personal tax code; social insurance, health insurance number; marital status; family relationship.
Sensitive personal data is personal data associated with an individual’s privacy that, if violated, will directly affect an individual’s rights and interests, including: political views, religion; health status and private life recorded in the medical record; racial or ethnic origin; genetic traits; unique biological characteristics; sexual life and orientation; offenses collected or stored by law enforcement; bank customer information such as identity, account, deposit, deposited assets, transactions; personal location determined via location services.
5. New requirements for a valid consent, sensitive personal data processing and cross-border data transfer in Vietnam
The PDPD also regulates new requirements for a valid consent, sensitive personal data processing, and cross-border data transfer. The details are as follows:
a. Before carrying out and throughout the personal data processing, the Personal Data Controller and the Personal Data Processor need the consent of the data subject, which applies to all activities, unless otherwise provided by law.
The consent of the data subject must be expressed clearly and specifically in writing, by voice, by ticking the consent box, in the syntax of consent by text message, by selecting consent settings or by other actions that demonstrate this, and may be printed, reproduced in writing, including in electronic or verifiable formats. It should be noted that the data subject’s silence or non-response is not considered as consent.
However, in order to ensure the harmonization of the rights and interests of data subjects and public interests, this Decree also provides exceptions when processing personal data without the consent of data subjects in Article 17, including:
- in case of emergency, where it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others; the Personal Data Controller, the Personal Data Processor, the personal data controlling and processing entity, and the third party are responsible for proving this case;
- cases of publicizing personal data as prescribed by law;
- the processing of data by competent state agencies in the event of a state of emergency on national defense, security, social order and safety, major disasters or dangerous epidemics;
- when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and law violations according to the provisions of law;
- to fulfill the contractual obligations of the data subject with relevant agencies, organizations and individuals as prescribed by law; and
- to serve the activities of state agencies prescribed by specialized laws.
b. In case of sensitive data processing, the data processor must designate a department with the function of protecting personal data, appoint personnel in charge of personal data protection and exchange information about the department and individual in charge of personal data protection with the Personal Data Protection Authority.
c. Similarly, in the case of transferring personal data of Vietnamese citizens abroad, the party transferring the data abroad shall prepare a dossier to assess the impact of transferring personal data abroad. The dossier of assessment of the impact of transferring personal data abroad must always be available to serve the inspection and evaluation activities of the Ministry of Public Security, and 01 original of the dossier must be sent to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control) according to Form No. 06 in the Appendix to this Decree within 60 days from the date of processing of personal data.
6. Management measures taken by organizations and individuals to protect personal data in Vietnam
In order to ensure the ability to protect personal data rights and prevent personal data breaches, Articles 26, 27 and 28 of the Decree stipulate personal data protection measures to be applied right from the beginning of, and throughout, the processing of personal data, including:
- Management measures taken by organizations and individuals related to the processing of personal data;
- Technical measures taken by organizations and individuals related to the processing of personal data;
- Measures taken by competent state management agencies in accordance with this Decree and relevant laws;
- Investigative and procedural measures taken by competent state agencies and other measures as prescribed by law.
The PDPD also provides the legal ground to establish a portal for personal data protection in Vietnam. The specialized agency for personal data protection will be the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security of Vietnam.
This Vietnam personal data Decree forbids all activities of buying and selling personal data in any form. According to the provisions of Article 4 of this Decree, agencies, organizations and individuals that violate regulations on protection of personal data (which includes activities of preventing, detecting, stopping and handling violations related to personal data in accordance with the law, and responsibility for protection) may, depending on the severity, be disciplined, administratively sanctioned or criminally handled according to regulations.
7. Prohibited conduct regarding personal data
Prohibited conduct regarding personal data includes:
1. Processing personal data contrary to the provisions of the law on protection of personal data.
2. Processing personal data to create information and data to fight against the State of the Socialist Republic of Vietnam.
3. Processing personal data to create information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
4. Obstructing personal data protection activities of competent authorities.
5. Taking advantage of personal data protection activities to violate the law.
8. Period of exemption from regulations on personal designation and personal data protection in Vietnam
According to Article 49, micro enterprises, small enterprises, medium enterprises and start-up enterprises are allowed to choose to be exempt from regulations on personal designation and personal data protection for the first 2 years since the establishment of the business, except for micro enterprises, small enterprises, medium enterprises and start-up enterprises directly engaged in personal data processing activities.
It is time for foreign investors doing business in Vietnam, multinational companies with offices, representative offices, branches in Vietnam, cross-border platforms and services aimed at Vietnamese customers to review the entire system of handling, recording, transmitting and protecting personal data to ensure that it meets the requirements of the Vietnam Personal Data Protection Decree. With years of experience in the fields of information, personal data, intellectual property, ASL LAW technology is working with customers to ensure this compliance.
In this period of explosive growth in information technology, personal data, especially personal data in cyberspace, has become a valuable resource that criminals and bad actors can collect, trade, and use to commit acts that infringe upon human rights and civil rights and violate the law. Therefore, Decree 13/2023/ND-CP, taking effect on 1 July 2023, will play an important role in effective personal data protection in Vietnam, but will also require many parties to increase their responsibility in the enforcement of these regulations.
Nguyen Thi Thuy Chung, Senior Partner of ASL LAW