The Vietnamese Government issued the country's first-ever comprehensive legal framework on personal data in the form of Decree No. 13/2023/ND-CP dated 17 April 2023, on personal data protection (the “DPD”). The DPD, which will take effect from 1 July 2023, applies to agencies, organizations and individuals that are involved in the collection and processing of personal data. Under the DPD, “personal data” refers to any information that relates to an identified individual or enables the identification of an individual. The DPD puts both local and foreign subjects within scope of the law and regulates the processing and transfer of personal data of individuals, both onshore and offshore (“Data Subjects”).
This legal update highlights the most noteworthy novelties brought about by the DPD, overhauling the 2014 draft Decree on personal data protection.
- Consent of Data Subject
Unless otherwise specified by law, all operations that collect and process personal data must be approved by the Data Subject. Such consent by the Data Subject must be given freely, unambiguously, and explicitly.
- Obligation of Relevant Parties
The DPD assigns duties to three parties in the data collection and processing procedure:
(i) “Data Controllers”
Data Controllers determine the purposes and means of the processing of personal data. They must report to the Department of Cyber Security and Hi-tech Crime Prevention (the “DCHCP”) under the Vietnamese Ministry of Public Security. Data Controllers are responsible for:
– Notifying the Data Subject of certain information related to the processing of his/her personal data (unless the Data Subject already knew of and agreed with such information);
– Implementing appropriate technical and organizational measures;
– Preparing, retaining, and sending a copy of a data protection impact assessment dossier (the “DPIA Dossier”) to the DCHCP within 60 days from the day the data processing begins (the “Commencing Date”);
– Notifying the DCHCP of any personal data breach no later than 72 hours after the breach occurs.
(ii) “Data Processors”
Data Processors process personal data on behalf of the Data Controller by way of contract or agreement. They must:
– Take all appropriate measures to protect personal data;
– Issue the personal data protection policy;
– Designate a data protection department and a data protection officer, and provide the DCHCP with details of that department and officer (where sensitive personal data is processed; sensitive personal data is personal data associated with an individual’s privacy that, when violated, will directly affect the individual’s legitimate rights and interests);
– Prepare, retain and send a copy of the DPIA Dossier to the DCHCP within 60 days from the Commencing Date;
– Notify the Data Controller of any personal data breach, as soon as possible after becoming aware of it;
– Delete and/or return all personal data to the Data Controller after the end of the data processing.
(iii) Data Controlling and Processing Entities (“DCPEs”)
DCPEs are enterprises which simultaneously act as Data Controllers and Data Processors. DCPEs bear all obligations of both Data Controllers and Data Processors, as listed above.
- Cross-Border Transfer of Personal Data
Personal data of Vietnamese individuals may only be transferred to another country (i.e., to any server located in a territory outside of Vietnam) if the Data Controller, Data Processor, DCPE or other third party which is allowed to process the personal data fulfills the following conditions:
– Prepare, retain, and send a copy of a cross-border transfer of personal data impact assessment dossier to the DCHCP within 60 days after the data has been processed; and
– Send a notification to the DCHCP after successful transfer.
It is important to note that the Ministry of Public Security may inspect cross-border transfers of personal data performed by any of the above relevant parties once per year.
- Administrative Fine
The DPD does not provide specific administrative fines imposed on any violation of the DPD. Agencies, organizations and individuals that violate the DPD may be subject to disciplinary action, administrative sanctions, or criminal penalties depending on the severity of the violation.