Special Alert | First Personal Data Protection Decree in Vietnam

After more than two years since the last draft was published for public comments on 9 February 2021 (the “Draft Decree”), which drew heated debate among agencies and businesses, the Government of Vietnam finally issued Decree No. 13/2023/ND-CP on personal data protection on 17 April 2023 (the “PDP Decree”).

A Glance at the PDP Decree

The PDP Decree would act as the “backbone” for personal data protection in Vietnam with definitions and rules that seem to align with international standards such as the EU General Data Protection Regulation (GDPR). The PDP Decree covers the rights and obligations of concerned individuals and entities, applicable measures for data protection, requirements for cross-border data transfers, and the powers and duties of the authorities, especially the Department of Cybersecurity and Hi-tech Crime Prevention (“DCHCP”) under the Ministry of Public Security (“MPS”), which is assigned to enforce the rules on data protection in Vietnam.

Key Highlights

Scope of application

The subjects under the governance of the decree include: (i) Vietnam-based individuals and entities; and (ii) foreign entities which are directly involved in or related to data protection activities in Vietnam.

The PDP Decree broadly defines data processing acts which include collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction, and/or other related actions.

Parties that are involved in data processing acts are further classified into four categories. The PDP Decree defines those parties as follows:

  • a data controller means an individual or entity who decides upon the purposes and manners of personal data processing;
  • a data processor means an individual or entity who processes data on behalf of a data controller;
  • a data controlling and processing party means an individual or entity which plays the role of both data controller and processor; and
  • a third party means an individual or entity other than the data subject, data controller, and/or data processor.

(For the sake of convenience, in this Article we use the generic term of a “concerned entity” to collectively denote a data controller, data processor, data controlling and processing individual/entity, and/or a third party.)

The principles of personal data protection

The PDP Decree places emphasis on the fundamental principles of personal data protection, namely lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity and confidentiality, accountability, and storage limitation. These principles appear to closely align with the key principles found in other major data protection regulations such as the GDPR, the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, etc.

The rights of data subjects and conditions for their consents

The PDP Decree spells out 11 rights of a data subject, which include: (i) right to know; (ii) right to consent; (iii) right to access his/her personal data in order to review and edit it (or demand that a concerned entity edit it); (iv) right to withdraw consent; (v) right to erase his/her data (or demand that a concerned entity do so); (vi) right to restrict or demand restriction of the processing of his/her data; (vii) right to be provided with his/her own data; (viii) right to object to the processing of his/her data; (ix) right to take legal action; (x) right to damages; and (xi) right to self-defense (e.g., rights to demand correction, public apologies, etc.).

When a data subject exercises his/her rights, the PDP Decree requires the concerned entity to respond. For example, a concerned entity must provide, rectify, erase, or destroy personal data within 72 hours upon receipt of the data subject’s request. Nevertheless, the rights of a data subject could be restricted “in accordance with laws”. The decree does not clearly explain which laws restrict those rights. However, we understand that those laws include at least the Law on National Security of 2004, the Criminal Procedure Code of 2015 (amended in 2021), and the Law on Information Technology of 2006 (amended in 2017).

The consent of a data subject is a crucial requirement for all acts of personal data processing, including cross-border transfers. However, Article 17 of the PDP Decree provides some exceptions, such as emergency situations for health protection, national security, epidemics, compliance with the requests of authorities as provided in a specific law, and other circumstances prescribed under laws. See further details on this topic in our recent article.

Consent is considered valid if it is given voluntarily and when the data subject is clearly informed of the type of personal data to be processed, the purposes of the processing, the concerned entities, and the data subject’s related rights. Notably, the conditions for transferring or sharing personal data with third parties stated in the Draft Decree are no longer required in the PDP Decree. With respect to advertisements, in addition to the general conditions above, the data subject’s consent is only valid when he/she understands the contents, method, form, and frequency of the advertisements.

In comparison with the Draft Decree, the forms of consent under the PDP Decree are broader and include writing, voice, consent box clicks, SMS, etc. The requirement of consent apparently applies to all stages of personal data processing.

Types of personal data and respective protective measures

According to the PDP Decree, there are two types of personal data, namely basic personal data and sensitive personal data. The list of sensitive data seems broad, ranging from a data subject’s political views and health conditions to his/her bank accounts and deposits, etc.

For basic personal data, the PDP Decree requires concerned entities to adopt necessary measures such as installing technical measures, issuing regulations on data protection, checking network security, etc. Regrettably, the requirements fall short of the detail a concerned entity would need in order to apply them. For sensitive personal data, a concerned entity is also required to meet the requirements applicable to basic personal data. In addition, instead of the requirement for registration of sensitive data processing under the Draft Decree, the concerned entity is required to set up a special unit or appoint a person responsible for personal data protection, and to provide his/her/its contact details to the DCHCP. Further, data subjects must be made aware that the data being processed is sensitive data before the processing begins.

Requirements for cross-border data transfers

For cross-border data transfers, the four prerequisites introduced in the Draft Decree, including the specific data localization requirement in Vietnam, have been removed. Instead, the PDP Decree sets out new requirements for a transferor (i.e., a concerned entity) for cross-border data transfers:

  1. Preparing and maintaining an impact assessment dossier on personal data processing;
  2. Preparing and maintaining an impact assessment dossier on cross-border personal data transfer; and
  3. Submitting an original copy of the dossiers mentioned in Items 1 and 2 above to the DCHCP within 60 days of the processing of personal data.

The MPS may order a transferor to stop transferring data offshore when the MPS discovers that such transfer violates the national security of Vietnam, causes the leaking or loss of data of Vietnamese citizens, or when the transferor breaches the requirements mentioned in Items 1 to 3 above.

Once a year, the MPS will conduct a regular review of a transferor’s cross-border data transfers. However, it may conduct a surprise check or raid when it discovers a law violation by the transferor or an incident of data leakage or loss.

Effectiveness

The PDP Decree will take effect from 1 July 2023. However, micro, small and medium-sized enterprises and start-up companies, excluding data processing companies, may opt to be exempted from the application of the PDP Decree for a period of two years starting from the date of incorporation.

The issuance of the PDP Decree is anticipated to have a great impact on the operation of large businesses inside and outside of Vietnam. Indochine Counsel will keep readers updated on major developments on this topic and be pleased to assist businesses with legal awareness and compliance. Indeed, we have a very strong record of advising various businesses in this area.
