As of now, about 68 legal documents directly regulating personal data protection have been issued in Vietnam (as published at https://cand.com.vn/van-de-hom-nay-thoi-su/phu-hop-quy-dinh-cua-hien-phap-phap-luat-hai-hoa-voi-thong-le-quoc-te-bai-cuoi–i684175/), but there is inconsistency among them regarding the definitions of and rules on personal data and personal data protection. To address this issue and catch up with international practices in personal data protection, a Government decree on personal data protection (the “PDP Decree”) is being built by the Ministry of Public Security. The second draft of the PDP Decree was published for public consultation on 9 February 2021, and since then, the Government has issued two resolutions, Resolution No. 27/NQ-CP on 7 March 2022 (“Resolution 27”) and Resolution No. 13/NQ-CP dated 7 February 2023 (“Resolution 13”), which both address certain contents of the draft PDP Decree. However, till date, the latest draft as mentioned under Resolution 13 has not yet been published.
Under Resolution 13, the processing of personal data can be performed without the consent of data subjects in the following circumstances:
- The processing of personal data is for the protection of the life and health of the data subject or others in emergencies. In this case, the personal data controller, the personal data processor, the personal data controlling and processing party, and/or the relevant third parties will bear the burden of proof. Compared to the second draft PDP Decree, Resolution 13 further mentions the personal data controller and the personal data controlling and processing party as the parties involved in the process of personal data processing. This addition is intended to bring the PDP Decree more in line with the EU General Data Protection Regulation (GDPR).
- The disclosure of personal data is required by Vietnamese laws. This exception has been provided in the second draft PDP Decree.
- The processing of personal data by competent state authorities in the following cases: (a) Emergencies in respect of national defense and security, social order and safety, great disaster, or dangerous epidemic; (b) when there is a threat to national defense and security but not to the extent of declaring a state of emergency; and (c) for the prevention and combat of riots, terrorism, crimes, and law violations under Vietnamese laws. Compared to Resolution 27 and the second draft PDP Decree, Resolution 13 specifies more details of exceptions for processing personal data by competent state authorities without the data subject’s consent.
- The processing of personal data for the implementation of contractual obligations of the data subjects with the relevant agencies, organizations, and/or individuals as regulated by Vietnamese laws. This exception has not been provided in Resolution 27. However, similar provisions have been provided in the Law on Information Technology No. 67/2006/QH11 dated 29 June 2006, as amended in 2017 (in respect of the implementation of contracts on the use of information, products, or services in the network environment), and Decree No. 52/2013/ND-CP dated 16 May 2013 on e-commerce (in respect of the implementation of e-commerce trading contracts).
- The processing of personal data for serving operations of state authorities as regulated in the specialized laws of Vietnam. It appears that this exception is a combination of the exceptions provided by Clauses 1.4 and 1.5 of Resolution 27.
The National Assembly’s Committee for National Defense and Security held its 5th plenary session on 8 February 2023 to examine the latest draft PDP Decree which is intended to come into effect from 1 July 2023. However, this seems to be delayed further, as certain delegates opined that the draft PDP Decree needs to be further reviewed and completed before being approved and promulgated.