LEGAL UPDATE – MARCH 2024 – Vietnam – Key compliance requirements on personal data protection

Issue March 2024

Nguyen Anh Tuan
Managing Partner 

Phan Thi Minh
Senior Associate

Preface:

“With effect from 01 July 2023 for compliance purposes, acts related to personal data in the territory of Vietnam, acts of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of Vietnamese citizens to a location outside the territory of Vietnam, or acts of using a location outside the territory of Vietnam to process personal data of Vietnamese citizens, are subject to compliance with the regulations on personal data protection set forth in the Government’s Decree 13.”

One of the latest and most fundamental legal instruments in place governing the protection of personal data in Vietnam is Decree No. 13/2023/ND-CP (“Decree 13”). This long-awaited Decree 13 was issued by the Government on 17 April 2023.

Decree 13 introduces, inter alia, new requirements with respect to the protection of personal data, which apply to any domestic or foreign organizations or individuals that directly participate in or are involved in processing personal data in Vietnam. Those requirements under Decree 13 take effect on 01 July 2023, save that small and medium-sized enterprises are afforded a grace period of two years with regard to the obligation of appointing a data protection officer and/or department. As such, it is highly recommended that businesses review their internal privacy policies and compliance practices to identify any incompatibilities with Decree 13 and take immediate action to ensure compliance with Decree 13.

Key compliance requirements in Decree 13 are outlined hereunder.

1. Identifying role in processing personal data

Decree 13 clearly distinguishes between the different roles of the parties involved in the processing of data and provides respective responsibilities for each role. Specifically:

Data Controller refers to an organization or individual that decides the purpose and means of processing personal data. The Data Controller bears the highest responsibility for complying with data protection requirements, including obtaining the data subject’s prior consent for all processing activities, receiving and handling the data subject’s requests, and notifying the Ministry of Public Security (“MPS”) of any personal data breach.

Data Processor refers to an organization or individual that processes personal data on behalf of the Data Controller under a contract with the Data Controller. The Data Processor is responsible for notifying the Data Controller of any personal data breach and for processing personal data in accordance with the contract entered into with the Data Controller.

Data Controlling and Processing Party is a hybrid role of both Data Controller and Data Processor.

Third Party refers to an individual or entity other than the data subject, Data Controller, Data Processor or Data Controlling and Processing Party that is allowed to process personal data. The Third Party is responsible for archiving personal data in forms appropriate to its operations and for adopting measures to protect the personal data as prescribed by law.

Accordingly, it is crucial for businesses to identify their exact roles in processing personal data to determine their responsibilities in the course of processing personal data.

2. Obtainment of the data subject’s consents

Decree 13 requires the data subject’s prior consent for all data processing activities, save for a few exceptions. The consent of a data subject is valid only when (i) it is freely given, and (ii) the data subject is fully informed of the type of personal data, the purpose of the data processing, the parties processing the data, and the data subject’s rights and obligations. Note that the consent must be expressed in writing, by voice, by ticking a consent box, by a consent syntax sent through text message, by selecting technical settings that indicate consent, or by another action that expresses the same.

Silence or non-response from the data subject shall not be deemed consent. In case of dispute, the Data Controller and the Data Controlling and Processing Party bear the burden of proving the data subject’s consent.

3. Assessment of the impact of personal data processing

All Data Controllers and Data Controlling and Processing Parties must prepare and maintain a personal data processing impact assessment dossier (“Impact Assessment Dossier”) from the commencement of processing personal data. The Impact Assessment Dossier must be submitted to A05 (the MPS’s Department of Cybersecurity and Hi-tech Crime Prevention) within 60 days from the date of processing of personal data for A05’s review, and must be made available at all times for inspection and evaluation by the MPS.

The Impact Assessment Dossier must include:

  • Information on the Data Controller, the Data Controlling and Processing Party and their internal data protection officer;
  • Purposes and types of personal data processed;
  • Recipients of personal data, including overseas entities;
  • Cases of cross-border transfer of personal data;
  • Retention period; expected time for deletion or disposition of personal data (if any);
  • Description of the personal data protection measures applied;
  • Assessment of the impact of personal data processing; potential and unwanted consequences and/or damage, and measures for minimization or elimination thereof.

A Data Processor may also be required to prepare and maintain an Impact Assessment Dossier if so stipulated in its contract with the Data Controller.

4. Cross-border data transfer requirements

Decree 13 allows the transferor (including the Data Controller, Data Controlling and Processing Party, Data Processor and Third Party) to transfer the personal data of Vietnamese citizens to a third country, subject to the following requirements:

  • The transferor must prepare a cross-border personal data transfer impact assessment dossier. The dossier must include mandatory contents such as a description of the types of personal data transferred overseas, a description and explanation of the objectives of processing the personal data of Vietnamese citizens, and a document setting out the binding commitments and responsibilities between the transferor and the recipient of the transferred personal data of Vietnamese citizens;
  • The impact assessment dossier must be available at any time for review and inspection by the MPS. The transferor must submit an original of the impact assessment dossier, in the prescribed form, to the MPS within 60 days from the date of processing of personal data. The MPS may require the transferor to complete the impact assessment dossier if the dossier is incomplete or improper;
  • Upon successful transfer of the data, the transferor must submit to the MPS a written notification of the data transfer together with the contact details of the person in charge.

The MPS retains the discretion to suspend any cross-border transfer if the transferor fails to satisfy the above requirements, if the transfer violates the interests or national security of Vietnam, or if the personal data of Vietnamese citizens is leaked or lost.

5. Personal data breach notification requirement

In the event of detecting a personal data breach, (i) the Data Processor is required to notify the Data Controller immediately upon the breach occurring, and (ii) the Data Controller and the Data Controlling and Processing Party are required to notify the MPS (Department of Cybersecurity and Hi-tech Crime Prevention) within 72 hours of the breach occurring. The notification must be made in the prescribed form with the compulsory contents. Where notification is made after 72 hours, the Data Controller and the Data Controlling and Processing Party are required to state the reasons for the delay or late notification.

A comprehensive administrative penalty regime for violations of personal data protection regulations may not be in place at the time Decree 13 takes effect. However, certain sanctions already apply to violations of the regulations on the collection, use, updating, alteration and removal of personal information and on the assurance of security of personal information in cyberspace, with administrative fines ranging from VND 10 million to VND 70 million, or criminal prosecution under the Penal Code in serious cases.

Outlook

The requirements set forth in Decree 13 place significant burdens on parties involved in personal data processing, especially multinational businesses. Given that such requirements are broadly worded, it is expected that the MPS will issue further guidance on the interpretation and enforcement of the provisions stipulated in Decree 13.
