Effective from this coming July 1, 2023, the long-awaited Decree on Personal Data Protection (“DPDP”) No. 13/2023/ND-CP dated April 17, 2023 sets out clear and strict regulations on personal data protection that will heavily affect the current practice of domestic and foreign individuals/entities concerning the processing of personal data. The issuance of the DPDP follows a number of public discussions after its introduction of the draft in February 2021.  

1. Clear Definition of Personal Data

Under the DPDP, personal data has been defined as information in the form of symbols, letters, numbers, images, sounds, or in similar form in an electronic environment that is associated with a particular person or helps to identify a particular person.

Further, the DPDP distinguishes personal data between (i) basic personal data and (ii) sensitive personal data, of which basic personal data includes basic information of a person, such as a name, date, place of birth, gender, nationality, residential address, etc., while the sensitive personal data concerns data associated with an individual’s privacy which, when violated, will directly affect the rights and legitimate interests of such individual. Some examples of sensitive personal data include political and religious views, health status, criminal record, physical locations (via GPS), racial or ethnic origin information, etc.  

2. Introduction of new concepts

For the first time, the new Decree introduces the concepts of ‘data controller’, ‘data processor’, and ‘data controller cum processor’.

According to the DPDP

• ‘data controller’ is organization(s) or individual(s) determining the purposes and means of the processing of personal data;

• ‘data processor’ is organization(s) or individual(s) processing the personal data on behalf of the data controller through a contract or an agreement with the data controller; and

• ‘data controller cum processor’ is the combination of ‘data controller’ and ‘data processor’.  

For sensitive personal data, the DPDP requires that an internal ‘data protection department (DPD)’ and a ‘data protection officer (DPO)’ who to be involved to take charge of protecting sensitive personal data. However, the government has not yet provided a clear guidance on the required qualification of the DPD and the DPO  in the DPDP.

3. Fundamental Rights of Data Subjects

The Decree distinctively sets out the rights of the data subject, who is an individual to whom the data relates . Among those, the below are the most notable:

• Right to be informed. The data subject must be informed or notified about, among others, the collection purpose, the type of collected data, organizations, and individuals that have access to the data, etc.

• Right to give consent and withdrawal. It is required to obtain the explicit consent of the data subject prior to processing the personal data. The consent must be expressly made (no silent default consent), in printable or copyable form, and can be partial or conditional. In case of dispute, the data controller bears the burden of proof. The consent is valid until the data subject withdraws his/her consent. In such a case, the relevant personal data must be deleted within 72 hours.

• Right to claim for damages. Data subjects are entitled to claim damages if there is a violation related to their personal data. Also, it is illegitimate to collect, transfer, or sell personal data without the data subject’s consent.

4. Basis Regulations in Data Processing

In addition to requirements concerning the technology solution, the DPDP requires data controllers and data controllers cum processors to follow certain rules when processing personal data, including the following:

• Obtaining consent from and notifying data subjects prior to processing their personal data.

• Preparing and validating internal rules on personal data protection in line with DPDP’s requirements.

• Preparing, achieving, and validating a ‘data processing impact assessment’ upon processing of personal data. The data processing impact assessment must be made available at all times for audit and evaluation by the Ministry of Public Security (“MPS”), and one (1) original of the assessment report must be submitted to the Police Department of Cybersecurity and Hi-tech Crime Prevention (“A05”) within 60 days of the commencement of the processing of personal data. The A05 will review the assessment report and may request the controllers/ the controllers cum processors to complete the assessment report should it is incomplete and not comply with the DPDP. The assessment report must be updated and resubmitted to A05 upon substantive change to the submitted assessment report.

• Notifying A05 of any data breach or other violations of the DPDP within 72 hours of such breach or violation.

5. Transfer of personal data out of Vietnam

Any cross-border transfer of personal data of Vietnamese citizens must be accompanied by a ‘transfer impact assessment’, which includes the following information:

• information and full contact details of the exporter and importer of the data and other parties involved (organization and/or individual in charge of the transfer)

• description and explanation of the objectives of the personal data processing following the transfer;

• description and clarification on the type of personal data to be transferred;

• description and explanation of the compliance with the DPDP, detailing the applied measures for personal data protection;

• assessment on the impact of the processing, as well as the potential and unwanted consequences and/or damages, and measures to minimize or eliminate such consequences and/or damages;

• consent from the data subject; and

• documents pertaining to the binding responsibilities of personal data processing between the transferor and transferee.

It’s worthy to note that the transfer impact assessment must always be ready for auditing and evaluation by the MPS, and one (1) original of the assessment must be submitted to A05 within 60 days from the date of the personal data processing. The A05 will review the dossier and may request the transferor to complete the dossier should it is incomplete and not comply with the DPDP. The transferor must update and resubmit to A05 the dossier if there is a substantive change to the submitted dossier within 10 days from the requested date of A05. Furthermore, upon the successful completion of the transfer, the transferor must report in writing to A05 the information on the transfer, as well as the contact details of the responsible organization and individuals.

The Ministry of Public Security has the power to:

• audit the cross-border data transfers once per year; and

• stop the cross-border data transfers if (i) the data is used for activities that violate the interests and national security of Vietnam; (ii) the transferor fails to complete or update the ‘dossier of impact assessment for the cross-border transfer of personal data’; or (iii) the personal data of Vietnamese citizens is disclosed or lost.

6. Sanctions

Failing to comply with the DPDP may result in suspensions of certain activities, such as the processing or overseas transfer of data, and may lead to administrative penalties, although specific regulations have not yet been established. Additionally, criminal sanctions may be imposed for acts that infringe on personal privacy.  

Currently, it is unclear how strictly the DPDP’s requirements will be enforced during the initial transition period and how entities will manage the demanding obligations outlined in the DPDP in the upcoming months. In the meantime, it is advisable for businesses to exercise caution and start developing their compliance plans.

To read and download the full article, please find attached PDF below.