▶️ Overview
Vietnam’s first comprehensive data privacy legislation, Decree No. 13/2023/ND-CP dated 17 April 2023 on the Protection of Personal Data (“Decree 13”), issued by the Government, took effect on July 1, 2023.
The Decree applies to any enterprise, organization or individual, whether resident or nonresident, that is involved in or related to the processing of personal data inside or outside the territory of Vietnam[1]. Processing data in this context means any activity that has an impact on data, including but not limited to the collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, tracing, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion and destruction of personal data.[2]
▶️ Legal Framework
Decree 13 classifies the stakeholders involved in the collection and processing of personal data as Data Controller (who decides the purposes and means of processing personal data), Data Processor (who performs data processing on behalf of the Data Controller, through an agreement with the Data Controller), and Data Controller cum Processor.
The main legal requirements for the Data Controller and the Data Controller cum Processor are obtaining the consent of the data subjects to process their personal data, the obligation to give notice of the processing of personal data, and certain reporting duties in case of data transfers outside of Vietnam’s territory.
In principle, any Data Controller and Data Controller cum Processor is obliged to notify the data subject before any personal data is processed[3]. In addition, the data subject must be informed before sensitive personal data is processed[4]. Sensitive personal data in that sense includes political and religious opinions, sexual orientation, criminal records, bank records, etc.[5]
It is possible to process data without the consent of the data subject in specific circumstances, for example when the disclosure of the data is in accordance with the law, to fulfill contractual obligations with the data subject, as required by competent state authorities, or if it is necessary to protect the life and the health of the data subject[6].
In addition, companies are required to conduct a Data Processing Impact Assessment (“DPIA”) from the moment they commence processing personal data[7] and to conduct a Transfer Impact Assessment (“TIA”)[8] before transferring the personal data of a Vietnamese citizen abroad or processing it on a system located outside of Vietnam. These dossiers must be submitted to the Ministry of Public Security (A50) within 60 days from the date of commencing the processing of personal data[9]. Since the launch of the National Portal for Data Protection (https://baovedlcn.gov.vn/), companies are able to submit all administrative procedures online, including dossiers of outbound data transfer.
We emphasize that data subjects have the right to withdraw their consent and request the deletion of all collected personal data.[10] Failure to comply with this may be punished with fines and expose the company to lawsuits.
▶️ Key takeaways
One key issue for companies involved in the processing of sensitive personal data will be the appointment of a Data Protection Officer (“DPO”) who is in charge of the protection of sensitive personal data.[11] Taking into account that sensitive personal data is already being processed if, for example, a criminal record is requested, it is advisable to appoint a DPO even if there is no initial intention to process sensitive personal data.
It is worth mentioning Clause 2 Article 16 of the Decree, which allows exceptions to the obligation to delete personal data at the data subject’s request in cases where deletion of the data is against the law.[12] An example of such a case is the data localization regulations (Decree No. 53/2022/ND-CP). Decree 53 stipulates that if a foreign enterprise conducts some business in the Vietnamese cyberspace, it must store data on personal information of service users on the territory of Vietnam for 24 months if requested by the Government.[13]
[1] Clause 2 Article 1 of Decree 13
[2] Clause 7 Article 2 of Decree 13
[3] Clause 1 Article 13 of Decree 13
[4] Clause 8 Article 11 of Decree 13
[5] Clause 4 Article 2 of Decree 13
[6] Article 17 of Decree 13
[7] Clause 1 Article 24 of Decree 13
[8] Clause 1 Article 25 of Decree 13
[9] Clause 4 Article 24 and Clause 3 Article 25 of Decree 13
[10] Clauses 4 and 5 Article 9 of Decree 13
[11] Clause 2 Article 28 of Decree 13
[12] Clause 2 Article 16 of Decree 13
[13] Clause 1 Article 27 of Decree 53/2022/ND-CP