Following our recent article titled "Vietnam accelerates drafting of Personal Data Protection Decree with EU support" posted on 3 January 2021, the Vietnamese Ministry of Public Security (“MPS”) recently published the long-awaited draft Decree on Personal Data Protection for public consultation. The draft Decree proposes for the first time the regulation of specific rights of data subjects, cross-border transfer of data, processing of sensitive personal data, and other related subjects.
In this article, we outline the following notable points in the draft Decree.
Guiding Principles in Personal Data Protection
There are eight principles in protecting personal data (“PD”).
- Lawfulness. PD can only be obtained in necessary situations in accordance with the laws.
- Purpose Limitations. PD can only be processed for the purpose that was registered or declared.
- Data Minimization. PD can only be obtained to the extent necessary to achieve the purpose set.
- Use Limitations. PD can only be used when there is consent from the data subjects or when it is required by authorities.
- Data Quality. PD should be updated and complete to ensure its processing.
- Security. Security measures should be applied to protect PD from being processed.
- Informed Data Subjects. The data subjects have the right to know and be informed about the processing activities over their PD.
- Confidentiality. PD should be kept confidential while being processed.
Some of these principles are somewhat similar to those found in the General Data Protection Regulation (“GDPR”), which includes regulations on data minimization and purpose limitation.
Broad and Cross-Border Governing Scope
The draft Decree proposes to apply to any organisation or individual that has a relation to PD. This means the processing of data of Vietnamese residents by either local or foreign companies (whether based in Vietnam or not) would be governed by this Decree.
Specific Rights of Data Subjects
The draft Decree has for the first time provided for specific rights regarding the processing of an individual’s PD. The data subjects have the right to:
- Give consent for the processing of their PD;
- Receive notice of the data processor at the time of processing or as soon as possible;
- Request the processor to correct, show and provide a copy of their PD;
- Request the processor to terminate the processing of their PD, limit the access to their PD, terminate the disclosure or access to their PD, delete or close their PD;
- Complain to the Personal Data Protection Committee in case of data violation or misuse; and
- Claim damages from a breach of PD.
The draft Decree requires the consent of a data subject to be in a format that can be printed or copied in writing.
Establishment of Personal Data Protection Committee
According to Chapter IV of the draft Decree, the Personal Data Protection Committee will be established to implement this regulation. This new agency is an independent governmental body under the Department of Cyber Security and Hi-tech Crime Prevention, Ministry of Public Security (A05 Department). The Director of the A05 Department is proposed to be the Chairman of this Committee. The main functions of the Committee include appraising privacy policies of data processors before their announcement, reviewing and approving applications for cross-border transfer of PD and for processing of sensitive data, requesting the A05 Department to issue a decision to inspect and examine data protection activities, and handling complaints on data violation or misuse.
Cross-border Transfer of Data
The Decree would be the first instrument to specifically regulate this area. The proposed requirements for cross-border data transfer include (i) the consent of the data subject; (ii) the original data is stored in Vietnam; (iii) there is written evidence that the jurisdiction where the data is received offers the same or higher level of data protection compared to Vietnam; and (iv) the Personal Data Protection Committee has issued a written approval for the transfer.
The application for cross-border transfer of data must include: (i) a form with details on the data processor, legal grounds for the transfer, purposes of the transfer, types of data to be transferred, data sources, location and conditions for transfer, and a detailed description of the protection measures; (ii) a report on assessment of the impact of the cross-border data transfer, including a description of the transfer, purposes of the transfer, risk and harm assessment and measures to mitigate or eliminate such risks or harms; and (iii) documents relating to information in the application and impact assessment report for processing of sensitive data. The Personal Data Protection Committee may take steps to verify the information in the application.
Sensitive Personal Data
The draft Decree specifies the following types of information as sensitive PD: Political and religious opinions; personal health data; personal genetic data; personal biometric data; PD on gender status; PD about life, sexual orientation; PD about criminals and crimes collected and stored by law enforcement agencies; personal financial data; personal location data; PD on social relationships; other PD as specified by law to require necessary security measures.
The processing of sensitive PD must also be approved by the Personal Data Protection Committee, with the application including a form and an impact assessment report with contents similar to those for a cross-border data transfer.
Sanctions against Violation
The draft Decree proposes to apply a monetary fine range of VND 50 million to 80 million (approx. US$ 2,170 to 3,480) for violations in relation to rights of the data subjects, data storage, destruction, disclosure, processing (including those by automatic means), accuracy and data relating to children. The monetary fine range would be raised to VND 80 million to 100 million (approx. US$ 3,480 to 4,350) for violations in relation to cross-border transfer of PD, processing of sensitive data, and failure to apply technical measures. For the latter violations, additional sanctions may also include the suspension of data processing for one to three months and revocation of the rights to process sensitive data and cross-border transfer. For repeat violations, a monetary fine of 5% of the total revenue of the violator may be imposed.
Apart from the above, the draft Decree also covers:
- circumstances in which PD can be processed or disclosed without prior consent from the data subjects, and automated processing of PD;
- required technical security measures and publication of PD protection policies;
- storage, deletion and destruction of PD;
- processing of PD in relation to children; and
- PD processing for scientific research and statistics purposes.
There are certain areas in the draft Decree that seemingly overlap with other decrees (e.g. Decree No. 52/2013/ND-CP dated May 16, 2013 on E-Commerce and Decree No. 72/2013/ND-CP dated 15 July 2013 on the Management, Provision and Use of Internet Services and Online Information) and the pending draft decree guiding the implementation of the Vietnamese Cyber Security Law. It remains to be seen how the MPS would reconcile the differences between the draft Decree and other existing legal instruments. The MPS aims to finalise the draft and submit it to the Government within the first quarter of 2021.