Decree No. 13/2023/ND-CP on personal data protection (PDP Decree) was officially issued by the Vietnamese government on 17 April 2023. As Vietnam’s first-ever consolidated set of data protection regulations, the PDP Decree serves as the foundation of the local legal framework and aims to enhance the protection of PD subjects’ rights and interests.

As follow-up to our previous article (see here) and the recently held EuroCham Vietnam webinar (see here) at which Yen Vu, Eunjung Han, and Khanh Nguyen were speakers – this article delves deeper into Decree 13 by going over key provisions to offer insights on specific issues to help businesses and organizations bring themselves into full legal compliance.

Key Provisions

Effective Date

• The PDP Decree goes into effect on 1 July 2023.
• A two year-grace period applies only to micro-enterprises, SMEs, and start-ups with the data protection officer (DPO)/data protection department (DPD) requirement. However, this does not apply to micro-enterprises, SMEs, and start-ups directly engaged in personal data processing.

Territorial Scope

• The PDP Decree’s extraterritorial scope covers both domestic and foreign individuals and entities that directly participate in or relate to personal data (PD) processing activities in Vietnam.

Key Definitions

Personal data

Personal data is defined as information expressed in the form of symbols, text, numbers, images, sounds, or similar forms in an electronic environment that is associated with a specific individual or helps to identify a specific individual. The PDP Decree further clarifies “information that helps to identify a specific individual” as information created from activities of an individual that can be used to identify such individual when combined with other data.[1]

The PDP Decree goes further to classify PD into two groups: Basic PD and Sensitive PD. Basic PD includes, among others, name, date of birth, gender, contact address, nationality, personal photos, phone number, identification number, marriage status, history of cyberspace activities.

Sensitive PD is the information relating to the private life of an individual. The PDP Decree provides a non-exhaustive list of data to be considered sensitive (e.g., religious views, health-related information in medical records (excluding blood type), information on customers of credit institutions, sexual orientation, criminal records, and location data determined via location services).[2]

Parties involved in the processing of data:

The PDP Decree introduces the concepts of PD controller, PD processor (which are similar to those provided under the EU’s General Data Protection Regulation (GDPR)), and PD controller-processor. The table below compares definitions provided under this Decree and the GDPR.

Data Processing Principles

Eight basic principles under the PDP Decree which also serve as guidelines for compliance procedures of businesses and organizations include lawfulness, transparency, purpose limitation, minimization, accuracy, integrity and security, storage limitation, and accountability.[7]

Data Subject Rights

Data subject rights stipulated in the Decree include:

• the right to be informed of the PD processing activities;
• right to give consent; right to access PD;
• right to withdraw consent;
• right to delete PD;
• right to obtain restriction on processing; right to obtain PD;
• right to object to processing;
• right to file complaints, denunciation and lawsuits;
• right to claim damages; and
• right to self-protection.[8]

Among these, the right to obtain restriction on processing, right to object to processing, right to obtain PD, and right to delete PD are subject to a 72-hour deadline.[9]

Consent

Consent[10] of a data subject is only valid when it is freely given and the data subject fully knows about (i) type of PD, (ii) processing purposes, (iii) processing parties, and (iv) his/her rights and obligations. In case of a dispute, the PD controller/controller-processor is responsible for proving the consent of the data subject. In addition, the consent must be:  

• clearly and specifically expressed by affirmative action, e.g., default pre-ticked boxes may not be regarded as consent by the data subject. In addition, the PDP Decree further emphasizes that silence or non-response by the data subject shall not be regarded as consent;
• bound to a single purpose. In case of multiple purposes, such purposes must be listed out so that data subjects can give consent to one/more of the provided purposes; and
• expressed in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats. However, it is still unclear under this Decree which are covered by verifiable formats.

Consent will be applied in all activities of data processing, except for the following circumstances under Article 17:

• In emergency situations to protect the life or health of the data subject or others;
• To disclose personal data in accordance with the law;
• When the processing of PD is carried out by competent state agencies (i) in a state of emergency (SOE) for the purposes of national defense, national security, social order and safety, major disasters, or dangerous epidemic; or (ii) where there is a threat to national security and defense but not to the extent of SOE; or (iii) to prevent and fight against riots, terrorism, crimes and violations of laws;
• To fulfil the contractual obligations of the data subject as prescribed by the law;
• To serve the activities of state agencies in accordance with sector-specific laws; or
• The processing of PD obtained from audio and video recording activities in public places (with conditions set out in Article 18).

Responsibilities of PD Controllers, PD Processors, and Third Parties

To guarantee the rights of data subjects, the PDP Decree sets out responsibilities of PD controllers, PD processors, and third parties in Articles 38, 39 and 41. Importantly, both PD controllers and PD processors are responsible to the data subject for the damage caused by the processing of PD. In other words, this can be interpreted to mean that data subjects can now bring claims directly against PD processors in all cases in which damages arise (unless the involved parties agreed, or the law stipulated otherwise[11]). This mechanism is different from what is provided in the Civil Code under which only PD controllers would be responsible to data subjects for damages and PD controllers would have to separately deal with PD processors according to their agreements. Thus, the parties should pay attention to provisions relating to authorization when entering into processing authorization contracts.

Cross-Border Transfer of PD

A PD transferor must comply with the following procedures[12] for the cross-border transfer of PD:

• The transferor must prepare a dossier of impact assessment for cross-border transfer(s) of PD before transferring it overseas. The dossier must include: (i) information and contact details of the transferor and receiver; (ii) full name and contact details of the transferor’s organization and/or individual in charge; (iii) description and explanation of the objectives of the processing of PD after being transferred; (iv) description and clarification on the type of PD to be transferred; (v) description and explanation on the compliance with the regulations under this Decree, detailing the applied measures for PD protection; (vi) assessment on the impact of the processing, the potential and unwanted consequences and/or damages, and measures to minimize or eliminate such consequences and/or damages; (vii) consent from the data subject; and (viii) documents that show the binding responsibilities of PD processing between the transferor and transferee;
• The dossier must always be available for inspection and evaluation by the Ministry of Public Security (MPS). The transferor is required to send one original copy to the Department of Cyber​​Security and Hi-tech Crime Prevention (A05) under the MPS within 60 days from the date of personal data processing; and
• The transferor notifies and submits to A05 the information on the data transfer and contact details of the responsible entity and/or individual in writing upon the successful completion of the data transfer.

The MPS has the authority to cease cross-border data transfer if (i) such data is used for activities that violate Vietnam’s interests and national security; (ii) the transferor fails to complete or update the dossier of impact assessment; or (iii) the PD of Vietnamese citizens is lost or disclosed.

PD Processing

The Decree imposes technical and non-technical measures to protect personal data[13] by entities/individuals that relate to PD processing or by competent state management agencies. Competent state agencies can also carry out investigations and procedural measures to protect PD. The listed measures being quite broad and general, it may be inferred that the involved parties can determine the best course of action on a case-by-case basis to protect PD.

In addition to the listed measures, the PDP Decree provides protection measures for two types of PD. The Decree seems to impose stricter conditions for sensitive data than those for basic data. Particularly, PD controller and processor must (i) notify data subject for processing sensitive data, unless otherwise provided by law, and (ii) appoint a DPO and a DPD (information of DPO and DPD should be notified to the authority). However, Article 24, which stipulates that the data protection impact assessment dossier must include the information on DPO and DPD, also applies to basic data. Therefore, we are not aware of a significant distinction between sensitive and basic data in this regard.

PD Processing in Special Cases

• The processing of the PD of a child[14] is subject to his/her consent if he/she is seven years old or above but with consent of his/her parents/guardians. However, the Decree stays silent when it comes to children under seven. It seems that only the consent of parents/guardians is required in this situation in accordance with the Civil Code. Businesses and organizations should carefully check the age of the children prior to processing their PD.
• Organisations and individuals that provide marketing and advertising services may only use customers’ PD collected during their business activities to provide marketing and advertising services with the consent of the data subjects. The data subjects should be notified of content, method, form and frequency of marketing and advertising activities provided to them.[15]

In Part II of our deep dive into the PDP Decree, we will discuss potential challenges when applying/enforcing the PDP Decree, the prospective regulatory framework, and common questions and answers.

Co-authors: Ly Nguyen and Uyen Doan

[1] Articles 2.1 and 2.2, PDP Decree

[2] Articles 2.3 and 2.4, PDP Decree

[3] Article 2.9, PDP Decree

[4] Article 2.10, PDP Decree

[5] Article 2.11, PDP Decree

[6] Article 2.12, PDP Decree

[7] Article 3, PDP Decree

[8] Article 9, PDP Decree

[9] Articles 9.6b, 9.8b, 14, 16.5, PDP Decree

[10] Article 11, PDP Decree

[11] Article 9.10, PDP Decree

[12] Article 25, PDP Decree

[13] Article 26-28, PDP Decree

[14] Article 20, PDP Decree

[15] Article 21, PDP Decree

TAGS

• Vietnam
• Personal Data
• Data Protection
• Cross Border Data