Examines the potential challenges, prospective regulatory framework and common questions and answers regarding Decree 13
Following Part I in this series of insights into Decree 13, Part 2 examines the potential challenges, the prospective regulatory framework and common questions and answers regarding Decree 13.
What to Expect
Although the PDP Decree sheds light on the direction of PD protection in Vietnam is going in, difficulties and challenges in terms of implementation, practice, and enforcement are anticipated. For instance, PD processors and controllers may find the strict consent requirements for PD processing, in some cases, limiting their legitimate interests. Organisations and individuals may also be confused by the broad scope of application that covers both online and offline PD processing activities and cross-border data transfers, especially when some new concepts are not consistent with existing laws and regulations. Furthermore, the Decree does not provide clear guidance on how to implement some of the obligations and responsibilities of PD controllers and processors. One example is the DPO appointment requirement, which may require further clarification from the Government.
In the Pipeline
This Decree serves as the foundation of the local framework for PD protection, so the MPS is expected to provide further guidance by issuing circular(s) for effective implementation though a timeline is not yet available.
Further, the draft Cybersecurity Administrative Sanctions Decree (CAS Decree), which facilitates enforcement of some provisions of the PDP Decree, remains pending. That said, organisations and individuals will be liable for PDP violations and subject to administrative sanctions, civil liabilities, or criminal penalties where available under current regulations. Such lack of a consolidated legal instrument specifying administrative violations and with corresponding penalties, sanction levels, remedial measures, and the competent authorities indicates the pressing need for the draft CAS Decree’s issuance.
Common Questions Regarding the PDP Decree
The following are excerpts from questions we received from the audience about the PDP decree during our recent webinar with EuroCham Vietnam
Question: Under Article 2.1 of the PDP Decree, PD means “any information that is expressed in the form of symbols, letters, numbers, images, sounds or in similar forms in an electronic environment that is associated with a particular natural person or helps identify a particular natural person”. Should this be interpreted to mean that PD encompasses only data in an electronic environment? Or should it be understood to mean that “electronic environment” refers specifically to data in “similar forms”?
Response: “Electronic environment” acts as a complement for “similar forms” in this case. Here, “similar forms in an electronic environment” refers to the forms of expression in the electronic environment that are similar to symbols, letters, numbers, images, and sounds in the physical environment. Therefore, PD’s forms of expression under the PDP Decree should be interpreted to include symbols, letters, numbers, images, sounds:
- in their original forms in the physical environment; and
- in similar forms in an electronic environment.
Question: How does the definition of “personal data” in the PDP Decree differ from “data on personal information” stipulated in Decree 53/2022/ND-CP guiding the Cybersecurity Law?
Response: Under Article 2.1 Decree 53/2022/ND-CP, “data on personal information” is data on information in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual. This definition is narrower in scope compared to PD as defined under the PDP Decree, which also involves information used for identifying an individual – meaning information that:
- results from an individual’s activities, and
- may identify an individual when combined with other stored information/data.
Question: Vehicle identification number (VIN) or chassis number of car are PD under GDPR, but can it be considered PD under the PDP Decree? Is “masked” or “encrypted” data interpreted as PD under PDP Decree?
Response: VIN or Chassis number of a car/ “masked” or “encrypted” data can be deemed PD under the PDP Decree if it may identify an individual when combined with other stored information/data (Article 2.2, PDP Decree).
Obligations of Regulated Parties
Question: The PDP Decree provides the obligation of damages compensation to both PD controller and PD processor. As a data subject, in which cases should we claim damages against the PD controller and which cases should we claim against the PD processor?
Response: The PDP Decree requires PD controllers and PD processors to compensate for damages resulting from PD processing, regardless of which party is at fault (Articles 38.6 and 39.4, PDP Decree). Data subjects may choose to claim damages from both or either of these parties, considering the factual and legal elements in each case, such as type of damages (contractual or non-contractual damages) and the corresponding burden of proof, PD controller and PD processor’s headquarters, the enforceability of the decision granting the damages, etc.
Question: Is the notification of the PD processing under Article 13 of the PDP Decree required before obtaining the data subject’s consent?
Response: No. The PDP Decree only requires that such notification be made before processing PD. (Article 13.1, PDP Decree)
Question: What does “notify once” under Article 13.1 of the PDP Decree mean? Does it mean PD controller shall not amend the notification even if the processing purposes change?
Response: The PDP Decree only requires one notification before processing PD. No other notification is required for later processing of the PD. In case the processing purposes change, although the PDP Decree doesn’t explicitly require an updating notification, such change may be deemed a new processing, therefore subject to a separate notification requirement.
Question: Would a transcript of a recording of a call during which verbal consent is given deemed valid consent under the PDP Decree?
Response: Regarding consent, the PDP Decree provides as follows:
- Consent can be made verbally (Article 11.3, PDP Decree);
- Consent must be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format (Article 11.5, PDP Decree).
Transcripts of verbal consent may fall under the verifiable format qualifying such provisions. Yet there has been no detailed guidance regarding “verifiable format”. It remains to be seen how competent authorities will clarify/implement such regulations in the future.
Question: Would a tick box providing a “Yes” or “No” choice (e.g., tick boxes in a Google Form Survey) and the response given by the data subject constitute valid consent?
Response: Yes. That said, please note that the PDP Decree requires that consent be made for a single purpose. When multiple purposes are involved, such purposes must be listed out so that data subjects can consent to one/more of the provided purposes, which means that there must be a consent tick box for each purpose. (Article 11.4, PDP Decree)
Question: Would it be acceptable for service or goods providers to request customers that they provide full consent, implying that if consent is not given, they would not be provided with the goods or services?
Response: Service/goods providers have the freedom of contract to set out conditions for providing goods/services, but they must ensure that customer consent is always freely given (Article 2.8, PDP Decree).
Alternatively, besides consent, fulfilling contractual obligations (an exception to consent) may also be an applicable ground under the PDP Decree for service/goods providers to process customers’ PD (Article 17.4, PDP Decree).
Question: Under point d, Article 1, Resolution No. 13/NQ-CP and Article 17.4 PDP Decree, PD can be processed without a data subject’s consent “to perform contractual obligations of the data subject with relevant agencies, organizations and individuals as prescribed by the laws”. Please clarify if this regulation allows data to be processed without the data subject’s consent to (i) perform the contractual obligations between the data subject and related organizations/individuals as prescribed by the laws; or (ii) only to fulfil the data subject’s contractual obligations, but not the business’ contractual obligations towards the data subject.
Response: As there is currently no detailed guidance on this important exception, it remains to be seen how competent authorities will clarify/implement it. That said, as the exception applies to contractual obligations prescribed by specific laws, such laws may serve as the basis for interpretation of this exception on a case-by-case basis.
Impact Assessment and Cross-Border Transfer
Question: What should businesses do to fully comply with the requirement of conducting an impact assessment for PD processing or cross-border PD transfers, considering that these activities occur regularly and on an on-going basis?
Response: The impact assessment requirements will be in force as of the PDP Decree’s effective date of 1 July 2023. For data processed/cross-border transferred on an on-going basis, companies thus have 60 days from the effective date to submit their impact assessments. (Articles 24, 25, 43.1, PDP Decree)
As you will have seen across all our content on the Personal Data Protection Decree, there is a lot to be unpacked and examined by organisations. There will be more guidance to come from the authorities by way of circulars which the Rouse team will continue to monitor and share with you.
If you have any questions now about how the PDP Decree could potentially impact your business or operations then please contact any of the authors or your usual Rouse contact.
Co-authors: Ly Nguyen and Uyen Doan