We believe that two key concerns still remain in terms of Decree No.13/2023/ND-CP on personal data protection (PDPD), including the fact that many businesses do not fully understand their compliance obligations or the operational challenges in complying with its provisions.
Kevin Hawkins, partner, and Khanh Le, legal adviser, at DFDL Vietnam
This article aims to clarify the steps businesses need to take to comply with the PDPD's requirements and to offer some guidance on its current and future impact on businesses in Vietnam.
The decree has a broad territorial scope of application, encompassing any Vietnamese or foreign agencies, organisations, and individuals (located both within and outside Vietnamese territory) involved in processing personal data in Vietnam, irrespective of whether the processing itself occurs inside or outside the territory of Vietnam.
Although the PDPD was built upon the framework of the EU’s General Data Protection Regulation (GDPR), the scope and application of the PDPD differs in several key aspects.
For example, certain terms defined under the GDPR have different meanings and/or interpretations under the PDPD.
Personal data is defined as any information in the digital environment that relates to a specific individual or aids in the identification of a particular person. Basic personal data, meanwhile, is defined by a non-exhaustive list provided under the PDPD, including details such as name, date of birth, gender, ID, and more.
Sensitive personal data is defined as personal data closely linked to individuals' privacy rights, where any infringement can directly impact the lawful rights and interests of the individuals concerned. Article 2.4 of the PDPD also provides a non-exhaustive list of sensitive personal data, for example, political and religious views, health status and private life recorded in medical records, and inherited or acquired genetic characteristics.
Elsewhere, personal data processing covers one or more activities affecting personal data, such as collecting, analysing, storing, editing, publicising, and many more.
Other key terms are "controllers" and "processors". Controllers are entities that determine the purpose and means of personal data processing, while processors are entities engaged under a contract with a controller to process personal data on behalf of that controller. The "controller-cum-processor" is a new concept compared to the GDPR, referring to entities that simultaneously act as controllers and processors. This hybrid role requires compliance with the obligations of both controllers and processors.
Key obligations
Valid consent of the data subject is necessary to process personal data, and controllers must obtain valid consent from the data subject before processing his/her personal data. Such consent entails data subjects being fully aware of the type of personal data processed, the processing purpose, entities authorised to process data, and their rights and obligations.
Consent must be clearly expressed and capable of being printed or reproduced in text, including electronic or verifiable formats. This suggests that a website’s use of a banner notification, implying user consent through continued access (without any click-to-select action), may struggle to demonstrate compliance with the valid consent requirement.
Of note, under the PDPD, the sale or purchase of personal data is prohibited except where otherwise permitted by law. A notification must be sent to the data subject before any processing of personal data takes place. Such notification must include all the content stipulated in the PDPD to be considered valid.
If it can be ensured that the data subject is fully aware of and consents to all the content that a notification must include, then the controller or controller-cum-processor is not required to fulfill the obligation of “prior notification once before data processing”.
Businesses may leverage this provision by explicitly incorporating the required notification content into their data privacy policies in order to obtain clear consent from data subjects. Accordingly, if there are no updates or changes to such policies, the controller or controller-cum-processor will not need to provide prior notification before processing data each time.
Both controller and processor are obliged to prepare, retain, and send a copy of a data protection impact assessment dossier (DPIA) to the Department of Cybersecurity and High-tech Crime Prevention (DCP) under the Ministry of Public Security not later than 60 days after commencing, or modifying, its personal data processing activity. Mandatory forms for the DPIA are published on the DCP portal on data privacy.
Under the PDPD, it is possible to transfer personal data of Vietnamese citizens from Vietnam to another country. However, the transferor must prepare, retain, and send a copy of a transfer impact assessment dossier to the DCP not later than 60 days after the relevant data processing. The same submission methods as for the DPIA apply to this dossier, with the mandatory form also published on the portal.
Data protection and impact
In the case of processing sensitive personal data, all parties involved must designate a data protection department and/or data protection officer and notify the DCP of their details.
Furthermore, the parties involved are obligated to ensure the rights of data subjects (such as rights to access their personal data, withdrawal of consent, deletion of personal data, objections, and other claims), as well as compliance with data storage requirements, violation notification and reporting obligations.
Failure to fulfill these obligations may result in administrative fines or criminal penalties, depending on the extent of the damage caused and the nature of the violation.
The primary impact has been increasing compliance costs for businesses. Those lacking an existing data privacy system must establish, develop, and implement one to adhere to regulations.
Businesses already operating based on a data privacy system (such as compliance with GDPR) will also incur costs to adjust their processes, standards, and operations in Vietnam according to the PDPD, due to the differences between the two regulatory systems. This highlights the necessity for a harmonised mechanism between the data privacy requirements across jurisdictions.
Business performance could also be negatively affected when compliance with the PDPD and data privacy regulations in general becomes a factor in evaluating the ability to cooperate between businesses or in selecting suppliers of goods/services for customers.
Although the PDPD has been in effect for over eight months, compliance with it has proven difficult for businesses in practice. Many provisions in the PDPD are broadly worded, making interpretation challenging. Businesses may encounter challenges when addressing the following questions:
Unlike GDPR, DPIA obligations under the PDPD apply universally to all controllers and processors, regardless of the potential risk level. This raises questions in some specific cases about whether small businesses collecting only employee data, such as shops or restaurants, need to conduct DPIAs.
Additionally, concerns arise regarding DCP capacity to process and manage all the submitted DPIAs, given Vietnam’s nearly one million businesses, mostly small- and medium-sized enterprises.
Businesses, especially foreign-invested ones, may encounter difficulties at the early stage when determining the boundaries of personal data processing in Vietnam. Because the scope of application is so broad, it is challenging to give definitive answers to some questions. For example, if a Vietnamese business processes data of foreign individuals in Vietnam or abroad, are such activities subject to the PDPD's requirements?
Currently, no specific guidelines exist for completing administrative procedures at DCP under the PDPD, including filling out standard forms, causing confusion for businesses. Of note, even those with GDPR-compliant forms may not automatically comply with the PDPD, as it mandates adaptation to its specific forms.
At present, businesses need to thoroughly understand the requirements and seek advice from legal experts to ensure compliance. Proactively engaging with the DCP is also necessary. The best recourse is to await further guidance from government agencies while managing operations carefully in the meantime, in order to avoid unnecessary legal risks.