Data protection receives draft fillip

Minh Nguyen, senior associate of ACSV Legal

The entry into force of the European Union’s General Data Protection Regulation (GDPR) in May 2018 was a wake-up call for companies in Vietnam which have business relationships with EU-based companies or employ EU citizens. The main reason was because the GDPR has an extraterritorial effect under which the supervisory authority of each member state of the EU is empowered to penalise non-EU companies violating the GDPR while having business transactions with EU individuals or companies.

Using a model similar to the GDPR in sanctioning the non-compliance activities, the highest level of fine might be calculated based on the annual turnover of the violator of the preceding financial year. The draft decree on personal data protection (DPDP) is therefore foreseen to have a significant impact on all businesses operating in Vietnam, especially foreign-invested enterprises (FIEs) which often have cross-border data transfer activities.

The personal data protection (PDP) committee is an independent governmental body to be established under the auspices of the Ministry of Public Security (MoPS) of Vietnam. The PDP committee will function as the supervisory authority which oversees PDP activities in Vietnam.

Some of its duties include developing and running a national portal of personal data protection; approving data privacy policies of companies and organisations before they are rolled out; examining registration dossiers for the processing of sensitive personal data and transferring personal data cross border and requesting the MoPS to approve or reject the registration dossiers; requesting the MoPS to inspect suspected violations in PDP activities or to sanction the violations; issuing guidelines to implement the DPDP; and proposing inspection plans to the MoPS which might be conducted maximum twice a year, save for the case of a manifest violation.

Sensitive personal data

The definition of sensitive personal data is introduced for the first time in Vietnam by the MoPS to distinguish between that and the definition of basic personal data. Sensitive personal data includes genetic and biometric data, data concerning health, gender, sexual orientation, financial status and income, criminal records, location, and social relations of an individual.

According to the draft DPDP, the list of sensitive personal data is not an exhaustive one as any signature data of a person which requires a high level of confidentiality and special protection of the laws will be considered as sensitive personal data. Due to this special characteristic of the sensitive personal data, any processor wishing to process such data must register the data with the PDP committee in advance, save for certain exceptional circumstances.

The registration process would take maximum 20 working days from the date the PDP committee receives a sufficient registration dossier. Violation of the registration requirement might expose the processor to a fine of up to $4,300. Fintech companies, banks, hospitals, fitness centres and healthcare clinics would be the first ones that would get hit by this regulation when the DPDP takes effect.

According to the draft DPDP, cross-border transfer of personal data of Vietnamese citizens is restricted to a large extent. Specifically, cross-border transfer is conditional upon the satisfaction of four elements: the data subject consented to the transfer; the original data is stored in Vietnam; the country or the state where the data recipient is based offers the same or a higher level of data protection in comparison with Vietnam; and the PDP committee approves the transfer.

Although the draft DPDP sets out an exception where the cross-border transfer would be permissible without satisfying the four aforesaid elements, the prerequisites for this exceptional case need to be clarified in the subsequent drafts of the DPDP as they are still very obscure in this draft.

It is worth noting that in respect to the fourth element as set forth above, it would take a maximum of 20 working days to obtain an approval from the PDP committee after a sufficient registration dossier is lodged. Again, violation of the aforesaid requirement regarding cross-border transfer might expose the data transferor to a fine of up to $4,300.

As FIEs, as well as branches and representative offices of foreign investors in Vietnam, are often involved in multiple cross-border transfer activities, the draft DPDP proposes to apply a very severe fine, being 5 per cent of the total revenue in Vietnam, to violators of the regulation.

Data protection officers will soon be in high demand across Vietnamese organisations. Photo: Le Toan

Additional requirements

Similar to the concept of data controller in the GDPR, the draft DPDP requires a company or organisation which conducts data processing to set up or designate an internal department to function as a personal data protection department; and appoint a data protection office.

The main responsibilities of the PDP department and the data protection officer are to supervise activities within the organisation and to be the contact point for liaison with the PDP committee. The contact details of such department and officer must be notified to the committee.

The draft DPDP also requires a company or organisation which conducts data processing to issue a policy on PDP and applicable templates in implementation of the DPDP; and internal regulations governing the process of handling complaints and whistle-blowing reports with regard to personal data protection.

Last but not least, the draft DPDP requires a company or organisation which conducts cross-border transfer of personal data to store the records containing the timing of the transfer, recipient identity and contact details, and nature and volume of the data transferred within three years from the date of the transfer.

The draft DPDP sets out different types of administrative sanctions against violations of PDP, for example monetary penalty, suspension of personal data processing, or revocation of the rights for processing sensitive personal data and cross-border transfer of personal data. Some of these have been mentioned before.

Of note, similar to GDPR, the draft DPDP proposes to apply a very severe fine, being 5 per cent of the total revenue in Vietnam, to violators of the DPDP.

Although the draft is still in the process of being completed, given the fact that it is proposed to take effect in December, both local and foreign-invested enterprises should develop action plans as soon as possible to address new requirements imposed by the DPDP, for instance an internal policy regarding data protection, and setting up a department and appointing a data protection officer to oversee and censor data processing activities within the company.

This might require the involvement and collaboration of different departments in a company such as legal, HR, IT, and finance. Companies and organisations operating in Vietnam should keep the developments of the draft DPDP on the radar in the coming months.