New requirements to shore up personal data protection

May 19, 2023 | 11:00
The forthcoming legal framework on personal data protection means all domestic and foreign organisations processing personal information must handle sensitive individual personal information in a proper manner.

Decree No.13/2023/ND-CP is the first comprehensive regulation on personal data protection in Vietnam and will take effect from July 1. The key points can be analysed based on a comparison with the General Data Protection Regulation (GDPR).

Nguyen Huu Phuc, lawyer, Dentons LuatViet

The decree extends to all Vietnamese and foreign individuals and organisations in Vietnam; Vietnamese individuals and organisations operating abroad; and foreign individuals and organisations directly involved or related to personal data processing activities in Vietnam.

The definition in the decree is generally broader than the GDPR when regulating all individuals and organisations processing data in Vietnam. However, it is still unclear whether personal data processed in Vietnam for foreign individuals falls under the scope of this decree.

In addition, the decree provides a detailed definition of personal data when referring to any information, whether in the form of symbols, letters, numbers, images, sounds or other electronic means, that is linked to an individual or can be used to identify them. It includes all basic personal data and sensitive personal data.

Consent is the legal basis for processing personal data, unless a derogation or exception applies. Both the decree and GDPR have more detailed circumstances on this requirement. Therefore, explicit consent would be required to process the basic and sensitive data. To be more specific, if the organisation or individual processing personal data intends to rely on the consent of individuals, they should ask for the consent of data subjects before processing personal data.

Personal data cannot be bought or sold in any form, except as otherwise provided by law. This new provision is seen as an excellent solution to the current situation where personal information is often disclosed or sold in many forms. GDPR is silent on the sale of personal data, but to do so, it must rely on the principles of personal data processing.

This may include the consent of the data subject, other legal bases necessary to perform the contract, and the need to notify the data subject. Therefore, it can be seen that Decree 13 applies strictly to protect personal data in Vietnam.

There are new terms and definitions, including “personal data controller”, “personal data processor”, “personal data controller and processor”, and “third party”. Of these, the definitions of personal data controller and processor are different from those in GDPR. Further, Decree 13 does not clarify whether the data controller can identify a purpose or individual measures for processing or bear joint responsibility with other subjects.

According to Article 24, the data controller, data processor, and data controller/processor must establish and maintain a record of the assessment of the impact of personal data processing in all cases. This new obligation under the decree will impose additional burdens on data processors and controllers, such as providing services when performing data processing contracts.

Compared to GDPR, the impact assessment report is considered a strict requirement that Vietnamese law applies to individuals and organisations processing data. GDPR only requires an impact assessment for the use of new technologies that could pose a high risk.

Regarding the act of transferring personal data across borders, as regulated in Article 25, the data processor must comply with the conditions for transferring personal data. Unlike GDPR, the decree does not impose restrictions on transferring personal data to third countries – for example, the European Commission’s decision that the third country ensures an adequate level of data protection.

There is a new requirement for processing sensitive data: designating an internal agency responsible for protecting personal data and appointing a person in charge of protecting personal data and exchanging information with the competent authority. This provision has a transition period of two years from the establishment for small- and medium-sized enterprises and newly established enterprises, except for those directly engaged in processing personal data.

According to Article 17, processing personal data without consent shall include: in emergencies where personal data needs to be processed immediately to protect the life and health of the data subject or others; public disclosure of personal data in accordance with the law; processing of data by authorised state agencies in the case of emergencies related to national defence, national security, and similar; to fulfill obligations under contracts between the data subject and relevant agencies, organisations, or individuals in accordance with the law; and for the activities of state agencies as provided by specialised laws.

These regulations are similar to those provided under GDPR. However, GDPR also includes another case that benefits the data controller or third party when processing is necessary for the legitimate interests of the data controller without requiring the consent of the data subject.

Decree 13 is considered a significant milestone for Vietnam in response to the recent wave of serious personal data violations. With specific and detailed provisions, it will resolve persistent issues that were previously scattered and lacked consistency in many legal documents.


By Huu Phuc
