Nuts and bolts of new personal data decree

May 09, 2023 | 15:00
Last month the government in Vietnam finally issued Decree No.13/2023/ND-CP on personal data protection (PDP). The decree will take effect from July; however, micro, small, and medium-sized enterprises as well as startups (excluding data processing companies) are optionally exempted for two years.
Nuts and bolts of new personal data decree, Photo: Shutterstock

The decree would act as the backbone for PDP in Vietnam, with definitions and rules that seem to align with international standards such as the EU General Data Protection Regulation. It covers the rights and obligations of concerned individuals and entities, applicable measures for data protection, requirements for cross-border data transfers, and the powers and duties of the relevant authorities.

The subjects under the governance of Decree 13 include Vietnam-based individuals and entities; and foreign entities which are directly involved in or related to data protection activities in Vietnam. The decree broadly defines data processing acts which include collection, recording, analysis, storage, correction, disclosure, and many other related actions.

Parties that are involved in data processing acts are further classified into four categories. The decree defines those parties as a data controller (individual or entity who decides upon the purposes and manners of personal data processing); a data processor (individual or entity who processes data on behalf of a data controller); a data controlling and processing party (individual or entity which plays the role of both the above); and a third party (individual or entity other than those listed previously).

For the sake of convenience, here we use the generic term “concerned entity” to collectively denote all four of the aforementioned categories.

Decree 13 places emphasis on the fundamental principles of PDP, which feature notable keywords such as lawfulness, transparency, accuracy, integrity, and more. These principles appear to closely align with the key principles found in other major data protection regulations.

The decree spells out 11 rights of a data subject, including the right to know and consent, the right to access or erase his/her personal data, and more besides.

When a data subject exercises his/her rights, the decree requires the concerned entity to respond. For example, a concerned entity must provide, rectify, erase, or destroy personal data within 72 hours upon receipt of the data subject’s request. Nevertheless, the rights of a data subject could be restricted “in accordance with laws”. The decree does not clearly explain which laws restrict those rights.

The consent of a data subject is a crucial requirement for all acts of personal data processing, including cross-border transfers. However, Article 17 of Decree 13 provides some exceptions such as in emergency situations for health protection, national security, and compliance with the requests of authorities as provided in a specific law.

Consent is considered valid if it is given voluntarily by the data subject, and when the data subject is clearly informed of the type of personal data to be processed, the purposes of the processing, the concerned entities, and the data subject’s related rights. Notably, the conditions for transferring or sharing personal data with third parties stated in the draft decree are no longer required in Decree 13.

With respect to advertisements, in addition to the general conditions above, the data subject’s consent is only valid when he/she understands the content, method, form, and frequency of advertisements. In comparison with the draft decree, the forms of consent under Decree 13 are broader and include writing, voice, consent boxes, and text messages, among others.

According to the decree, there are two types of personal data – basic and sensitive. The list of sensitive data seems broad, ranging from political views and health conditions to bank accounts and deposits. For basic personal data, it requires concerned entities to adopt necessary measures such as installing technical measures and checking network security.

Regrettably, the requirements fall short of details for a concerned entity to apply. For sensitive personal data, a concerned entity is also required to meet the requirements applicable to basic personal data. In addition, the concerned entity is required to set up a special unit or appoint a person who is responsible for PDP, and provide his/her/its contact details to the Department of Cybersecurity and Hi-tech Crime Prevention (DCHCP) under the Ministry of Public Security (MoPS).

For cross-border data transfers, the four prerequisites introduced in the draft decree, including the specific data localisation in Vietnam, have been removed. Instead, Decree 13 sets out new requirements to prepare and maintain an impact assessment dossier on cross-border personal data transfer, and to submit it to the DCHCP within 60 days of the processing of personal data.

The MoPS may order a transferor to stop transferring data offshore when the MoPS discovers that such transfer violates national security, causes the leaking or loss of data of Vietnamese citizens, or when the transferor breaches the requirements above.

Once a year, the MoPS will conduct a regular review of a transferor's cross-border transfers. However, it may conduct unannounced checks when it discovers a law violation by the transferor or an incident of data leak or loss.


(*) Nguyen Quoc Vinh - Senior counsel, and Tran Tu Xuan - Legal assistant, Indochine Counsel

By Quoc Vinh
