Personal data is defined as information in the form of signs, text, numbers, pictures, sounds, and similar forms that exists in a digital environment and that either refers to a specific person or, when combined with other data, identifies a specific person. Decree 13 still divides personal data into basic and sensitive personal data, but new types are now included in each category.
Le Ton Viet, Russin & Vecchi
For example, basic data now includes personal photos/images and other information that may not itself be sensitive but can help identify a specific person. The term ‘sensitive personal data’ retains its definition: information whose violation may damage the subject’s legal rights and interests. It is notable that ‘gender identity’ is no longer listed as sensitive. These concepts are robust and comprehensive, but at the same time give the authorities discretion to enlarge them.
Processing personal data is broadly defined. It is any activity that affects personal data, including collecting, recording, analysing, confirming, storing, editing, publishing, combining, accessing, acquiring, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, and removing it.
Decree 13 introduces the new concept of ‘data controller’: a party that determines the purpose and method of processing personal data. Data controller is a concept that has long existed in regulations elsewhere, and its introduction as a Vietnamese legal concept indicates the government’s intention to be in sync with global regulations.
A data processor is a party who directly processes personal data on behalf of the controller as a result of an agreement with the controller. A party can be both a controller and a processor.
Decree 13 also governs automated processing of personal data (using digital tools to process it in order to predict habits, hobbies, reliability, location, tendencies, performance, and other aspects of a person). It also addresses the processing of personal data collected in public, the processing of data of missing or deceased persons and of children, and processing in advertising.
The Department of Cybersecurity and Prevention of Cyber-crimes (A05 Department) under the Ministry of Public Security will oversee the enforcement and application of the related regulations, including Decree 13. A national portal on personal data protection will be established to publish new information on protection, receive notices of breaches, and handle violations of the regulations.
A data controller is ultimately responsible when it processes the personal data of a subject. It is required to implement organisational and technical measures together with security measures, and to be ready to prove that processing activities have been performed lawfully. This includes keeping a log of processing activities, working only with data processors that have implemented appropriate security measures, and notifying the authorities in the case of a breach.
Interestingly, neither the data controller nor the data processor is required to notify the subject in the case of a personal data breach.
To process personal data, a processor must have a contract with a controller. After processing is completed, the processor must delete all personal data or return it to the controller. A party processing sensitive personal data must have a specialised department and qualified personnel to protect it, and must make certain disclosures to the A05 Department. Of course, a party that both controls and processes personal data assumes the responsibilities and obligations of both the controller and the processor.
Decree 13 gives a subject the right to know, to give and withdraw consent, to access, to delete or request deletion of their personal data, to restrict processing activities, to provide information, to object to processing activities, to make claims, to receive compensation and to implement self-protection. But a subject must provide complete and true personal data once she has consented to its processing for a specific purpose.
Decree 13 requires both the controller and the processor to prepare a written impact assessment of their processing activities and to provide the A05 Department with the necessary details within 60 days of beginning to process personal data. The required content of the impact assessment differs for the controller and the processor. The assessment need not be approved by the A05 Department before processing may begin; however, the department may require revisions.
Prior to an offshore transfer of personal data, the transferor must prepare an impact assessment. Again, this assessment need not be approved by the A05 Department before the data is transferred offshore. The A05 Department may, however, conduct annual inspections. This mechanism clarifies a major uncertainty in the previous draft.
The obligation to perform impact assessments will no doubt increase business costs for the entities involved. What remains unclear is how this obligation will apply to existing entities that will assume the role of data controllers and processors under Decree 13.
Additionally, the A05 Department may request that an impact assessment be supplemented if it deems it insufficient. Decree 13 does not state the consequences if a party fails to submit an impact assessment, or fails to update and revise one after being requested to do so.
Under Decree 13, Vietnam’s regulations on cybersecurity and personal data protection are aligned much more closely with existing international regulations. However, many areas of Decree 13 still need clarification. It is anticipated that the government will issue a further decree on the enforcement of the regulations.