Six highlighted points of new decree on personal data protection in Vietnam

Nguyen Thi Thuy Chung, senior partner, ASL Law

Legal regulations on the protection of personal data have been promulgated by many countries around the world to protect rights in recent years, which help prevent violations and affect the rights and interests of individuals and organisations.

Facing the same urgent situation, in February 2021 the Ministry of Public Security (MoPS) issued the first draft of the decree on personal data protection to submit to the government.

Although this was a government decree, Vietnam has no law or ordinance related to this issue. Therefore, the issuance of Decree No.13/2023/ND-CP had to be approved by the Standing Committee of the National Assembly; and in April 2023 the government officially issued Decree 13, which will take effect from July 1.

Decree 13 provides, the first time, several provisions which have been referred to in the draft to some extent. First off, it broadens the territorial scope of application. The decree is applied for all entities that directly involved in or related to personal data processing operations in Vietnam, including: Vietnamese and foreign agencies, organisations, and individuals; Vietnamese groups or individuals operating abroad; and foreign groups or people directly participating in or related to such processing activities in Vietnam.

Extensions and requirements

The definition of personal data and data processing is also extended in this Decree. According to the Article 2.1, it is divided into two groups of “basic personal data” and “sensitive personal data”. Decree 13 defines the list of each group in details. Specially, the list of sensitive personal data is extensive but not all-inclusive.

Decree 13 extended the categories of regulated subject which are mentioned in the draft version of Cybersecurity Administrative Sanctions Decree. Accordingly, the terms "data controller" and "data processor" are recognised in the decree. The concept "data controlling and processing entity" is also regulated.

In addition, there are also newly introduced regulations which both data subjects and controllers/processors should be aware of, such as applying protection of personal data in the business of marketing and products promotion business; and keeping a record of processing impact assessments from the time when such processing begins.

The decree also regulates new requirements for a valid consent, sensitive personal data processing, and cross-border transfer. Before carrying out and throughout the processing, the personal data controller and processor need the consent of the data subject which applies to all activities, unless otherwise provided by law.

The consent of the subject must be expressed clearly, and may be printed or reproduced in writing, including in electronic or verifiable formats. It should be noted that the data subject's silence or non-response is not considered as consent.

However, in order to ensure the harmonisation of the rights and interests of data subjects and public interests, this decree also provides exceptions when processing personal data without the consent of subjects in Article 17.

For example, in the case of an emergency, it is necessary to immediately process relevant personal data to protect the life and health of the data subject or others, but the data controller or processor or third parties are responsible for proving this. The processing of data by competent state agencies in the event of a state of emergency is also classed under exemption; as is a threat to security and national defence but not to the extent of declaring a state of emergency.

Exemptions are also possible to prevent and combat riots and terrorism, or to prevent and combat crime; to fulfill the contractual obligations of the data subject with relevant agencies, organisations, or individuals; and for the activities of state agencies prescribed by specialised laws.

In the case of sensitive data processing, the processor must designate a department with the function of protecting personal data, appoint personnel in charge and exchange information about the department and individual in charge with the Personal Data Protection Authority.

Similar to the case of transferring such data of Vietnamese citizens abroad, the data transferor abroad shall prepare a dossier to assess the impact of transferring the abroad. A dossier of assessment of the impact of doing so must always be available for the inspection and evaluation activities of the MoPS.

Management and exemptions

In order to ensure the ability to protect personal data rights and prevent breaches, Articles 26-28 of the decree stipulate protection measures to be applied from the time of writing and during the processing of personal data.

This included management and technical measures taken by organisations and individuals related to the processing of personal data; and both investigative and procedural measures taken by competent state management agencies in accordance with this decree and relevant laws.

Decree 13 also provides the legal ground to establish a portal for the protection of personal data protection in Vietnam. The specialised agency for such protection will be the Department of Cybersecurity and High-tech Crime Prevention under the MoPS.

The country's personal data decree forbids all activities of buying and selling such data in any forms. According to the provisions of Article 4, agencies, organisations, and individuals that violate regulations on protection of personal data, which include activities of preventing, detecting, stopping and handling violations relate to personal data in accordance with the law and responsibility for protection, depending on the severity, may be disciplined, administratively sanctioned, criminal handling according to regulations.

According to Article 49, micro, small, and medium-sized enterprises as well as startups are allowed to choose to be exempt from regulations on personal designation and personal data protection for the first two years of establishment, except for those enterprises directly engaged in personal data processing activities.

In the explosive period of IT, personal data, especially in cyberspace, has become a valuable resource that criminals could collect, trade, and use to commit acts of infringing upon human rights, civil rights, and more. Therefore, Decree 13 will play an important role in personal data protection in Vietnam effectively, but it will also require many parties to increase their responsibility in the enforcement of these regulations.