For years, regulation on data privacy of Vietnam has been limited to general principle under the Civil Code and rephrased and shattered through a number of other legal instruments (including the Law on Cyberinformation Security). The application of data privacy regulation is thus difficult (and somewhat ambiguous), due to the lack of a centralized legal instrument on data privacy.

Nevertheless, the long-awaited centralized regulation on data privacy has now been formally promulgated by the Government of Vietnam – under the Government Decree No. 13/2023/ND-CP on Personal Data Protection (Decree 13) on 17 April 2023.

Decree 13, consisting of 44 Articles divided into 4 chapters, is expected to mitigate the ambiguity on data privacy regulation, thus create a more-solid foundation to boost the growth of Vietnam’s digital economy when it becomes fully effective from 01 July 2023. Unclear or ambiguous data privacy matters such as classification of personal data, principles of personal data processing, the rights and obligations of stakeholders in the data processing, consent and cross-border transfer of personal data or the extra-territorial scope of application of data privacy laws of Vietnam, are now addressed with clearer guidelines stipulated in Decree 13.

Below are some of the key takeaways from Decree 13 that worth the attention from international business entrepreneur:

  1. Clearer definition of personal data, classification of personal data, and new legal concept introduced by Decree 13

One of the most important matters on data privacy regulation is to clearly clarify the ambit of “personal data” concept. But for such a long time, personal data is not centrally legalized with a clear definition. In particular, the current Civil Code 2015 adopts the term “information about the private life of an individual” and “personal secrets” without providing any clear definitions, meanwhile the Law on Cyberinformation Security 2015 uses the term “personal information” to refer to information associated with the identification of a specific person. Such different terms have cause confusion and give rise to difficulties when the business tries to develop their policy to be fully comply with the data privacy laws of Vietnam.

Decree 13 now introduces a clearer definition for “personal data” concept, which means “information in specific formats (i.e., symbols, letters, sounds, etc.) that is associated with a particular person or helps to identify a particular person”.

Decree 13 also classifies personal data into 02 categories: “basic personal data” and “sensitive personal data”. This classification gives rise to the differences between the requirements for the processing of “basic personal data” and the processing of “sensitive personal data”.

  • Processing of personal data: Decree 13 now clearly defines “processing of personal data” as an activity or several activities that affect personal data, including but not limited to data collecting, recording, analysing, verifying.
  • Decree 13 also introduces the concept of “data controller” (organisations or individuals who decide the purposes and the means of the data processing), “data processor” (organisations or individuals who process personal data on behalf of Data Controller, via a contract or an agreement with the Data Controller) and “data controller and processor” (organisations or individuals who simultaneously decide the purposes and means of the data processing and directly process personal data).

In comparison with draft version which was made available for public review in 2021, we observe that Decree 13 has deleted the concept of “data anonymisation”. This means that data anonymisation has yet to be recognized under this newly developed data privacy regulation of Vietnam.

  1. Clear requirement regarding content of data privacy consent, specific requirements applicable to the processing of sensitive personal data, and exceptions to the consent requirements

The current Civil Code of Vietnam only requires generally that consent is required when personal data is being collected, preserved, used or published, but there is no such detailed guidance as how explicit the consent should be. Decree 13 now provides much clearer requirements on data privacy consent to verify if such consent is valid or not, in particular:

    1. consent must be freely given,
    2. when giving the consent, the data owner should be well advised of (i) types of data to be collected and processed (i.e. either basic or sensitive personal data – NB: with the introduction of the category for classification of personal data, Decree 13 now requires that in case the personal data is of sensitive nature, the data owner must be clearly informed and advised about the collection and processing of such data), (ii) purpose of data collection and processing, (iii) the data processor, and (iv) rights (and obligations, if any) of the data owner when giving such consent,
    3. regarding the consent form, consent must be expressed in a clear and specific manner in either writing, by voice, by ticking the opt-in box, by texting syntax, by selecting consent settings or by other action that demonstrates the consent given manner.

Notwithstanding the above, Decree 13 also introduces circumstances in which personal data can be collected and processed without consent, which are:

    1. data processing for the purpose of protecting the well-being of the data owner or others person in an emergency situation (however, Decree 13 is silent on what situation will be considered as emergency nature, thus the enforcement of this circumstance remains to be seen),
    2. the disclosure of personal data is in accordance with the law,
    3. processing of data by competent regulatory authorities in the event of a state of emergency on national defence, security, social order and safety, major disasters, or dangerous epidemics; when there is a risk of threatening security and national defence but not to the extent of declaring a state of emergency; for the purpose of preventing and combating riots and terrorism, preventing and combating crimes and law violations according to the provisions of law,
    4. data processing conducted for the purpose of fulfilling the contractual obligations of the data owners, and
    5. data processing to serve the activities of regulatory agencies as prescribed by specialised laws.
  1. New requirement re Personal Data Processing Impact Assessment Dossier

Decree 13 particularly requires that from the time of processing personal data, the “data controller” or the “data controller and processor” must establish and maintain a Personal Data Processing Impact Assessment Dossier (PDPIAD) with specific contents including, among others, the purpose(s) and means of data collection and processing. The data processor is also subject to a similar requirement when performing the contract with the data controller. The aforementioned parties must (i) ensure that the PDPIAD is always available for the purpose of assessment and examination, and (ii) send an original copy of the PDPIAD to the Department of Cyber Security and Hi-tech Crime Prevention (A05) under the Ministry of Public Security (MPS) within 60 days from the date of data processing.

  1. Cross-border data transfer

“Cross-border transfer of personal data” is another first-ever introduced concept under Decree 13. Cross-border data transfer of Vietnamese citizens is only permitted when the data transferor establishes a Personal Data Transfer Impact Assessment Dossier (PDTIAD). Within 60 days from the date of processing personal data, the data transferor must send a notification and the original PDTIAD to the A05. After the cross-border transfer is complete, the data transferor must also serve written notification to the A05 about the transfer and contact details of the responsible organisations and individuals.

  1. Rights of the data owner and statutory timeline to comply with the data owner’s request

Decree 13 now clearly sets out the rights of the data owner which include the (i) right to know; (ii) right to consent; (iii) right to access; (iv) right to withdraw consent; (v) right to delete data; (vi) right to restrict data processing; (vii) right to request access; (viii) right to object data processing; (ix) right to complain, denounce, and file lawsuit; (x) right to claim compensation; and (xi) right to self-defense.

In addition, Decree 13 stipulates that in case of receiving request from the data owner, the data controller, data controller and processor, or  the data processor are obliged to comply with such request within a specified time period (e.g., if the request is about deletion of the data that has been collected/process and such request impose a time limit for the deletion, the data controller, data controller and processor must comply and proceed the deletion of personal data within such time limit requested by the data owner).

  1. Other noteworthy points:
    1. Regulated subjects and the extra-territorial effect: Towards the global convergence of promoting data regulation’s extraterritorial effects, Decree 13 clearly confirms that the scope of application of data privacy regulations outlined under Decree 13 go beyond the territoriality limit of Vietnam. In particular, the scope of application of this Government Decree signifies that Decree 13 has an extra-territorial effect where it applies not only to Vietnamese entities and individuals but also to any entities and individuals (regardless of their nationality and location) who are involved in the processing of personal data in Vietnam.
    2. For the protection of sensitive personal data, Decree 13 requires that data controller, data processor, data controller and processor and third party involved in the processing or personal data must assign a personal data protection officer. However, micro-enterprises, SMEs and start-ups have the right to be excluded from this regulation within 2 years from the establishment of the company. This exemption is not applicable to micro-enterprises, SMEs and start-ups directly operating data processing business.
    3. More specific requirements on data privacy applicable to specific circumstances, such as (i) processing of personal data of person declared missing or deceased (ii) processing of children’s data (iii) processing of personal data in marketing business, introducing marketing products (iv) processing personal data obtained from audio and video recording activities in public places.
    4. Commercial exploitation of personal data – remains to be seen. Decree 13 now makes it clear that the transfer, sale and purchase of personal data without the data owner’s consent is illegal and strictly forbidden. But this general rule give rise to an open issue: whether and how the sale and purchase or other form of commercial exploitation of personal data could be legally established with the owner’s consent, because Decree 13 is still silent on the specific requirements for the sale and purchase of personal data.
    5. Notification obligation re breaches of personal data protection regulations: Decree 13 now imposes a clear notification obligation on the data controller, data processor and data controller and processor – i.e. the aforesaid subject must serve notification to the A05 within 72 hours from the date that data privacy breach has been detected.

Decree is expected to exert extensive influence on data-related sectors, it is advisable for stakeholders to take special note of the above key requirements and be on full alert for its implementation.


 

More from Lexcomm Vietnam LLC