On 17 April 2023, Vietnam issued Decree No. 13/2023/ND-CP on Personal Data Protection (“Decree”), its first data protection law. The Decree compiles provisions relating to data protection contained in various other laws into one instrument. The Decree will come into effect on 1 July 2023.
This Article provides an overview of the Decree.
The Decree provides for personal data protection and ensuing responsibilities for relevant agencies, organisations, and individuals.
It will apply to the following:
- Vietnamese agencies, organisations, and individuals
- Foreign agencies, organisations, and individuals in Vietnam
- Vietnamese agencies, organisations, and individuals operating outside of Vietnam
- Foreign agencies, organisations, and individuals directly involved in personal data processing activities in Vietnam
2. Definition of personal data
Personal data is defined in the Decree as information on an electronic medium in the form of symbols, scripts, notebooks, images, sounds, or similar forms that is attached to, or can aid in identifying, a specific individual. Information that helps identify a particular person is information formed from that person’s activities which, when combined with other data and information, can identify him.
The Decree also specifies that the term “personal data” includes both basic personal data and sensitive personal data, with the parameters of each elaborated on in the Decree. Sensitive personal data is defined as data associated with the privacy of individuals that, when infringed, would directly affect the individual’s legitimate rights and interests.
Examples of sensitive personal data given in the Decree include customer information held by credit institutions, foreign bank branches, intermediary payment service providers, and other permitted organisations. The type of information in this regard includes information on customer identification, accounts, deposits, deposited assets, transactions, and organisations and individuals who are guarantors at credit institutions, bank branches, and intermediary payment service providers.
3. Parties involved in processing data
The Decree distinguishes between a “data controller” and a “data processor”. A data controller is an organisation or individual that decides on the purposes and means of processing personal data, while a data processor is an organisation or individual that performs the processing of data on behalf of the data controller, through a contract or agreement with the latter.
The Decree also utilises the term “data controller and processor” which is defined as an organisation or individual that decides on the purpose and means and also directly processes personal data.
4. Personal data protection principles
The Decree sets out the following principles for the protection of personal data:
- Personal data shall be processed in accordance with the provisions of the law;
- The data owner shall know about activities relating to the processing of his personal data, unless otherwise provided by law;
- Personal data shall be processed in accordance with the purposes that have been registered and declared by the personal data controller, personal data processor, personal data controller and processor, and third party on processing of personal data;
- Personal data collected must be appropriate and limited to the scope and purposes to be processed. Personal data may not be bought or sold in any form, unless otherwise provided for by law;
- Personal data shall be updated and supplemented in accordance with the purposes of processing;
- Personal data is subject to protection and confidentiality measures during processing, including protection against violations of regulations on protection of personal data and prevention of loss, destruction or damage caused by antiquities, using technical measures;
- Personal data shall be stored for a period of time appropriate to the purpose for which the data is processed, unless otherwise provided by law; and
- The data controller and the data controller and processor shall comply with these principles and prove their compliance with the principles of processing such data.
5. Rights of data subject
A “data subject”, defined as an individual who is reflected by personal data, has the following rights under the Decree:
- Right to know
- Right to consent
- Right to access
- Right to withdraw consent
- Right to delete data
- Right to restrict data processing
- Right to request the provision of data
- Right to object to data processing
- Right to complain, denounce and initiate lawsuits
- Right to claim damages
- Right to self-protection
6. Requirement for consent
A data subject must voluntarily consent and must be aware of (i) the type of personal data to be processed, (ii) the purpose of the personal data processing, (iii) the organisations and individuals authorised to process personal data, and (iv) his rights and obligations.
The Decree goes on to stipulate that a data subject’s consent must be clearly expressed, specifically in writing, by voice, by ticking a consent box, in the syntax of consent through text messages, by selecting consent in technical settings, or through another action that demonstrates it. Consent must be given in respect of the same purpose. Where there are multiple purposes, the data controller and the data controller and processor must list the purposes so that the data owner can consent to one or more of the purposes specified.
It is noteworthy that the Decree explicitly provides that silence or non-response by the data subject shall not be considered consent.
The Decree also provides that the withdrawal of consent does not affect the lawfulness of the prior processing of the agreed data.
Article 17 of the Decree allows the processing of personal data without consent in the following circumstances:
- In emergencies, where relevant personal data must be immediately processed in order to protect the life or health of the data subject or others;
- Where the disclosure of personal data is in accordance with the law;
- When the processing of data is done by competent state agencies for national security or in the event of a national security emergency, social order and safety, major disasters, or dangerous epidemics; when there is a threat to national security or defence, but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of law in accordance with the provisions of law;
- To fulfil the contractual obligations of the data subject with relevant agencies, organisations, and individuals as prescribed by law; or
- To serve the activities of state agencies as prescribed by sector-specific laws.
The data subject is also generally entitled to be notified prior to the processing of his personal data, save where the data subject has granted his prior consent to the collection and processing of his personal data or where the personal data is processed by the competent state agencies for their operations.
7. Measures to ensure protection of personal data
Article 26 of the Decree sets out the basic measures to be undertaken to protect personal data including mandating “management” and “technical” measures be taken by organisations and individuals involved in personal data processing. These terms are not elaborated upon.
Parties processing data must also issue regulations on personal data protection, clearly stating what needs to be done in accordance with the Decree and must encourage the application of data protection standards suitable to areas, industries, and activities related to the processing of personal data.
The Decree requires that systems, devices, and equipment used in the processing of personal data be inspected prior to processing, irreversible deletion, or destruction.
In relation to sensitive data, the Decree imposes additional requirements, including the need to create a department to protect personal data, appoint personnel to be in charge of such data, and report on these measures to the designated state agency.
The Decree also mandates the creation of a specialised data protection task force which shall be appointed by the Personal Data Protection Agency. It is also noted that agencies, organisations, and individuals shall seek to raise personal data protection awareness.
8. Impact assessment on data processing
Personal data controllers and personal data controllers and processors are required to create an impact assessment dossier on data processing and store such dossier for the period that the personal data is processed. A personal data processor is also required to create an impact assessment dossier on data processing in the event that it performs the processing of personal data for a personal data controller. Such dossiers must be provided to the Ministry of Public Security’s Department of Cyber Security and High-Tech Crime Prevention within 60 days from the date of processing of the personal data and be available for inspection by the Ministry of Public Security.
9. Cross-border transfer of data and impact assessment on overseas transfer
Prior to transferring any personal data of Vietnamese citizens outside of Vietnam, the transferor must first create an impact assessment dossier for transferring personal data abroad (which is separate and distinct from the impact assessment on data processing mentioned in paragraph 8 above). Similar to the data processing impact assessment dossiers, the impact assessment dossier for transferring personal data abroad must be provided to the Ministry of Public Security’s Department of Cyber Security and High-Tech Crime Prevention within 60 days from the date of processing of the personal data and be available for inspection by the Ministry of Public Security. The Ministry may request the data transferor cease transferring personal data overseas where the transferred personal data is used for activities that violate Vietnam’s national interests and security, where the transferor has not complied with the provisions set out here, or where personal data of Vietnamese citizens has been disclosed or lost.
10. Implementation of the Decree
The Decree takes effect from 1 July 2023. Small and medium-sized enterprises are afforded a grace period of two years with regard to the obligation of appointing a data protection officer and/or department.