
Knowledge Highlights 5 June 2023
Knowledge Highlights 15 May 2023
On 17 April 2023, Vietnam issued Decree No. 13/2023/ND-CP on Personal Data Protection (“Decree”), its first data protection law. The Decree compiles provisions relating to data protection contained in various other laws into one instrument. The Decree will come into effect on 1 July 2023.
This article provides an overview of the Decree.
1. Scope
The Decree provides for personal data protection and ensuing responsibilities for relevant agencies, organisations, and individuals.
It will apply to the following:
2. Definition of personal data
Personal data is defined in the Decree as information in an electronic environment in the form of symbols, letters, numbers, images, sounds, or similar forms that is associated with a specific individual or helps identify a specific individual. Information that helps identify a particular person is information formed from that person's activities which, when combined with other data and information, can identify that person.
The Decree also specifies that the term “personal data” includes both basic personal data and sensitive personal data, with the parameters of each elaborated on in the Decree. Sensitive personal data is defined as data associated with the privacy of individuals that, when infringed, would directly affect the individual’s legitimate rights and interests.
Examples of sensitive personal data given in the Decree include customer information held by credit institutions, foreign bank branches, intermediary payment service providers, and other permitted organisations. The type of information in this regard includes information on customer identification, accounts, deposits, deposited assets, transactions, and organisations and individuals who are guarantors at credit institutions, bank branches, and intermediary payment service providers.
3. Parties involved in processing data
The Decree distinguishes between a “data controller” and a “data processor”. A data controller is an organisation or individual that decides on the purposes and means of processing personal data, while a data processor is an organisation or individual that performs the processing of data on behalf of the data controller, through a contract or agreement with the latter.
The Decree also utilises the term “data controller and processor” which is defined as an organisation or individual that decides on the purpose and means and also directly processes personal data.
4. Personal data protection principles
The Decree sets out the following principles for the protection of personal data:
5. Rights of data subject
A “data subject”, defined as an individual who is reflected by personal data, has the following rights under the Decree:
· Right to know
· Right to consent
· Right to access
· Right to withdraw consent
· Right to delete data
· Right to restrict data processing
· Right to request the provision of data
· Right to object to data processing
· Right to complain, denounce and initiate lawsuits
· Right to claim damages
· Right to self-protection
6. Requirement for consent
A data subject must voluntarily consent and must be aware of (i) the type of personal data to be processed, (ii) the purpose of the personal data processing, (iii) the organisations and individuals authorised to process personal data, and (iv) his rights and obligations.
The Decree goes on to stipulate that a data subject's consent must be clearly expressed, specifically in writing, by voice, by ticking a consent box, by the consent syntax in a text message, by selecting consent in technical settings, or through another action that demonstrates consent. Consent must be given for a single, stated purpose. Where there are multiple purposes, the data controller or the data controller and processor must list all of the purposes so that the data subject can consent to one or more of the purposes specified.
It is noteworthy that the Decree explicitly provides that silence or non-response by the data subject shall not be considered consent.
The Decree also provides that the withdrawal of consent does not affect the lawfulness of the prior processing of the agreed data.
Article 17 of the Decree allows the processing of personal data without consent in the following circumstances:
The data subject is also generally entitled to be notified prior to the processing of his personal data, save where the data subject has granted his prior consent to the collection and processing of his personal data or where the personal data is processed by the competent state agencies for their operations.
7. Measures to ensure protection of personal data
Article 26 of the Decree sets out the basic measures to be undertaken to protect personal data, including a requirement that organisations and individuals involved in personal data processing take both "management" and "technical" measures. These terms are not elaborated upon.
Parties processing data must also issue regulations on personal data protection, clearly stating what needs to be done in accordance with the Decree and must encourage the application of data protection standards suitable to areas, industries, and activities related to the processing of personal data.
The Decree also requires that the systems, means, and equipment used in the processing of personal data be inspected prior to processing, and that devices containing personal data be irreversibly deleted or destroyed when no longer required.
In relation to sensitive data, the Decree imposes additional requirements, including the need to create a department to protect personal data, appoint personnel to be in charge of such data, and report on these measures to the designated state agency.
The Decree also mandates the creation of a specialised data protection task force which shall be appointed by the Personal Data Protection Agency. It is also noted that agencies, organisations, and individuals shall seek to raise personal data protection awareness.
8. Impact assessment on data processing
Personal data controllers and personal data controllers and processors are required to prepare an impact assessment dossier on data processing and to retain that dossier for as long as the personal data is processed. A personal data processor is likewise required to prepare an impact assessment dossier where it processes personal data on behalf of a personal data controller. Such dossiers must be submitted to the Ministry of Public Security's Department of Cyber Security and High-Tech Crime Prevention within 60 days from the date on which processing of the personal data begins, and must be available for inspection by the Ministry of Public Security.
9. Cross-border transfer of data and impact assessment on overseas transfer
Prior to transferring any personal data of Vietnamese citizens outside of Vietnam, the transferor must first prepare an impact assessment dossier for the transfer of personal data abroad (which is separate and distinct from the impact assessment on data processing mentioned in paragraph 8 above). As with the data processing impact assessment dossier, the overseas transfer impact assessment dossier must be submitted to the Ministry of Public Security's Department of Cyber Security and High-Tech Crime Prevention within 60 days from the date on which processing of the personal data begins, and must be available for inspection by the Ministry of Public Security. The Ministry may require the transferor to cease transferring personal data overseas where the transferred personal data is used for activities that violate Vietnam's national interests or security, where the transferor has not complied with these provisions, or where personal data of Vietnamese citizens has been disclosed or lost.
10. Implementation of the Decree
The Decree takes effect from 1 July 2023. Small and medium-sized enterprises are afforded a grace period of two years with regard to the obligation of appointing a data protection officer and/or department.