Vietnam Launches National Portal for Data Protection

Posted by Written by Dezan Shira and Associates Reading Time: 3 minutes

In line with recent updates to data protection regulations in Vietnam, the Department of Cyber ​​Security and Crime Prevention and Control has unveiled the National Information Portal no Data Protection. Here’s what foreign firms should know.

Over the past year or so, the authorities in Vietnam have taken a number of steps to protect the data of Vietnam’s citizenry, including two key pieces of legislation: the Personal Data Protection Decree and revisions to the Law on Cybersecurity.

These regulations make clear the rights of consumers as well as the obligations of firms collecting personal data. Furthermore, to facilitate compliance with these regulations, the National Portal for Data Protection (NPDP) has been developed.

What is the National Portal for Data Protection?

The NPDP is a centralized repository of information on Vietnam’s various data protection laws and decrees. It is also set to allow firms to lodge relevant forms online, though these features are still in the works and were not functional at the time of writing.

The NPDP brings together the:

  • The Personal Data Protection Decree (Decree 13/2023/ND-CP): This applies to all individuals and entities operating in Vietnam who engage in the provision, collection, or utilization of data for any purpose within the country. It outlines their rights and responsibilities with respect to data collection.
  • The Law on Cybersecurity (24/2018/QH14): Passed in 2018, the Law on Cybersecurity came into effect on January 1, 2019. The major provisions in the law include data localization, government control over online content, and requirements for setting up local offices in Vietnam for cross-border service providers.
  • Decree 53 (53/2022/ND-CP): Decree 53/2022/ND-CP (Decree 53) mandates that all domestic companies and certain foreign firms providing services in areas like telecommunications, e-commerce, and online payment will need to store specific types of data in Vietnam for a minimum period of 24 months.

The NPDP also provides forms for the following:

  • Reporting violations of regulations on personal data protection;
  • Submitting personal data processing impact assessment records;
  • Submitting dossiers assessing the impact of transferring personal data abroad;
  • Changing records assessing the impact of processing personal data;
  • Changing records assessing the impact of transferring personal data abroad; and
  • A number of other key forms and documents.

These can now be submitted online to make it faster and easier to comply with Vietnam’s data protection requirements.

Transferring data abroad using the NPDP

For foreign firms, the transfer of data abroad should be easier using the NPDP.

Firstly, firms will still need to compile a dossier, including:

  • The contact information and details of the sender and the receiver;
  • The contact details of a representative of the sender;
  • A description and explanation of the objectives of transferring the personal data abroad;
  • A description of the type of personal data to be transferred abroad;
  • A description and explanation of how the regulations on the protection of personal data in this Decree will be met in the transfer process;
  • An assessment of the impact of personal data processing abroad, including any potentially undesirable consequences or damage that may occur, and measures for mitigating these outcomes;
  • The consent of the person from whom the data is being collected and evidence that they are aware of the means of recourse available should any problems arise; and
  • A document that outlines the obligations and responsibilities of both the sender and receiver processing the data.

They will have the capability to submit the aforementioned information through the portal, facilitating compliance with regulations that mandate the submission of this data to the Ministry of Public Security within 60 days of processing a user’s information.

That said, it is worth noting that currently the website is only in Vietnamese, however, the content is mostly text and can be easily translated using Google Translate.

Moving forward

While the PDPD is a significant step towards enhancing data protection in Vietnam, the Decree is fairly wide-ranging and contains certain ambiguous clauses. Moreover, certain provisions within the legislation may prove to be both expensive and time-consuming for firms, depending on how they are implemented.

Notwithstanding these challenges, the PDPD is set to have far-reaching implications and it is expected that most companies, domestic or foreign, will need to revise their data collection and processing practices in Vietnam.

With this in mind, the new National Portal for Data Protection should simplify compliance procedures and make clear the obligations of firms collecting data in Vietnam. This should also ensure that firms avoid administrative fines for violations of these regulations.

To ensure compliance with the PDPD, companies can seek the support of IT service experts at Dezan Shira and Associates.

About Us

Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Eurasia, including ASEANChinaIndiaIndonesiaRussia & the Silk Road. For editorial matters please contact us here and for a complimentary subscription to our products, please click here.

Dezan Shira & Associates provide business intelligence, due diligence, legal, tax and advisory services throughout the Vietnam and the Asian region. We maintain offices in Hanoi and Ho Chi Minh City, as well as throughout China, South-East Asia, India, and Russia. For assistance with investments into Vietnam please contact us at vietnam@dezshira.com or visit us at www.dezshira.com