Vietnam Law on Personal Data Protection: Latest Developments and Insights

Vietnam has announced the forthcoming Law on Personal Data Protection signaling a significant step toward bolstering data privacy measures and harmonizing regulations for a more cohesive framework. This initiative, coupled with the implementation of the Vietnam Personal Data Protection Decree in July 2023, highlights the country’s commitment to addressing data protection challenges and fostering trust in its digital landscape.

On February 29, 2024, the Vietnam Ministry of Public Security (MPS) announced the development of the Law on Personal Data Protection (hereinafter, “PDP Law”). This initiative, marked by the publication of a dossier on the government’s official website, is aimed at enhancing data privacy measures within the country.

The objective of the proposed PDP Law is to establish robust frameworks and regulations designed to guarantee the secure management, processing, and utilization of personal data. By doing so, the PDP Law aims to uphold citizens’ privacy rights and cultivate confidence in the country’s rapidly evolving digital environment.

What is new in the PDP Law announcement?

The announcement underscores significant developments in Vietnam’s efforts towards enhancing personal data protection. While a draft version of the new PDP Law has not yet been published, the dossier released by the government comprises a comprehensive report assessing current social dynamics related to personal data protection and an impact assessment of proposed policies within the Vietnam PDP Law.

FIND BUSINESS SUPPORT

De-Risk Your Business with Multi-disciplinary Review and Legal Advisory

Despite the focus on social-political considerations, the report and impact assessment also delve into key legislative issues. These include:

• Defining personal data;
• Outlining data subject rights; and
• Establishing measures for data protection.

Following the release of the dossier for public consultation, the MPS plans to gather feedback through various channels, including workshops and conferences. These initiatives aim to foster broader engagement and insight from stakeholders.

The introduction of the PDP Law holds the promise of resolving conflicts between existing regulations, such as the Vietnam Personal Data Protection Decree (Decree No. 13/2023/ND-CP, hereinafter “PDPD”), and other laws concerning personal data protection. This alignment of legal frameworks is expected to contribute to a more cohesive and effective data protection environment.

However, stakeholders are cautioned that the drafting and issuance of the PDP Law may be a lengthy process, spanning two to three years. Regular updates on the law’s progress and timeline will be provided as developments unfold.

What does Vietnam’s data protection legal framework look like?

In Vietnam, individuals enjoy constitutional rights to privacy and the protection of personal secrets. Before July 2023, regulations governing personal data protection could be found in different laws. These included the Civil Code of 2015 and the Law on Cyber Information Security No. 86/2015/QH13. Additionally, sector-specific laws also played a role in shaping the legal landscape surrounding personal data protection.

FIND BUSINESS SUPPORT

Build Your Asia Business with Turnkey Market Entry and Cross-Regional Support

The introduction of the PDPD in April 2023 represents a significant milestone in Vietnam’s data protection journey, consolidating and strengthening regulations previously dispersed across multiple laws. Effective on July 1, 2023, the PDPD mandates stringent requirements for businesses and organizations operating in Vietnam.

The PDPD introduces several key concepts and principles. It mandates adherence to fundamental data protection principles such as lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, and accountability.

Furthermore, the PDPD emphasizes the importance of data subject notification, consent, and rights. Data subjects must be informed about the collection and usage of their personal data, and their consent must be obtained explicitly. The regulation prohibits the collection, transfer, or sale of personal data without the data subject’s consent, and data subjects have the right to access and review their personal data.

What are the current key compliance requirements on personal data protection in Vietnam?

Until the future officialization of the PDP Law, the PDPD currently stands as the most fundamental instrument governing the protection of personal data in Vietnam.

Notably, the PDPD outlines key compliance obligations for organizations and individuals involved in processing personal data in Vietnam. Compliance with PDPD is of key importance for organizations operating in Vietnam that handle personal data. Failure to adhere to the regulations outlined in the PDPD will result in legal repercussions, including administrative fines or prosecution under the Penal Code for serious violations. Moreover, compliance ensures the protection of individuals’ privacy rights and fosters trust in data handling practices, contributing to a safer and more secure digital environment.

The following sections highlight key compliance requirements for organizations and entities handling personal data in Vietnam under the PDPD.

Roles in processing personal data

The PDPD introduced clear distinctions between the various roles involved in the processing of data, assigning specific responsibilities to each:

• Data Controller: Assumes a pivotal role, being either an organization or an individual vested with the authority to determine the purpose and methodology of processing personal data. Their responsibilities encompass compliance with data protection requirements, including obtaining prior consent from data subjects for all processing activities and promptly notifying the MPS of any personal data breaches.
• Data Processor: Refers to an entity or individual tasked with processing personal data on behalf of the Data Controller through a contractual agreement. Their duties include notifying the Data Controller of any breaches and processing personal data in accordance with the terms agreed upon in the contract.
• Data controlling and processing party: Serves as a hybrid role combining elements of both Data Controller and Data Processor responsibilities.
• Third party: Encompasses individuals or entities, distinct from the data subject, Data Controller, Data Processor, or Data Controlling and Processing Party, permitted to process personal data under specific conditions. They are obliged to archive personal data appropriately and adopt measures to protect the data as mandated by law. Businesses must accurately discern their roles in data processing to delineate their corresponding responsibilities effectively.

Data subject’s consent

The PDPD stipulates that obtaining prior consent from individuals is mandatory for all data processing activities, except for specific exemptions. Valid consent from a data subject requires it to be given freely and with full understanding of the type of personal data, the purpose of data processing, the entities involved in processing, as well as the rights and responsibilities of the data subject.

Express consent can take various forms, including written agreements, verbal confirmation, ticking consent boxes, or any other actions indicating consent. It’s important to note that silence or lack of response from the data subject does not constitute consent. In the event of a dispute, the responsibility of proving the data subject’s consent rests with the Data Controller and Data Controlling and Processing Party.

Assessment of the impact on personal data processing

Every Data Controller and Data Controlling and Processing Party must generate and uphold Impact Assessment Dossiers right from the initiation of personal data processing. These dossiers, which are forwarded to the MPS (A05 department) for assessment, should encompass comprehensive details like the objectives and categories of data processed, recipients (inclusive of foreign entities), instances of cross-border transfers, duration of data retention, measures for data protection, and an evaluation of potential ramifications along with strategies for mitigation.

Data Processors might also be obligated to comply with these regulations if stipulated in agreements with Data Controllers.

Cross-border data transfer requirements

Cross-border data transfer requirements under the PDPD allow for the transfer of personal data of Vietnamese citizens to foreign countries under specific conditions. Entities responsible for such transfers, including Data Controllers, Data Controlling and Processing Parties, Data Processors, and Third Parties, are obliged to compile a detailed dossier outlining the impact assessment of the transfer.

FIND BUSINESS SUPPORT

How we can help companies achieve a competitive advantage within the IT industry

This document must include information on the types of personal data transferred, the intended purposes of processing, and the responsibilities binding the transferor and the recipient. The dossier must be readily accessible for review by the MPS and submitted within a 60-day window from the commencement of data processing. If deemed insufficient, MPS may request further completion of the dossier. Furthermore, following the successful transfer of data, the transferor must provide written notification and contact information to MPS.

MPS retains the authority to suspend any cross-border transfer that fails to comply with these stipulations or poses risks to the interests, national security of Vietnam, or the personal data of Vietnamese citizens.

Notification requirement for personal data breach

In the event of a personal data breach, the PDPD mandates immediate notification. The Data Processor notifies the Data Controller, who, along with the Data Controlling and Processing Party, must inform the MPS within 72 hours.

Failure to do so promptly requires providing reasons for the delay. While comprehensive penalties aren’t yet in place, breaches may incur fines from VND 10 million to VND 70 million, or prosecution under the Penal Code for serious violations.

Outlook

Predictions about Vietnam’s data economy in 2024 suggest a significant transformation in the country’s economic landscape, particularly in sectors such as e-commerce, fintech, healthcare technology, and smart production. As businesses increasingly rely on data-based solutions, the growth of these sectors is projected to contribute significantly to the overall output of the economy. Cross-border agreements and initiatives focused on knowledge exchange are anticipated to facilitate technology transfer and expand market access opportunities, further fueling the growth of Vietnam’s data economy.

This heightened reliance on data underscores the critical importance of robust legal frameworks to ensure the privacy and security of individuals’ information.

The announcement regarding the PDP Law in Vietnam signals a pivotal step forward in the country’s commitment to safeguarding personal data and enhancing privacy rights in the digital age. This legislative initiative reflects Vietnam’s proactive approach to addressing the evolving challenges of data protection, thereby fostering trust in data handling practices.

Besides, the implementation of the PDP Law not only reinforces individual privacy rights but also positions Vietnam as a key player in the global digital economy, fostering sustainable growth and prosperity.

• Previous Article An Investor’s Guide to Vietnam’s Bắc Ninh Province
• Next Article Why Cambodia’s Funan Techo Canal Project is Worrying Vietnam