On 17 April 2023, Decree No. 13/2023/ND-CP on personal data protection (PDPD) was officially issued by the Vietnamese Government. The long-awaited and controversial decree is set to be the first ever legal document with comprehensive regulations on both personal data and its protection in Vietnam. With an exception being the grace period of 2 years for SMEs, after 1 July 2023, the PDPD will be applicable to all entities located in Vietnam and/or outside Vietnam but directly conducting activities in relation to the processing of personal data in Vietnam.
According to the PDPD, personal data is divided into basic personal data and sensitive personal data. Basic personal data is defined as name, gender, contact details, address, identification numbers, images etc. while sensitive data is the information relating to the private life of one person, such as political opinion, religion, race, sexual preference, criminal record, or health status. It seems that the definition of basic personal data fits the understanding of the majority, however, for sensitive data, the list is non-exhaustive.
Similar to the famous EU’s General Data Protection Regulation, the PDPD introduces the concept of “data controller” and “data processor” and a whole new concept of “data controlling and processing entity” (Entities). The Entities, under the PDPD, are strictly regulated regarding their actions towards personal data. Taking the valid consent of the data subject for instance, the Entities must receive the acceptance to process personal data of the data subject under specific forms (in writing, orally, ticking in boxes, through messages, etc.). Also, acceptance is only valid in case the data subject clearly and voluntarily knows (i) the type of personal data to be processed; (ii) the purpose of data processing; (iii) the allowed entities to process personal data; and (iv) their rights and obligations. Further, opposed to ordinary understanding, silence in case of request for personal data collection is not the usual “yes” but a big “no”. In addition, there are only five limited cases whereby personal data can be processed without prior consent of the data owner, including (i) emergency situations to protect life and health; (ii) lawful disclosures; (iii) processing by competent state authorities for national defense and security; (iv) contractual obligations; and (v) activities of state authorities as stipulated under the laws.
Other various management and technical measures to protect personal data are also applied to the Entities. The PDPD requires the Entities to make available and submit the dossier on personal data protection impact to the Department of Cyber Security and High-Tech Crime Prevention in case of processing personal data and transferring personal data abroad within a timeframe of 60 days from the processing date. While it is clearly a new obligation applicable to the Entities, the implementation of such obligation is anticipated to be time-consuming for both organizations and relevant state authorities.
Although until 01st July 2023 does the PDPD take effect, it is time for organizations, either local or foreign, to prepare for PDPD’s compliance, especially in terms of personal data processing mechanisms, and internal data compliance policies. Foreign Entities or those who might export personal data outside of Vietnam must consider the extra-territorial scope of the PDPD and put in place relevant proper cross-border data transfer methods. Difficulties are foreseeable in the early days of the PDPD and it is everyone’s job to address it. It is advised that enterprises immediately review their personal data processing plan to avoid non-compliance with the PDPD. In case you need assistance with the compliance issue in relation to the PDPD, Duane Morris Vietnam LLC, led by Dr. Oliver Massmann with almost 25-year working experience in Vietnam, is happy to support you in this matter.
***
Please do not hesitate to contact Dr. Oliver Massmann at [email protected] in case you need more analysis on the PDPD and how to make your policies comply with the PDPD. Dr. Oliver Massmann is the General Director of Duane Morris Vietnam LLC.
