Navigating Vietnam’s Pioneering Personal Data Protection Decree: A Comprehensive Overview

Bhavesh Sharma
February 8, 2024

“Understanding the Implications for Businesses and Individuals”

On April 17, 2023, Vietnam approved its first Personal Data Protection Decree (PDPD), a historic step that will have a lasting impact on the nation's data protection laws. With the designation Decree No. 13/2023/ND-CP, this law unifies several data protection laws in Vietnam. It could bring the country's policies closer to the strict General Data Protection Regulation (GDPR) of the European Union. It's important to remember that the PDPD will complement current laws rather than replace them. With very few exclusions for a grace period, the regulation went into force on July 1, 2023, and it affected both foreign and domestic organizations that process personal data in Vietnam.

Now, let's examine the main points of the PDPD and see what immediate effects they may have on businesses using Vietnamese data.

  1. Defining and Categorizing Personal Information

According to the PDPD, personal data is any electronic information connected to or helpful in identifying a specific person. Subdivided further into categories labelled as basic and sensitive, basic personal data comprises common information, whilst sensitive data contains more personal information like political opinions, medical conditions, and criminal histories.

  1. Novel Ideas Regarding Regulated Entities

The four categories of regulated parties are third parties, personal data controller-processors, personal data controllers, and personal data processors. Each group bears specific responsibilities, the largest of which falls on controllers and controller-processors.

  1. Guidelines for Handling Personal Information

The PDPD includes eight principles that govern the lawful processing of personal data and are in line with the principles of the GDPR. These include responsibility, correctness, integrity, confidentiality, transparency, purpose limitation, and data minimization. Interestingly, the PDPD does not recognize the GDPR's "legitimate interests" premise.

  1. The Need for Consent and Exceptions

According to a permission-centric approach, consent must be sought explicitly and clearly, stating the goal, type of data, authorized entities, and data subject's rights. Nevertheless, some exceptions permit data processing without consent in particular circumstances, such as preserving life, carrying out contractual duties, or handling emergencies.

  1. Handling Sensitive and Basic Personal Information 

Protective procedures for processing personal data are required by the PDPD, with more stringent guidelines for sensitive data. The processing of sensitive data entails the formation of an internal personal data protection department and a data protection officer (DPO). 

  1. Cross-border Personal Data Transfer

A Dossier of Impact Assessment for the Cross-Border Transfer of Personal Data (TIA Dossier) is necessary for cross-border data transfers. Vietnam's Ministry of Public Security controls this procedure and can stop transfers under certain conditions.

  1. Data Subject Rights

There are eleven recognized rights for data subjects, including the right to information, the ability to withdraw consent, access to data, and the right to delete data—all subject to a 72-hour compliance deadline.

  1. Additional Notable Clauses
  • Introduction of "automated personal data processing."
  • Consent is required with parental consent for minors older than seven.
  • Rules governing the use of personal information in advertising and marketing.
  • Limitations on the purchase or sale of personal information.
  • Creation of a national personal data protection portal

It's important to note that specific controversial criteria from previous editions of the PDPD have been removed, notwithstanding the document's possible effects on businesses. Businesses have two years to adjust to the considerable changes the order brings. Businesses are advised to proactively plan their compliance plans during this period of uncertainty over the enforcement strategy. Businesses must be cautious when navigating these regulatory seas as Vietnam's data protection policy treads new ground.

On April 17, 2023, Vietnam approved its first Personal Data Protection Decree (PDPD). This decree implements measures to personal data processing activities in Vietnam, regulating general data processing activities in Vietnam. The PDPD defines personal data including basic personal data and sensitive personal data of Vietnamese citizens. It requires the establishment of a data protection officer (DPO) to oversee the processing of sensitive personal data.

The PDPD brings Vietnam closer to the standards of the General Data Protection Regulation (GDPR) of the European Union. It unifies several existing laws for the protection of personal data in Vietnam. The Ministry of Public Security oversees cross border transfers of personal data through a Dossier of Impact Assessment.

Key aspects of the PDPD include:

- Requiring consent of the data subject for most personal data processing activities. The data subject can withdraw consent within 72 hours. 

- Exceptions permitting processing without consent for reasons such as security, social order and safety, major disasters or dangerous epidemics. These exceptions have a 60 day limit.

- Stricter measures for handling sensitive personal data like political views, health conditions, and criminal records.

- Principles governing lawful processing aligned with the GDPR, including purpose limitation and data minimization. 

- Cross-border transfer of personal data requires approval from the Ministry of Public Security.

- Data subjects granted rights like the right to access data and have data deleted, with entities required to comply within 72 hours.

The PDPD allows two years for adjustment to the new regulations. Businesses should proactively develop compliance plans to handle the increased obligations for processing personal data of Vietnamese citizens. Careful navigation of Vietnam's evolving data protection landscape is advised.