This post is also available in: Vietnamese
In April this year, Decree No. 13/2023/ND-CP – the first Vietnam data protection law – was issued, providing guidelines on personal data protection in the country. The Decree shall become effective from July 1st, 2023. Foreign investors should take note of these regulations.
As a country with a high adoption rate of internet usage and a population known for being prolific social media users, Vietnam has long needed regulations to protect personal data.
These regulations have finally arrived in the form of Decree No. 13/2023/ND-CP, which outlines the rights and responsibilities of individuals and organizations involved in data collection and processing, whether they are providing or requesting data.
In this article, we examine the new decree and the provisions most pertinent to foreign enterprises collecting data in Vietnam.
Scope of Vietnam’s Decree on Personal Data Protection
The Decree on Personal Data Protection (PDPD) applies to all individuals and entities operating in Vietnam who engage in the provision, collection, or utilization of data for any purpose within the country. This includes:
- Vietnamese agencies, organizations, and individuals;
- Foreign agencies, organizations, and individuals in Vietnam;
- Vietnamese agencies, organizations, and individuals operating abroad; and
- Foreign agencies, organizations, and individuals directly participating in or related to personal data processing activities in Vietnam.
Core principles
The PDPD is guided by a set of core principles that define personal data protection measures. Unless other laws permit circumvention of these measures, the PDPD’s basic guiding principles are as follows:
- Awareness: Data subjects must be notified when their data is being collected or processed.
- Clarity on data collection and purpose: Data subjects must be informed about the reason for collecting their data and how it will be used. Data processing can only be done for the outlined purposes.
- Relevance: The collected data and reasons must be relevant to the stated purpose for which the data is being collected.
- Commercial use: Personal data cannot be bought or sold in any form.
- Privacy: Personal data must be protected and kept confidential.
- Time limits: Personal data must only be stored for the period necessary for its processing.
Rights pertaining to the subjects of data requests
Article 9 of the PDPD grants 11 key rights to data subjects, which are drawn from the core principles (mentioned above) and can only be circumvented in compliance with other laws. The key rights are as follows:
Right to know
The subjects of data requests have the right to know that their data is being collected. This means that firms need to notify consumers that their data is being collected.
Consent is only considered valid when the data subject is aware of:
- The type of personal data being collected;
- The purpose for which it is being collected;
- The organization or individual permitted to process their personal data; and
- Rights and obligations of the individual subject to the data request.
Right to consent
Under the PDPD, data subjects have the right to decide whether to provide their personal information or not. While the law does not specify the form of consent, digital terms and conditions accompanied by a checkbox indicating acknowledgment and understanding of the terms are considered adequate.
Right to access
Once personal data is collected, the data subject has the right to access their information, review it, and request corrections if necessary. It is the responsibility of firms collecting the data to ensure that the process of requesting access or corrections is convenient and expeditious.
Right to withdraw consent
In situations where an individual no longer wishes for an organization or entity to retain their data, they have the right to withdraw their consent. Similar to access rights, it is the obligation of firms to guarantee that the withdrawal process is prompt and user-friendly.
Right to delete data
Data subjects have the right to request the deletion of their personal data held by an entity. The process for requesting the deletion of personal data must be clear and easily accessible.
Right to restrict data processing
Data subjects have the right to limit the processing of their personal data. Firms must comply with requests to restrict the use of personal data within 72 hours. Failure to comply may result in administrative fines or legal consequences, including the right to seek damages.
Right to complain, denounce, and initiate lawsuits
Under the PDPD, if an individual’s personal data has been collected and misused, they have the right to file a complaint, report the incident, or initiate a lawsuit against the offending party. Additionally, the PDPD guarantees the right to seek damages and financial compensation for any violations committed.
Obligations of the data subjects
Outlined in Article 10 of the PDPD are several obligations for individuals with respect to protecting their own personal data. These include:
- Individuals should endeavor to protect their own data and ask organizations and individuals to protect their personal data.
- They should respect and protect the personal data of other individuals.
- They should also fully and accurately provide their personal data in instances where they consent to it being collected and processed.
- Furthermore, they should participate in the distribution of personal data protection skills.
- And, finally, they should comply with the regulations laid out in the law on the protection of personal data.
Cross-border data transfers
Foreign companies must take note of Article 25 in the PDPD, which outlines the transfer of data abroad.
To transfer the data of Vietnamese citizens abroad, a “dossier” must be completed and submitted to the Ministry of Public Security within 60 days of processing the data. The dossier should include:
- The contact information and details of the sender and the receiver;
- The contact details of a representative of the sender;
- A description and explanation of the objectives of transferring the personal data abroad;
- A description of the type of personal data to be transferred abroad;
- A description and explanation of how the regulations on the protection of personal data in this Decree will be met in the transfer process;
- An assessment of the impact of personal data processing abroad including any potentially undesirable consequences or damage that may occur, and measures for mitigating these outcomes;
- The consent of the person from whom the data is being collected and evidence that they are aware of the means of recourse available should any problems arise; and
- A document that outlines the obligations and responsibilities of both the sender and receiver processing the data.
Compliance with this component of cross-border data transfers may be costly and limiting for foreign companies, depending on how it is enforced.
Personal data protection in Vietnam
The PDPD represents a significant step towards enhancing data protection in Vietnam. Nevertheless, the decree is fairly wide-ranging and contains certain ambiguous clauses. Moreover, certain provisions within the legislation may prove to be both expensive and time-consuming for firms, depending on how they are implemented.
Notwithstanding these challenges, the PDPD is set to have far-reaching implications and it is expected that most companies, domestic or foreign, will need to revise their data collection and processing practices in Vietnam.
Source: Vietnam Briefing