Deep-dive into the Personal Data Protection Decree
Last month, we highlighted the long-awaited publication of the Personal Data Protection (“PDP”) decree. Issued on 17 April 2023, Decree No. 13/2023/ND-CP on personal data protection (“Decree 13”) better aligns Vietnam’s PDP legal landscape with the EU’s General Data Protection Regulation (“GDPR”) through the use of concepts such as “data controller” and “data processor”.
What’s new in Decree 13?
Elaborating on our previous update, Decree 13 requires entities to get the consent of data subjects. This topic is covered under Article 13, which specifies the issues which consent must cover, including the purposes of data processing, and the formalities under which it must be expressed.
Decree 13 also enshrines the rights of data subjects. These rights are also more aligned with the European GDPR, and include the right to be informed, to give (and to withdraw) consent, to access and delete data, to obtain restrictions on processing, to object or complain, and to claim compensation.
The new legislation includes a renewed definition of personal data. In doing so, it separates data into two groups: “basic” and “sensitive”. In particular, the processing of sensitive personal data is subject to more stringent regulations. These include the obligation to appoint a department and an office in charge of personal data protection and to provide their contact details to the Ministry of Public Security (“MPS”).
The data controller is responsible for putting in place organisational, technical, and data safety measures to show that data processing activities are done in compliance with the law.
Decree 13 also requires enterprises to prepare so-called “impact assessment dossiers” for both data processing and overseas transfers. These dossiers must include an assessment of the impact of personal data processing or personal data overseas transfer, respectively. Copies of these dossiers must be sent to the Department of Cybersecurity and High-tech Crime Prevention (“DCHCP”) under MPS.
For overseas transfer of Vietnamese citizens’ data, this dossier must be kept in case MPS requires it for inspection and must include copies of:
- The consent of the data subjects
- The document showing the obligations and responsibilities of the sender and receiver
- An overseas transfer agreement showing the rights and obligations of each party

Furthermore, the enterprise is required to notify the DCHCP upon the successful transfer of personal data overseas.
What do I need to do?
Enterprises should start to prepare now, as Decree 13 will enter into force on 1 July 2023, with a two-year grace period for micro, small, and medium-sized enterprises as well as start-ups.
APFL & Partners can help our clients to ensure compliance with Decree 13, including drafting their impact assessment dossiers, overseas data transfer dossiers, and overseas transfer agreements.
For more information on these documents, Decree 13, or personal data protection regulations in general, please contact our team on: firstname.lastname@example.org