Long-awaited Personal Data Protection Decree Published
The Government issued Decree No. 13/2023/ND-CP on Personal Data Protection (the “PDPD”) on 17 April 2023, more than a year after the first draft was released by the Ministry of Public Security (“MPS”) for public comment.
The PDPD introduces a standardised framework for personal data protection and imposes new requirements for organisations and individuals owning, controlling, and processing personal data in Vietnam.
In a nutshell:
International reach: The PDPD has an international reach and applies to domestic and foreign entities engaged in personal data processing activities in Vietnam.
Data processing and control recognised: The PDPD enshrines the concepts of “data controller” and “data processor” which are the backbone of international PDP regulations.
Sensitive data: the PDPD categorises personal data into “basic personal data” and “sensitive personal data” exemplified in an extensive open list.
In detail:
The PDPD applies to:
- Data processors: This includes all organisations, agencies, and individuals – either local or offshore – that process personal information by carrying out the following activities: Collecting, editing, using, storing, publishing, providing, transferring, and sharing personal information to any third party;
- Data controllers: Organisations or individuals that decide the purpose and means of processing personal data; and
- Data owners who are identified or identifiable from the personal data.
Personal data is defined as information in various forms (symbols, letters, numbers, images, sounds, etc. in an electronic environment) that is associated with or could identify an individual.
Personal data is classified into:
- Basic personal data: Any information which relates to the identification of its owner; and
- Sensitive personal data: Personal data associated with an individual’s privacy that, when infringed, shall directly affect their legitimate rights and interests.
Remarkable requirements imposed on data controllers and processors:
- To obtain valid consent from the data owner;
- To notify the data owner about data processing;
- To provide the data owner with his/her personal data upon request (with certain exemptions);
- To process personal data in particular cases: (i) obtained from audio or video recording in public places; (ii) of persons who are declared missing or deceased; (iii) of children, and; (iv) in marketing services and product advertising.
- Cross-border data transfer.
The data owner is granted a number of rights to ensure personal data protections: The right to be informed; the right to consent and withdraw consent; the right to access personal data; the right to remove data and limit the processing of data; the right to request data provision; the right to object; the right to complain, claim, and initiate a lawsuit; the right to claim for damages; and right to self-defense.
Depending on the severity, non-compliance with Vietnam’s data protection laws can be subject to discipline, administrative penalties, or criminal penalties. However, the PDPD does not provide specific administrative fines imposed for particular violations in relation to personal data.
The PDPD will take effect from 1 July 2023. A two-year grace period will apply to small and medium-sized enterprises, excluding those that directly engage in personal data processing business.
For more information about the PDPD or data privacy in Vietnam, please contact Partner Etienne Laumonier on: laumonier@apflpartners.com
