Vietnam: Decree 13 and the new regulations on personal data protection
The Vietnamese government has issued long-awaited Decree No.13/2023/ND-CP on Personal Data Protection (Decree 13). This is Vietnam’s first-ever comprehensive legal document regulating personal data protection. Released on April 13, 2023, wit provides new requirements for collecting and processing personal data. Decree 13 will take effect on July 1, 2023. Below are some notable issues arising from Decree 13.
- Scope of application
Decree 13 has an extraterritorial scope of application, which covers Vietnam-based and foreign individuals as well as entities directly participating in or relating to data processing activities in Vietnam. - Classification of personal data
Inheriting from previous definitions of personal information specified in various legal documents, Decree 13 develops a new and extended definition of personal data: “Personal data means information in the form of signs, letters, numbers, images, sounds or other similar forms on the electronic environment, which is attached to a specific individual or helps identify a specific individual.” Compared with previous laws and regulations, Decree 13 has finally provided a specific definition of the term “information helps identify a specific individual” to mean information derived from an individual's activity that, when combined with other stored data and information can identify a particular person.
Additionally, personal data are classified into “basic personal data” and “sensitive personal data.” - Classification of processing entities
Four new concepts of processing entities have been introduced:
• Data Controller (meaning organizations or individuals who decide the purposes and means of processing personal data)
• Data Processor (meaning an organization or individual that performs data processing on behalf of the Data Controller, through a contract or agreement with the Data Controller)
• Data Controller cum Processor (meaning an organization or individual who simultaneously decides the purposes, means and directly processes personal data) and
• Third Party (meaning an organization or individual other than the Data Subject, Data Controller, Data Processor, Data Controller cum Processor that is authorized to process personal data).
Stricter requirements are applied to the Data Controller and the Data Controller cum Processor. - Consent requirements
“Consent” is specifically defined to be a clear, voluntary, and affirmative expression of the data subject’s permission to process personal data. In particular, the data subject’s consent must be made in writing, by voice, by ticking the consent checkbox, by consent messages, by selecting consent technical settings, or by other methods that can express such consent.
The Data Subject’s consent is only valid when he/she voluntarily and clearly knows (a) the type of personal data to be processed; (b) the purpose of processing personal data; (c) organizations and individuals allowed to process personal data; and (d) rights and obligations of Data Subjects.
Furthermore, such Data Subject’s consent must also be expressed in a format that is printable and able to be copied in writing.
On the other hand, there are some new exceptions where the Data Subject’s consent is not required for data processing. - Personal Data Processing Impact Assessment
The Data Controller, Data Processor, and Data Controller cum Processor are required to formulate and store a Personal Data Processing Impact Assessment (PDPIA) dossier in writing according to standard form at the time they start processing personal data, which must always be available to serve the inspection and assessment activities of the Ministry of Public Security (MoPS).
Furthermore, an original of this dossier must be sent to the Department of Cybersecurity and Prevention of Crimes Using High Technologies directly managed by the MoPS (the Cybersecurity Department) within 60 days from the date of processing, which shall evaluate and may request to complete if finding out such dossier is incomplete and does not conform to regulations.
When there is a change in the contents of the dossier already sent to the Cybersecurity Department, the relevant processing entity must update and supplement the PDPIA dossier according to standard form. - Notification of personal data processing
The Data Controllers and the Data Controller cum Processors are required to notify the Data Subjects of their personal data processing, and the notice thereof must contain statutory contents, be made once prior to such processing, and be expressed in a format that is printable and able to be copied in writing. - Notification of personal data breach
Individuals and organizations must notify the Cybersecurity Department upon detection of a violation of personal data regulations. Unlike the current legal framework, which requires a notification “within 5 days” in general and “within 24 hours” in e-commerce, Decree 13 sets forth a time limit of 72 hours for notification by the Data Controllers or the Data Controller cum Processors of such violation. - Stricter requirements for cross-border data transfer
New requirements will be applied to cross-border data transfer, which has been an unregulated sector before issuance of Decree 13. Particularly, any processing entities, including Third Party, that conduct a cross-border transfer of data are required to perform the following obligations:
(i) Formulating an Overseas Data Transfer Impact Assessment dossier in standard form
(ii) Submitting one original of this dossier to the Cybersecurity Department within 60 days from the date of processing, which shall evaluate and may request to complete if founding out such dossier is incomplete and does not conform to regulations
(iii) Notifying the Cybersecurity Department of the data transfer and contact details of the organization or individual in charge thereof in writing after a successful transfer and
(iv) Updating and supplementing such dossier according to statutory form when there is a change in the contents of this dossier already sent to the Cybersecurity Department within 10 days from the date of request. - Data Protection Staff appointment
Sensitive data processing entities have to designate a personal data protection unit and personnel and notify the Cybersecurity Department. In case where a processing entity is an individual, the information on the implementing individual shall be notified. - Personal Data Protection Agency
The Cybersecurity Department is designated as the specialized Personal Data Protection Agency, which is responsible for assisting the MoPS in performing the state management on data protection.
WELCOME TO CROSSROADS – ICR INSIGHTS
Crossroads – ICR Insights is our series of short-read articles designed to assist organizations considering an international corporate reorganization (ICR). Each country-specific, solutions-based brief will answer a key consideration during a global transaction such as carveouts, spinoffs, acquisitions and dispositions, pre- and post-acquisition integration, or legal entity rationalization. Visit Crossroads – ICR Insights to view the entire collection or sign up to be notified of new postings. Have an idea of a topic or interested in discussing further? Email ICRCrossroads@dlapiper.com.
*Luu Tien Ngoc, Partner, Business Development, Vision & Associates
**Le Tuan Anh, Partner, Legal Practice, Vision & Associates