Ministry of Public Security - Call for comments on Draft Law on Personal Data Protection - COB 01st November 2024

The Ministry of Public Security (MPS) has just released the Draft Law on Personal Data Protection for public consultation. This proposed legislation, expected to be enacted in May 2025 and take effect on January 1, 2026, includes 68 articles that expand upon the existing Personal Data Protection Decree. The Draft Law regulates the following key matters:

  • Rights and obligations of data subjects;
  • Personal data protection in the process of personal data processing;
  • Use of personal data in business activities;
  • Measures and conditions to ensure personal data protection.

The PDPL draft is expected to be adopted by the National Assembly in May 2025. It does not provide a transition period for compliance, except for micro-enterprises, SMEs, and startups, which are only exempt from appointing a data protection department during their first two years from establishment. However, these smaller businesses must meet all other PDPL obligations within the same timeline as larger enterprises.

Should you have any comments, kindly send them to the AusCham Advocacy at advocacy@auschamvn.org by 01 November 2024 for our submission.

Key features of the draft PDPL

  1. Expanded scope: The PDPL draft applies to all Vietnamese agencies, organizations, and individuals operating domestically and abroad, as well as foreign entities involved in data processing within Vietnam. This wide-ranging scope ensures the law will cover data processing activities within the country and for Vietnamese data subjects overseas.
  2. Strict consent requirements: Consent remains the primary legal basis for processing personal data, with new stipulations for cross-border data transfers. Controllers and processors are required to obtain affirmative, informed consent from data subjects, particularly for sensitive personal data such as health records, political views, and biometric data. The PDPL draft specifies that silence or non-response cannot be deemed consent, which reinforces Vietnam’s stance on stringent data privacy.
  3. Definitions of personal data: The draft PDPL introduces a clearer distinction between ‘basic personal data’ and ‘sensitive personal data.’ Sensitive data categories have expanded to include land-use information, location data, and credit records. Additionally, new definitions such as “personal data protection expert,” “personal data protection credit rating,” and “use of personal data for marketing” have been introduced, further refining data protection responsibilities.
  4. Data Protection Impact Assessments (DPIA) and Transfer Impact Assessments (TIA): The draft PDPL mandates both DPIAs and TIAs for organizations, which must be updated every six months or upon any material change. This ensures that personal data processing is continuously monitored and remains compliant with the evolving regulatory landscape.
  5. Obligations for enterprises: The draft PDPL imposes strict obligations on companies regarding data protection compliance. For instance, enterprises must appoint a data protection department for both basic and sensitive data processing. This department can be outsourced to external service providers, giving businesses more flexibility. The draft law also requires that companies have at least one personal data protection expert in these departments, and sets out detailed eligibility requirements for recruiting such personnel.
  6. Exemption for MSMEs: Micro-enterprises, SMEs, and startups are only exempted from the requirement to have a data protection department for their first two years; all other obligations must be met within the same timeline as larger organizations. However, micro-enterprises, SMEs, and startups directly engaged in personal data processing activities are not subject to the exemption.
  7. Data breach notifications: Enterprises will have a 72-hour window to notify authorities of any data breach incident, a rule carried over from the PDPD. This rapid response requirement reflects international best practice, ensuring timely action in case of data security violations.
  8. New certification mechanisms: The draft introduces personal data protection certification, effectively creating a credit rating system for businesses based on their compliance. Companies can earn ratings such as “high credibility” or “trust” based on their personal data protection practices, which could enhance consumer trust and market reputation.

Prohibition of personal data sales in any form

The draft PDPL clearly states eight principles of personal data protection, one of which is that personal data cannot be bought or sold in any form.

According to the draft law, personal data is information in symbols, letters, numbers, images, sounds, or similar forms in the electronic environment that is associated with a specific person or helps identify that person. This data is divided into two types:

  • Basic personal data, which includes full name, date/month/year of birth, gender, place of birth, nationality, personal image, phone number, identification number, marital status, etc.; and
  • Sensitive personal data, which is information that, when violated, will directly affect the legitimate rights and interests of organizations and individuals, and is closely related to the privacy of individuals.

Stop marketing activities when requested by the data subject

The draft law sets aside a separate article to regulate personal data protection in marketing services.

Accordingly, organizations and individuals providing marketing services are only allowed to use customers’ personal data collected through their business activities for marketing services. The collection and use of personal data must ensure the data subject’s rights.

The processing of customers’ personal data for marketing services must receive the customer’s consent, on the basis that the customer clearly knows the content, method, form, and frequency of product introduction.

Personal data protection regulations in financial, banking, credit, and credit information activities

The draft PDPL stipulates that financial, banking, and credit companies must:

  • Not buy, sell, or illegally transfer credit information between financial, credit, and credit information institutions.
  • Not transmit or share unencrypted financial and credit data of data subjects between such institutions.
  • Fully comply with regulations on protecting sensitive personal data, as well as payment and credit security standards prescribed by law.
  • Obtain explicit consent from data subjects before using their credit information to score credit or assess their creditworthiness.
  • Ensure that credit assessments of data subjects result only in binary outputs, such as “Pass or Fail,” “Yes or No,” or scales based on data collected directly from customers.
  • Clearly identify and declare stages that require the application of personal data de-identification measures.
  • Notify data subjects promptly in the event of financial account information breaches or data loss.

Organizations providing credit information services, as well as those in banking, insurance, and finance, and payment intermediaries, are prohibited from unlawfully sharing or transferring personal data to one another or to third-party businesses, except in cases permitted by law.

Credit information and related products of a data subject may only be provided to financial, banking, and credit institutions as explicitly prescribed by law.

The agency responsible for personal data protection serves as the primary authority for requesting credit information in order to investigate and address legal violations in accordance with applicable regulations.

Challenges and compliance considerations

Despite the new provisions, certain challenges remain unresolved. For example, how the PDPL will interact with the existing PDPD is still unclear. Will the PDPL replace the PDPD or coexist alongside it? Moreover, while the law reinforces consent-based data processing, it does not recognize “legitimate interest” as a legal basis, which contrasts with global standards like the GDPR.

For businesses operating in Vietnam, this draft law will require significant adjustments. Companies must prepare to enhance their data processing operations, particularly around DPIAs, cross-border transfers, and the stringent consent regime. Additionally, sectors like marketing, behavioral advertising, healthcare, and AI will need to adapt their practices to remain compliant with the heightened requirements around sensitive personal data processing.