On 17 April 2023, the Government issued the long-awaited Decree 13/2023/ND-CP on Personal Data Protection (the “PDPD” or “Decree 13”), which took effect on 01 July 2023. Mirroring the EU’s General Data Protection Regulation in various respects, the PDPD introduces a range of new requirements for any organisation or individual engaging in, or otherwise related to, personal data processing activities in Vietnam.
Scope of Application
As of 1 July 2023, Decree 13 will be the primary legislation governing personal data protection in Vietnam. Decree 13 adopts, consolidates and elaborates in detail certain key principles of previous legal instruments on personal data protection, including the 2015 Law on Protection of Cyberinformation and the 2014 Law on Cybersecurity.
Decree 13 applies to both domestic and overseas entities directly involved in or related to the processing of personal data in Vietnam, including those processing personal data of Vietnamese customers and those utilising infrastructure in Vietnam to conduct such activities.
Terms and Definitions
Building on previous legislation, Decree 13 defines “personal data” as “information in the form of symbols, letters, numbers, images, sounds or equivalent formats on the electronic environment associated with a specified person or helps identifying a specified person”.¹ The “data subject” of specific “personal data” is “the individual whose identity is reflected through the personal data”.²
“Personal data” includes (i) basic personal data (such as name, address, telephone number, etc.) and (ii) sensitive personal data, the violation of which will directly affect the legitimate rights of the data subject (such as political or religious viewpoints, health (excluding blood type), gender orientation, criminal records, bank records, etc.).³
Decree 13 defines “processing of personal data” as “one or more actions affecting personal data, such as collecting, recording, analysing, confirming, storing, editing, publicising, combining, accessing, logging, retrieving, encrypting, decrypting, copying, sharing, transferring, supplying, assigning, deleting, destroying personal data or other connected actions”.⁴ This broad definition means Decree 13 is likely to affect most, if not all, businesses in all industries.
In addition, Decree 13 distinguishes between different types of entities engaging in personal data processing. In particular:
“Personal Data Controller” is defined as an individual or organisation deciding on the purpose or method of processing personal data (a “PDC”)⁵;
“Personal Data Processor” is defined as an individual or organisation engaged in data processing on behalf of a Personal Data Controller through a contract or agreement with the Personal Data Controller (a “PDP”)⁶; and
“Personal Data Controller and Processor” is defined as an individual or organisation engaged in both of the above simultaneously (a “PDCP”)⁷.
Decree 13 regulates the processing of personal data via five main categories.
1. Consent
In general, the data subject’s consent must be obtained before personal data is processed. Such consent must be given expressly, voluntarily and with full knowledge, and in a format capable of being printed or copied in writing.
The requirement to obtain consent is exempted in certain cases, including in emergency circumstances to protect the life or wellbeing of the data subject or another person, or where personal data is processed by state authorities in accordance with applicable laws.
2. Rights of data subjects
These include the right for the data subject to be notified by the PDC or PDCP prior to the conduct of data processing;⁸ the right to be provided with their personal data from the PDC or PDCP, to request or authorise the PDC or PDCP to supply their personal data to other individuals or organisations;⁹ and to request the amendment, deletion and destruction of their personal data.¹⁰
Nonetheless, there are important qualifications to the foregoing rights – e.g. a PDC or PDCP must not supply personal data if doing so would prejudice national defence, national security or social order and safety, or put at risk the safety, physical or mental wellbeing of another person.¹¹
3. Security measures
Decree 13 specifies the security measures that must be implemented by a PDC, PDP or PDCP. These include the promulgation of internal regulations on personal data protection pursuant to Decree 13 and the conduct of cybersecurity examinations of the systems and devices utilised for the processing of personal data.¹²
Notably, entities processing sensitive personal data must appoint a specialised department and personnel to protect personal data and inform the Cybersecurity Department under the Ministry of Public Security (“MPS”) of the details of any such department and personnel.¹³
"Compared to previous legislation, Decree 13 provides for a broader scope of application and more stringent requirements on protection of personal data."
4. Impact assessment
Decree 13 requires the PDC, PDP and PDCP to prepare and submit to the MPS an impact assessment dossier relating to their data processing activities. The dossier will be reviewed by the MPS and must be updated from time to time by the submitting entities upon any change to its content or upon request of the MPS.¹⁴
A separate impact assessment is also required if the personal data of Vietnamese citizens is transferred to a location outside Vietnam and if a location outside Vietnam is used to process the data of Vietnamese citizens¹⁵ (a “cross-border transfer”). In particular, the transferor must submit an impact assessment dossier to the MPS within 60 days from the start of the transfer¹⁶ and must update that dossier from time to time upon any change to its content or upon the request of the MPS.¹⁷
Relevant entities must report to the MPS within 72 hours from the occurrence of certain events, including a violation of personal data protection laws, a processing of personal data for improper purposes or a failure to protect or properly implement the protection of the rights of data subjects.¹⁸
After a cross-border transfer, the transferor must provide the MPS with information on the transfer and the contact details of the organisations or individuals in charge of it.¹⁹
Additionally, the MPS has the right to inspect a cross-border transfer once a year and may require the transferor to cease the transfer if (i) the relevant data is being used to infringe upon the national security interests of Vietnam; (ii) the transferor fails to comply with relevant impact assessment and reporting requirements; and (iii) there has been a leak or loss of personal data of a Vietnamese citizen.²⁰
The MPS has proposed a draft decree under which administrative penalties for violations in cybersecurity, including for non-compliance with Decree 13, will be raised significantly compared to those imposed under previous regulations. For instance, disclosure or loss of data affecting more than 1,000,000 data subjects may incur fines of up to 5% of the entity’s total revenue in Vietnam. The MPS may also impose additional punitive measures, including termination of service, compulsory remedial measures, revocation of relevant licences, compulsory public apology and compensation for loss and damages.