Understanding Vietnam's Data Protection Regulation: A Year On Since the PDPD

2024-06-20

By Sarah Wang Han, Head of Research, Straits Interactive


Earlier this year, Vietnam announced that a new data privacy law is in the works: the Personal Data Protection Law (PDP Law). This is the nation's latest step forward in its mission to develop a cohesive legal framework for personal data regulation. It comes nearly a year after the country's landmark Personal Data Protection Decree (PDPD), Decree No. 13/2023/ND-CP, was first introduced in April 2023 and later implemented in July 2023.

While a draft of the PDP Law is not yet available, a dossier has been published for public consultation on the government's official website, containing an impact assessment of the policies proposed for the Vietnam PDP Law. Still, we do not expect to see it finalised for a while.

Until the PDP Law is formally enacted, the PDPD stands as the primary standard governing the protection of personal data in Vietnam. As we approach a year since this legislation came into effect, let's take a look at the key principles and provisions of the PDPD and how organisations may comply with them.

Scope and Application

Vietnam's PDPD establishes comprehensive data protection regulations that apply to a broad spectrum of entities. These include not only Vietnamese agencies, organisations, and individuals but also foreign entities operating within Vietnam. Moreover, the PDPD’s jurisdiction extends beyond traditional borders, asserting extraterritorial applicability. This means that the PDPD also governs foreign entities that process the personal data of Vietnamese citizens, regardless of whether these entities have a physical presence in Vietnam. 

The scope of data protected under the PDPD encompasses both basic personal data, such as names and contact information, and sensitive personal data, including health records, personal location data, and financial information, among others. This latter category requires additional safeguards due to its nature.

Lawful Basis for Processing

Under the PDPD, personal data can be processed based on several lawful grounds. These include protecting individuals' health or life, complying with legal obligations, handling state emergencies, fulfilling contractual obligations, and processing data as required by specialised laws. These provisions ensure that personal data is processed in a fair and responsible manner.

Data Subject Rights

The law recognises and upholds the rights of individuals regarding their personal data. Data subjects have the right to access their data, correct any inaccuracies, delete their information when necessary, and withdraw consent for data processing. Additionally, individuals can object to the processing of their personal data and request the portability of their information.

Cross-border Data Transfers

Entities involved in outbound data transfers from Vietnam, whether as data controllers, data controlling and data processing parties, data processors, or third parties, are required to fulfil specific conditions under the PDPD. They must prepare an outbound transfer impact assessment dossier that aligns with the requirements specified by the PDPD. The dossier for outbound data transfers must encapsulate essential details including the types of personal data transferred overseas, the objectives for processing Vietnamese citizens' personal data, and a document outlining the obligations and responsibilities between the transferor and the recipient. 

This impact assessment dossier needs to be readily accessible for review and inspection by the Ministry of Public Security (MPS) at any time. The transferor is required to submit the original dossier in the prescribed format to the MPS within 60 days from the start of data processing. If the dossier is found to be incomplete or improperly assembled, the MPS may request that it be corrected. Following the successful transfer of data, the transferor must also provide the MPS with a written notification detailing the data transfer and the contact information of the responsible person.

Appointing a Data Protection Officer

To promote accountability and compliance, organisations processing sensitive personal data are required to appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring compliance with data protection regulations and acts as a point of contact for individuals and authorities.

Micro-enterprises, small enterprises, medium-sized enterprises, and startups that do not directly engage in processing personal data can, however, opt out of appointing a Data Protection Officer (DPO) for the first two years post-establishment. But if these businesses process personal data as a core activity, they are then required to appoint a DPO from the outset, irrespective of their size or age. This emphasises the priority given to data protection in Vietnam.

Breaches, Enforcement and Penalties

Non-compliance with Vietnam's data protection laws can be subject to disciplinary action, administrative penalties or criminal penalties. While the PDPD doesn’t provide the actual amount of fines, the latest draft decree on sanctions for cybersecurity violations outlines the administrative sanctions that could be imposed on violators. 

Administrative fines vary depending on the nature of the violation, ranging from as low as VND 2 million (approximately USD 78) for minor infractions like retaining personal data beyond the necessary period, to up to VND 70 million (approximately USD 2,750) for more severe breaches such as illegal trading of personal information.

Criminal penalties are also applicable for serious violations related to the confidentiality and safety of personal communications, which can lead to sanctions including fines, non-custodial reform, or imprisonment. The government is further intensifying its regulatory framework by drafting additional decrees to sanction cybersecurity infractions, highlighting the increasing rigour in enforcing data protection standards.

In the event of a personal data breach, the PDPD mandates immediate notification. The Data Processor notifies the Data Controller, who, along with the Data Controlling and Processing Party, must inform the MPS within 72 hours. These measures ensure that organisations prioritise the protection of personal data and comply with their obligations under the law.

The Journey Ahead

The announcement of Vietnam's new PDP Law, coupled with the existing PDPD, represents the country’s commitment toward safeguarding personal data in the digital age. As individuals and organisations, it is important for us to understand and comply with the key principles outlined in the law to ensure the secure and ethical handling of personal data. Protecting personal data is not just a legal obligation but also an ethical responsibility that fosters trust and transparency in our increasingly data-driven society.


This article was first published on The Governance Age on 19 June 2024. 

