Vietnam’s Personal Data Protection Decree sets out comprehensive guidelines for foreign firms operating within the country to ensure robust protection of personal data. In addition, the decree establishes strict requirements for the transfer of personal data abroad. Depending on foreign firms’ operations in Vietnam, an understanding of this Decree could be crucial to ensuring a firm’s operations run smoothly. With this in mind, foreign firms looking to do business in Vietnam in the technology sector, including video game developers and cross-border service providers, should make sure they are familiar with these regulations.
Scope and Definitions
This decree applies to Vietnamese and foreign individuals, organisations, and entities involved in the processing of personal data in Vietnam or related to Vietnamese citizens, both domestically and internationally.
Key Definitions
- Personal Data: Information that identifies a person, categorised into basic (e.g., name, contact details) and sensitive (e.g., health, ethnicity, political views).
- Data Processing: Actions like collecting, storing, analysing, or sharing personal data.
- Data Subject: The individual to whom the personal data belongs.
- Consent: Explicit permission from the data subject for processing their data.
Principles and Responsibilities
The decree establishes core principles for personal data protection:
- Legal Compliance: All data processing must comply with laws.
- Data Subject’s Awareness: Individuals must be informed about how their data is being processed, except when legally exempt.
- Purpose Limitation: Data can only be processed for the declared purposes.
- Data Protection: Data must be protected against breaches and mishandling.
Entities involved in data processing (data controllers, processors, and third parties) are responsible for adhering to these principles. The government manages and enforces personal data protection through policy creation, legal oversight, and public education.
Violations, Prohibited Acts, and International Cooperation
Violations: Breaching data protection laws can result in disciplinary action, administrative penalties, or criminal prosecution, depending on severity.
Prohibited Acts:
- Unlawful data processing.
- Using personal data to create information harmful to national security or public safety.
- Obstructing government agencies from enforcing data protection.
International Cooperation: Vietnam encourages international collaboration on personal data protection, including sharing expertise, legal assistance, and participating in technology transfer to improve data protection capabilities.
Rights and Obligations of Data Subjects
- Right to Know: Data subjects are informed about their data processing.
- Right to Consent: Data subjects may consent or refuse data processing, with exceptions.
- Right to Access: Data subjects can access and correct their personal data.
- Right to Withdraw Consent: Consent can be withdrawn at any time, subject to legal provisions.
- Right to Erasure: Data subjects may request the deletion of their data.
- Right to Restrict Processing: Requests to limit data processing must be fulfilled within 72 hours.
- Right to Data Portability: Data subjects can transfer their data between controllers.
- Right to Object: They can object to processing, especially for marketing purposes.
- Right to Complain/Sue: Legal actions can be taken against data protection violations.
- Right to Compensation: Compensation may be claimed for violations of data protection.
- Right to Self-Defence: Data subjects may self-protect or seek legal remedies.
Obligations of Data Subjects:
- Protect their own and others’ data.
- Provide accurate data.
- Follow data protection laws.
Protection During Data Processing
- Consent: Informed, explicit consent is required for data processing, except as otherwise provided by law. Consent must be clear, written, and verifiable.
- Withdrawal of Consent: Data controllers must cease processing upon withdrawal of consent.
- Notification: Data subjects must be informed about data processing activities.
- Provision of Personal Data: Data controllers must provide personal data upon request, barring specific legal exceptions. Requests must include identification and reasons for access.
Impact Assessments (Article 24)
Personal Data Impact Assessment Record
The Personal Data Controller, Personal Data Controller and Processor, and Personal Data Processor must establish and maintain a Personal Data Impact Assessment Record from the start of personal data processing. This record includes:
- Information and contact details of the involved parties.
- Contact details of the organisation responsible for data protection and the data protection officer.
- Purpose and types of personal data processed.
- Organisations and individuals receiving personal data, including those outside Vietnam.
- Details on the duration of data processing and the anticipated time for deletion or destruction of the data.
- Description of data protection measures applied.
- Impact assessment of data processing, including potential consequences, damages, and risk mitigation measures.
Personal Data Processing Impact Assessment for Processors
When a Personal Data Processor performs a contract with a Personal Data Controller, they must prepare and maintain a Personal Data Processing Impact Assessment Record. This record should include:
- Information and contact details of the Personal Data Processor.
- Details of the organisation responsible for processing personal data and its employees.
- Description of processing activities and types of data.
- Duration of data processing and expected time for data deletion.
- Details on data protection measures applied.
- Possible risks and damages, with measures to mitigate them.
Documentation and Reporting
The impact assessment records must be documented legally and be available for inspection by the Ministry of Public Security. An original copy of the record must be submitted to the Ministry within 60 days from the commencement of data processing. The Ministry may request updates and improvements to the assessment file if necessary.
Updates to the Assessment File
The Personal Data Controller, Personal Data Controller and Processor, and Personal Data Processor are required to update and supplement the Personal Data Processing Impact Assessment File when there are changes. These updates must be submitted to the Ministry of Public Security within 60 days, using the prescribed form.
Transfer of Personal Data Abroad (Article 25)
Conditions for Data Transfer
Personal data of Vietnamese citizens can be transferred abroad if the transferring party prepares an impact assessment dossier and follows specific procedures. This includes the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, and any Third Party involved in the transfer.
Dossier for Data Transfer Impact Assessment
The dossier must include:
- Information and contact details of both the Data Transfer Party and the Data Recipient.
- Contact details of the organisation or individual in charge of the transfer.
- Objectives and types of personal data being transferred.
- Compliance with personal data protection regulations and the measures applied.
- Impact assessment, including potential risks and mitigation strategies.
- Data subject’s consent and mechanisms for feedback and complaints.
- Binding agreements between transferring and receiving parties regarding data processing.
Documentation and Reporting
The assessment dossier must be available for inspection by the Ministry of Public Security. The transferring party must send an original copy of the dossier to the Ministry within 60 days of the commencement of data processing. Notification of the successful transfer and contact details of the responsible organisation must also be provided.
Updates and Inspections
The transferring party must update the impact assessment dossier when there are changes. The Ministry of Public Security will assess and request any necessary improvements to the dossier. Additionally, the Ministry may inspect data transfers annually or more frequently if violations or incidents occur.
Suspension of Data Transfer
The Ministry of Public Security may request a halt to data transfers abroad if:
- Transferred data is used in ways that threaten national security or interests.
- The transferring party fails to comply with regulatory requirements.
- There are incidents of data disclosure or loss.
Personal Data Protection Measures
Article 26 outlines the measures required to protect personal data, which must be implemented from the outset and maintained throughout the processing period. These measures include management practices, technical safeguards, compliance with regulatory requirements, investigative actions by state agencies, and any additional legal measures prescribed by law.
Basic Personal Data Protection
Article 27 focuses on the protection of basic personal data. It mandates the implementation of the measures specified in Article 26, along with the development and enforcement of specific regulations for data protection. Organisations are encouraged to adopt relevant personal data protection standards and ensure network security. Additionally, they must properly handle and dispose of any devices containing personal data.
Sensitive Personal Data Protection
Article 28 addresses the protection of sensitive personal data. This involves applying the measures detailed in Articles 26 and 27, designating a dedicated department and personnel for data protection, and coordinating with the Personal Data Protection Authority. It is also required to notify data subjects when their sensitive data is processed, with certain exceptions outlined in the Decree.
Specialized Agency and National Portal
Article 29 establishes the Department of Cyber Security and High-Tech Crime Prevention and Control as the primary agency responsible for data protection. This department manages the National Portal on personal data protection, which provides guidelines, updates, and information on data protection activities. The portal also handles records, violations, public warnings, and facilitates assessments and law enforcement coordination.
Implementation
The Decree will be effective from July 1, 2023. During the initial two years of their establishment, micro-enterprises, small enterprises, medium-sized enterprises, and startups are exempt from the requirement to appoint individuals and departments specifically for personal data protection. However, this exemption does not apply to enterprises that are directly engaged in personal data processing, which must comply with the decree’s provisions from the outset. This phased approach allows for a smoother transition for smaller and newly established businesses while ensuring that all entities handling personal data adhere to stringent protection standards.
All of that said, foreign firms operating in Vietnam’s digital arena (in video games, social media, or internet services, for example) should keep in mind that laws, rules, and regulations in Vietnam change frequently. With this in mind, foreign firms doing business in Vietnam can best keep up to date with these changes by subscribing to the-shiv.