For the first time in Vietnamese legal framework, the personal data protection matter has been institutionalized into legislation – Decree No. 13/2023/NĐ-CP on Protection of Personal Data (“Decree 13”) on the bases of its reference to APPI (Japan), GDPR (Europe) and the needs of Vietnam. The integration of approaches under GDPR and legislations of other countries into Decree 13 has been made, but even so, it is promulgated with its localization requirements and highlights below. Decree 13 takes effect from July 01, 2023.

Definitions and regulated entities

Personal data is information in the form of symbols, letters, numbers, images, sounds or the like on the electronic environment associated with a particular natural person and help identify that person. Personal data includes basic personal data and sensitive personal data.

The two separate entities are now recognized in Decree 13, rather than in the previous version where there was only a single entity – personal data processor. The personal data controller is an organization or individual that decides the purpose and means of processing personal data. Personal data processor is an organization or individual that performs data processing on behalf of the data controller, through a contract or agreement with the data controller.

Unlike GDPR, an entity having the combination of both controller and processor is now being defined as the controller cum processor of personal data who is an organization or individual that simultaneously decides the purposes, means and directly processes personal data.

Privacy notice, consent requirement

Decree 13 prescribes that the data subject has the right to consent to or dissent to the use of his/her personal data, with the no consent exceptions. In addition, privacy notice must be presented to the data subject prior to the processing of personal data in either electronic or verifiable formats, with the exceptions of particular cases provided in Decree 13.

Protection of personal data upon the provision of marketing advertising services

Marketing and advertising services providers is uniquely entitled to use personal data of customers collected through their business activities if the consent of the data subject is given. The customer’s consent must be based on the customer’s clear understanding of the method, frequency, form and content of the usage of personal data in marketing and advertisement.

Withdrawal of consent and destroy of personal data

The subject of personal data has the right to withdraw his consent provided that the withdrawal of consent does not affect the legality of the previously agreed processing of personal data. Withdrawal of consent must be clearly expressed in specific formats such as in writing, or electronic form. When receiving a request to withdraw consent of the data subject, the data controller, the controller cum processor of personal data is obliged to notify the data subject of possible consequences and damages when consent is withdrawn. Then, the data controller, the data processor, the data controller cum processor, third parties must stop and request the relevant organizations and individuals to stop processing the data.

In addition, the data subject is enabled to order the personal data controller, personal data controller cum processor to delete their personal data in certain circumstances. However, there will have a number of instances that the requirement for deletion of personal data will not apply despite the request of the personal data subject in accordance with the laws of Vietnam. Data deletion must be carried out within 72 hours after the request of the data subject with all personal data collected by the personal data controller, controller cum processor of personal data, unless otherwise provided by law.

Protection measures

Taking into account of personal data protection principles, the nature, scope, context and purposes of processing, Decree 13 lays down that the regulated entities must apply appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the laws of Vietnam. Even though the approach may be very diverse between sensitive and basic data natures, the protection of sensitive data must include all measures to safeguard the basic data. In addition, the Decree obliges the data processing-related entity to appoint a team or staff in charge of personal data protection.

Impact assessment and outbound transfer of personal data

The controller, controller cum processor is obligated to make and save the filings of impact assessment of their personal data processing as from its beginning. While the processor is only ordered to save the impact assessment dossiers in accordance with the contract with the controller.

The party transferring Vietnamese citizens’ data abroad must compile the assessment dossier for the outbound transfer of personal data and carry out mandatory procedures.

Specialized agency and national portal for personal data protection

The agency in charge of personal data protection is the Department of Cybersecurity and Crime Prevention uses High Technology – the Ministry of Public Security (MPS). The national portal on personal data protection shall be built and operated to provide information on guidelines, propaganda and dissemination of legal policies, and handling of violations of personal data protection.

Legal consequences arising from breaches of personal data regulations

Regarding the legal implication due to the breach of personal data protection. Violating agencies, organizations and individuals, depending on the severity, will be disciplined, administratively sanctioned and especially may be criminally charged. Nevertheless, the Decree seems toothless in its handling of any violations since it does not set forth any real implication or consequences despite the fact that MPS referred to penalties foisted upon gigantic tech corporations in the EU and US, for instance. The rules on penalties and fines should be clearly delineated in the near future.