Even if it has been more than one year since the issuance of Decree No. 13 on personal data protection of Vietnam (DPDP), the determination of the personal data processing roles is still struggled by the business community, particularly the third parties allowable to process personal data. In some cases, the personal data protection authority has different views on this role due to the equivocal wording of the regulation and lack of official guidance.
The definition under DPDP, in lieu of being provided as who the third parties are, opts for the similar exclusion approach under GDPR – who they are not. A “Third Party” in accordance with Article 2.12 of DPDP refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, and Personal Data Controller-cum-Processor that is permitted to process personal data. While the personal data processor is only entitled to process personal data on behalf of the controller in accordance with a contract or an arrangement. The personal data protection authority at times reckons that an entity, though absent any contract or data processing agreement, no controller can be determined, and no service is rendered to the data subject, is a processor.
Data Protection Act 2018 of the United Kingdom reads that a “third party”, in relation to personal data, means a person other than the data subject, the controller or a processor, or another person authorised to process personal data for the controller or processor.
In a similar vein, the California Consumer Privacy Act also lists out persons who are not third parties, i.e. (i) the business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumers’ current interaction with the business, (ii) a service provider to the business; and (iii) a contractor.
With reference to relevant rules under certain jurisdictions under which the definition of a third party can be found and pivoting around these regulations, a third party, in respect of personal data protection, may be identified through:
• The absence of a contract, data processing agreement with or instruction/authorization from the controllers or these documents are in place;
• The interaction between data subjects and their business;
• Whether it is a service provider or a contractor.
Taking into account the above, during the discussion and work with the supervisory authority, Vietnamese businesses may employ and share their opinions on the determination of their roles as third parties. On the back of proper policies, data processing and transfer impact assessments, procedures, contractual and non-contractual arrangements for handling personal data, and gap bridging, the acceptability of their third-party positions will be more likely.
However, above all, there must be clear-cut regulations in this respect rather than the subjective perspectives of any parties. The law on personal data protection is now in the drafting process and may soon be available for public consultation. All stakeholders should lead the way in proposing more definitive regulations on third parties.