Vietnam has taken a significant step towards safeguarding citizens’ privacy rights and protecting personal information with the issuance of a landmark decree on data protection. The new law, which was approved by the country’s government in December 2018 and took effect on January 1, 2019, establishes a comprehensive legal framework for ensuring the privacy and security of personal data in Vietnam. The decree comes at a time of increased concern over data breaches and misuse of personal information by companies and individuals, making it a vital development for both the Vietnamese people and the economy as a whole. This article will delve into the key provisions of the new data protection decree, its potential impact on businesses, and the challenges that lie ahead in its implementation.
Vietnam has issued Decree No. 13/2023/ND on the Protection of Personal Data (PDPD), which is set to take effect on July 1, 2023. This marks a significant milestone for the Vietnamese government, as the PDPD serves as the very first comprehensive regulation on the protection of personal data in the country. The decree is extensive and has been under review since its draft version was introduced in February 2021, undergoing several rounds of public consultations. All Vietnamese and foreign organizations and individuals located in Vietnam and/or directly involved in personal data processing activities in Vietnam are required to comply with the PDPD.
The PDPD has a significant impact on the processing of personal data in Vietnam. There are several critical provisions set out in the decree, including eight principles for the processing of personal data, such as lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, security, storage limitation, and accountability. The PDPD also introduces new definitions and concepts, notably including personal data, basic personal data, sensitive data, data subject, data controller, data processor, parties controlling and processing personal data, third parties, and cross-border transfer of personal data.
Data subject rights are protected by the PDPD, which outlines eleven rights such as the right to know, right to consent, right to access, right to withdraw consent, right to delete data, right to restrict data processing, right to request the provision of data, right to object to data processing, right to complain, denounce and initiate lawsuits, right to claim compensation for damage, and right to self-defense. Moreover, the decree outlines specific duties of data controllers, data processors, and third parties. Data subjects’ rights are further protected by rules on data subjects’ consent, including the requirements on validity, acceptable formats, and withdrawal of consent.
The PDPD also establishes requirements regarding cross-border transfer of personal data, including a transfer impact assessment and post-transfer notification sent to the Department of Cyber Security and Hi-Tech Crime Prevention of the Ministry of Public Security. Moreover, the decree outlines rules on privacy notices, including timing to send the notices and mandatory content of the notices. The PDPD also includes rules on processing of personal data obtained through audio and video recording activities in public places, processing of personal data of individuals who are declared missing or deceased, processing of children’s personal data, protection of personal data in marketing services and introducing advertising products, and cases where personal data can be processed without consent.
The PDPD will have far-reaching implications across virtually all business operations in Vietnam. The decree introduces measures to protect personal data in general, basic personal data, and sensitive personal data. The measures to protect sensitive personal data include assigning a data protection officer. The PDPD will bring Vietnam closer in line with global privacy and data protection standards, and businesses operating in Vietnam should take immediate steps to update their data handling processes and ensure they are in compliance with the PDPD.
Overall, the PDPD represents a significant milestone for personal data protection in Vietnam. The new regulations are designed to offer enhanced protection for individuals’ personal information, promoting transparency and ensuring that organizations are accountable for their handling of personal data. Despite the challenges of implementing these regulations, the PDPD is an essential step towards ensuring that individuals’ personal data is protected, promoting privacy and data security across the country.
