Vietnam Issues Much-awaited Landmark Data Protection Law to address the concerns regarding the misuse and mishandling of personal data. With the increase in the use of digital devices and the internet, there has been a growing need to safeguard sensitive and private information from unauthorized access, theft, and misuse. In recognition of this, Vietnam has established a new legal framework to protect personal data, making it the latest country to adopt stricter data protection regulations. This article will delve into the details of the law and its implications for individuals and businesses in Vietnam.
Vietnam has issued its first-ever comprehensive data privacy law, Decree No. 13/2023/ND on the Protection of Personal Data, on April 17, 2023. The Decree will take effect on July 1, 2023, with no transition period. All Vietnamese and foreign businesses located in Vietnam or carrying out data processing activities in Vietnam must comply with the Decree.
The issuance of the Decree followed an extensive and protracted series of public consultations and numerous rounds of reviews of its proposed text since the release of the first draft in February 2021. The final text of the issued Decree is currently available only in the Vietnamese language.
The Decree applies to any Vietnamese agency, organization, or individual, any foreign agency, organization, or individual in Vietnam, any Vietnamese agency, organization or individual operating abroad, and any foreign agency, organization or individual that processes personal data in Vietnam.
The Decree distinguishes between basic personal data and sensitive personal data. Basic personal data includes an individual’s full name, middle name, birth name, date of birth, gender, place of birth, place of birth registration, place of permanent or temporary residence, contact address, nationality, image, phone number, national identification numbers, medical insurance card number, marital status, family relationship details, digital account details, and online activities. Sensitive personal data includes personal data that, when violated, will directly affect an individual’s legitimate rights and interests, political views, religious views, health status, medical records, racial or ethnic origins, inherited, or acquired genetic characteristics, physical attributes and biological characteristics, sex life, sexual orientation, criminal records, information held by credit institutions, foreign banks, payment intermediary service providers, and other authorized organizations, and location data identified through location services.
The Decree is centered around eight principles for personal data processing, namely lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, and security, storage limitation, and accountability.
Under the Decree, data subjects have the right, according to applicable law, to know how their personal data is being processed, consent to their data being processed, access their data where access must be granted within 72 hours from the request being received, have their data corrected, withdraw their consent, have their data deleted, restrict or object to data processing, and bring complaints, initiate lawsuits, and claim damages for contraventions of the Decree. In relation to access requests, these must be written in Vietnamese and must contain the requesting individual’s full name, residential address, national identification number, and contact details, data that is to be provided and its format, and reasons for the request.
A number of unique provisions are relevant to the provision of consent by data subjects. Consent must be expressed in a format that can be printed, reproduced in writing, including in electronic or verifiable formats. Any silence or the lack of a response by a data subject does not constitute consent. However, the Decree explicitly recognizes that partial or conditional consent can be valid.
If an organization detects a breach of any of the Decree’s provisions, it must notify the Ministry of Public Security, Department of Cybersecurity and High-Tech Crime Prevention within 72 hours after the violation occurs, using a prescribed Form. An explanation must accompany any late notification.
Vietnam will develop an international cooperation mechanism to facilitate the effective enforcement of personal data protection laws and participate in mutual legal assistance in the protection of personal data of other countries, including potential investigation assistance and information exchange with other authorities.
In conclusion, the Decree is a significant development in the protection of personal data in Vietnam. Businesses operating in Vietnam or processing personal data in Vietnam must comply with the new rules or risk facing significant penalties. Data subjects now have clearly defined rights under the Decree, and organizations must ensure that they respect these rights. The Decree sets out strict requirements for consent and notice to be valid and imposes mandatory breach reporting requirements. It also introduces specific restrictions on the transfer of personal data abroad and presents mandatory breach reporting requirements.
