After a protracted period of deliberation, the Vietnamese government ultimately passed the Decree No. 13/2023/ND-CP on Personal Data Protection (Decree 13) on 17 April 2023. Decree 13 is a landmark legal instrument that integrates all of Vietnam’s disparate data protection legislation. Scheduled to take effect on 1 July 2023, Decree 13 will apply to both domestic and foreign entities that directly engage in or relate to personal data processing activities in Vietnam.
The Personal Data Protection Decree is a significant legal instrument that investors and businesses operating in Vietnam should review in detail to ensure they fully comply with the new legal requirements. In this article, we cover some of the most significant components of the Decree and explain how they may impact local and foreign stakeholders. We recommend that investors urgently review their current processes and seek advice where appropriate, to ensure they are not at risk under any of the provisions of this decree.
Regulated entities
Decree 13 enforces regulations covering the following entities:
- Vietnamese agencies, organizations and individuals
- Foreign agencies, organizations and individuals in Vietnam
- Vietnamese agencies, organizations and individuals operating abroad
- Foreign agencies, organizations and individuals directly participating in or related to personal data processing activities in Vietnam
Decree 13 classifies regulated entities into the below categories, based on how they process and deal with data:
- Data Subject is the individual reflected by the personal data
- Personal Data Controller is an organization or individual that decides the purpose and means of processing personal data
- Personal Data Processor refers to an organization or individual that performs data processing on behalf of the Data Controller, through a contract or agreement with the Data Controller
- Personal Data Controller and Processor is an organization or individual that simultaneously decides the purposes and means of processing and directly processes personal data
- A third party is an organization or individual other than the Data Subject, Personal Data Controller, Personal Data Processor, or Personal Data Controller and Processor that is authorised to process personal data
Definition and classification of personal data
Personal data refers to information in the form of symbols, letters, numbers, photos, sounds, or the like in an electronic environment that is associated with or helps to identify a specific individual. Information that helps to identify a specific individual is further clarified as information generated from an individual’s activities that, when combined with other data and stored information, can identify a particular person.
Personal data is classified into two different categories – basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, personal photos, phone number, identification number, marriage status, history of one’s cyberspace activities, and so on.
On the other hand, sensitive personal data is more private and, if violated, will be harmful to a person’s legitimate rights and interests. Accordingly, sensitive personal data comprises, among other things, political and religious views, health status and private life information as recorded in medical records, racial or ethnic origin, sexual orientation, criminal records, customer information of credit institutions/foreign bank branches/payment intermediary service providers, or location data.
Principles of Protection of Personal Data
Article 3 of Decree 13 sets out 8 principles governing personal data protection. The principles mainly revolve around complying with the law in ensuring the security of personal data. Several principles emphasize the rights of data subjects and the limits on data collection and processing by related parties:
- Personal data is processed in accordance with the law
- The data subject is made aware of his/her personal data processing activities, unless otherwise provided for by law
- Personal data is processed only for the purposes that have been registered and declared by the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and third parties, in the statement on the processing of personal data
- Personal data collected must be appropriate and limited within the scope and purpose to be processed. Personal data may not be bought or sold in any form, unless otherwise provided by law
- Personal data is updated and supplemented in accordance with the processing purposes
- Personal data is subject to protection and confidentiality measures during processing, including protection against violations of regulations on protection of personal data and prevention of loss, destruction or damage due to breakdown, using technical measures
- Personal data is only stored for a period suitable for the purpose of data processing, unless otherwise provided for by law
- The Personal Data Controller and the Personal Data Controller and Processor are responsible for complying with the data processing principles specified above and for proving their compliance with those principles
The above highlighted principles are extremely important to keep in mind, as they will play a key role in guiding businesses’ compliance procedures.
Rights of Data Subjects
Article 9 of Decree 13 sets out 11 rights of the Data Subjects, including the right to be informed, the right to consent, the right to access, the right to withdraw consent, the right to delete data, the right to restrict data processing, the right to data provision, the right to object to data processing, the right to complain and denounce and/or initiate lawsuits, the right to claim compensation for damages, and the right to self-defense.
Among these rights, enterprises should pay special attention to (i) the right to restrict data processing, and (ii) the right to object to data processing, as compliance in these regards is subject to a 72-hour time limit, as follows:
- Restrict data processing: the restriction of data processing is carried out within 72 hours after the request of the data subject and applies to all personal data that the data subject requests to restrict, unless otherwise provided by law.
- Object to data processing: the Personal Data Controller, Personal Data Controller and Processor shall fulfill the request of the data subject within 72 hours after receiving the request, unless otherwise provided for by law.
When can entities process personal data without the consent of Data Subjects?
As stated in Article 17, there are 5 circumstances where other parties are entitled to process personal data without any agreement/consent of the Data Subjects:
- In emergency cases where it is necessary to immediately process relevant personal data to protect the life or health of the data subject or others
- Public disclosure of personal data is in accordance with the law
- Processing data is carried out by a relevant authority in the event of emergency on national defense, security, social order and safety, major disaster, or dangerous epidemic; or when there is a risk that threatens security and national defense but not to the extent where it is necessary to declare a state of emergency; or to prevent and combat riots, terrorism, crimes and violations of the law
- To fulfill the contractual obligations of the data subject with relevant entities as prescribed by law
- To serve the activities of the authority as prescribed by sector-specific laws
Entities that violate regulations on protection of personal data, depending on the severity of violation, may be disciplined, administratively sanctioned, or criminally handled (Article 4 of Decree 13).
Measures required to protect personal data
Personal data protection measures are used throughout the entire process of dealing with personal data. Measures to protect personal data include:
- Management measures taken by organizations and individuals related to personal data processing
- Technical measures taken by organizations and individuals related to personal data processing
- Measures taken by relevant state management agencies in accordance with this Decree and relevant laws
- Investigation and procedural measures taken by relevant state agencies
- Other measures as prescribed by law
With respect to sensitive personal data, under Article 28 on the protection of sensitive personal data, the standards for processing sensitive personal data appear to be stricter than those for basic personal data.
More specifically, the protection of sensitive personal data would necessitate:
- All of the managerial and technical measures required for the protection of basic personal data, and
- The appointment of a Data Protection Officer and an Internal Personal Data Protection Department, and
- Notification to data subjects that their sensitive personal data is processed except in specified cases.
Transferring personal data outside Vietnam
According to Article 2.14, Transferring Data outside Vietnam includes (1) transferring data from inside to outside Vietnam, or (2) processing data of Vietnamese individuals by an electronic automatic system located outside Vietnam. The entities transferring data are organizations, enterprises and individuals, and in this context they include the Personal Data Controller, Personal Data Controller and Processor, and Personal Data Processor (the Transferor). Note that (a) the Transferor is required to obtain the approval and consent of the Personal Data Subject prior to transferring personal data outside Vietnam, and (b) the purpose of the data transfer must be agreed by the Personal Data Subject as well.
According to Article 25.1, the transferor of personal data is required to prepare a Dossier of Impact Assessment for the Cross-Border Transfer of Personal Data (Dossier) before starting the personal data transfer out of Vietnam. According to Article 25.3, the transferor submits one original copy of the Dossier to the Department of Cybersecurity and Hi-Tech Crime Prevention – Ministry of Public Security of Vietnam within 60 days from the date of the personal data processing.
Since personal data processing refers to any activity impacting data, including collection, recording, analysis, sharing, transfer, etc. under Article 2.7, it can be construed from the above provisions that there may be 2 scenarios:
- The Transferor prepares the Dossier as the master plan for transferring personal data before undertaking any activity impacting data. Subsequently, when the Transferor actually processes data (impacting data) by any activity (e.g. collecting, analyzing, etc.), regardless of whether the data transfer is conducted, the Transferor submits the Dossier within 60 days after that. When the data transfer is actually conducted, the Transferor also notifies the Ministry of the completion of the transfer under Article 25.4.
- At the outset, the Transferor has no plan to transfer data outside Vietnam. When the Transferor later needs to transfer data, they can undertake the transfer first, then submit the Dossier to the Ministry within 60 days, and finally notify the Ministry of the completion of the data transfer. This scenario may be tentatively allowed and should be guided in detail by a Circular.
The Dossier must include the information required under Article 25.2, such as information on the parties relevant to the data transfer and the officer in charge at each party, a description of the type of data, an explanation of the purpose of the data processing after the transfer, etc.
In addition, it is worth noting that the Ministry of Public Security of Vietnam has the power to halt cross-border data transfers if (i) the data is used for activities that violate the interests and national security of Vietnam; (ii) the transferor fails to complete or update the Dossier, or (iii) the personal data of Vietnamese citizens is disclosed or lost. Needless to say, the first criterion is very broad and vague.
Other notable provisions
In addition to the essential regulations listed above, it might also be necessary for businesses to take note of the following provisions:
- Article 21 addresses personal data protection in the marketing and advertising industries. Accordingly, marketing/advertising service providers can only use customers’ personal data collected during the course of their business activities to provide marketing services or introduce advertising products provided the data subject gives informed, opt-in consent. The data subject should be notified about the content, method, form, and frequency of marketing/advertising activities that will be provided to them.
- Pursuant to Article 3.4, personal data shall not be bought or sold in any form, unless otherwise provided by law. However, Article 22 provides that the establishment of software systems and technical measures, or the organization of the collection, transfer, purchase and sale of personal data without the consent of the data subject are personal data violations. Accordingly, it can be interpreted that the trading of personal data is not entirely prohibited but will be permitted with the consent of the data subject.
Decree 13 will apply to enterprises in all sectors which engage in the processing of personal data. At the moment, it is uncertain how seriously the authorities will enforce the requirements of Decree 13 during this initial transition period, and how companies will be able to handle all of the obligations set out by the Decree in the following months. For the time being, businesses should exercise prudence and begin preparing their compliance plans.
The Decree may pose a challenge to data controllers and data processors, which need to review their entire systems and processes to meet the requirements, including technical options so that users can access, view, edit and delete their data stored on the system. Currently, many systems have no such technical plan, or an insufficient one, and will require further investment and upgrading.
We advise businesses in Vietnam to urgently develop a compliance plan for the new Decree and review their existing processes immediately, to ensure they are compliant by the 1 July implementation date. Special emphasis should be placed on complying with the rules on storing and processing data outside of Vietnam, and on ensuring that systems are capable of removing or amending personal data as and when data subjects require organizations to do so.
There are many similarities between Decree 13 and the European GDPR. In general, Decree 13 brings a fundamental change in how personal data must be treated and is a major shift towards data privacy in Vietnam.
With Decree 13, data privacy is not a luxury, it’s a necessity. Personal data is the business of data subjects and no longer belongs to the organizations. The decree also gives data subjects the right to protect their data in order to protect themselves, and, by requiring that their data be secured, it stops businesses from spying on them. Last but not least, data privacy matters, because your business matters.
If you need any assistance with these or any other matters relevant for international investors in Vietnam, our experts are ready to work with your company to ensure you understand how the above will apply to your specific situation in Vietnam.
Contact our teams for expert support and further information on Personal Data Protection Obligations in Vietnam to ensure you are compliant and protected in the market.
Nguyen Cong Huy – Senior Associate, Licensing, Market Entry and Corporate Services – huy.nguyen@acclime.com
Phuong Vo – Head of Incorporation, Licensing and Secretarial Services – phuong.vo@acclime.com
Matthew Lourey – Managing Partner – m.lourey@acclime.com