Key considerations for any company that collects and processes personal data
From 1 July 2023, Vietnam's first ever consolidated Personal Data Protection Decree (PDPD) will take effect. Following international trends, in particular the European Union's General Data Protection Regulation (GDPR), the PDPD seeks to strengthen rules on the collection, processing and transfer of personal data.
In this Insight, we take a close look at the key provisions of the PDPD and its impacts on businesses.
Key takeaways
Decree No. 13/2023/ND-CP of the Government will take effect from 1 July 2023 and bring about the following major developments:
- more comprehensive list of personal data: the new list of personal data is more detailed than ever before, with certain categories of data normally collected from consumers such as health, banking and location data being classified as 'sensitive personal data', which entail more stringent requirements for their handling;
- more stringent consent rules: more specific requirements on consent of individuals identified by the personal data (Data Subjects). Accordingly, a generic and umbrella consent as per previous practice may no longer be sufficient. Other grounds for processing personal data not based on consent are also prescribed;
- application to offshore parties: the cross-border collection of personal data from Vietnam will be regulated, as the PDPD covers (among others) foreign organisations and individuals being directly involved in or related to the processing of personal data in Vietnam;
- impact assessment requirement: those who process personal data—particularly those who transfer personal data of Vietnamese citizens offshore—will need to conduct an impact assessment of such activities (setting out, among others, details of data processing, protective measures and potential impacts) and submit the assessment dossier to the Department of Cybersecurity and Prevention of Hi-tech Crimes under the Ministry of Public Security. There are also new requirements for the appointment of internal department/personnel in charge of personal data protection when processing sensitive personal data, and reporting of breaches of personal data protection regulations.
Broad scope of application
Even though Vietnamese laws have long upheld general principles on the protection of privacy and personal secrets, in the past, detailed rules for collection and processing of personal information were only incorporated into certain sector-specific regulations such as cyberinformation, e-commerce, banking or healthcare (and absent in other sectors, eg labour). The new PDPD has now adopted a unified approach and applies to any personal data collection and processing activities regardless of the particular sector in which they take place.
In terms of subject coverage, the PDPD captures broadly:
- Vietnamese organisations and individuals, including those operating overseas; and
- foreign organisations and individuals in Vietnam[1], or participating in or relating to personal data processing activities in Vietnam.
Due to the broad subject coverage and the wide spectrum of personal data processing activities (as discussed below), the PDPD can be interpreted to capture offshore entities and individuals collecting personal data of individuals in Vietnam on a cross-border basis (eg via website, app or other electronic means) even if the data is then stored offshore and other stages of the processing take place offshore.
Types of personal data and processing activities
Basic and sensitive personal data
Personal data is generally defined as information (in the form of symbols, texts, numbers, images, sounds or similar form in an electronic environment) which (i) is attached to a specific individual or (ii) is formed from personal activities and helps identify a specific individual when combined with other data and information. While this is more or less in line with existing regulations, the PDPD goes further in prescribing a comprehensive list of personal data and categorising personal data into 'basic personal data' and 'sensitive personal data' (which has more stringent requirements for processing). To this end, 'sensitive personal data' includes certain data commonly collected from contemporary consumer platforms and apps such as customers' information in the banking sector, location data and health information in medical records. The PDPD prescribes the non-exhaustive, descriptive list of basic personal data and sensitive personal data as below.
| Basic personal data | Sensitive personal data |
|---|---|
Personal data processing
The PDPD captures a wide range of data processing activities. Personal data processing is defined as one or more activities that impact personal data, such as collection, recording, analysing, confirmation, storage, modification, publication, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, termination of personal data or other relevant activities.
Basis for processing personal data and rights of Data Subjects
Processing personal data based on consent
Consent remains the key basis for processing personal data (although it is not the only basis—see exemption cases below). The PDPD prescribes various rules for consent which are more stringent than before. Accordingly, the current common practice of obtaining a generic umbrella consent for all data processing purposes may no longer be sufficient. The key rules introduced by the PDPD are:
- consent must be express and specific;
- consent by silence and deemed consent are not acceptable;
- consent is only effective if the Data Subject gives consent voluntarily and is clearly aware of the following matters:
- the types of personal data being processed;
- the purposes of data processing;
- the organisation or individual that can process personal data; and
- the rights and obligations of the Data Subject;
- consent must be obtained for each purpose of data processing, and if there is more than one purpose, the purposes must be listed out for the Data Subject to give consent to one or more of those listed purposes;
- if sensitive personal data (as listed above) is processed, the Data Subject must be notified; and
- in case of dispute, the liability to prove consent belongs to the Data Controller (as defined below).
- Some specific aspects of the above rules are quite general and could be open to interpretation. For example, it is unclear how detailed the types of personal data and processing purposes should be described when obtaining consent, or whether the specific names and details of the parties that process personal data must be given and updated from time to time. Currently, it is not known whether the authorities will issue further guidance, nor which approach they will take when enforcing these rules. In this respect, while the EU's GDPR (which inspired many provisions in the PDPD) may be used as reference for interpretation, Vietnamese authorities may develop a distinctive view on how the law should work in the Vietnam context.
- Even though the PDPD allows for consent to be made via different mediums such as writing, voice, tick-the-box or SMS, it also requires that consent be presented in a format which is printable or copiable in writing, including in electronic or other verifiable form. These seemingly contradictory rules, and the fact that the Data Controller must prove the existence of consent in a dispute, mean that it may be more prudent to always obtain consent via written form.
- The PDPD does not have a grandfathering clause or specific exemption for consents obtained before its effective date. Based on the principle that laws will not be applied retrospectively unless specifically provided, there is an argument that such consents are still valid in accordance with the law of their time, even if they are inconsistent with the PDPD. That being said, to be prudent, the consents should be updated to be in line with the new law and avoid unnecessary disputes, particularly if the data processing is ongoing.
Other grounds for processing personal data
Personal data can be processed without consent of the Data Subject based on one of the following grounds:
- (a) in an emergency situation to protect the life and health of the Data Subject;
- (b) disclosure of personal data in accordance with the law;
- (c) processing by competent government authorities in a state of emergency concerning national defence, national security, social order and safety, major disasters or dangerous epidemics; or if there is a threat to security and national defence but not to the extent of declaring a state of emergency; or to prevent riots and terrorism, crimes and law violations in accordance with the law;
- (d) processing to fulfil obligations pursuant to a contract between the Data Subject and the relevant organisations and individuals in accordance with the law; and
- (e) processing to serve operations of the government authorities in accordance with the law.
Arguably, the inclusion of ground (d) above may justify the processing of personal data without separate consent if such processing can be based on an obligation pursuant to a contract between the Data Subject and the processing party[2]. However, the PDPD is unclear whether such an obligation needs to be independent in nature from the processing itself and genuinely necessary for the performance of the contract, or whether the parties can simply agree that the Data Subject is obliged to allow processing of personal data even if the contract can operate without it. In the absence of clear guidance, it may be more prudent to take the first, more conservative approach, which is also in line with the approach under the GDPR.
Rights of the Data Subject
The Data Subject also has various rights to control their personal data, including the so-called 'right to be forgotten'. Some key rights are:
- withdrawing consent for processing of personal data;
- requesting the Data Controller to provide a copy of their personal data;
- accessing and editing (or requesting the Data Controller to edit) their personal data; and
- requesting the deletion of their personal data in certain circumstances (including in case of withdrawing consent).
The purchase and sale of personal data without the Data Subject's consent is prohibited.
Obligations when processing personal data
Data Controller and Data Processor
For the first time, the PDPD introduces concepts of key roles in personal data processing activities, including 'Data Controller' and 'Data Processor':
- (a) Data Controller: is the organisation or individual that decides the purpose ('why') of, and means ('how') for, personal data processing. For example, Company A would be considered as the Data Controller if it collects personal data from its customers and decides to use such data for providing services to customers or for marketing its products, as well as deciding how such data is used, transmitted and stored.[3]
- (b) Data Processor: is the organisation or individual that processes data on behalf of the Data Controller on a contractual basis. For example, if Company B provides IT systems and stores customers' data for Company A, but it only follows Company A's instructions and does not make any decision as to why and how the data can be processed, then Company B will be treated as the Data Processor.
- (c) Data Controller-processor: is the organisation or individual that does both the activities in (a) and (b), and has the obligations of (a) or (b) in the relevant capacity. Given their similarities, in this Insight we do not mention Data Controller-processor separately, and a reference to Data Controller should be read to include Data Controller-processor. In the example above, if Company A does not rely on Company B but internally has IT systems and stores/processes personal data all by itself, then Company A is the Data Controller-processor.
- (d) Third Party: is a party that is not the Data Controller or Data Processor but is permitted to process personal data. This category seems to follow the catch-all approach of the GDPR to cover any party that has authorisation to process personal data (eg it receives the lawful transfer of personal data from the Data Controller) but neither decides the purposes and means of processing nor acts on behalf of the Data Controller. However, it remains unclear what this may capture specifically.
Generally, the Data Controller has more obligations towards the Data Subjects and the authorities, including to obtain consent and perform the Data Subjects' requests relating to their personal data, record and archive system logs of data processing, and is liable to the Data Subjects for any damage caused by the data processing activities. On the other hand, the Data Processor has fewer direct responsibilities to the Data Subjects (limited to certain cases such as ceasing data processing upon request, or allowing the editing of personal data), but can still be held liable by the Data Subjects for any damage caused by its data processing activity.
In practice, there may be cases where the Data Controller transfers personal data it has collected to another party (the transferee) to process on the transferee's own behalf, eg for cross-advertising or credit rating/KYC. In such cases, it is not entirely clear into which category above the transferee will fall (ie Data Controller or Third Party). The conclusion may depend on the specific circumstances of the case and the activities/decisions taken by the transferee.
Additional rules for processing of 'sensitive personal data'
An entity that controls or processes 'sensitive personal data' (such as banks that process customer data or e-hailing providers that process customers' location data) has extra obligations to:
- designate both a department and personnel in charge of personal data protection, and exchange information about that department and personnel with the personal data protection agency (as mentioned below); and
- notify Data Subjects about the processing of their sensitive personal data (unless the Data Subjects have agreed to the processing already, or in one of the consent-exemption cases).
There is a grace period whereby micro enterprises, SMEs and startups are exempted from the obligation to designate both a department and personnel in charge of personal data protection in the first two years from their incorporation.
Micro enterprises, SMEs and startups are not defined in the PDPD but are mentioned in the Law on Supports for SMEs. Under that law, in general, micro, small and medium enterprises are those that have, on average, no more than 200 employees participating in a compulsory insurance scheme, and have either total equity not exceeding VND100 billion (c. USD4.26 million) or total revenues in the preceding year not exceeding VND300 billion (c. USD12.78 million). There are further specific criteria depending on sector, and for qualification as innovative startups.
Regulatory supervision
Personal data protection agency
The authority in charge of personal data protection is the Department of Cybersecurity and Prevention of Hi-tech Crimes (A05) under the Ministry of Public Security. This agency is also tasked with setting up a national portal on personal data protection via which reports and information prescribed under the PDPD can be submitted.
Impact assessment for personal data processing
The Data Controller or Data Processor must conduct an impact assessment and maintain the assessment dossier from the time it starts personal data processing. It must also submit the dossier to the personal data protection agency for approval within 60 days after starting data processing. The authority will review and can request an update of the dossier if not yet compliant. The dossier includes key details such as contact details of the Data Controller and its personnel in charge of personal data protection, processing purposes, types of personal data to be processed, cases of offshore transfer of personal data, time durations, protective measures and impact levels, among others.
There is no limit or exemption to this impact assessment requirement (eg it is not limited to sensitive personal data only, as previous drafts seemed to suggest, and there is no carve-out for internal processing of employees' data or for SMEs). This means the number of reports that must be submitted to the authority could be staggering and impose heavy procedural burdens on the business community as a whole. For now, no specific penalty has been promulgated for breach of this obligation.
Notification of breach of personal data protection regulations
After discovering/becoming aware of a breach of data protection regulations, the Data Processor must notify the Data Controller as soon as possible and the Data Controller must notify the personal data protection agency within 72 hours. Notification can be made in stages if not all required information is available.
It is unclear if this is only intended to capture the Data Controller or Data Processor's breach of law or also any incident of breach of personal data under their control. One may take the prudent approach to notify data breach incidents as well.
Offshore transfer of personal data
Impact assessment for offshore transfer of Vietnamese citizens' personal data
The Data Controller, Data Processor or Third Party that transfers personal data of Vietnamese citizens offshore must conduct an impact assessment and maintain the assessment dossier from the time it starts data processing. It must also submit the dossier to the personal data protection agency within 60 days after starting data processing. Similar to the case of general processing of personal data, the authority will review and can request an update of the dossier. The dossier includes key details such as contact details of the data transferor and recipient, objectives of the personal data processing after transfer overseas, types of personal data to be transferred and measures for personal data protection, among others. It is unclear whether personal data can be transferred offshore before the dossier is approved by the authority.
- There is no exemption for cases of internal data transfer (such as employees' information within the company group) or cases where the transferred personal data is minimal (such as the signatory's name in a contract signed with foreign parties). Therefore, the procedural burden of making this impact assessment may also become disproportionate. For now, no specific penalty has been promulgated for breach of this obligation.
- It is unclear whether a party that already has to make the impact assessment for offshore data transfer still needs to make the impact assessment for general data processing. Taking a conservative approach, it is likely it will need to conduct both assessments.
Additional requirements during the offshore transfer period
- After a successful transfer, the transferor must give notice to the personal data protection agency, including contact details of the responsible parties.
- The Ministry of Public Security can decide to inspect the offshore transfer once per year (except in case of breach of regulations or occasion of data loss of Vietnamese citizens, where—presumably—there can be extraordinary inspection).
- The Ministry of Public Security can request to stop personal data transfer if: (i) the transferred data is used for activities violating the national interest and security of Vietnam; (ii) the transferor does not comply with requests to supplement the impact assessment dossier; or (iii) there is an incident of leakage or loss of personal data of Vietnamese citizens—it seems this may be applied even if there is no fault of the transferor.
What's next?
Given the effective date of the PDPD is fast approaching and there is no transition or grace period, any company that collects and processes personal data should consider the following key actions:
- submitting questions to the authorities for guidance for any unclear points, whether independently or via your respective business associations;
- reviewing your role and whether you are classified as a Data Controller or Data Processor, and the categories of data you control and/or process (including whether it includes any 'sensitive personal data'), to identify the obligations you may be subject to;
- reviewing your personal data protection policies and regulations to ensure compliance with the new regulations;
- reviewing your standard Data Subject consents to analyse any gap with the new regulations and updating accordingly;
- preparing the impact assessment dossier(s) for personal data processing and, if applicable, for offshore transfer of Vietnamese citizens' personal data; noting that while the PDPD contains some broad criteria for the content of these dossiers, it is unclear whether there may be more detailed guidance and additional forms in future regulations from the Ministry of Public Security; and
- designating the internal department and personnel in charge of personal data protection if you process sensitive personal data.
Footnotes
1. Given the generic wording of the PDPD, it is unclear if this is intended to cover only those with business operations in Vietnam, or even those with a mere presence (eg a representative office) that do not engage in personal data processing in Vietnam. The second interpretation may be too broad, but it remains to be seen how widely the law may be applied.
2. Due to ambiguous drafting of the PDPD, it is unclear if this refers to obligations of the Data Subjects under the contract or obligations of any party under the contract.
3. These examples are based on our reading of the PDPD, and are not expressly provided in the PDPD.