1. Understanding the Decree

The Decree marks a significant step towards safeguarding personal data in the country's thriving digital landscape. This section delves into the core principles and key provisions of the Decree, equipping you with the foundational knowledge to navigate data protection compliance in Vietnam.

1.1. Scope and Applicability:

The Decree casts a wide net, encompassing all entities operating in Vietnam, regardless of domestic or foreign origin. This includes:

  • Vietnamese and foreign businesses
  • Government agencies and organizations
  • Individuals collecting or processing personal data

Whether you're a local e-commerce platform or a foreign social media company, the Decree applies if your activities involve handling Vietnamese citizens' data.

1.2. Core Principles: The Guiding Light

The Decree establishes a framework based on several core principles that govern data protection practices. These principles serve as a roadmap for organizations to ensure responsible data stewardship:

  • Transparency: Individuals have the right to be informed about data collection practices, the purpose for which their data is used, and the identity of the data controller.
  • Lawfulness and Fairness: Personal data collection must be lawful, fair, and relevant to the stated purposes.
  • Purpose Limitation: Data collection and processing must be restricted to the specific purposes outlined and communicated to individuals.
  • Data Minimization: Organizations should only collect and process the minimum amount of personal data necessary for the intended purpose.
  • Accuracy: Data controllers have a responsibility to ensure the accuracy and completeness of collected personal data.
  • Data Security: Implementing appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction is crucial.
  • Accountability: Data controllers are accountable for complying with the Decree and ensuring the protection of personal data.

1.3. Key Provisions: Empowering Individuals

The Decree empowers individuals with a robust set of rights regarding their data. Understanding these rights is essential for businesses to develop compliant data protection practices:

  • Right to Know: Individuals have the right to be informed when their data is collected and for what purpose.
  • Right to Consent: Consent for data processing must be freely given and based on a clear understanding of how the data will be used.
  • Right to Access and Correction: Individuals can access their data, review it for accuracy, and request corrections if necessary.
  • Right to Withdraw Consent: Individuals can revoke their consent at any time, and the data controller must facilitate this process.
  • Right to Data Erasure: Individuals have the right to request the deletion of their data under certain circumstances.
  • Right to Restrict Processing: Individuals can limit the use of their data for specific purposes.
  • Right to Complaint and Legal Action: Individuals can file complaints and initiate legal action against entities that violate their data privacy rights.

By understanding these core principles and key provisions, you can build a solid foundation for crafting a compliant personal data protection policy for your business in Vietnam. Remember, this is just the first step. The next sections will delve into the responsibilities of data controllers and provide practical guidance on creating your policy.


2. Key Rights of Data Subjects (Individuals)

The Decree empowers individuals with a significant degree of control over their data. This section dives deeper into these key rights, allowing you to understand how individuals can interact with your data collection and processing practices.

2.1. Right to Know: Transparency is Key

Individuals have the fundamental right to be informed when their data is being collected. This transparency fosters trust and allows them to make informed decisions about their data privacy. Your business policy should clearly outline:

  • What data you collect: Be specific about the types of personal data you collect from individuals (e.g., name, email address, phone number).
  • How you collect data: Explain the methods you use to collect data, such as website forms, cookies, or offline registration processes.
  • Why you collect data: Communicate the purposes for which you use the collected data (e.g., order fulfillment, marketing communications, customer service).

2.2. Right to Consent: Empowering Choice

The Decree emphasizes the importance of informed consent. Individuals have the right to decide whether or not to provide their data. Here's what you need to consider:

  • Valid Consent: Consent must be freely given with a clear understanding of the information mentioned above (data collected, purpose of use, data controller).
  • Form of Consent: While the Decree doesn't specify a format, a clear and easily accessible method, such as a checkbox accompanied by a user-friendly explanation, is considered best practice.

2.3. Right to Access and Correction: Ensuring Accuracy

Individuals have the right to access the data held by your organization. This allows them to verify its accuracy and completeness. Your data protection policy should address how individuals can:

  • Request access: Provide a clear and convenient mechanism for individuals to submit access requests.
  • Review data: Ensure a user-friendly process for individuals to access and review their data.
  • Request corrections: Establish a procedure for individuals to request corrections to inaccurate or incomplete data.

2.4. Right to Withdraw Consent: Respecting Choice

The Decree acknowledges that an individual's decision to share their data can evolve. Individuals have the right to withdraw their consent for data processing at any time. Your policy should detail how individuals can:

  • Easily revoke consent: Provide a simple and accessible method for individuals to withdraw their consent.
  • Data processing after withdrawal: Outline how you will handle previously collected data after consent is withdrawn (e.g., anonymization, deletion).

2.5. Right to Data Erasure: The Right to be Forgotten

Under certain circumstances, individuals have the right to request the deletion of their data. Your policy should address:

  • Criteria for erasure: Specify the situations when individuals can request data deletion (e.g., withdrawal of consent, the purpose of processing no longer applies).
  • Deletion process: Outline the procedure for handling data erasure requests effectively and within a reasonable timeframe.

2.6. Right to Restrict Processing: Limiting Data Use

Individuals have the right to limit the use of their data for specific purposes. Your policy should encompass how individuals can:

  • Specify limitations: Allow individuals to express their preferences regarding how their data can be used (e.g., limiting marketing communications).
  • Respect limitations: Outline how you will comply with requests to restrict data processing for specific purposes.

2.7. Right to Complaint and Legal Action: Ensuring Accountability

The Decree empowers individuals to hold organizations accountable for data protection violations. Individuals have the right to:

  • File complaints: Provide a clear mechanism for individuals to report suspected violations of their data privacy rights.
  • Seek legal action: Individuals can initiate legal proceedings against organizations that infringe upon their data privacy rights.

By recognizing and respecting these key rights of data subjects, you can build trust and foster a culture of data privacy within your organization. The next section will explore the responsibilities of data controllers (businesses) under the Decree.


3. Responsibilities of Data Controllers (Businesses)

Vietnam's Decree No. 13/2023/ND-CP ("Decree") places significant responsibilities on data controllers (businesses) to ensure the lawful and secure processing of personal data. This section outlines the key areas where businesses must demonstrate their commitment to data protection compliance.

3.1. Compliance with the Decree: The Cornerstone

As a data controller, your primary responsibility is to ensure all your data collection and processing activities adhere to the provisions of the Decree. This includes:

  • Reviewing current practices: Evaluate your existing data collection and processing practices to identify areas that may require adjustments to comply with the Decree.
  • Developing internal procedures: Establish clear internal procedures that govern data collection, processing, storage, and security within your organization.
  • Regular reviews and updates: Continuously review and update your practices to reflect any changes in the Decree or best practices in data protection.

3.2. Transparency and Notice: Building Trust

Transparency is crucial for building trust with individuals. Your data protection policy should communicate:

  • The types of personal data you collect: Be specific about the data you collect from individuals.
  • The purposes of data processing: Clearly outline how you will use the collected personal data.
  • The legal basis for processing: Explain the legal justification for collecting and processing personal data (e.g., consent, contractual necessity).
  • Your contact information: Provide easily accessible contact details for individuals to raise inquiries or submit requests regarding their data.

3.3. Security Measures: Safeguarding Data

The Decree emphasizes the importance of data security. You have a responsibility to implement appropriate technical and organizational measures to protect personal data from:

  • Unauthorized access: Employ security measures to prevent unauthorized individuals from accessing personal data.
  • Disclosure: Protect data from unauthorized disclosure.
  • Alteration: Safeguard data from unauthorized modification.
  • Destruction: Implement measures to prevent accidental or unlawful destruction of personal data.

3.4. Data Retention: Balancing Need and Security

The Decree promotes data minimization, meaning you should only collect and retain personal data for as long as necessary for the stated purposes. Your policy should address:

  • Retention periods: Specify how long you will retain different types of personal data.
  • Data deletion procedures: Outline clear procedures for deleting personal data when it's no longer required.

3.5. Responding to Requests: Respecting Individual Rights

The Decree empowers individuals with various rights regarding their data. You must establish procedures for handling requests related to:

  • Access: Provide a user-friendly mechanism for individuals to access and review their data.
  • Correction: Establish a process for individuals to request corrections to inaccurate or incomplete data.
  • Deletion: Outline a procedure for handling data erasure requests effectively and within a reasonable timeframe.
  • Restriction of processing: Develop a system to comply with requests to limit the use of personal data for specific purposes.


4. Crafting Your Policy

The Decree necessitates a robust personal data protection policy for businesses operating in the country. This section serves as a practical guide to crafting a policy that fosters trust and ensures compliance with the Decree.

4.1. Essential Elements of Your Policy:

  • Introduction: Briefly explain the purpose and scope of the policy.
  • Definitions: Define key terms such as "personal data," "data processing," and "data subject" clearly and in plain language. Shared definitions keep everyone aligned on terminology and prevent confusion later on.
  • Data Collection Practices: Describe the types of personal data you collect from individuals, the methods of collection (e.g., website forms, social media interactions), and the legal basis for processing (e.g., consent, contractual necessity).
  • Purposes of Data Processing: Clearly outline the specific purposes for which you use the collected personal data (e.g., order fulfillment, marketing communications, customer service).
  • Data Sharing and Disclosure: Explain under what circumstances you may share or disclose personal data to third parties. This includes obtaining consent from individuals when necessary.
  • Data Security Measures: Describe the technical and organizational safeguards in place to protect personal data from unauthorized access, disclosure, alteration, or destruction. Examples include encryption, access controls, and regular security assessments.
  • Data Retention: Specify how long you will retain different types of personal data and your data deletion procedures. This demonstrates adherence to the principle of data minimization.
  • Individual Rights: Outline the rights of data subjects under the Decree (as explained in Section 2) and how they can exercise these rights (e.g., access requests, correction requests). Provide clear and accessible methods for individuals to submit such requests.
  • Changes to the Policy: Inform users about how you will communicate any changes to the policy. This fosters transparency and allows individuals to stay informed.

4.2. Additional Considerations:

  • Cross-border Data Transfers: If you transfer data outside Vietnam, ensure compliance with the specific requirements outlined in the Decree. This may involve additional procedures and documentation.
  • Compliance and Training: Develop internal compliance procedures to ensure all your staff understand and adhere to data protection best practices. Regular training on the Decree and your company policy is essential.

4.3. Crafting a User-Friendly Policy:

  • Use clear and concise language that is easy for individuals to understand.
  • Avoid legal jargon or "legalese" and technical terms whenever possible.
  • Present information in a well-organized and easy-to-navigate format.
  • Make the policy readily available on your website and any other platforms where you collect personal data.

By incorporating these elements and considerations, you can create a comprehensive and compliant personal data protection policy that fosters trust with individuals and demonstrates your commitment to data privacy in Vietnam.


5. Additional Considerations

While a well-crafted policy based on the core principles of the Decree is a strong foundation, here are some additional considerations to strengthen your data protection approach in Vietnam:

Data Protection Impact Assessments (DPIAs): The Decree recommends conducting DPIAs for data processing activities that pose a high risk to individuals' rights and freedoms. A DPIA helps identify and mitigate potential risks associated with data processing. Consider conducting DPIAs for activities involving:

  • Sensitive personal data (e.g., health information, religious beliefs)
  • Large-scale data collection or processing
  • Data profiling for automated decision-making

Data Breach Notification: While the Decree doesn't explicitly require data breach notification, it's good practice to implement a process for identifying, reporting, and responding to data breaches. This demonstrates your commitment to data security and transparency.

Record-Keeping: Maintain clear and accurate records of your data processing activities. This includes:

  • The types of personal data collected
  • The purpose of processing
  • The categories of data subjects
  • The recipients of the data (if any)
  • The retention periods for data

These records will be crucial for demonstrating compliance with the Decree and facilitating responses to data subject requests.

Staying Updated: The data protection landscape is constantly evolving. Regularly monitor regulatory changes in Vietnam and update your policy accordingly. Consider subscribing to updates from relevant government agencies or industry associations.

International Compliance: If your organization operates globally, ensure your data protection policy aligns with other relevant data privacy regulations, such as the EU's General Data Protection Regulation (GDPR).

Vendor Management: When working with third-party vendors who process personal data on your behalf, implement robust vendor management practices. Ensure they have appropriate security measures in place and comply with the Decree's requirements.

By incorporating these additional considerations, you can create a comprehensive and future-proof data protection program that fosters trust with individuals and positions your organization as a leader in data privacy compliance in Vietnam. Remember, data protection is an ongoing process, not a one-time fix. Regularly review and update your policy and practices to ensure continued compliance with the Decree and evolving best practices.


6. Conclusion

The Decree marks a significant step towards a more robust data protection environment. By understanding the core principles, respecting individual rights, and fulfilling your responsibilities as a data controller, you can develop a compliant personal data protection policy.

This guide has equipped you with the knowledge to craft a policy that fosters trust with individuals, demonstrates your commitment to data privacy, and positions your organization for success in Vietnam's dynamic digital landscape. Remember, staying informed about regulatory updates and adopting a continuous improvement approach is crucial for ensuring long-term compliance. By prioritizing data protection, you can build trust with individuals and contribute to a more responsible digital future for Vietnam.

If you need further explanation on this subject, please don't hesitate to contact us by email at lienhe@luatminhkhue.vn or by phone at +84986 386 648 (lawyer To Thi Phuong Dzung).