1. When a Data Subject Might Lodge a Complaint

Vietnam's PDPD empowers individuals (data subjects) with control over their personal information. This control extends to the right to lodge complaints with the relevant authorities if they believe an organization is violating their data privacy rights. Here are some situations where a data subject might consider filing a complaint:

  • Unlawful Processing: If an organization processes a data subject's personal information without a valid legal reason, the individual may file a complaint. This could involve situations where the organization collects data without the individual's consent or uses the data for purposes beyond what they originally agreed to.
  • Exceeding Permitted Purposes: The PDPD allows organizations to process personal data only for specific, clearly defined purposes communicated to the data subject at the time of collection. If an organization uses the data for a different purpose, the data subject has the right to complain.
  • Obstructed Access or Rectification: Data subjects have the right to access their personal data held by organizations and to request corrections if the information is inaccurate or incomplete. If an organization fails to comply with a reasonable data access or rectification request, the data subject might lodge a complaint.
  • Denial of Erasure Right: Under certain circumstances, the PDPL grants individuals the right to have their personal data erased. If an organization denies a legitimate erasure request, the data subject can file a complaint to enforce this right.
  • Other Privacy Violations: The PDPD outlines various data privacy rights for individuals. If an organization engages in any practice that violates these rights, such as inadequate data security measures or unauthorized data disclosure, the data subject can potentially file a complaint.

It's important to note that the PDPD doesn't require individuals to exhaust all other options before filing a complaint. If they have concerns about an organization's data handling practices, they have the right to bring their case to the relevant authorities.

 

2. Complaint Resolution Process (Possible Steps)

Vietnam's PDPD establishes a framework for resolving data subject complaints. However, the exact process might vary depending on the specific circumstances and the authorities involved. Here's a breakdown of the potential steps involved:

1. Pre-Complaint Communication (Optional):

This initial step isn't mandatory, but it can sometimes lead to a faster resolution without involving the authorities. The data subject may attempt to address the issue directly with the organization. This could involve:

  • Contacting the Data Protection Officer (DPO): Many organizations are required to appoint a DPO who is responsible for overseeing data privacy compliance. The data subject can reach out to the DPO and explain their concerns about how their personal data is being handled.
  • Internal Grievance Procedures: Some organizations have established internal procedures for handling data subject complaints. The data subject can review these procedures and submit a formal complaint through the designated channels.

If the pre-complaint communication is unsuccessful or the data subject prefers to bypass this step, they can proceed with a formal complaint submission.

2. Formal Complaint Submission:

This is the official process of bringing a complaint to the attention of the relevant authorities. The complaint might need to be submitted in writing and could include details such as:

  • The data subject's name and contact information for clear identification and communication purposes.
  • The name of the organization against which the complaint is filed, so that the authorities know whom to investigate.
  • A clear and concise description of the alleged violation. This should outline the specific actions of the organization that the data subject believes are in breach of the PDPD.
  • Supporting evidence (optional, but highly recommended). This could include copies of emails, screenshots, or any documentation that strengthens the data subject's case.

The specific format and submission method for formal complaints might vary depending on the chosen authority. Some authorities might have online complaint forms, while others might require complaints to be submitted in person or by mail.

3. Authority Investigation:

Upon receiving the formal complaint, the relevant authority will assess its validity. If they determine the complaint warrants further investigation, they will delve deeper into the matter. This investigation might involve:

  • Requesting Additional Information: The authority might need more details from both the data subject and the organization to understand the situation fully. This could involve requesting additional documents or statements.
  • Investigative Measures: Depending on the nature of the complaint, the authority might conduct various investigative measures. This could involve reviewing the organization's data processing policies and procedures or interviewing relevant personnel within the organization.

The specific course of the investigation will depend on the complexity of the complaint and the discretion of the authority.

4. Mediation (Optional):

In some cases, the authority might propose mediation between the data subject and the organization. This could involve a facilitated discussion aimed at reaching a mutually agreeable solution that addresses the data subject's concerns and ensures compliance with the PDPD. Mediation can be a faster and less confrontational approach compared to a formal ruling.

5. Ruling and Enforcement:

Following the investigation (and potential mediation), the authority will issue a ruling on the complaint. This ruling could take several forms:

  • Dismissal of the Complaint: If the authority finds no evidence of a PDPL violation, they might dismiss the complaint.
  • Corrective Order: If the organization is found to be in breach of the PDPL, the authority might issue a corrective order. This order would require the organization to take specific actions to address the violation, such as deleting data or providing access to the data subject.
  • Administrative Fines: The PDPL empowers authorities to impose administrative fines on organizations for non-compliance. The severity of the fine might depend on the nature and severity of the violation.

Understanding the potential steps involved in the complaint resolution process can empower both data subjects and organizations. Data subjects can navigate the process of seeking redress for their data privacy concerns, while organizations can prepare for potential investigations and ensure their data handling practices are compliant with the PDPD.

 

3. Relevant Authorities in Vietnam

Vietnam's PDPD distributes the responsibility for handling data subject complaints amongst various authorities depending on the nature of the alleged violation. Here's a breakdown of some potential authorities you might encounter:

1. Authority of Information Technology (Bộ Thông tin và Truyền thông - BCTT):

  • Central Authority: The BCTT serves as the central authority with overall responsibility for data privacy enforcement in Vietnam. They play a key role in overseeing the implementation of the PDPL and handling complex or high-profile complaints.
  • Complaint Types: The BCTT would likely handle complaints that:
    • Involve multiple organizations or have widespread impact.
    • Raise complex legal issues regarding data privacy interpretation.
    • Fall outside the jurisdiction of more specific sectoral regulators.

2. Provincial Departments of Information and Technology (Sở Thông tin và Truyền thông):

  • Local Authority: These provincial departments act as local authorities responsible for data privacy enforcement within their respective jurisdictions.
  • Complaint Types: Provincial departments might handle complaints that:
    • Focus on data privacy violations by organizations located within their province.
    • Involve less complex legal issues compared to those handled by the BCTT.

3. Other Relevant Authorities:

In some instances, depending on the specific nature of the complaint, other sectoral regulators might get involved:

  • Example: If a complaint relates to healthcare data, the Ministry of Health might be included in the investigation alongside the BCTT or relevant provincial department.

Determining the Right Authority:

While the specific lines of responsibility might evolve over time, here are some general pointers to help determine the appropriate authority for a complaint:

  • Consult the BCTT Website: The BCTT website might offer guidance on how to identify the relevant authority based on the nature of the complaint.
  • Start with Local Authorities: In most cases, it's advisable to first approach the provincial Department of Information and Technology for your area. They can assess the complaint and determine if it falls within their jurisdiction or needs to be escalated to the BCTT.

By understanding the distribution of responsibilities among these authorities, data subjects can file their complaints with the most appropriate body, ensuring a swifter and more targeted investigation into their concerns.

 

4. Recommendations for Organizations

Vietnam's PDPD empowers individuals with control over their personal data and the right to lodge complaints if they believe their rights have been violated. To minimize the risk of data subject complaints and ensure compliance with the PDPD, organizations can take several proactive steps:

  • Implement Robust Data Governance: Establish clear and comprehensive policies and procedures for data collection, processing, storage, and disposal. These procedures should align with the PDPD's requirements and outline:
    • Lawful Basis for Processing: Identify the legal justification for collecting and processing personal data (e.g., consent, contractual necessity).
    • Purpose Limitation: Specify the clear and specific purposes for which the data will be used and obtain consent for those purposes.
    • Data Minimization: Collect only the personal data necessary for the identified purposes and avoid collecting excessive data.
    • Data Security Measures: Implement appropriate technical and organizational safeguards to protect personal data from unauthorized access, disclosure, alteration, or destruction.
    • Data Retention Periods: Establish clear guidelines for how long you will retain personal data and ensure it's deleted when no longer necessary for processing purposes.
  • Train Employees on Data Privacy: Equip your employees with a thorough understanding of their data privacy obligations and best practices for handling personal data. Training should cover topics like:
    • Individual Data Rights: The rights granted to data subjects under the PDPL, such as access, rectification, erasure, and objection.
    • Data Security Protocols: The specific procedures employees should follow to safeguard personal data and prevent breaches.
    • Data Breach Response: The steps employees should take in case of a data security incident.
  • Respond Promptly to Data Subject Requests: The PDPD mandates timely responses to data subject requests for access, rectification, or erasure of their personal data. Having a clear procedure in place and dedicated personnel to handle these requests efficiently demonstrates respect for individual rights and helps avoid potential complaints.
  • Maintain Clear Communication: Transparency is key. Develop and maintain a clear and accessible Data Privacy Policy outlining how you collect, use, and protect personal data. This policy should be readily available on your website and in any communication where you collect personal data. Additionally, be prepared to answer questions from data subjects regarding their information and your data handling practices.

By implementing these recommendations, organizations can establish a strong foundation for data privacy compliance. This proactive approach minimizes the risk of data subject complaints, fosters trust with individuals and demonstrates your commitment to protecting their personal information. Remember, a data-centric culture that prioritizes data privacy is not only legally compliant but also builds stronger relationships with your customers and stakeholders.

 

5. Conclusion

Vietnam's PDPD empowers individuals with control over their personal data and the right to lodge complaints if they believe their rights have been violated. This article explored the potential steps involved in resolving data subject complaints and provided recommendations for organizations to minimize the risk of such complaints. By understanding the complaint resolution process, organizations can prepare for potential investigations and ensure their data handling practices are compliant with the PDPL. Implementing robust data governance, training employees on data privacy, and responding promptly to data subject requests are crucial steps in achieving compliance.

Furthermore, maintaining clear and transparent communication with individuals regarding their data fosters trust and demonstrates your commitment to data privacy. Prioritizing data privacy isn't just about legal compliance; it's about building stronger relationships with data subjects and fostering a culture of trust within your organization.

If you have any further questions or require more specific guidance on implementing these practices, consulting with a legal professional specializing in Vietnamese data privacy law is highly recommended. Remember, a data-centric approach that prioritizes individual rights is key to navigating the evolving landscape of data privacy regulations in Vietnam.

If you need further explanation on this subject, please don't hesitate to contact us through email at lienhe@luatminhkhue.vn or phone at: +84986 386 648. Lawyer To Thi Phuong Dzung.