1. Governing Texts

Vietnam's personal data protection landscape has undergone a significant shift with the introduction of Decree 13/2023/ND-CP (PDPD). This decree serves as the cornerstone for data privacy regulations in the country, but it doesn't exist in isolation. Before the PDPD, a complex web of laws addressed personal data, albeit in a fragmented manner. Understanding these governing texts provides context for the PDPD and highlights its role in unifying data protection practices.

Pre-Decree Landscape: A Patchwork of Regulations

Personal data protection wasn't entirely absent before the PDPD. Several existing laws offered scattered protections. These included:

  • The Civil Code 2015: Established the right to privacy and personal secrets as fundamental rights.
  • The Law on Cyber Information Security No. 24/2018/QH14: Focused on data security measures for online information systems.
  • Sectoral Laws: Specific industries like telecommunications and finance had their own data protection regulations.

This fragmented approach created inconsistencies and challenges in enforcing data privacy. The PDPD aims to address these issues by providing a unified framework.

The PDPD: A Centralized Authority

The PDPD supersedes the previous fragmented regulations, establishing a clear and comprehensive set of data protection principles. It incorporates best practices from existing laws and international standards. Key aspects of the PDPD include:

  • Broadened Scope: The PDPD applies to both domestic and foreign entities processing personal data in Vietnam or involving Vietnamese citizens' data.
  • Clear Definitions: The PDPD defines personal data (basic and sensitive) and processing activities, providing clarity for organizations.
  • Legal Bases for Processing: The decree outlines lawful reasons for processing personal data, such as consent, contractual necessity, and public interest.
  • Data Subject Rights: Individuals have the right to be informed, access, and rectify their personal data.

Interplay with Other Laws

The PDPD doesn't entirely negate the role of existing laws. Some regulations, particularly those related to data localization and mandatory physical establishment requirements, are addressed in Decree 53/2022/ND-CP. Understanding the interplay between the PDPD and these supplementary decrees is crucial for ensuring compliance.

 

2. Scope of Application

The PDPD represents a significant leap forward in Vietnam's data privacy landscape. One of its defining features is its broad scope of application, encompassing a wide range of actors and activities related to personal data processing. Understanding this scope is crucial for organizations and individuals alike.

Beyond Borders: Reaching Domestic and Foreign Entities

The PDPD transcends geographical limitations. It applies to the following entities, regardless of their location:

  • Vietnamese Organizations and Individuals: This includes businesses, government agencies, and Vietnamese citizens within or outside Vietnam.
  • Foreign Entities Operating in Vietnam: Foreign companies with a physical presence in Vietnam and processing personal data there fall under the PDPD's purview.
  • Foreign Entities Processing Vietnamese Data: Even without a physical presence in Vietnam, foreign companies processing the personal data of Vietnamese citizens are subject to the PDPD's regulations.

This extensive reach reflects Vietnam's commitment to protecting the privacy of its citizens' data, regardless of where it's processed.

Who is Impacted? Data Controllers, Processors, and Data Subjects

The PDPD doesn't just target specific organizations. It defines various roles within the data processing ecosystem:

  • Data Controllers: Entities that determine the purposes and methods of personal data processing (e.g., social media platforms collecting user data).
  • Data Processors: Entities that process data on behalf of a controller (e.g., cloud storage providers).
  • Data Subjects: Individuals whose personal data is being processed (e.g., users on social media platforms).

By clearly defining these roles and their respective obligations under the PDPD, the decree promotes accountability and transparency in personal data handling.

What is Considered Personal Data?

The PDPD moves beyond simply protecting names and addresses. It defines personal data as electronic information that can identify a natural person, either alone or combined with other data. This definition encompasses:

  • Basic Personal Data: Includes name, date of birth, address, phone number, and ID numbers.
  • Sensitive Personal Data: More private data categories like political opinions, religious beliefs, medical information, and biometric information.

The PDPD imposes stricter requirements for processing sensitive personal data compared to basic information.

 

3. Key Definitions

Decree 13/2023/ND-CP, or the Personal Data Protection Decree (PDPD), introduces a comprehensive framework for safeguarding personal information in Vietnam. Understanding the key definitions within the PDPD is crucial for navigating its complex landscape. Let's delve into some of the most important terms:

  • Personal Data: The PDPD defines personal data as information stored electronically that can be used to identify a specific individual. This information can exist in various forms, including symbols, text, numbers, images, or sounds. The key factor is that the data, alone or combined with other data, can pinpoint a particular person.
  • Basic Personal Data: This category encompasses commonly collected information like name, date of birth, phone number, email address, and identification numbers. These details are typically used for purposes like customer identification, account management, and service delivery.
  • Sensitive Personal Data: The PDPD recognizes a category of data deemed more private and requiring stricter safeguards. This includes information related to an individual's political opinions, religious beliefs, health records, biometric data (fingerprints, facial recognition), and information about their sexual orientation or union membership.

Beyond Data: The PDPD also defines key roles within the data processing ecosystem:

  • Data Controller: The entity that determines the purpose and methods for processing personal data. This could be a social media platform collecting user data or a bank storing customer information.
  • Data Processor: An entity that processes personal data on behalf of a controller. For instance, a cloud storage provider might be considered a data processor for a company that stores customer data on their platform.
  • Data Subject: The individual whose personal data is being processed. In the social media platform example, the users would be considered data subjects.

Understanding these roles and how they interact is essential for ensuring compliance with the PDPD. Data controllers hold the primary responsibility for ensuring lawful processing, while data processors must adhere to the controllers' instructions and implement appropriate security measures. Data subjects have specific rights under the PDPD, such as the right to access and rectify their personal information.

 

4. Legal Bases for Processing

Vietnam's Personal Data Protection Decree (PDPD) regulates how organizations can collect, use, and store personal information. A crucial aspect of this regulation is the concept of "legal bases for processing." These bases essentially provide legitimate reasons for organizations to handle personal data.

Building Trust: Foundations for Processing

The PDPD outlines several legal bases that allow organizations to process personal data. These bases establish a foundation of trust between data controllers (those who determine how data is used) and data subjects (individuals whose data is processed). Here's a breakdown of the key legal bases:

  • Consent: This remains a cornerstone for processing personal data. Consent must be freely given, informed (subjects understand what data is collected, how it's used, etc.), and specific for the intended processing purpose. The PDPD emphasizes verifiable consent, meaning organizations must be able to demonstrate that consent was obtained.
  • Contractual Necessity: In some cases, processing personal data may be essential for fulfilling contractual obligations. For example, an online store may need to collect billing and shipping information to deliver products.
  • Legal Obligations: Organizations are sometimes required by law to collect and process personal data. This could involve tax regulations or legal proceedings where data is required as evidence.
  • Legitimate Interests: The PDPD recognizes that organizations may have legitimate reasons to process personal data beyond specific contracts or legal mandates. However, these interests cannot override the fundamental rights and freedoms of data subjects. A strong justification for processing is crucial under this basis.

Balancing Interests: Considerations for Legitimate Interests

Relying on the "legitimate interests" basis requires careful consideration. The PDPD emphasizes a balancing test:

  • Purpose: The purpose for processing data must be legitimate and clearly defined. For instance, processing data for targeted advertising may be considered legitimate, while processing data for unrelated marketing campaigns might not be justified.
  • Necessity: There should be no other less intrusive way to achieve the same purpose. Organizations must demonstrate that processing personal data is truly necessary.
  • Data Subject's Rights: The processing should not excessively impact the data subject's privacy rights. Organizations must demonstrate a fair balance between their interests and the individual's right to privacy.

Additional Bases: Public Interest and Vital Interests

The PDPD also acknowledges situations where processing personal data serves a broader public interest or protects vital interests:

  • Public Interest: Processing data for national security, disaster relief, or public health initiatives may be justified under this basis.
  • Vital Interests: Protecting the life or health of a data subject or another individual may necessitate processing personal data without consent.

 

5. Key Principles in Vietnam's PDPD

The PDPD of Vietnam establishes a robust framework for safeguarding personal information. Underpinning this framework are eight core principles that guide the processing of personal data. These principles ensure transparency, accountability, and respect for individual privacy.

  • Lawfulness: Personal data processing must have a legal basis as defined by the PDPD (consent, contractual necessity, etc.). Organizations cannot collect or use personal data without justification.
  • Transparency: Data subjects have the right to be informed about how their data is being processed. This includes the purpose of processing, the categories of data collected, and the entities involved. Organizations must provide clear and accessible information.
  • Purpose Limitation: Personal data can only be processed for the specific purposes outlined at the time of collection. Organizations cannot use data for purposes unrelated to the initial justification.
  • Data Minimization: The PDPD emphasizes collecting only the personal data necessary for the intended processing purpose. Organizations should avoid collecting excessive or irrelevant data.
  • Accuracy: The PDPD requires data controllers to take reasonable steps to ensure the accuracy and completeness of personal data. Data subjects have the right to rectify any inaccurate information.
  • Integrity and Confidentiality: Organizations must implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. Data confidentiality and integrity are paramount.
  • Storage Limitation: Personal data can only be stored for as long as necessary to fulfill the processing purpose. Organizations must have clear data retention policies and securely delete data upon reaching the retention limit.
  • Accountability: The data controller ultimately bears responsibility for ensuring compliance with the PDPD principles. This includes demonstrating compliance through documentation and data processing records.

Aligning with International Standards

These principles closely resemble those established in other major data privacy regulations like the EU's General Data Protection Regulation (GDPR). This alignment reflects Vietnam's commitment to international best practices in personal data protection.

Impact on Organizations

Understanding these core principles is crucial for organizations operating in Vietnam. By adhering to these principles, organizations can:

  • Build trust with data subjects.
  • Minimize the risk of data breaches and regulatory sanctions.
  • Foster a transparent and accountable data processing environment.

 

6. Controller and Processor Obligations

The Personal Data Protection Decree of Vietnam establishes a shared responsibility model for safeguarding personal data. This model assigns specific obligations to both data controllers (who determine how data is used) and data processors (who process data on behalf of controllers). Understanding these obligations is crucial for ensuring compliance with the PDPD.

Data Controllers: In the Driver's Seat

Data controllers hold the primary responsibility for ensuring personal data is processed lawfully and ethically. Their obligations include:

  • Transparency: Data controllers must inform data subjects about the processing activities, the purpose of processing, and the categories of data collected.
  • Legal Basis: Controllers must have a valid legal basis (consent, contract, etc.) for processing personal data.
  • Security: Implementing appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction is a key responsibility.
  • Data Subject Rights: Controllers must fulfill data subjects' rights, such as the right to access, rectify, and erase their personal data.
  • Data Processing Records: Maintaining records of processing activities, including the purpose, data categories, and recipients, is crucial for demonstrating compliance.
  • Data Protection Impact Assessments (DPIAs): Controllers must conduct DPIAs to assess the risks associated with processing certain types of personal data (e.g., sensitive data).
  • Appointing a Data Protection Officer (DPO): For organizations processing sensitive data or high volumes of personal data, appointing a DPO is necessary to oversee data protection compliance.

Data Processors: Working Within the Framework

While not as extensive as controller obligations, data processors also have essential responsibilities:

  • Compliance with Controller Instructions: Processors must process data only according to the controller's documented instructions.
  • Security Measures: Processors are required to implement appropriate technical and organizational measures to ensure data security.
  • Sub-processors: If a processor intends to engage sub-processors, they must obtain the controller's prior consent.
  • Data Breach Notification: Processors must notify the controller promptly if they experience a data breach.
  • Returning or Erasing Data: At the end of the processing service or upon controller instruction, processors must return or erase personal data unless legal retention obligations exist.

Shared Accountability: A Collaborative Approach

The PDPD emphasizes a collaborative approach between controllers and processors. Controllers should select processors with a strong track record of data security and ensure their contracts clearly outline processing activities and responsibilities. Processors should maintain open communication with controllers and promptly address any concerns regarding data handling practices.

Consequences of Non-Compliance

Failure to comply with the PDPD's obligations can result in significant consequences for both controllers and processors. These may include administrative fines, corrective orders, and even suspension of business activities.

 

7. Conclusion

Vietnam's Personal Data Protection Decree (PDPD) marks a significant step forward in safeguarding personal information within the country. The decree establishes a comprehensive framework built upon a foundation of existing laws and international best practices. By delineating the scope of application, key definitions, legal bases for processing, and core principles, the PDPD provides a clear roadmap for organizations and individuals navigating the evolving data privacy landscape.

The shared responsibility model, assigning distinct obligations to data controllers and processors, fosters accountability and transparency throughout the data processing ecosystem. Furthermore, the PDPD empowers data subjects with control over their personal information through clearly defined rights. While challenges remain, such as ensuring compliance across sectors and effectively enforcing the regulations, the PDPD signifies Vietnam's commitment to protecting its citizens' data privacy in the digital age. By fostering collaboration between organizations, regulators, and individuals, Vietnam can build a robust data governance environment that promotes responsible data practices and empowers a thriving digital economy.

If you need further explanation on this subject, please don't hesitate to contact us through email at lienhe@luatminhkhue.vn or phone at: +84986 386 648—lawyer To Thi Phuong Dzung.