1. Understanding the Right to Erasure under PDPD

Vietnam's Personal Data Protection Decree (PDPD), implemented in July 2023, grants individuals significant control over their personal information. A key element of this control is the "right to erasure," empowering individuals to request the deletion of their personal data held by organizations. This right applies under specific circumstances outlined in the PDPD. Here's a closer look at these scenarios:

  • Withdrawal of Consent: If you, as a data controller, collect and process personal data based on an individual's consent, they have the right to withdraw that consent at any time. Following such withdrawal, they can request the erasure of their data. This reinforces the principle of user control over their information and ensures you only process data with the individual's explicit permission.
  • Unlawful Processing: The PDPD establishes strict guidelines for data processing activities. If an individual believes your processing of their data violates these guidelines (e.g., processing data beyond the originally stated purpose without legal justification), they can request erasure. This right safeguards individuals from unauthorized or unlawful data processing practices.
  • Fulfilled Processing Purpose: Data collection often occurs for a specific purpose, like completing a transaction or providing a service. Once that purpose has been fulfilled (e.g., after a purchase is completed), the individual has the right to request the erasure of their data. This ensures you don't retain personal information longer than necessary.
  • Objection to Processing: The PDPD acknowledges that individuals might have specific reasons to object to the processing of their data. For instance, they might object to targeted marketing campaigns based on their personal information. In such cases, the right to erasure might apply, requiring you to delete their data unless you can demonstrate compelling legitimate grounds for overriding their objection.

Understanding these circumstances empowers you, as a data controller, to anticipate potential erasure requests and implement procedures for handling them efficiently. It's also crucial to remember that the right to erasure is not absolute. The PDPD recognizes exceptions where you might not be obligated to fulfill an erasure request. We'll explore these exceptions in a later section.

 

2. Responding to Erasure Requests: A Step-by-Step Guide

Vietnam's PDPD empowers individuals with the right to erasure, but as a data controller, you also have specific obligations regarding how you respond to such requests. Here's a breakdown of the key steps to follow for a clear and compliant process:

1. Acknowledge Receipt:

  • Promptness is key. Upon receiving an erasure request, acknowledge receipt within a reasonable timeframe. This timeframe isn't explicitly defined in the PDPD, but aiming for a few business days demonstrates respect for the individual's rights and avoids unnecessary delays. An acknowledgment can be sent via email or another preferred communication channel.

2. Assess the Request:

  • Don't hit delete just yet. Carefully evaluate the legitimacy of the request based on the grounds for erasure outlined in the PDPD (covered in section 1). This might involve reviewing your internal data processing policies, the purpose for which the data was collected, and whether the individual's request falls under one of the four scenarios.

3. Communicate Your Decision:

  • Transparency is crucial. Inform the individual about your decision to either fulfill or reject the erasure request within a reasonable timeframe. This timeframe again isn't strictly defined, but following best practices for responding to data access requests is recommended. Aiming for a response within 30 days is a good benchmark.
  • Your communication should be clear and concise. Explain the reasons behind your decision, whether it's fulfilling the request based on a legitimate erasure ground or rejecting it due to a PDPD exception (which we'll cover later).

Here's an additional tip: If you reject the erasure request, consider explaining the individual's appeal rights. This demonstrates transparency and allows the individual to pursue further action if they believe your decision is incorrect.

By following these steps, you can establish a clear and efficient process for responding to erasure requests. Remember, promptness, communication, and transparency are key to building trust and ensuring compliance with the PDPD.

 

3. Exceptions to the Right to Erasure

The right to erasure under Vietnam's PDPD empowers individuals, but it's not absolute. The PDPD recognizes some exceptions where you, as a data controller, might not be obligated to fulfill an erasure request. Here's a closer look at these exceptions:

  • Compliance with Legal Obligations:
    • Certain laws or regulations might mandate that you retain personal data for a specific period. For instance, tax regulations might require you to retain financial transaction data for several years. In such cases, you can deny the erasure request while still fulfilling your legal obligations.
  • Public Interest Archiving:
    • The PDPD acknowledges the importance of data preservation for historical, scientific, or statistical purposes. If the individual's data is deemed necessary for archiving in the public interest, you can deny the erasure request. However, this doesn't grant you unrestricted access to the data. You might be required to anonymize the data by removing any personally identifiable information (PII) before using it for these purposes. This ensures the individual's privacy is protected while the data's historical or research value is preserved.
  • Other Legal Grounds:
    • The PDPD allows for some flexibility in specific situations. There might be other legal grounds where erasure might not be required, but these scenarios should be carefully assessed on a case-by-case basis. Consulting with a legal professional specializing in Vietnamese data privacy law is recommended if you encounter such situations.

It's important to remember that even when an exception applies and you deny an erasure request, you should still communicate your decision clearly to the individual. Explain the legal reasons behind your decision and, if applicable, outline the data retention period or the public interest purpose for which the data needs to be retained.

By understanding these exceptions, you can ensure you're responding to erasure requests in a way that balances the individual's right to privacy with your legal obligations and legitimate business interests.

 

4. Fulfilling an Erasure Request

If you've assessed an erasure request and determined it falls under a legitimate ground outlined in the PDPD, it's time to take action. Here's what fulfilling an erasure request entails:

  • Deletion from Your Systems: This is the core aspect. Implement appropriate measures to erase the individual's personal data from your IT systems and databases. The specific methods will depend on your data storage infrastructure, but it should involve permanently deleting all identifiable data points associated with the individual.
  • Third-Party Processors: If you involve third-party data processors in storing or handling the individual's data, you also need to take steps to ensure they erase the data from their systems. This might involve issuing clear instructions to the processors outlining the erasure request and your expectation for data deletion.

Here are some additional considerations for a comprehensive erasure process:

  • Data Backups: Personal data might also be present in backup systems. Ensure these backups are also updated to reflect the erasure request and remove the individual's data. However, data retention policies for backups might have specific requirements, so consult with your IT team to determine the most appropriate approach that keeps you compliant.
  • Audit Logs: Data deletion activities are often logged for auditing purposes. While the individual's personal data should be erased from the main operational systems, some anonymized data points might be retained within audit logs to demonstrate the erasure process was completed. This helps ensure accountability and demonstrates compliance in case of audits.

By following these steps, you can effectively fulfill erasure requests and ensure the individual's personal data is deleted from your systems and those of any involved third-party processors. Remember, thoroughness and attention to detail are crucial to ensure complete erasure and avoid inadvertent retention of personal data.

 

5. Response Timeframe

The Vietnamese PDPD doesn't explicitly define a strict timeframe for responding to erasure requests. However, establishing a clear and reasonable timeframe demonstrates respect for the individual's right to privacy and avoids unnecessary delays. Here's how to approach this aspect:

Drawing Guidance from Existing Practices:

The PDPD might not specify a timeframe for erasure requests, but it does outline timeframes for responding to data access requests. Referencing these established timeframes can provide a helpful guideline. For data access requests, the PDPD recommends a response timeframe of no later than 30 days from receipt of the request.

Prioritizing Efficiency and Transparency:

Aiming to respond to erasure requests within 30 days is a good benchmark. This timeframe allows you to conduct a proper assessment of the request's legitimacy while providing a prompt response to the individual.

Communicating Delays:

In some cases, fulfilling a complex erasure request within 30 days might not be feasible due to the nature of the data or the involvement of multiple third-party processors. If you anticipate a delay, communicate this clearly to the individual within the initial 30-day timeframe. Explain the reason for the delay and provide a revised timeframe for your response. Transparency throughout the process helps manage the individual's expectations and demonstrates your commitment to fulfilling the request.

It's important to remember that the timeframe is just one aspect. While a prompt response is essential, prioritizing a thorough assessment to ensure you're fulfilling legitimate requests and complying with exceptions is equally important.

 

6. Conclusion

The right to erasure under Vietnam's PDPD empowers individuals to take control of their personal data privacy. As a data controller, understanding your obligations for responding to erasure requests is crucial for ensuring compliance with the PDPD and building trust with individuals. By establishing clear procedures for handling erasure requests, implementing verification measures to confirm the requester's identity, and adhering to reasonable timeframes, you can demonstrate your commitment to data privacy rights. Additionally, maintaining clear documentation of erasure requests and your responses is essential for audit purposes.

If you encounter complex situations or uncertainties during the erasure process, consulting with a legal professional specializing in Vietnamese data privacy law is highly recommended. Their guidance can ensure you navigate the legal nuances and fulfill erasure requests effectively while safeguarding your organization's interests.

Remember, the right to erasure is just one aspect of a comprehensive data privacy compliance strategy. Staying informed about evolving data privacy regulations and best practices is essential for building a strong data privacy posture in Vietnam's dynamic legal landscape. By prioritizing transparency, accountability, and respect for individual rights, you can foster trust with stakeholders and navigate the path toward successful PDPD compliance.

If you need further explanation on this subject, please don't hesitate to contact us by email at lienhe@luatminhkhue.vn or by phone at +84986 386 648. Lawyer To Thi Phuong Dzung.