Vietnam’s Personal Data Protection Decree: Overview, Key Takeaways, and Context
Author: Kat MH Hille
The following is a guest post to the FPF blog from Kat MH Hille, an attorney with expertise in corporate, aviation, and data protection law. She graduated with a J.D. from the University of Iowa, School of Law, and has extensive experience practicing law in both the United States and Vietnam (contact: https://www.linkedin.com/in/katmhh/). The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.
On April 17, 2023, the Vietnamese Government promulgated the Decree of Personal Data Protection (Decree), which was initially published as a draft on February 9, 2021 and went through several revisions. Before the Decree’s issuance, personal data protection in Vietnam was governed by 19 different laws and regulations, resulting in a fragmented legal framework. The Decree aims to fill these gaps and provide a comprehensive and uniform approach to personal data protection in Vietnam, extending safeguards for personal data to over 97 million people.
This post provides an overview of the Decree, including key dates, context, legal effects, and requirements, and how they compare with other comprehensive data protection regimes around the world. Building on this foundation, it then examines certain key provisions and notable features of the Decree that warrant attention, including:
- A prohibition on the sale and purchase of personal data through any means unless otherwise permitted by law.
- The recognition of “Personal Data Controllers and Processors” as a distinct legal entity, with a mixed nature.
- A strict purpose limitation principle that doesn’t allow for other uses of personal data than for the “registered purposes”.
- Location data, creditworthiness, and financial data are protected as sensitive data, among other categories.
- The Decree does not include “legitimate interests” among the lawful grounds for processing personal data, but it includes a permission related to personal data made public through legal means.
- A specific clarification that silence or lack of response from the data subject does not constitute valid consent.
- Increased transparency notices about personal data processed for advertising and marketing purposes.
- Access requests require hefty documentation from data subjects, but they must be responded to within 72 hours – so do correction and deletion requests.
- Data Transfer Assessments and a registration with the competent authority are requirements for all cross-border data transfers.
- The lack of a prescriptive list of fines and sanctions.
- Enforcement entrusted to an existing Government agency.
These provisions will be discussed in detail below.
The Decree is significant despite its lower status in Vietnam’s hierarchy of laws
As personal data protection is a new and developing area of law in Vietnam, Vietnam’s first legislative instrument on personal data protection takes the form of a “decree,” which is ranked lower in Vietnam’s statutory hierarchy than a code or law, and it is the result of executive action. A benefit of enacting a decree is that it can be done so more easily, without the need for approval from the National Assembly. Nevertheless, the Vietnamese Government’s goal is to ultimately enact a comprehensive and robust law for effective and enforceable personal data protection in 2024, according to a Decision issued by the Prime Minister in January 2022.
However, the Decree’s status means that in the event of conflicting regulations on the same issue, codes and laws would take precedence over the Decree. That said, the Decree remains the first comprehensive personal data protection regulation in Vietnam. Despite its lower legal status, the Decree still carries significant weight and impact in regulating personal data protection in Vietnam, and those who fail to comply with its provisions will still face legal consequences.
The Decree incorporates a unique blend of global standards and Vietnamese characteristics
Like other data protection laws inspired by the European Union (EU)’s General Data Protection Regulation (GDPR), the Decree sets out the responsibilities of organizations and individuals that process personal data, as well as the rights of individuals over their personal data.
However, the Decree also includes unique provisions that are specific to Vietnam’s context, such as a prohibition on the sale and purchase of personal data through any means, unless otherwise provided by law (Article 3.4), which may have significant consequences on the activity of data brokers and other businesses engaged in commodification of personal data. Additionally, organizing the collection, transfer, purchase, or sale of personal data without the consent of the data subject or the act of establishing software systems, as well as implementing technical measures for these purposes constitutes a violation of the Decree.
The Decree introduces the concept of “Personal Data Controllers and Processors,” which are entities or individuals that function both as Personal Data Controllers and Personal Data Processors. This definition is unique to the Decree and distinguishes it from other data protection laws around the world that typically only recognize the separate categories of Personal Data Controllers and Personal Data Processors. While the inclusion of Personal Data Controllers and Processors is meant to provide greater clarity and precision in defining the roles and responsibilities of different actors involved in personal data processing, it may actually add unnecessary complexity to the already complex landscape of privacy laws. This is because a single entity could be classified as both a Personal Data Controller and a Personal Data Processor depending on the specific definition being used, making it difficult to navigate and comply with the requirements of different privacy laws across different jurisdictions.
Further, the enacted Decree does not include a specific fine structure for violation of the Decree (the 2021 draft of the Decree proposed specific fines for single violations of the Decree, including fines of up to 5% of a personal data processor’s revenue for the most serious violations). Rather, the enacted Decree outlines a general provision that violators may be subject to disciplinary action, administrative penalties, or criminal prosecution, depending on the seriousness of the offense.
Furthermore, compared with the 2021 draft of the Decree, the final Decree does not provide for the establishment of a personal data protection commission to enforce the regulation. Rather, the Decree assigns responsibility for enforcing its requirements to an existing agency within the Ministry of Public Security (MPS), the Cybersecurity and High-Tech Crime Prevention Department (A05).
While MPS will need to clarify key provisions in subsequent regulations, the Decree creates the first comprehensive foundation to govern data processing activities in Vietnam. The Decree will take effect on July 1, 2023, giving organizations only two months to make the necessary adjustments to their business and operations in order to comply with the new regulations. Significant aspects of the Decree are explored below in greater detail.
2. The (extra)territorial scope introduces a nationality criterion for covered entities
The Decree applies to Vietnamese agencies, organizations, and individuals (whether based within or outside of Vietnam), and to foreign agencies, organizations, and individuals that are either based in Vietnam or that are based overseas and directly participate in or are otherwise involved in personal data processing activities in Vietnam.
Note that “personal data processing” covers a wide range of activities in relation to personal data, including collection, recording, analysis, verification, storage, alteration, disclosure, combination, access, retrieval, erasure, encryption, decryption, copying, sharing, transmission, provision, transfer, and deletion, as well as other related actions (Article 2.7).
There is still ambiguity as to the distinction between being “involved in” and “directly participating in” personal data processing activities, as well as the level of involvement with such activities that would bring a party within the scope of the Decree. Clarity on these issues through further regulations or guidance would be useful, especially considering that many third-party service providers or software vendors may arguably have some involvement in processing personal data.
3. The Decree recognizes a slightly different set of covered actors than other data protection laws
The Decree covers four categories of parties who process personal data:
- “Personal Data Controllers” (PDCs) are organizations or individuals that determine the purposes and means of personal data processing. Personal Data Controllers have the most obligations under the Decree.
- “Personal Data Processors” (PDPs) are organizations or individuals that process personal data on behalf of a Personal Data Controller under a contract or agreement with the Personal Data Controller.
- “Personal Data Controllers and Processors” (PDCPs) are organizations or individuals that are simultaneously Personal Data Controllers and Personal Data Processors.
- “Third Parties” (TPs) are any organization or individual authorized to process personal data other than Data Subjects, Personal Data Controllers, Personal Data Processors, or Personal Data Controllers and Processors.
In recognizing a distinction between controllers and processors, the final Decree removes ambiguity that was present in the 2021 draft of the Decree, which only provided for two categories of actors: personal data processors and third parties.
4. New processing principles, such as “no sale and purchase of personal data by any means”
The Decree outlines eight principles that govern data processing activities, which are similar to those recognized by the GDPR, including lawfulness, transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, and appropriate measures to ensure the security of personal data. However, there are some notable differences.
Sale or Purchase of Personal Data: The Decree takes a more stringent stance than the GDPR by explicitly prohibiting the sale and purchase of personal data in any form, unless otherwise permitted by law. However, another provision in the Decree states that the act of “setting up software systems, technical measures or organization of the … purchase and sale of personal data without the consent of the data subject” is a violation (Article 22). Read together, the two provisions appear to imply that the purchase or sale with consent from the data subject could be permissible. Due to its ambiguity, further clarification is needed.
This stringent prohibition is a direct response to the numerous cases of personal data misuse that have occurred in Vietnam in recent years, including identity theft, financial fraud, intrusive advertising, and the exploitation of vulnerable individuals. A report showed that in 2022 alone, more than 17 million pieces of personal data were illegally harvested and sold for fraud and each personal data entry has been traded 987 times per day. However, the inclusion of a strict prohibition may conversely have a significant impact on industries that rely heavily on the use of personal data to drive innovation and business growth. It is possible that future circulars or guidelines may provide more clarity on this issue, including potential exceptions or allowances for certain use cases.
Notwithstanding this broad prohibition, PDCs and PDCPs may still share personal data with others if they obtain the data subject’s consent to do so, except when such sharing could harm national defense, national security, or public order and safety or could affect the safety or physical or mental health of others (Article 14). However, business entities and individuals providing marketing, product launching, and advertising services may only utilize personal data of their customers collected through their own business activities for conducting such services, if they obtain the data subject’s consent (Article 21).
Purpose Limitation: The Decree imposes a stricter purpose limitation compared to the GDPR, which allows for additional processing if it is compatible with the original purpose. Under the Decree, personal data can only be processed for the specific purposes that have been “registered” or “declared” by the PDC, PDP, PDCP, or TP. This requires these entities to ensure that their data processing activities do not deviate from or expand upon the registered and declared purposes. However, it is important to note that the Decree does not provide any guidance on how processing purposes are to be registered.
5. Covered data: broad definition of sensitive personal data, and stricter accountability rules for its processing
The Decree provides a broad definition of personal data, aligned with other comprehensive data protection laws. It defines personal data as any information that is expressed in the form of symbol, text, digit, image, sound or in similar forms in an electronic environment that is associated with a particular natural person or helps identify a particular natural person. Personally identifiable information means any information that is formed from the activities of an individual and, when used with other maintained data and information, can identify such particular natural person.
The Decree categorizes personal data into two groups: basic personal data and sensitive personal data, and includes an additional set of rules for the latter.
Basic personal data includes the following forms of personal data:
- A person’s name(s);
- A person’s date of birth, death, or having gone missing;
- A person’s gender;
- A person’s place of birth or residence;
- A person’s nationality;
- An image of an individual;
- A number associated with a person, such as a telephone number or a number in an official document, such as an identity card number, driver’s license number, etc.;
- A person’s marital status;
- Information about a person’s family relationships;
- Information about the individual’s online accounts or activities; and
- Any other types of personal data that do not qualify as sensitive personal data.
Sensitive personal data is defined as personal data related to an individual’s privacy, a breach of which would directly affect the individual’s legitimate rights and interests.
The Decree provides a non-exhaustive list of types of personal data that would be considered sensitive, including:
- A person’s political or religious views;
- Information about a person’s health status or private life that is included in a person’s medical record (other than information about a person’s blood type);
- Information relating to a person’s racial or ethnic origin;
- Information about inherited or acquired genetic characteristics of an individual;
- Information about an individual’s physical attributes and biological characteristics;
- Information about an individual’s sex life or sexual orientation;
- Data about crimes and offenses that are collected and stored by law enforcement agencies;
- Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations;
- Information about the location of an individual that has been obtained through location services; and
- Any other information that is subject to legal requirements to implement specific security measures.
The list of sensitive personal data provided is more extensive than the GDPR’s definition of sensitive personal data. It includes types of data such as customer information from financial institutions and location data obtained through location services. As non-cash transactions and targeted advertising become increasingly prevalent in Vietnam, these types of data are frequently collected by most businesses. As a result, a wider range of entities, including small and medium businesses, may be subject to sensitive personal data protection requirements due to the broad scope of the list.
The Decree imposes more stringent protection measures for sensitive personal data than for basic personal data. For instance, regulated entities that process sensitive personal data must specifically notify data subjects of any processing of their sensitive personal data. Organizations that are covered by the Decree also must designate a department within their organization and appoint an officer which will be responsible for overseeing the protection of sensitive personal data and communicating with the A05.
Nevertheless, it is important to note that small, medium, and start-up enterprises are given a grace period of 2 years from their establishment to comply with these sensitive data requirements, unless such enterprises are directly engaged in processing personal data (Article 43). To qualify for the exemption, companies in agriculture, forestry, aquaculture, industrial, and construction sectors must have fewer than 200 employees and annual revenue below 200 billion Vietnamese dong (equivalent to approximately 8.7 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD), while commercial and service sector companies must have fewer than 100 employees and annual revenue below 300 billion Vietnamese dong (approximately 13 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD) in accordance with Decree No. 80/2021/ND-CP (2021) on Elaboration of Articles of the Law on Provision of Assistance for Small and Medium Enterprises.
6. Legal bases for processing personal data: no “legitimate interests,” but introducing “publicly disclosed” personal data
The Decree recognizes six legal bases for processing personal data, namely:
- Where valid consent for processing personal data is obtained from the data subject;
- In cases of emergency where personal data must be processed immediately to protect the life or health of the data subject or others;
- Where the personal data is publicly disclosed in accordance with the law;
- Where a competent state agency processes personal data:
- In a state of emergency relating to national defense and security, social order and safety, major disasters, or dangerous epidemics;
- When there is a risk of threat to national security and defense that has not yet reached the level of declaring a state of emergency; or
- To prevent and combat riots, terrorism, crimes, and violations of the law;
- Where personal data is processed to fulfill contractual obligations of the data subject with relevant agencies, organizations, or individuals as provided by law; and
- Where personal data is processed to serve the operations of state agencies as prescribed by specialized laws.
Additionally, under Article 18 of the Decree, competent governmental agencies may obtain personal data from audio and video recording activities in public places without the consent of data subjects. However, when conducting recording activities, the authorized agencies and organizations are responsible for informing data subjects that they are being recorded.
Notably, the Decree does not provide a “legitimate interests” lawful ground like the GDPR. Nevertheless, legitimate interests are recognized in other provisions of the Decree. In particular, Article 8 stipulates “Prohibited Acts,” including processing personal data to create information that affects the “legitimate rights and interests of other organizations and individuals”.
As for “valid consent”, there are several conditions that must be met when obtaining it, pursuant to Article 11 of the Decree:
- The consent must be freely given and fully informed.
- The consent must be explicitly and specifically expressed. This can be done in writing, orally, or through other clear actions, such as checking a consent box, sending a text message, or selecting technical consent settings. The consent must also be given in a format that can be printed, copied, or verified, meaning that it must be able to be saved and documented for future reference.
- When making a request for consent, the PDC and the PDCP must list out the types of personal data, the purposes for which consent is sought, organizations and individuals processing personal data and the rights and obligations of data subjects. The consent applies only to the specific purpose(s) stated. This language suggests that catch-all consent to all purposes is not allowed.
- Furthermore, partial or conditional consent is allowed, but silence or lack of response from the data subject does not constitute valid consent. This appears to preclude implied or deemed forms of consent.
- Consent for processing the personal data of a missing or deceased person may be obtained from the person’s spouse, children, or parents. If none of these individuals are available, valid consent cannot be obtained (Article 19).
The given consent remains valid until it is withdrawn by the data subject or until a competent state agency requests otherwise in writing. PDCs and PDCPs bear the burden of proof in case of a dispute regarding the lack of consent from a data subject.
Data subjects may request to withdraw their consent to processing of their personal data (Article 12). When a data subject does so, the PDC or PDCP must inform the data subject of any potential negative consequences or harms from the withdrawal of consent.
If the data subject still wishes to proceed, all parties involved in processing the personal data, including the PDC or PDCP and any PDPs or TPs, must cease processing the personal data. There is no set time frame for fulfilling this obligation, but it should be done within a reasonable period of time.
The withdrawal of consent must be in a format that can be printed, copied in written form, or verified electronically. The withdrawal of consent shall not render unlawful any data processing activities that were lawfully performed based on the consent given prior to the withdrawal.
7. The rights of the data subject include transparency and control rights, but also rights to legal remedies
Article 9 of the Decree provides data subjects with 11 rights over their personal data, which are linked to corresponding obligations on entities that process personal data:
- Right to be informed about the processing activities involving their personal data.
- Right to consent or withhold consent to the processing of their personal data.
- However, if a data subject chooses to provide consent for the processing of their personal data, the data subject is responsible for ensuring that any information provided is accurate and complete (Article 10).
- Right to access their personal data in order to view, correct, or request correction of the data.
- Right to withdraw consent to the processing of their personal data.
- Right to delete their personal data or request that such data be deleted.
- Right to restrict processing of their personal data by request.
- Right to be provided with a copy of their personal data or port their personal data to another entity.
- Right to object to use or disclosure of their personal data for advertising and marketing purposes.
- Right to make complaints and denunciations and/or commence legal action according to law.
- Right to claim damages according to law where data subjects’ rights under personal data protection regulations have been violated, unless parties agree to the contrary, or as otherwise provided by law.
- Right to request orders for protection of their rights under relevant provisions of the Civil Code, the Decree, and other laws. Available orders under Article 11 of Vietnam’s Civil Code include termination of the violating act, public apology or rectification, performance of civil obligations, compensation, or reversal of a violating decision.
Note that all of these rights are subject to exceptions provided by the Decree or other relevant laws.
7.1. Transparency requirements include detailed notices and access rights on a tight deadline
According to Articles 11 and 13, before processing a data subject’s personal data, a PDC or PDCP must provide a notification to the data subject containing the following information:
- The types of personal data being processed;
- The purpose(s) for processing the data;
- The means of processing data;
- The organizations or individuals involved in processing of the data;
- The data subject’s rights and obligations under the Decree;
- Potential consequences and harms from processing;
- The duration of processing, including the start and end dates; and
- Where personal data is processed for advertising and marketing purposes, the content, method, form, and frequency of product marketing (Article 21).
However, such notification is not required when personal data is being processed by a competent state authority or if the data subjects have been fully informed of, and have given valid consent to, the processing of their personal data.
Data subjects have the right to request that PDCs and PDCPs provide them with a copy of their personal data or share a copy of their personal data to a third party acting on their behalf (Article 14). The PDC or PDCP must fulfill such a request within 72 hours of receiving it.
The request must be submitted in the Vietnamese language and made in a standardized format as set out in the Appendix to the Decree. The request must include the requester’s full name, residential address, national identification number, citizen identification card number, or passport number; fax number, telephone number, and email address (if any); and the form of access and the reason and purpose for requesting the personal data. The data subject must also specify the name of the document, file, or record to which their request pertains (Article 14.6). This requirement can impose a significant burden on data subjects, as they may not always be fully aware of which documents or records contain their personal data. Additionally, the complexity of data processing can further complicate matters and make it difficult for the data subject to identify the relevant documents.
It is important to note that, unlike the GDPR, the Decree does not require a PDC or PDCP to provide data subjects with comprehensive information about the processing of their personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
Moreover, there are certain circumstances in which a PDC or PDCP are not required to provide the data subject with a copy of their personal data. These include where:
- Such provision may threaten national defense, national security, or social order and safety;
- Such provision may endanger the safety, physical, or mental health of others; or
- The data subject has not given consent for the disclosure or authorized a representative to receive their personal data.
7.2. The Decree provides for an absolute right to object to processing, as well as correction and deletion rights
A PDC or PDCP must promptly fulfill a data subject’s request to access their personal data, correct their personal data, or have their personal data corrected, according to Article 15.
The PDP and any third party shall be authorized to edit the personal data of the data subject only after obtaining written consent from the PDC and PDCP and ensuring that the data subject has given their consent.
If the PDC or PDCP is unable to fulfill the request due to technical or other reasons, the PDC or PDCP must notify the data subject within 72 hours.
If a data subject requests that the processing of their personal data be restricted or otherwise objects to the processing of their personal data, the PDC or PDCP must respond to the request within 72 hours of receiving it (Article 9).
One important difference between this requirement and the one in the GDPR is that the Decree does not provide any exceptions to this requirement. Under the GDPR, a controller may be able to demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or may be able to claim that they need the data for the establishment, exercise, or defense of legal claims.
According to Article 16, the PDC or PDCP must delete personal data about a data subject within 72 hours of a request by the data subject, if:
- The personal data is no longer necessary for the purpose to which the data subject consented;
- The data subject withdraws consent for processing of the personal data;
- There is no lawful reason to continue processing the personal data;
- The personal data is processed for a purpose other than one to which the data subject has consented, or is otherwise processed unlawfully; or
- Deletion of the personal data is required by law.
Personal data shall be deleted irretrievably by the PDC, PDCP, PDP, and/or TP if it was processed for improper purposes or the consented purpose(s) has been fulfilled, if storage is no longer necessary, or if the entity responsible for the data has dissolved or terminated business operations due to legal reasons.
Like the GDPR, the Decree recognizes certain exceptions to the right to delete personal data, such as where:
- The law prohibits deletion of the personal data;
- Continued processing of the personal data is necessary for legal, statistical, or scientific research purposes; or
- The personal data is processed by a competent government agency for lawful purposes or in emergency situations that threaten life, health, or safety.
However, unlike the GDPR, personal data that has been lawfully made available to the public is also exempt from the right to deletion (Article 18). As a result, the PDC or PDCP may reject a data subject’s request to delete personal data that has become public, regardless of whether there are any other lawful grounds for retaining such data. This differs from the GDPR, which does not provide exceptions based solely on the public availability of data.
8. Obligations of Controllers and Processors, from written processing agreements to data security and accountability obligations
PDPs are under an obligation to only receive personal data from a PDC after signing an agreement on data processing with the PDC and only process the data within the scope of that agreement (Article 39). The Decree also provides that personal data must be deleted or returned to the PDC upon completion of the data processing.
8.1. Data security and data breach notification requirements
The Decree has dedicated data security requirements for PDCs. For instance, Article 38 asks them to implement organizational and technical measures, as well as appropriate security and confidentiality measures to ensure that personal data processing activities are conducted lawfully. They also need to review and update these measures as necessary, and record and store a log of the system’s personal data processing activities.
Appropriate security measures are also relevant in the PDC – PDP relationship, as PDCs must select a suitable PDP for specific tasks and only work with a PDP that has appropriate protection measures in place. Interestingly, both PDCs and PDPs have a distinct obligation to cooperate with the MPS and competent state agencies by providing information for the investigation and handling of any violations of the laws and regulations on personal data protection. Organizations and individuals involved in personal data processing must implement measures to protect personal data and prevent unauthorized collection of personal data from their systems and service devices. Article 22 of the Decree also prohibits the use of software systems, technical measures, or the organization of activities for the unauthorized collection, transfer, purchase, or sale of personal data without the consent of the data subject.
Under Article 23 of the Decree, in the event of a violation of personal data protection regulations, both the PDC and the PDP, or PDCP, are required to promptly inform the A05. The notification must be made no later than 72 hours after the violation occurred. If the notification is delayed, the reason for the delay must be provided. The current wording in the Decree is broad and without further clarifications and guidance it could be interpreted as meaning a notification is required for any violation of the Decree, not just for data breaches.
The notification must include a detailed description of the violation, such as the time, location, act, organization or individual involved, types and amount of personal data affected, contact details of those responsible for protecting personal data, potential consequences and damages of the violation, and measures taken to resolve or minimize harm. If it is not feasible to provide a complete notification at once, it can be done incrementally or progressively.
However, Decree 13 does not provide a specific procedure for A05 to handle complaints related to personal data protection violations. Further guidance or clarifications may be issued in the future.
8.2. “Impact Assessment Reports” that have to be made available for inspection
Article 24 of the Decree requires PDCs and PDCPs to compile an impact assessment report (IAR) from the commencement of personal data processing and make the report available for inspection by the A05 within 60 days thereafter.
The IAR must contain:
- Information and contact details of the PDC or PDCP and its data protection officer(s);
- Details of the types of personal data being processed and the purpose for doing so;
- Identities of recipients of the data (including those outside of Vietnam);
- The circumstances of any cross-border data transfers of the data;
- A description of measures implemented to protect the data;
- The time frame for processing and deletion of data; and
- An evaluation of the impact and potential risks associated with the processing of personal data.
PDPs are also required to compile an IAR. However, the required content is slightly different, reflecting the difference in roles between PDCs/PDCPs and PDPs. For instance, the Decree requires a PDP to provide a description of the processing activities and types of personal data processed, rather than stating the purpose(s) for processing the data.
9. Cross-Border Data Transfers have a legal definition and a registration requirement
Article 25 of the Decree defines a cross-border transfer of personal data as:
- The transfer of personal data of Vietnamese citizens to a location outside of Vietnam; or
- The use of a location outside of Vietnam to process the personal data of Vietnamese citizens.
This definition includes the:
- Transfer of personal data to overseas organizations for processing; and
- Processing of personal data using automated systems located outside of Vietnam (note that Article 2.13 of the Decree defines automated personal data processing as the electronic processing of personal data to analyze, evaluate, and predict the behaviors, habits, preferences, reliability, tendencies, capacities, and locations of an individual).
In the absence of further specification and relying on a literal reading of the wording in Article 25, a possible interpretation of this definition is that processing outside of Vietnam the personal data of Vietnamese citizens who live outside Vietnam would also qualify as a cross-border data transfer under the Decree. If this interpretation is correct, it would mean that all foreign organizations or individuals processing personal data outside of Vietnam would be subject to the Decree’s “cross-border data transfer” requirements even if there is no actual border of Vietnam involved, insofar as they process the personal data of Vietnamese citizens. It should be noted that the scope of the Decree, as stipulated in Article 1.2, only applies to foreign agencies, organizations, and individuals that are in Vietnam or that directly participate or are involved in the personal data processing activities in Vietnam. This ambiguity may be clarified in a guidance document in the future.
Before a covered entity may transfer personal data out of Vietnam, the Decree requires that the entity must:
- Undertake a data transfer assessment (DTA);
- Apply to the A05 by submitting a copy of the DTA together with a form specified in the Decree to the Department within 60 days from the date of processing;
- Provide further information to the A05 if the application is incomplete or if any information is incorrect; and
- Notify the Department after the data transfer has taken place successfully.
The DTA must contain the following information:
- Information and contact details of the transferrer and receiver of the personal data of Vietnamese citizens;
- The full name and contact details of the organization and/or individual that is in charge of the transferrer;
- Descriptions and explanations of the purposes for the transfer;
- Descriptions and clarification of the type of personal data to be transferred;
- The measures applied to comply with the Decree’s requirements to protect personal data;
- Assessment of the impact of personal data processing, the potential consequences and damage, and measures to reduce or eliminate such risk or harm;
- Details of the consent of the data subject given with a clear understanding of the feedback mechanism and complaint procedures available in the event of incidents or requests; and
- A binding contract between the transferrer and the receiver specifying the responsibilities of the parties involved regarding the personal data processing.
In light of the consent disclosure required as part of the DTA and in the absence of further regulatory guidance, it seems that consent is the only basis for cross-border transfers. In addition to all requirements for a valid consent, in the context of cross-border transfers, the consent shall include a clear explanation of the feedback mechanism and the available procedures for lodging complaints in the event of incidents or requests, ensuring a comprehensive understanding for the individuals involved.
The MPS will conduct inspection of the DTA annually unless a violation, data incident, or leakage occurs. The MPS may cease transfers in cases where:
- Personal data is found to be used for activities that violate national interests and national security;
- The transfer fails to comply with requirements for the DTA; or
- Loss or leakage of the personal data of Vietnamese citizens occurs.
It should be noted that data localization is separately governed under Decree No. 53/2022/ND-CP, which implements the Law on Cybersecurity. The decree applies to both domestic and foreign companies operating in Vietnam’s cyberspace, specifically those providing telecom, internet, and value-added services that collect, analyze, or process private information or data related to their service users. According to the decree, these companies must store the data locally and have a physical presence in Vietnam. They are also required to retain the data for a minimum of 24 months. The types of personal data subject to localization include “(i) personal information of cyberspace service users in Vietnam in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual; (ii) data generated by cyberspace service users in Vietnam, including account names, service usage timestamps, credit card information, email addresses, IP addresses from the last login or logout session, and registered phone numbers linked to accounts or data; (iii) data concerning the relationships of cyberspace service users in Vietnam, such as friends and groups with whom these users have connected or interacted.” (Article 26, Decree 53). The governing authority responsible for these regulations is A05 as well.
However, it remains unclear from the provided information whether personal data falling within the scope of Decree 53 can be transferred cross-border after fulfilling all requirements, including obtaining valid consents from data subjects. It is possible that the regulations are strictly interpreted to prohibit cross-border transfers for such types of data.
10. Specific Requirements for Children’s Personal Data
Like the GDPR, Article 20 of the Decree provides special protection for children’s personal data, with a focus on safeguarding their rights and best interests. However, the age threshold for obtaining valid consent differs between the two laws. In Vietnam, the Decree requires the consent of a parent or legal guardian and of children aged seven or older, while the GDPR only allows individuals over 16 to give consent independently for processing of their personal data.
It is important to note that in Vietnam, children under the age of 16 are not considered to have legal capacity, meaning that they cannot legally enter into contracts on their own behalf except in exceptional cases. As such, the effect of the child’s consent absent that of a parent or legal guardian is not entirely clear, although the requirement to obtain consent from the child was likely included in the Decree to reflect the child’s opinion on the processing of their personal data.
PDCs, PDPs, PDCPs, and TPs must verify the age of children before processing their personal data. However, the Decree does not explicitly provide an age verification process. Processing of children’s personal data must cease, and the personal data must be deleted irretrievably, where:
- The processing is not for a purpose covered by valid consent;
- The purpose for processing the personal data has been completed;
- The child’s parent or legal guardian withdraws their consent for processing of the child’s data; or
- There is a request to do so from a competent state authority that can provide sufficient evidence that the processing has a negative impact on children’s rights and interests.
The Decree states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data, leaving it unclear whether the child can revoke their consent and have their data deleted if they wish to do so.
Vietnam’s new Decree on Personal Data Protection marks a significant milestone in protecting personal data in the country. The Decree introduces key concepts and principles of personal data protection, and sets out specific requirements for data processors and controllers. It also establishes a regulatory framework for obtaining consent for data processing activities, cross-border data transfers, and children’s data protection, which can contribute to safeguarding the privacy and security of individuals’ personal data.
While the Decree addresses many of the current challenges facing personal data protection in Vietnam, there are still gaps that need to be addressed in forthcoming guiding documents, including the lack of a specific procedure for handling complaints related to personal data protection violations, the conflicting provisions on the sale of personal data, the impact of cross-border data transfers together with clear guidelines and requirements for such transfers, and a more defined fine structure. Guidance should also be provided on automated processing, and regulations should be established for biometric data. As Vietnam continues to develop its data protection laws, it is important for the law to address key issues such as automated personal data processing, biometrics or facial recognition, global data transfer baseline standards, and the need to balance business development with data protection.
In conclusion, the country’s commitment to personal data protection and privacy is a crucial step in the digital age. As Vietnam continues to strengthen its data protection framework, it will be interesting to see how it aligns with, and how it contributes to emerging frameworks in the region and around the world.
Editors: The success of this article would not have been possible without the dedicated efforts of Dominic Paulger, Josh Lee Kok Thong, and Isabella Perera, as well as the tremendous encouragement of Dr. Gabriela Zanfir-Fortuna from the Future of Privacy Forum.