On April 17, 2023, Vietnam issued its long-awaited, first-ever comprehensive data privacy law, Decree No. 13/2023/ND on the Protection of Personal Data (Decree). The Decree will take effect on July 1, 2023, without any transition period. All Vietnamese and foreign businesses located in Vietnam or carrying out data processing activities in Vietnam must comply with the Decree.
The issuance of the Decree follows an extensive and protracted series of public consultations and numerous rounds of review of its proposed text since the release of a first draft in February 2021. The final text of the issued Decree is currently only available in the Vietnamese language.
To Whom Does the Decree Apply?
The Decree applies to: (i) any Vietnamese agency, organization or individual; (ii) any foreign agency, organization or individual in Vietnam; (iii) any Vietnamese agency, organization or individual operating abroad; and (iv) any foreign agency, organization or individual that processes personal data in Vietnam.
What Types of Data Are Covered by the Decree?
The Decree distinguishes between “basic personal data” and “sensitive personal data”. Specifically, basic personal data includes an individual’s: (i) full name, middle name and birth name and any other name (if any); (ii) date of birth and the date on which they might have become deceased or became missing; (iii) gender; (iv) place of birth, place of birth registration, place of permanent or temporary residence, hometown, contact address; (v) nationality; (vi) image; (vii) phone number, national identification numbers, medical insurance card number; (viii) marital status; (ix) family relationship details (such as their parents and/or children); and (x) digital account details and online activities.
In contrast, sensitive personal data is any personal data that, when violated, will directly affect an individual’s legitimate rights and interests, including their: (i) political views, religious views; (ii) health status, medical records (excluding blood type); (iii) racial or ethnic origin; (iv) inherited or acquired genetic characteristics; (v) physical attributes and biological characteristics; (vi) sex life, sexual orientation; (vii) criminal records; (viii) information held by credit institutions, foreign banks, payment intermediary service providers, and other authorized organizations; and (ix) location data identified through location services.
What Principles Does the Decree Set Forth?
The Decree is centered around eight principles for personal data processing, namely: (i) lawfulness, (ii) transparency, (iii) purpose limitation, (iv) data minimization, (v) accuracy, (vi) integrity, confidentiality, and security, (iv) storage limitation, and (viii) accountability.
What Rights Do Data Subjects Have?
Under the Decree, data subjects are accorded the right, subject to applicable law, to: (i) know how their personal data is being processed; (ii) consent to their data being processed; (iii) access their data (where access must be granted within 72 hours from the request being received) and have their data corrected (where any reason for not correcting data in accordance with a request must be given to the data subject within 72 hours from their request); (iv) withdraw their consent; (v) have their data deleted; (vi) restrict or object to data processing (and their request must be complied with no later than 72 hours from the receipt of request); (vii) bring complaints, initiate lawsuits and claim damages for contraventions of the Decree.
In relation to access requests, these must be written in Vietnamese, and must contain the requesting individual’s: (i) full name, residential address, national identification number, and contact details; (ii) data that is to be provided and format; and (iii) reasons for the request.
Are There Specific Requirements for Consent and Notice to be Valid?
A number of unique provisions are relevant to the provision of consent by data subjects. For instance, consent must be expressed in a format that can be printed, reproduced in writing, including in electronic or verifiable formats. Any silence or the lack of a response by a data subject does not constitute consent. However, the Decree explicitly recognizes that partial or conditional consent can be valid. For any processing of sensitive personal data, the data subject must be informed that their data to be processed is sensitive personal data.
In a similar vein, the Decree prescribes that notices to data subjects must meet certain content requirements, such as any consequences or damage that the data subject might not expect, but are likely to occur, as well as the start and end times of the processing.
Are There Mandatory Breach Reporting Requirements?
Yes. If an organization detects a breach of any of the Decree’s provisions, it must notify the Ministry of Public Security, Department of Cybersecurity and High-Tech Crime Prevention (AO5) within 72 hours after the violation occurs, using a prescribed Form No. 03 which is an Appendix to the Decree. An explanation must accompany any late notification. The notification must include: (i) a description of the nature of the breach, including its time, place, nature, parties involved, and types and volume of personal data affected; (ii) the contact details of a data protection officer; (iii) the possible consequences from the breach; and (iv) any remedial measures taken. Such notification may be made in phases.
Is There a Requirement to Conduct an Impact Assessment?
Yes, and this must include: (i) information on and the contact details of controller and processor (if any); (ii) the full names and contact details of the controller’s and processor’s data protection officers; (iii) purposes of the data processing; (iv) types of data being processed; (v) recipients of the data, including those outside of Vietnam; (vi) any outbound transfers of data from Vietnam; (vii) the period of time in which the data is processed and when it will be deleted; (viii) a description of security measures applied to protect the data; and (ix) an assessment of the benefits of processing the data, any risks or harms, and measures taken to mitigate such risks or harms.
Such assessments must be available for inspection and evaluation by the Ministry of Public Security and an original sent to the AO5 in the form specified as Form No. 04 in the Appendix to the Decree within 60 days from the date of processing of the data. Changes also must be notified to these bodies using Form No. 05 in the Appendix to the Decree.
What Are the Requirements or Restrictions for Transferring Personal Data Overseas From Vietnam?
A transfer impact assessment must be done for outbound transfers of personal data from Vietnam that must include: (i) the full contact details of each of the exporter and importer and any other parties involved in the transfer; (ii) the objectives of the transfer; (iii) the types of personal data being transferred; (iv) the security measures applied for the protection of the data; (v) an assessment of the impact of such processing and any measures taken to mitigate any risks or harms; and (vi) the consent of data subjects and any feedback or complaint mechanisms available to them. The Decree also requires that there be a legally binding document that sets out the exporter’s and importer’s responsibilities with respect to the transfer of data from Vietnam overseas.
These documents must be submitted in their originals to the AO5 using Form No. 06 in the Appendix to the Decree within 60 days from the date of processing of the data. The exporter also must notify the same Ministry department by text once the data transfer has taken place.
The Ministry of Public Security has powers to stop transfers of personal data out of Vietnam where: (i) the data is used for activities that violate the interests and national security of Vietnam; (ii) the transfer requirements in the Decree are not complied with; or (iii) to prevent any unintended disclosure or loss of personal data of Vietnamese citizens.
Other Noteworthy Provisions
There are special provisions for data processing related to marketing and advertising. Specifically, these activities require the data subject’s consent and, provided that such data subject knows what the products are and the content, method, format and frequency of such advertising or marketing.
The Decree stipulates that Vietnam will develop an international cooperation mechanism to facilitate the effective enforcement of personal data protection laws and participate in mutual legal assistance in the protection of personal data of other countries, including potential investigation assistance and information exchange with other authorities.
There appear to be certain duties that the Decree imposes on data subjects, such as having to protect their own personal data, respecting the data of others, and participating in the prevention and combating any contraventions of the Decree.
What Are the Repercussions of Contravening the Decree?
If an organization violates the Decree, it may be subject to disciplinary action, administrative sanctions or criminal penalties, based on regulations to be issued under the Decree.
What Does This Mean for Your Business?
Suffice it to say, as this is the republic’s first comprehensive privacy law that will apply to all manner of personal data processing in Vietnam, the Decree will undoubtedly have considerable and wide-reaching implications on companies that have operations or a business presence in Vietnam. What is particularly important is that the implementation date of July 1, 2023, without any grace period does not give much time for affected businesses to prepare for compliance. The rigorous impact assessments and cross-border transfer documentation required by the Decree are especially significant, as they will likely take substantial time to prepare. Therefore, it is strongly recommended that if you are a business that is impacted by this new law act, you should act expediently in complying with the Decree ahead of the July 1 deadline. Should you require assistance or support, please contact the author of this blog post or your relationship partner at SPB.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.