New decree on Personal Data Protection

PrintMailRate-it
Vietnam has issued a new decree on Personal Data Protection - Decree No. 13/2023/ND-CP on the Protection of Personal Data was issued on 17 April 2023 (“PDPD”), and took effect on July 1, 2023. The PDPD applies to both local and foreign entities that collect and/or process personal data of individuals residing in Vietnam or being Vietnamese nationals. 
    
  • SCOPE OF APPLICATION: It applies to both local and offshore entities that handle personal data of individuals residing in Vietnam or Vietnamese nationals; 
  • BROAD DEFINITION OF PERSONAL DATA: The PDPD defines personal data broadly to include any forms of information that can be used to identify an individual. It also classifies personal data into two categories: general personal data and sensitive personal data;
  • PRINCIPLES: The PDPD sets out principles for Personal Data Protection, which follow a similar approach like the data protection principles stipulated in the EU's General Data Protection Regulation (the "GDPR"): Lawfulness, Individuality, Transparency, Minimization, Data Quality, Limited Use, Security and Confidentiality and Accountability; 
  • VALID CONSENTS: Companies handling per-sonal data should obtain valid consents. This means that companies must obtain a documented consent of the individual before collecting or using their personal data. The consent must be freely given, specific, informed, and unambiguous. The data subject's silence or non-response is not considered as a “consent”;
  • MANDATORY REQUIREMENTS TO CONDUCT THE IMPACT ASSESSMENT: The PDPD also re-quires companies that handle personal data to conduct Impact Assessments of their data processing activities, including for any transfers of relevant Data out of Vietnam. These assessments must be submitted to the Ministry of Public Security and the Department of Cybersecurity and Hi-tech Crime Prevention;
  • MANDATORY REQUIREMENTS TO CONDUCT THE TRANSFER IMPACT ASSESSMENT: For outbound transfers of personal data from Vietnam, a transfer impact assessment must be carried out. These assessments must also be submitted to the Ministry of Public Security and the Department of Cybersecurity and Hi-tech Crime Prevention.
  • More detailed implementation and enforcement regulations are not yet available, but it seems likely that companies violating the provisions of the PDPD may be fined up to 5 percent of their annual turnover
   

What to do: 

Companies that process personal data should review their policies and procedures to comply with the new regulation.  This includes ensuring that they have a process for obtaining valid consents, conducting Impact Assessments, Transfer Impact Assessment, as well as protecting per-sonal data from unauthorized access, use, disclosure, or destruction.

From The Newsletter

Contact

Contact Person Picture

Hanh Pham

Associate Partner

+84 28 7307 2788

Send inquiry

Skip Ribbon Commands
Skip to main content
Deutschland Weltweit Search Menu