PERSONAL DATA PROTECTION

In response to the growing importance of personal data protection in the digital age, Vietnam enacted a comprehensive legal framework, with Decree 13/2023/ND-CP of 17 April 2023 (“Decree 13”) laying the groundwork. The related legal framework is still under development: a draft Decree on administrative sanctions in the field of cybersecurity (“Draft Decree”) and the draft Law on Data have garnered significant attention and received various opinions.

This Brochure provides an overview of the key aspects of personal data protection, the current situation regarding its implementation, and the key highlights of the Draft Decree, to help businesses and individuals navigate this evolving legal landscape.

Specific provisions on prohibited acts:

Decree 13 stipulates prohibited acts including processing personal data in violation of legal provisions, especially actions that generate information and data against the State, affecting national security, social order, and the legitimate rights of other organizations and individuals.

Organizations and individuals engaged in marketing and advertising services may only use personal data with the explicit consent of the data subjects. Data processing must ensure that customers are fully informed about the content, method, and frequency of product introductions.

Points for Enterprises to Note:

  • Data Subjects are entitled to request Data Controllers/Data Processors/Data Controllers cum Processors to provide, correct, or delete their personal data.
  • Data processing requires notification and consent from the data subject, except in special cases such as emergencies related to national defense, disease, or disaster.
  • Consent must be presented in a form that can be printed and copied in writing, including electronic or verifiable formats. Decree 13 also specifically requires that the Data Subject's consent be expressed clearly in text, by voice, by ticking a consent box, by a consent syntax sent via text message, by selecting technical consent settings, or by any other action that expresses the same.
  • Silence or failure to respond by the Data Subject cannot be deemed consent.
  • Enterprises are among the main subjects targeted by Decree 13 in the implementation of personal data processing activities. Under Decree 13, businesses need to pay attention to several administrative procedures, including:
      • Assessment of Personal Data Processing Impact;
      • Assessment of Cross-border Transfer of Personal Data (for enterprises involved in transferring data abroad);
      • Notification of Violations of Personal Data Protection (if any are found).
  • The specialized agency responsible for personal data protection is the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security. This department is tasked with assisting the Ministry of Public Security in implementing state management of personal data protection.

Current Situation of Personal Data Protection’s Implementation

Since Decree 13 took effect, organizations and individuals have become aware of the requirements and implications of this Decree for their compliance systems. However, understanding of how to apply these requirements is still at an early stage, and the need to turn awareness into action is becoming more pressing, since the Draft Decree on Administrative Sanctions and the Draft Law on Data will soon take effect and the management mechanism of the competent state agencies will become more complete and stricter.

Additionally, establishing the infrastructure necessary for compliance, such as appointing Data Protection Officers and implementing technical measures, has been a challenge for some organizations, especially small and medium-sized enterprises. Small and medium-sized enterprises will need to evaluate and revise their current processes to meet the requirements of Decree 13 on personal data management. This includes ensuring the rights of data subjects and filing the applications for Assessment of Personal Data Processing Impact and, where data is transferred abroad, Assessment of Cross-border Transfer of Personal Data.

Implementing the requirements of Decree 13 requires significant resources, both in terms of time and financial investment, which some organizations may find burdensome. Some businesses face challenges in investing in technology and training human resources while developing internal personal data processing procedures. Furthermore, businesses will face risks related to personal data protection mechanisms and be subject to sanctions from the competent authorities.

Key Highlights of the Draft Decree

The Draft Decree will regulate administrative violations, the forms and levels of sanctions and the remedial measures for each violation, the persons subject to sanctions, the authority to make records and impose sanctions, and the specific fines for administrative violations in the field of cybersecurity.

Expected administrative violations in the field of cybersecurity will be divided into five groups:

  • Violations of regulations on ensuring information security.
  • Violations of regulations on personal data protection.
  • Violations of regulations on preventing and combating cyber-attacks.
  • Violations of regulations on implementing cybersecurity protection activities.
  • Violations of regulations on preventing and combating the misuse of cyberspace, information technology, and electronic means to violate laws on social order and safety.

With respect to violations of regulations on personal data protection, the Draft Decree lists certain acts corresponding to the obligations under Decree 13, such as failing to obtain the consent of data subjects, failing to give notification of personal data processing, failing to delete and destroy data, failing to issue internal regulations on personal data protection as required by law, and violating personal data protection rules in marketing services, product introductions, and advertising; first-time violations may lead to a monetary fine of up to VND 200 million. Non-compliance such as (i) failing to submit an application for assessment of personal data processing impact or (ii) failing to submit an application for assessment of cross-border transfer of personal data within the statutory period may be subject to fines ranging from VND 140 million to VND 200 million.

Notably, the Draft Decree also stipulates aggravating circumstances and the corresponding monetary sanctions. For example, (i) failing to submit an application for assessment of personal data processing impact or (ii) failing to submit an application for assessment of cross-border transfer of personal data within the statutory period may not only be fined up to VND 200 million but also:

  • Be fined 02 times that amount if the violation results in the disclosure or loss of personal data, or the transfer of personal data, of from 100,000 to fewer than 1,000,000 Vietnamese citizens.
  • Be fined 05 times that amount if the violation results in the disclosure or loss of personal data, or the transfer of personal data, of from 1,000,000 to fewer than 5,000,000 Vietnamese citizens.
  • Be fined 3% to 5% of the total revenue of the previous fiscal year in Vietnam for acts of disclosing, losing, or transferring the personal data of more than 5,000,000 Vietnamese citizens.

Besides the monetary sanctions, the remedial measures below may apply:

  • Deprivation of the right to use licenses for business lines requiring personal data collection for a period of 01 month to 03 months;
  • Confiscation of the exhibits and means used to commit the administrative violation;
  • Suspension or temporary suspension of personal data processing for a period of 01 month to 03 months;
  • Expulsion from the territory of the Socialist Republic of Vietnam for foreigners who commit violations.

Key Highlights of the Draft Law on Data

The draft Law on Data provides detailed regulations on building, developing, processing, and managing data; applying science and technology in data processing; the national consolidated database; the national data center; data products and services; state management of data; and the responsibilities of agencies, organizations, and individuals involved in data activities.

The draft Data Law also details data-related activities such as data collection, digitization, and creation; ensuring data quality; data classification; data storage; data combination, adjustment, and updating; data governance; data disclosure; data transfer abroad; and identifying and managing risks arising from data processing, terms that Decree 13 used without defining.

Conclusion

It is evident that the regulations concerning personal data protection are becoming increasingly stringent, necessitating that enterprises strictly adhere to personal data protection measures. Agencies, organizations, and individuals that violate personal data protection regulations can be subject to disciplinary action, administrative sanctions, or criminal prosecution depending on the severity of the violation. Accordingly, enterprises need to pay special attention, establish personal data protection measures, and prepare impact assessment reports in a timely manner as required by law.

Disclaimer

This Brochure contains only brief notes and includes legislation in force as of July 2024. The information herein is general and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one is entitled to rely on this information, and no one should act on such information without appropriate professional advice obtained after a thorough examination of the particular situation.

Contact us:

Nguyen Thi Quynh Nhu (Ms. Nhu)

Managing Partner

Email: nhu.ntq@erudituslegal.com

Website: www.erudituslegal.com