Vietnam's Draft Personal Data Protection Law: A Leap Towards Stricter Safeguards
01/10/2024 09:00
On 24 September 2024, the Ministry of Public Security of Vietnam (MPS) released a Draft Personal Data Protection Law (Draft PDPL) for public consultation. While the Draft PDPL shares many similarities with Decree No.13/2023/ND-CP of the Government dated 17 April 2023 on personal data protection (Decree 13), the Draft PDPL introduces more stringent requirements to strengthen the legal framework for personal data protection. In this legal update, we will highlight notable new provisions under the Draft PDPL.
1. Extended scope of application
Compared to Decree 13, the Draft PDPL explicitly extends its scope to include agencies, organisations and individuals that collect and process personal data of foreigners within the territory of Vietnam.
2. Introduction of new concepts
The Draft PDPL introduces several new concepts, such as [IT] developers relating to personal data protection, personal data protection organisations (PDP Service Organisations), personal data protection experts (PDP Experts), organisations certifying eligibility for personal data protection (PDP Certification Organisations), organisations providing credit ranking service on personal data protection (PDP Credit Ranking Organisations), etc.
3. Tighter consent rules
The Draft PDPL explicitly prohibits including conditions that require data subjects to consent to the transfer of their personal data for services unrelated to the original purposes of data collection.
Additionally, the Draft PDPL establishes that the parent company, its subsidiaries, and each entity within a group are independently responsible for the protection of personal data. Consent provided to a parent company does not automatically extend to its subsidiaries, and vice versa.
4. Detailed regulations for personal data protection in specific sectors
The Draft PDPL presents new data protection requirements applicable to various activities, including big data processing, artificial intelligence (AI), cloud computing, employee supervision and recruitment, finance and banking, health and insurance, execution of contracts with data subjects, location data, social media and over-the-top services, and biometrics.
These new requirements are essential to protect human rights in an increasingly digital landscape. For instance, in the field of AI, organisations are required to inform data subjects about the processing of their personal data through automated systems and provide clear explanations of how algorithms and AI technologies may impact upon the rights and legitimate interests of data subjects. The Draft PDPL also clarifies the responsibilities of cloud service providers in personal data protection: for example, these providers must disclose information about their data protection personnel and departments when handling sensitive personal data, and they shall also comply with regulations on preparing personal data processing impact assessment dossiers.
Notably, the provisions on employee supervision and recruitment explicitly permit the use of technological and technical measures to monitor employees, provided that specific rules are followed. These rules include, among others, that employers are required to transparently disclose information about the monitoring measures, technologies employed, and the nature of the monitoring in the personal data processing impact assessment dossiers, and that employees must be informed of and consent to such monitoring. These provisions effectively address a gap present in Decree 13, which does not specify the use of technological measures for employee monitoring.
5. New regulations regarding the use of personal data in business activities
The Draft PDPL introduces new regulations in Chapter IV governing business activities relating to personal data protection, which would result in new administrative procedures to qualify and approve the implementation of the relevant business activities in the future. Specifically, it introduces new business activities related to personal data protection (PDP Related Services) as follows:
(i) PDP Service Organisation: an organisation which has satisfied certain conditions, including but not limited to, having at least one (1) PDP Expert who has obtained a certificate of eligibility for technological and/or legal capacity (as the case may be), can submit an application dossier to the relevant authority to obtain the approval for providing the services of a PDP Service Organisation – that is to be designated as a personal data protection department by the personal data controller, the personal data controller and processor, the third party, the transferor of personal data of Vietnamese citizens abroad, the recipient of personal data of Vietnamese citizens (collectively, the Relevant Parties), as the case may be.
Under the Draft PDPL, it appears that PDP Service Organisations are required to be involved in the processing and transferring of personal data of Vietnamese citizens abroad of the Relevant Parties (except for micro-enterprises, small enterprises, medium-sized enterprises, and startups within two (2) years upon establishment). If this is the case, it would create a burden for enterprises when they need to engage the PDP Service Organisations for the relevant activities.
(ii) PDP Certification Organisation: an organisation, which satisfies certain conditions under the Draft PDPL, can submit an application dossier to the relevant authority to obtain the approval for providing the services relating to assessing, inspecting, confirming, and granting the relevant eligibility certificates to the PDP Service Organisations and PDP Experts.
(iii) PDP Credit Ranking Organisation: an organisation, which satisfies certain conditions under the Draft PDPL, can submit an application dossier to the relevant authority to obtain the approval for providing services relating to assessing, examining, confirming, and rating the level of creditworthiness of an entity regarding personal data protection such as PDP Service Organisations, providers of personal data processing services, personal data controller, personal data controller and processor.
(iv) Providers of personal data processing services are also required to obtain the relevant approval for providing these services under the Draft PDPL.
The requirements, application dossiers, and timeline in relation to the licensing procedures to obtain approvals for providing PDP Related Services are expressly outlined under the Draft PDPL. At this stage, it is unclear how the Government would further elaborate these provisions to regulate the business activities of the PDP Related Services providers.
6. Application dossiers for data processing impact assessment and transfer of personal data abroad (Application Dossiers)
Under the Draft PDPL, the application dossiers for data processing impact assessment must include the information of the PDP Organisation and the PDP Expert, rather than only the information of the organisation or individual assigned to perform personal data protection tasks as required by Decree 13. The application dossier for transfer of personal data of Vietnamese citizens abroad also requires the same.
Furthermore, in comparison to Decree 13, the Draft PDPL requires the inclusion of two (2) additional documents in the application dossiers for data processing impact assessment, i.e. the description and assessment of the current state of compliance with legal regulations on personal data protection and the credit rating document for personal data protection.
Notably, the Draft PDPL offers greater clarity than Decree 13 by specifying that personal data is considered to be transferred abroad in the following circumstances:
(i) sharing personal data with recipients outside the territory of the Socialist Republic of Vietnam;
(ii) sharing personal data at conferences, seminars, meetings, or discussions held abroad;
(iii) sending documents or emails containing personal data to recipients located outside the territory of the Socialist Republic of Vietnam;
(iv) publishing personal data on the internet in a manner that allows individuals outside the territory of the Socialist Republic of Vietnam to access it;
(v) providing personal data to organisations, enterprises, or individuals for the purpose of conducting business activities;
(vi) supplying personal data to fulfill legal obligations abroad or in accordance with the laws of the host country.
It is required under the Draft PDPL that the Application Dossiers must be updated every six (6) months and immediately updated in specific circumstances (e.g., upon the merger or dissolution of the company, change of PDP Organisation, PDP Experts, etc.).
7. Templates for relevant request/notification/assessment applications
The Draft PDPL is silent on the forms included in the personal data processing impact assessment dossier and personal data transfer impact assessment dossier. Therefore, it remains unclear whether or not, upon the enactment of the Draft PDPL, the existing forms under Decree 13 would still be used, or if the MPS would issue a new decree to provide these forms, or if there would be no standard forms for related requests/notifications/assessment applications.
The Draft PDPL is expected to be finalised and take effect from 1 January 2026. Though there is no explicit provision in the current Draft PDPL indicating that it will replace Decree 13, we expect that it will. Given that this is only the initial version of the Draft PDPL, it is common practice for multiple revisions to be released following feedback from relevant stakeholders before the final version is completed.
This material provides only a summary of the subject matter covered, without the assumption of a duty of care by Frasers Law Company.
The summary is not intended to be nor should be relied on as a substitute for legal or other professional advice.