The Draft Proposal on the Request for the Development of a Decree on Personal Data Protection by the Ministry of Public Security in 2020 states that Vietnam is one of the countries with the most extensive development and utilization of the Internet in the world. The number of Internet users in Vietnam has exceeded 64 million, accounting for over two-thirds of the population (66%), representing an increase of over 19% compared to 2018, and ranks 13th in the world in terms of the number of users. Due to the urgent need to manage, ensure protection, and address violations of laws regarding personal information, the Government of Vietnam has emphasized the importance of establishing a legal framework to regulate and enforce these objectives. On April 17, 2023, the Vietnamese Government officially approved the first-ever decree on personal data protection in its history, namely Decree No. 13/2023/NĐ-CP (“the Decree”).
The scope of regulation regarding this Decree includes individuals and organizations both within and outside the country directly involved in or related to the processing of personal data in Vietnam.
Some important points mentioned in this Decree are as follows:
The Decree introduces several new definitions
Personal data is classified into two categories: basic personal data and sensitive personal data.
Basic personal data includes: (i) full name, (ii) date of birth, (iii) gender, (iv) place of birth, contact address; (v) nationality; (vi) individual image; (vii) phone number, personal identification number; (viii) marital status; (ix) information about family relationships; (x) information about the individual’s digital accounts; personal data on the Internet; (xi) other information that is related to a specific individual or that helps identify a specific individual.
Sensitive personal data includes (i) political and religious opinions; (ii) health status and private information recorded in medical records; (iii) racial or ethnic origin; (iv) inherited or acquired genetic characteristics of an individual; (v) personal physical attributes, biological characteristics; (vi) personal life, sexual orientation; (vii) criminal data; (viii) personal location data; (ix) customer information of credit institutions/branches of foreign banks/intermediary payment service providers and other authorized organizations.
At the same time, the Decree classifies the relevant entities regarding personal data as follows:
- “Data Controller” is an organization or individual that determines the purposes and means of processing personal data.
- “Data Processor” is an organization or individual that processes personal data on behalf of the Data Controller through a contract or agreement.
- “Data Controller and Processor” refers to organizations or individuals that simultaneously determine the purposes and means of processing and directly process personal data.
- “Third-Party” refers to organizations or individuals outside the above-mentioned entities who are authorized to process personal data.
The Decree specifies several prohibited actions related to personal data
- Processing personal data in violation of legal provisions;
- Processing personal data to create information or data that is against the Socialist Republic of Vietnam;
- Processing personal data to create information or data that affects national security, social order and safety, and the legitimate rights and interests of other organizations and individuals.
Based on the prohibited actions above, it is evident that Vietnamese law focuses particularly on the processing of personal data by entities. Therefore, after this Decree comes into effect, “Data Processors,” “Data Controllers and Processors,” and “Third Parties” authorized to process personal data will need to exercise greater caution in their activities and ensure strict compliance with this Decree. Their responsibilities are more significant than those of other regulated entities under this Decree.
The consent of the data subject
According to the Decree, the consent of the data subject is only valid and recognized when the data subject gives it voluntarily and fully understands the following: (i) the types of personal data being processed; (ii) the purposes of processing the personal data; (iii) the organizations or individuals processing the personal data; (iv) the rights and obligations of the data subject.
Furthermore, Article 11.3 of the Decree states that for consent to be recognized, it must be clearly and specifically expressed in writing, orally, by ticking a consent box, through a consent message, selecting technical settings for consent, or through another action that demonstrates consent.
Importantly, Article 11.6 of the Decree emphasizes that silence or non-response by the data subject should not be considered consent. This is a new and notable point as, in other legal contexts, silence or non-response within a certain time limit can be deemed as consent, particularly in commercial transactions.
In addition, the Decree also specifies certain cases where the processing of data can be carried out without the consent of the data subject. Article 17 of this Decree stipulates the following cases of non-consensual processing of data:
- In cases of an emergency requiring immediate processing of relevant personal data to protect the life or health of the data subject or others;
- The public disclosure of personal data as regulated by law;
- The processing of data by competent state agencies in urgent situations related to national defense, national security, social order and safety, major disasters, or dangerous epidemics; situations where there is a risk to the security or national defense that do not amount to the declaration of a state of emergency; and prevention and control of riots, terrorism, crimes, and violations of the law;
- To fulfill contractual obligations between the data subject and relevant organizations, agencies, or individuals;
- To serve the activities of state agencies as stipulated by specialized laws.
Transfer of personal data abroad
In cases where the entities specified in this Decree need to transfer personal data abroad, the Data Transferring Party shall be responsible for the following:
- Prepare a dossier for assessing the impact of transferring personal data abroad.
- Ensure that the dossier for assessing the impact of transferring personal data abroad is always available to serve the inspection and evaluation activities of the Ministry of Public Security. Simultaneously, submit one original copy of the dossier to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) using Form 06 in the Appendix of this Decree within 60 days from the date of processing the personal data.
- After a successful data transfer, the Data Transferring Party shall send a notification to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) containing information about the data transfer and contact details of the responsible organization or individual in writing.
- If it is discovered that (a) the transferred personal data is used in activities that violate the interests or national security of the Socialist Republic of Vietnam, (b) the Data Transferring Party does not comply with the provisions of paragraphs 5 and 6 of this Article, or (c) the transfer results in incidents of disclosure or loss of personal data of Vietnamese citizens, the Ministry of Public Security has the right to request the Data Transferring Party to cease the transfer of personal data abroad.
Effective Date
The Decree will take effect from July 1, 2023. Except for data processing companies and large enterprises, small, medium-sized, and startup enterprises will have the option to be exempted from appointing individuals and departments responsible for personal data protection within two years from the date of establishment. As can be seen, the purpose of this Decree is primarily to address the inappropriate activities and business plans of data processing companies and the methods of handling, managing, and controlling internal data of large enterprises currently operating in Vietnam.
However, it is difficult to predict and ensure whether all businesses in the market will comply with this Decree, considering the relatively high costs and efforts required to meet its requirements. This will be even more challenging for long-established businesses that already have a stable organizational structure. On the other hand, it is believed that this Decree will ultimately bring positive impacts to the operations of large businesses both within and outside the country.
Overall, we can expect a more standardized and predictable business environment where everyone can be assured that their personal information will be protected by law.
