On April 17, 2023, the Government of Vietnam published its Personal Data Protection Decree (PDPD). The first draft of the PDPD was issued back in 2021 and has since been through a public consultation resulting in the final text that will enter into effect on July 1, 2023.
Despite the short window for the PDPD’s entry into effect, there is no transitional period meaning that organizations covered by the PDPD will have little over two months to develop a privacy program in compliance with the law’s new requirements. Like many modern privacy laws, the PDPD contains requirements for privacy notices, privacy risk assessments, and data subject rights as well as offering grounds for valid consent and certain scenarios where consent can be withdrawn. Keep reading for an overview of Vietnam’s PDPD and some of its key requirements.
What are the key compliance areas of the PDPD?
Scope of application
Before looking at the compliance requirements of the PDPD you should first assess whether the PDPD will apply to your business. The law’s scope of application includes:
Vietnamese agencies, organizations, and individuals
Foreign agencies, organizations, and individuals in Vietnam
Vietnamese agencies, organizations, and individuals operating abroad
Foreign agencies, organizations, and individuals processing personal data in Vietnam
If your business falls under one of the above definitions, then there are several new requirements that you will need to comply with ahead of the July 1 entry into effect. Start-ups, micro-enterprises, and small and medium enterprises (SMEs) have the right to choose to be exempt from the PDPD’s regulations for the first two years of operation from the date of registration unless they are directly involved in personal data processing activities.
Personal data and sensitive personal data
Similarly, it is important to understand what the PDPD means by “personal data” and “sensitive personal data”. Personal data includes information including:
Name of the data subject, including full name, middle name, birth name, or any other name
Date of birth, death, or date an individual might have become missing
Gender
Place of birth and birth registration
Place of permanent or temporary residence including hometown and contact address
Nationality
Image
Phone number, national identification number, or medical insurance card number
Marital status
Family relationship details including parents and children
Digital account details and online activities
The PDPD defines sensitive personal data as personal data that, when violated, will directly affect an individual's legitimate rights and interests. This includes information relating to:
Political and religious views
Health status and medical records (excluding blood type)
Racial or ethnic origin
Genetic characteristics, physical attributes, and biological characteristics
Sex life and sexual orientation
Criminal records held by law enforcement agencies
Customer information of credit institutions
Location data
Privacy notices
Covered organizations will be required to present a privacy notice to data subjects before processing personal data. The PDPD outlines specific information that needs to be included in the privacy notice, this includes:
Purposes of the processing activity
Types of personal data that will be collected for the purposes of processing
Information third parties that will be involved in the activity
Unexpected consequences and damage that are likely to occur
Time frames of the data processing activity
PDPD privacy notices should be formatted in a manner that data subjects can print or reproduce in writing. There are certain circumstances where a privacy notice is not required including where personal data is being processed by a state agency for purposes in accordance with the law.
Risk assessments
Data controllers have a requirement to conduct a data protection impact assessment before starting a processing activity. Additionally, controllers are required to keep records of these impact assessments, which should be accessible for auditing purposes and sent to the Ministry of Public Security within 60 days from the date of processing of personal data.
Impact assessment must include details relating to:
The purpose of processing personal data
The types of personal data to be processed
The third parties receiving personal data
The transfer of personal data internationally
Processing timeframes
Estimated time to delete or destroy personal data
The data protection measures applied
The assessment of the benefits of the processing activity
The consequences or unwanted damage that is likely to occur
The measures to reduce or eliminate such risk or harm
Data subject rights
The PDPD provides a broad range of rights to data subjects, many of which are common under modern privacy laws.
PDPD data subject rights include:
Right to know - Data subjects have the right to know about processing activities that involve their personal data
Right to consent - Data subjects have the right to give and withdraw consent for the processing of their personal data, except in the case where consent is not needed under Article 17
Right to access - Data subjects have the right to access to view, correct, or request correction of their personal data
Right to withdraw consent - The data subject is entitled to withdraw their consent
Right to deletion - The data subject can request to have their personal data deleted
Right to restrict data processing - Data subjects can limit the processing of their personal data, restriction of processing should be carried out within 72 hours after the request is made
Right to object to data processing - The data subject has the right to object to the processing or disclosure of personal data for advertising and marketing purposes. Requests should be fulfilled within 72 hours
Right to complain, denounce and initiate lawsuits – Data subjects have the right to complain, denounce or initiate a lawsuit in accordance with the law
Right to claim damages – Data subjects have the right to claim damages in accordance with the law when there is a violation of the PDPD involving their personal data
Right to self-defense - Data subjects have the right to protect themselves according to the provisions of the Civil Code
Valid consent
Valid consent of the data subject is required for all processing activities under the PDPD. There are several exceptions where processing personal data is permitted without consent such as in the vital interests of the data subject, where processing is necessary for compliance with the law, or to fulfill a contractual obligation.
Consent can only be considered valid when the data subject voluntarily and clearly knows the following:
The type of personal data being processed (or type of sensitive personal data, where applicable)
The purposes of processing
The third parties that will process personal data
Their rights under the PDPD
Consent must be clear and specific and given through affirmative action such as in writing, by voice, or by ticking a consent box, among other things. Silence or inactivity is not considered as valid consent under PDPD and data subjects may give partial or conditional consent.
Other notable provisions
The PDPD also includes a range of other responsibilities for data controllers, data processors, and third parties. These include conditions for cross-border transfer of personal data such as transfer impact assessments and post-transfer notifications. The PDPD also includes rules for processing personal data obtained through audio and video recording activities in public places and the processing of children’s personal data.
Other requirements include protecting personal data in the context of marketing services and advertising products and the measures to protect sensitive personal data include assigning a data protection officer.
How can businesses prepare?
As with most modern privacy laws, the best place to start when preparing your privacy program is to conduct a data discovery exercise to understand what data you have and where it is stored. Classifying and mapping this personal data against the provisions of new laws will help you to visualize data flows, identify third parties, and ensure requirements are met in compliance with the law such as data transfer requirements.
In the case of the PDPD, you should ensure that you understand what types of information fall under the definitions of personal data and sensitive personal data as well as ensure you have the correct consent or implementing methods for collecting valid consent in preparation for the PDPD’s entry into effect.
Privacy notices will be one of the most outwardly visible areas of compliance with the PDPD. Ensuring your web properties are displaying the correct notice that fulfills the criteria set out by the PDPD will be essential for transparency and accountability with the law.
The PDPD introduces a broad range of data subject rights, therefore you should ensure that you have the correct methods of the intake of these requests and that you are set up and ready to fulfill them. Linking your subject rights fulfillment process with your data map will help you to ensure that all instances of personal data relating to the data subject can be easily found and relayed against the different types of request.
To prepare for PDPD impact assessment requirements, you should begin to develop a risk assessment template that takes into account all of the required information and assessment criteria. You can build your assessment from scratch or use a pre-built template that can fulfill risk assessment templates of several laws. Additionally, the PDPD requires you to perform a transfer impact assessment when transferring data outside of Vietnam. Therefore, it is vital to have a robust process in place for completing risk assessments and have a solid understanding of your personal data processing activities.
Speak to an expert today to learn more about how the OneTrust Privacy & Data Governance Cloud can help you get prepared for the Vietnam PDPD ready for July 1.
