Key points of the draft Decree include:

• Clear definitions/concepts are provided in the draft Decree, e.g. “basic personal data”, “sensitive personal data”, “data subject’ and “data processer”.

• Regulations on processing/controlling personal data are detailed, e.g. access, disclosure, process, storage, deletion, and destruction of personal data.

• Several measures to protect personal data are required, e.g. administrative, technical and physical measures to be conducted by data processors, as well as inspection, examination and control via registration/administrative penalties to be conducted by the state authority.

• Personal Data Protection Commission (“PDPC”) is proposed to be set up (by the Ministry of Public Security) for acting as the national data protection state authority.

• Registration: One of the data processing requirements is the registration of sensitive personal data with the PDPC. The data processers are also required to obtain approval from the PDPC for cross-border transfer of personal data.

• Penalties:

o Fine of VND50m - VND100m for violations against the regulations on personal data processing or on measures to protect personal data

o Fine of up to 5% of revenue for heavy violations

o Additional sanctions may also be imposed, e.g. suspension of the processing of personal data from one to three months or revoking the ‘licence’ for processing sensitive personal data and/or cross-border transfer of personal data

These proposed regulations are in line with international standards, such as the EU’s General Data Protection Regulation (GPDR). Once ratified, the coming Decree will change significantly the current legal framework on personal data protection in Vietnam