Special Alert | Draft Decree Personal Data Protection Released by the Ministry of Public Security for Public Comments

Indochine Counsel

Vietnam's personal data protection rules are scattered across a number of laws with many of the provisions unclear and lacking clarity. The Ministry of Public Security has proposed a draft decree with more complete regulation as well as a Personal Data Protection Committee, an independent body under the government.

The rules in respect of personal data protection have been stipulated and scattered in a number of laws of Vietnam such as the Civil Code, the Law on Protection of Consumers’ Rights, the Cybersecurity Law, the Law on Cyber Information Security, etc. Many of the provisions in those laws are unclear and overlapped without any precise and effective mechanism for understanding personal data protection. This lack of clarity has caused the treatment of personal data in Vietnam to become extremely insecure and the data itself vulnerable.

For that reason, the Ministry of Public Security (the “MPS”) has proposed a draft decree on personal data protection. The draft was released on 9 February 2021 (the "Draft Decree") for public comments. There are many important statutory definitions in relation to personal data that have been given, such as the separation of personal data into basic personal data and sensitive personal data for which a data processor is required to adapt protection requirements for processing. The Draft Decree provides more complete regulations on mechanisms of personal data protection, as well as a proposal to establish a Personal Data Protection Committee (the “PDP Committee”) which would be an independent body under the government of Vietnam.

The Draft Decree requires a data owner’s consent prior to processing and disclosing such data except in the following cases:

  1. If specified by law;
  2. For the sake of national security, social order and safety;
  3. If specified by law to be an emergency, a threat to life or seriously affecting the health of that data owner or public health;
  4. For the purpose of investigation and handling an act in violation of laws;
  5. In compliance with the regulations in international agreements or treaties to which Vietnam is a member specifying the processing of personal data without such data owner's consent; or
  6. For scientific research or statistics in encrypted form which is to be de-identified and replaced with a code.

A data owner's consent will be considered effective provided that such consent is given voluntarily and is clearly informed of: the type of personal data processed, the purpose of processing, the objects to be processed and shared, the conditions for transferring or sharing personal data to third parties, and the data owner’s rights related to the processing of his or her personal data. In addition, such consent must be presented in a form that is capable of being printed or reproduced in writing. A data owner's silence or non-response to a personal data processor's request for permission to process data is not considered sufficient to be considered consent.

For children under the age of 16, this consent must be given by their parent or guardian prior to processing any personal data of that child.

For sensitive personal data, in addition to the request for the data owner’s consent, a personal data processor must register with the PDP Committee before proceeding.

In addition to consent, personal data processors must notify the data owners of any changes to the contents of their consent, except for the following cases:

  • The data owner has fully agreed with the contents and activities of processing personal data;
  • The processing of personal data is required by laws, international agreements, international treaties;
  • The processing of personal data does not affect the rights and interests of that data owner and notification on such processing to that data owner is impossible; and
  • For the purpose of scientific research or statistics.

The Draft Decree is the first statutory instrument in Vietnam to specifically regulate the cross-border transfer of personal data of Vietnamese citizens. Prior to transferring such data outside of the territory of Vietnam a personal data processor is required to comply with the following conditions:

  • Obtain the data owner’s consent;
  • Retain the original personal data in Vietnam;
  • Provide a written document proving the country/territory/area of destination has a regulation on personal data protection at the same or higher level than the regulations in Vietnam; and
  • Obtain the written consent of the PDP Committee.

Notwithstanding the aforementioned conditions, personal data may be transferred out of the territory of Vietnam in the following cases:

  • The data owner’s consent for such transfer;
  • A written consent of the PDP Committee;
  • A personal data processor's commitment on personal data protection; and
  • A personal data processor's commitment on applying the personal data protection measures.

In executing the cross-border transfer of personal data, the data processor must set up a system for recording the history of data transfers within for three years which may be inspected and assessed every year by the PDP Committee.

In comparison with Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 stipulating the administrative sanctions against violating acts in the sectors of postal services, telecommunications, radio frequencies, information technology and electronic transactions, monetary penalties for similar acts as proposed in the Draft Decree is two to five times higher. There is also a monetary fine of 5% of the total revenue of the violating processor in Vietnam for repeated offences in exceeding the prescribed number of time.

Finally, the Draft Decree proposes to establish important supporting tools for enhancing personal data protection such as building and operating a national information portal for personal data protection, publishing a list of agencies and organizations processing personal data, and issuing a standard for assessing the reliability of personal data protection of agencies and organizations involved in personal data processing activities.

The Draft Decree is now in the stage of collection of public opinion for consideration for the two months following its publication.

Please Login or Register for Free now to view all updates and articles

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

Indochine Counsel

Established in October 2006, Indochine Counsel is a leading commercial law firm in Vietnam. Offering services throughout Vietnam, Indochine Counsel is ideally positioned to assist international investors and foreign firms to navigate the legal landscape in one of Asia's most dynamic and exciting countries. We also take pride in our services offered to domestic clients in searching for opportunities abroad. With over 45 lawyers and staff in two offices, Ho Chi Minh City and Hanoi, Indochine Counsel offers expertise in a dozen practice areas and provides assistance throughout the entire life cycle of your business.

Based on the principles of Excellence, Professionalism and Ethical Lawyering, Indochine Counsel strives to give clients quality service in a timely manner. Our lawyers have been trained all over the globe and have experience with both local and international law firms. Indochine Counsel takes pride in its people and works hard to ensure that they have the support and training necessary to work at the peak of excellence.

Indochine Counsel’s objective is to provide quality legal services and add value to clients through effective customized legal solutions that work specifically for the client. The firm represents local, regional and international clients in a broad range of matters including transactional work and cross-border transactions. The firm’s clients are diverse, ranging from multinational corporations, foreign investors, banks and financial institutions, securities firms, funds and asset management companies, international organizations, law firms to private companies, SMEs and start-up firms.

Click here to view the author's profile

Author

Related Content

Tags

  • Vietnam
  • Internet & Social Media
  • Data Protection & Privacy

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.