No.
|
Provisions
|
Comments
|
Recommendations
|
Provisions on applicable subjects
|
1)
|
Article 2.2(a) provides that the dependent units of an enterprise are the applicable subjects of the 3rd Draft Decree
|
This provision may not be consistent with Article 3.4 of Decree 118/2021 of the Government dated 23 December 2021 detailing the Law on administrative violations handling, as amended (Decree 118/2021).
Under Article 3.4 of Decree 118/2021, the dependent units of an enterprise (e.g., the representative office, branch) are subject to administrative penalties only if they commit administrative violations beyond the scope or period of authorization granted by the legal entity, or not under its direction, control, assignment and approval.
|
To clarify in which case the dependent unit will be subject to administrative penalties under the 3rd Draft Decree to be consistent with Decree 118/2021 (e.g., Article 2.2(b) of Decree 122 of the Government dated 28 December 2021 on administrative penalties on planning and investment sector clearly provides so)
|
2)
|
Article 2.2(dd) provides that foreign enterprises or branches, representative offices or business locations of foreign enterprises providing services including, among others, content provision services in cyberspace (dịch vụ cung cấp nội dung trên không gian mạng) are the applicable subjects of the 3rd Draft Decree
|
a) It is not clear whether the “content provision services in cyberspace” and “value-added services in cyberspace” under Articles 26.2 and 26.3 of the Law on Cybersecurity 2018 are the same or whether the service under Article 2.2(dd) of the 3rd Draft Decree is a new type of service.
b) If this is a new type of service, it is not clear what specific services are covered under this type since the 3rd Draft Decree, the Law on Cybersecurity 2018 and Decree 53 of the Government dated 15 August 2022 detailing the Law on Cybersecurity 2018 (Decree 53/2022) do not provide for the definition of this service
|
To clarify or remove this type of service for consistency
|
3)
|
Article 2.2(e) provides that the organizations and enterprises providing information content in cyberspace service (dịch vụ nội dung thông tin trên không gian mạng) are the applicable subjects of the 3rd Draft Decree
|
It is not clear what specific services are covered under this type since the 3rd Draft Decree, the Law on Cybersecurity 2018 and Decree 53/2022 do not provide for the definition of this service
|
To clarify or remove this type of service for consistency
|
Provisions on the fine level
|
4)
|
Article 5.2 provides that the fine level of an administrative violation could be up to 5% of the revenue of the preceding fiscal year or the profit earned from administrative violations of the violating organization or individual in the Vietnamese market
|
a) This fine level may exceed the maximum fine level under Article 24.1(dd) of the Law on Administrative Violations Handling 2012 (i.e., VND 200 million for the cybersecurity sector applicable to organizations)
b) It is not clear whether this fine level should be calculated on the revenue of a group of undertakings
|
To clarify these issues
|
Provision of administrative sanction for acts also specified in the Criminal Code
|
5)
|
Article 6.2 provides that: “For a case that is accepted and settled by an authority conducting the criminal proceedings, but then there is a decision not to initiate a criminal case, […] within 03 days from the date of issuance of the decision, […]”
|
It should be “03 business days” and “the date that the decision takes effect” to be consistent with Article 63.1 of the Law on Administrative Violations Handling 2012
|
To amend this provision for consistency with Article 63.1 of the Law on Administrative Violations Handling 2012
|
Violation of the rights of the data subject
|
6)
|
Article 15.1(e) imposes an administrative penalty on the failure of the personal data controller, personal data controlling and processing party to delete personal data as requested within 48 hours after the request of the data subject
|
It is not consistent with Article 16.5 of Decree 13 of the Government dated 17 April 2023 on personal data protection (Decree 13/2023), which requires this obligation to be implemented within 72 hours after the request of the data subjects
|
To amend this provision for consistency with Article 16.5 of Decree 13/2023
|
7)
|
Article 15.1(h) imposes an administrative penalty on the failure by the personal data controller, personal data controlling and processing party to provide personal data within 48 hours after the request of the data subject
|
It is not consistent with Article 14.3 of Decree 13/2023, which requires this obligation to be implemented within 72 hours after the request of the data subject
|
To amend this provision for consistency with Article 14.3 of Decree 13/2023
|
8)
|
Article 15.2 imposes an administrative penalty on the failure by the personal data controller, personal data controlling and processing party to prevent or limit the disclosure of the personal data or the use of personal data for advertising or marketing purposes within 48 hours after the request of the data subject
|
It is not consistent with Article 9.8(b) of Decree 13/2023, which requires this obligation to be implemented within 72 hours after the request of the data subject
|
To amend this provision for consistency with Article 9.8(a) and 9.8(b) of Decree 13/2023
|
Violation of provisions on the data subject’s consent
|
9)
|
Article 16
|
Lack of administrative penalties on the failure to express consent in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats, which is required under Article 11.5 of Decree 13/2023
|
To supplement this penalty for this violation
|
10)
|
Article 16.1(b) imposes an administrative penalty if “the consent of the data subject is not expressed clearly for the data subject to freely consent to the personal data processing”
|
The wording of this provision is confusing and may duplicate Article 16.1(dd) of the 3rd Draft Decree
|
To enhance clarity, it is proposed to amend this provision as follows:
“To force the data subject to consent to the data processing or prevent the data subject from being fully informed of the necessary contents for giving consent as regulated”
|
11)
|
Article 16.2(c) provides that the personal data controller, personal data controlling and processing party does not prove or refuses to prove that the data subject has consented to the personal data processing
|
This provision duplicates Article 16.1(h) of the 3rd Draft Decree
|
To remove this provision
|
Violations of provisions on consent withdrawal
|
12)
|
Article 17
|
Lack of administrative penalties on the failure to express the withdrawal of consent in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats, which is required under Article 12.2 of Decree 13/2023
|
To supplement the penalty for this violation
|
Violation of provisions on providing personal data
|
13)
|
Article 19
|
Lack of administrative penalties for the data controller, data controlling and processing party’s failure to:
(i) notify and guide the requesting organization or individual to request the competent authority; or
(ii) expressly notify its inability to provide such personal data
if the requested personal data are not under its authority.
This is an obligation under Article 14.8(b) of Decree 13/2023
|
To supplement the penalty for this violation
|
14)
|
Article 19.1(a) imposes an administrative penalty on the act of “providing personal data to the data subject, personal data owned by or under control of the organization when the data subject has not consented to act on behalf of him/her”
|
The wording of this provision is quite confusing
|
To enhance clarity, it is proposed to amend this provision as follows:
“providing personal data of the data subject, personal data owned by or under control of the organization to other organizations, individuals when the data subject has not consented to act on behalf of him/her”
|
Violation of provisions on storage, deletion and destruction of personal data
|
15)
|
Article 21.2 imposes an administrative penalty on the act of “personal data must be deleted in accordance with the provisions of law”
|
The wording of this provision is quite confusing
|
To enhance clarity, it is proposed to amend this provision as follows:
“To continue processing personal data that must be deleted in accordance with the provisions of law”
|
Violation of provision on notifying violation of regulations on personal data protection
|
16)
|
Article 25
|
Lack of administrative penalty on failure to make minutes on confirmation of the occurrence of the act violating provisions on personal data protection, which is required under Article 23.5 of Decree 13/2023
|
To supplement the penalty for this violation
|
Violation of provision on cross-border transfer of personal data
|
17)
|
Article 27
|
Lack of administrative penalty on failure to suspend the transfer of personal data overseas as requested by the MPS, which is required under Article 25.8 of Decree 13/2023
|
To supplement the penalty for this violation
|
18)
|
Article 27.1(b), 27.1(c) and 27.1(d)[1]
|
These provisions duplicate Article 27.1(a) of the 3rd Draft Decree
|
To remove these provisions
|
Violation of provision on cyberattacks prevention and combat
|
19)
|
Article 29
|
Lack of administrative penalty on the information system administrators’ failure to apply technical measures to prevent and avoid the acts prescribed in sub-clauses (a), (b), (c), (d) and (e) of Article 18.1 of the Law on Cybersecurity 2018 with respect to information systems within their managerial scope.
|
To supplement the penalty for this violation
|
Violation of provision on prevention of and dealing with dangerous cybersecurity situations
|
20)
|
Article 31
|
Lack of administrative penalty on failure to apply measures to deal with a dangerous cybersecurity situation including:
(i) sending a notice to relevant agencies, organizations and individuals (as required under Article 21.3(b) of the Law on Cybersecurity 2018); and
(ii) analyzing and assessing information about and forecasts of the possibility and the scope of effect and the level of damage caused by such dangerous situations (as required under Article 21.3(d) of the Law on Cybersecurity 2018)
|
To supplement the penalties for such violations
|
Violation of provision on guarantees relating to cyber-information security
|
21)
|
Article 35.1(d) imposes an administrative penalty on the provision of services on telecom networks, the Internet and other value-added services to organizations and individuals who upload in cyberspace information with the contents prescribed in Article 16.1 – 16.5 of the Law on Cybersecurity 2018
|
This provision is not consistent with Article 26.2(c) of the Law on Cybersecurity 2018 since it lacks the wording “when requested not to provide by the Cybersecurity Task Force under the MPS or by a competent agency under the Ministry of Information and Communications.”
|
To supplement such wording for consistency
|
22)
|
Article 35.1(dd) imposes an administrative penalty on owners of websites and social networks that do not have a server system located in Vietnam to satisfy the inspection, examination, storage and supply of information at the request of competent state agencies or to settle customer complaints against the provision of the specified service.
|
This provision is not consistent with the Law on Cybersecurity 2018 and Decree 53/2022 since, under Article 26.3 of the Law on Cybersecurity 2018 and Article 26 of Decree 53/2022, offshore entities are required to set up branches or representative offices in limited cases, but are not required to set up a server system in Vietnam.
Administrative penalties on offshore enterprises’ failure to set up branches or representative offices have already been provided under Article 39 of the 3rd Draft Decree
|
To remove this provision
|
Violation of provisions on child protection in cyberspace
|
23)
|
Article 37.2(b) imposes an administrative penalty on posting, distributing, sharing, storing, exchanging, using information, images and sounds with pornographic, depraved, violent contents related to children
|
This provision duplicates Article 37.2(a) of the 3rd Draft Decree
|
To remove this provision
|
Violation of provisions on data storage, the establishment of branches or representative offices in Vietnam
|
24)
|
Article 39
|
Lack of administrative penalty on failure to maintain branches or representative offices within the required period
|
To supplement the penalty for this violation
|