1. Introduction
In the current era of rapid digital and economic transformation, the protection of personal data has become an urgent priority. The Government has recently introduced the Draft Law on Personal Data Protection (the Draft Law), aiming to establish a comprehensive legal framework to address the limitations of Decree No. 13/2023/ND-CP (Decree 13), effective as of 1 July 2023, and respond to practical requirements for personal data management. This Draft Law, expected to take effect in 2026, is designed to provide a more robust legal foundation for protecting the privacy and personal data. The article below highlights notable updates in the Draft Law.
2. Key notable points in the Draft Law compared to Decree 13
2.1. Definition of Data Protection Officer (DPO)
Decree 13 mentioned the need for personnel responsible for data protection within enterprises without giving the definition of this position. The new Draft Law introduces the role of Personal Data Protection Officer in Article 2.17. Accordingly, DPO is a person appointed by the Controller, the Controller and Processor, the Third Party, the party transferring personal data abroad, or the recipient of personal data of Vietnamese citizens to serve as a personnel responsible for personal data protection.
Compared to the GDPR, the Draft Law imposes stricter requirements on DPO qualifications. This individual must possess expertise in technology and/or legal knowledge related to personal data protection, as specifically detailed in the Data Protection Impact Assessment and the Data Transfer Impact Assessment.
2.2. Inclusion of sensitive personal data
One notable addition to the Draft Law, as compared to Decree 13, is the inclusion of sensitive data categories related to land, particularly information on land users, as stated in Article 2.4. Land data not only includes location and area but may also contain personal details about land use rights, ownership, legal status, or agreements between parties. This addition underscores the sensitivity of land data, as it may have significant implications for owners’ rights and assets and could be exploited in illegal transactions, disputes, or land fraud.
2.3. New parties involved in personal data protection
The Draft Law proposes definitions of several new parties involved in data protection activities in Articles 2.14, 2.15, 2.19, and 2.21. These parties include Personal Data Protection Organization, Data-Related Developer, Certified Data Protection Organization, and Data Protection Credit Rating Organization. Specifically:
- Personal Data Protection Organization: An organization appointed by by the Controller, the Controller and Processor, the Third Party, the party transferring personal data abroad, or the recipient of personal data of Vietnamese citizens to specialize in personal data protection.
- Data-Related Developer: Individuals or organizations involved in developing programs, applications, software, and IT systems related to collecting, processing, and storing personal data.
- Certified Data Protection Organization: An organization certified and authorized by a specialized data protection agency, with the capacity to assess and audit other organizations’ abilities to protect personal data. These organizations can issue Certificates of Eligibility to Personal Data Protection Organizations or DPOs.
- Data Protection Credit Rating Organization: An organization certified and authorized by a specialized data protection agency with the capability to assess and rate the trustworthiness of organizations and businesses in terms of data protection practices.
The introduction of the Certified Data Protection Organization and Data Protection Credit Rating Organization represents a novel approach when compared to international frameworks. For instance, in Singapore, certification for data protection organizations falls under the Data Protection Trustmark, managed by the Infocomm Media Development Authority. However, no equivalent role to the Data Protection Credit Rating Organization exists in other jurisdictions. The establishment of these roles underscores the law’s commitment to high standards in personal data protection, fostering enhanced awareness of its significance. Collectively, these roles contribute to a coordinated framework among entities committed to safeguarding personal data.
2.4. Protection of personal data in economic groups
For large businesses operating under a parent-subsidiary group structure, each company, including parent companies and subsidiaries, holds independent responsibility for data protection under the provisions of Article 3.4 of the Draft Law. Data subject consent granted to one company does not imply consent for all companies within the economic group to process the personal data.
2.5. Prohibition on the illegal sales of personal data
In comparison with Decree 13, Article 8 of the Draft Law once again emphasizes a strict prohibition on unauthorized activities involving the collection, processing, transfer, and sale of personal data. Currently, the unauthorized sale of personal data is increasingly complex, with methods becoming more sophisticated. In the year of 2023, the buying and selling of personal data, including sensitive information, continued to grow alarmingly. The Ministry of Public Security discovered and took action in 16 cases of personal data leaks and sales involving state secrets and internal information on online platforms, with data openly traded on sites such as BreachedForums, Telegram, and Facebook.
Therefore, it is expected that stricter sanctions will be imposed for violations, contributing to the deterrence of illegal practices.
2.6. Protection of personal data in marketing and advertising activities
Marketing and advertising activities today often rely on personal data to increase efficiency and reach potential customers. However, the collection and sharing of such data pose various issues, including misuse, unauthorized sharing, and lack of transparency. The risks are particularly high when advertising companies use third-party agencies for marketing efforts, increasing the likelihood of data breaches.
To address these concerns, the Draft Law in comparison with Decree 13, introduces a new requirement according to Article 21 and 22 that organizations and individuals are prohibited from outsourcing marketing activities without the user’s explicit consent. Furthermore, advertising organizations must give users the option to refuse the sharing of their data under various circumstances, enhancing control and security over personal information.
2.7. Protection of personal data in cloud computing
Currently, the demand for storing and processing personal data on cloud platforms is rapidly increasing, but this trend also introduces significant security risks. Such risks include exposure to cyberattacks, data leaks, and unauthorized access to users’ personal information.
Article 25 of Draft Law mandates that organizations and individuals enter into contracts or agreements with cloud service providers to ensure compliance with Vietnam’s data protection laws. These contracts must specify the responsibilities of each party, particularly regarding the protection of sensitive data and designating personnel or departments responsible for data protection. Additionally, organizations must prepare a data impact assessment report for personal data processed on the cloud to ensure legal compliance and minimize risks associated with data processing and storage.
2.8. Protection of personal data in financial, banking, and credit activities
Article 27 of Draft Law stipulates a strict prohibition on the sale or unauthorized transfer of credit information between financial and credit institutions. It further prohibits the sharing or transmission of financial and credit data of individuals among financial and credit organizations without explicit consent. Additionally, using an individual’s credit information for credit scoring or creditworthiness assessments without their consent is not allowed.
This provision addresses a growing issue where confidential credit information is traded in private online groups, involving data from multiple institutions. By establishing a firm legal basis, these regulations aim to support stricter enforcement actions and mitigate future violations.
2.9. Protection of personal data related to health and insurance information
Addtionally, Article 28 of Draft Law recognizes health-related information as a particularly sensitive category of personal data due to its highly private nature. To reinforce the importance of protecting this data, the Draft Law specifies that organizations and individuals operating in the healthcare sector are prohibited from sharing personal health data with health care service providers or health insurance entities, except when there is a written request from the data subject.
2.10. Updating the impact assessment dossiers for personal data transferred abroad
Compared to Decree 13, Article 46 of the Draft Law requires that the impact assessment files related to the processing and cross-border transfer of personal data be updated every six months, or immediately upon any significant changes. This regulation is designed to ensure that the information remains accurate and fully reflects all modifications in the management of personal data.
The Draft Law also outlines specific cases that necessitate immediate updates to the assessment files, including situations such as company dissolution or merger, any changes in details concerning the organization responsible for data protection or the appointed DPO, changes in the company’s business lines or introduction of new services, or the discontinuation of services or products related to personal data as previously registered in the impact assessment records.
3. Conclusion
With a target implementation date of 2026, the Draft Law introduces robust security protocols and establishes comprehensive guidelines to support responsible data processing practices. In anticipation of this, it is essential that detailed regulations on data protection violations are issued. Enterprises should proactively consider preparatory measures to ensure compliance with these evolving standards.
Disclaimer: This Legal Update is intended to provide updates on the Laws for information purposes only, and should not be used or interpreted as our advice for business purposes. LNT & Partners shall not be liable for any use or application of the information for any business purpose. For further clarification or advice from the Legal Update, please consult our lawyer: Mr Ngo Thanh Hai at hai.ngo@lntpartners.com