
June 8, 2023

More Clarity on Vietnam’s New Data Protection Requirements

At a conference organized by Vietnam’s Ministry of Public Security (MPS) on June 7, 2023, government officials provided more guidance on the recently issued Personal Data Protection Decree (PDPD), which is set to take effect on July 1, 2023.

Key takeaways included the following:

  • A national portal on personal data protection for online submission of notifications and registrations will be launched before July 1, 2023. The MPS also plans to issue templates for data processing impact assessments (DPIAs) and transfer impact assessments (TIAs) in the near future.
  • The PDPD requires data controllers, data processors, and data controller-processors to prepare a DPIA at the start of personal data processing. The MPS clarified that the DPIA is expected to be prepared and submitted once. Only changes to its content would require submission of an updated DPIA.
  • Both DPIAs and TIAs (which are for cross-border data transfers) must be prepared in Vietnamese.
  • Since the sale and purchase of personal data is strictly prohibited unless explicitly permitted by law, the MPS has handled approximately 14 cases involving unlawful trading of personal data, including sensitive data. Under the PDPD, sensitive data has a broader definition than under the GDPR (the European Union’s General Data Protection Regulation), and also includes location data, creditworthiness, and personal financial data.
  • Consent is not a legal basis for the trading of personal data, including sensitive data.
  • The 72-hour timeline for responding to a data subject’s request does not mean 72 working or business hours. Rather, it means 72 actual consecutive hours.
  • Any organization transferring the personal data of Vietnamese citizens outside of Vietnam must comply with the PDPD, regardless of the organization’s location.
  • For organizations incorporated overseas that must comply with the PDPD, there is no requirement to appoint a local representative (unlike the GDPR)—but appointment of a data protection officer (DPO) may be required.

As enforcement for non-SMEs is fast approaching, businesses connected with personal data arising from Vietnam should familiarize themselves with the PDPD requirements and conduct a compliance gap analysis to confirm their readiness to comply.