You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

February 25, 2021

Vietnam Issues New Draft Decree on Personal Data Protection

Subscribe to Updates

On February 9, 2021, Vietnam’s Ministry of Public Security (MPS) finally released the full text of the Draft Decree on Personal Data Protection (the “Draft”) for public consultation, after having released an outline in December 2019, with an ambitious goal for the Draft to be promulgated and take effect on December 1, 2021.

The Draft is divided into six chapters and 30 articles, providing comprehensive coverage of personal data protection and some brand-new requirements. Notable contents of the Draft include the following:

  1. Re-categorization of personal data into basic personal data and sensitive personal data;
  2. New data processing requirements, including new legal bases for data processing and disclosure without consent; specification of the forms of consent; regulations for data processing for research and statistical purposes and automated data processing; and time limits for data retention;
  3. New data protection measures, including de-identification/encryption requirements, appointment of data protection officers, data accessibility from government authorities, and registration for processing of sensitive data and cross-border transfer of data;
  4. Establishment of a new Personal Data Protection Commission (PDPC) under the MPS; and
  5. New administrative sanctions for violations, including fines of up to 5% of the revenues earned from violating activities.

Among the various newly introduced requirements proposed in the Draft, Article 20 (Registration of Processing of Sensitive Personal Data) and Article 21 (Cross-Border Transfer of Personal Data) are notably problematic, and seem infeasible for the operation of various businesses and industries.

Article 20 – Registration of Processing of Sensitive Personal Data 

The Draft’s Article 20 requires that sensitive personal data be registered with the PDPC prior to processing. The scope of sensitive personal data as defined in the Draft ranges from specific types of data such as gender, biometrics, criminal records, and location to very broad concepts such as political and religious views and social relationships.

Among the required contents of the registration application for processing of personal data is an impact assessment report that clearly points out the potential harm to data subjects due to such proposed processing and measures to manage, minimize, or eliminate such harm. The PDPC will process the applications within 20 working days from the date of receipt of a valid application, which means the date that all information and documents provided in the application are acceptable to the officers in charge.

Although the government’s intent is to protect persons and entities covered by the Draft from any improper and harmful processing of their personal data—a laudable goal—this registration requirement potentially creates a huge impact on businesses in terms of time, costs, and administrative procedures. In reality, almost every company, whether local or overseas entity, needs to process its employees’ sensitive data (such as health data, criminal records, etc.) for various legitimate purposes. To be eligible to do so under the Draft, companies will have to prepare and submit applications to the PDPC for approval. Not only will this impose significant costs on companies in terms of time, money, and human resources, but it is highly doubtful that the PDPC would have sufficient resources to process the expected volume of applications within the specified timeline.

Article 21 – Cross-Border Transfer of Personal Data

Similarly, Article 21 of the Draft requires that, before transferring Vietnamese citizens’ personal data out of Vietnam, the following four conditions be fulfilled: (i) consent must be obtained from the data subjects; (ii) the original data must be stored in Vietnam; (iii) the data transferor must have proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the Draft; and (iv) a written approval for transfer must be obtained from the PDPC.

The Draft provides an exemption to the foregoing requirement, when there is (a) consent from the data subject, (b) approval from the PDPC, (c) a commitment from the data processor to protect the data, and (d) a commitment from the data processor to apply measures to protect the data. (It is unclear from the wording of the Draft whether the data transferor needs to meet one or all of these criteria to be eligible for the exemption, but presumably all four must be met.)

In order to obtain a written approval from the PDPC, an application must again include an impact assessment report with an assessment of potential harm and measures to manage, minimize or eliminate such harm. The PDPC has 20 working days from the date of submission to process applications for approval.

It is apparent that these requirements in Article 21 could create a barrier to trade and the flow of data, and increase cost, time, and human resources requirements for companies across many industries. For example, there are a significant number of multinational companies operating in Vietnam that need to regularly process personal data, and they usually process such data in a selected country outside of Vietnam or use cloud services with physical servers located outside of Vietnam. This practice is very common for many industries, including e-commerce, banking, travel, education, health care, etc. If all companies sending personal data overseas have to store data in Vietnam, it would create huge costs and additional work and overhead for them. Moreover, the process for applying for approval from the PDPC would unavoidably delay transactions and data transfers, which usually need to be processed instantly.

The Draft is open for public consultation from February 9 to April 9, 2021, and merits the urgent attention of industries, associations, and businesses to share comments with the MPS in order to develop legislation which is effective as well as feasible for implementation, balancing data subjects’ rights with the smooth operation of business.

As the effective date for this legislation could come later this year, it is also important for companies to get a head start on evaluating data transfers and processing within their own organization, and start formulating plans.

For further information about the Draft, please contact us at [email protected].

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

March 27, 2024
Two notifications on the cross-border transfer of personal data, issued by Thailand’s Personal Data Protection Committee (PDPC), came into effect on March 24, 2024. These notifications, which we detailed in a previous update, set out the criteria governing the cross-border transfer of personal data offshore, specifically focusing on situations where appropriate personal data protection standards are in place. Of particular importance is the role of binding corporate rules (BCRs) in enabling the cross-border transfer of personal data among affiliated businesses or within the same group of undertakings. The implementation of BCRs requires a comprehensive review and approval process by the Office of the PDPC, strictly in accordance with the criteria set out in one of the two notifications. With the notifications now fully enforceable, the Office of the PDPC has begun accepting BCRs for review. Data controllers and data processors intending to adopt BCRs as a means for transferring data to offshore affiliates or group companies must initiate the BCR submission process promptly. Failure to comply with PDPA requirements concerning the cross-border transfer of personal data could result in substantial penalties. Organizations involved in cross-border personal data transfers should be proactive in complying with the prescribed criteria to avoid these regulatory penalties and maintain the data protection standards mandated by the PDPA. For more information on these cross-border personal data transfer regulations, or on any aspect of complying with Thailand’s data protection laws, please contact Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Wilin Somya at [email protected].
Read More
March 27, 2024
The Bank of Thailand (BOT) has opened a public comment period on their consultation paper titled “Criteria for Supervising Virtual Banks” from March 19, 2024, to April 17, 2024. The consultation paper reveals that the BOT intends to apply traditional commercial bank supervisory standards to virtual banks. However, the BOT also explains that the wholly digital nature of the services offered by virtual banks necessitates additional regulatory supervision. Additional Supervisory Criteria for Virtual Banks Financial business group: If a virtual bank is within the same financial business group as other financial institutions, its parent company must structure the virtual bank to be under its own sole consolidated financial business group. After the virtual bank has undergone the “restricted phase” in its initial years of operation (see below), other financial institutions within the group are prohibited from extending credit to or engaging in transactions similar to lending activities with the virtual bank. Shareholding structure: If the increase in the financial institution system capital is higher than the actual capital injection resulting from the bank’s shareholding structure, the BOT aims to issue an additional regulation to supervise the capital of the virtual bank and financial institution system to prevent double counting. Operational risk: Virtual banks must not use a trademark or logo that bears resemblance to or implies association with other financial institutions or financial institution groups. Governance: Virtual banks must have at least one director and chief technology officer (CTO) with at least three years of experience in IT or digital service. Additionally, the CTO must work full-time for the virtual bank and may not be an employee of another legal entity. Restriction on related lending and related-party transactions: Virtual banks must obtain prior unanimous approval from their boards of directors before engaging in transactions with major shareholders or businesses
Read More
March 27, 2024
Last year, the government of Vietnam issued the Personal Data Protection Decree (PDPD), which took effect on July 1, 2023. The Department of Cybersecurity and High-Tech Crime Prevention and Control (referred to as “A05”) under the Ministry of Public Security (MPS) is tasked with implementing and enforcing the requirements under the PDPD. While a decree on sanctioning provisions for noncompliance with the PDPD is still pending issuance, further movements from the MPS/A05 indicate that it aims to start conducting its first inspections into PDPD compliance. This is the first time that companies and government agencies have been officially questioned by the MPS about their compliance with the PDPD. The purposes of this inspection program are (1) to evaluate the compliance status of a group of selected companies and government agencies and to understand challenges in complying with the PDPD requirements; (2) to propose sanctions for noncompliance; and (3) to collect information and comments for the development of the upcoming Personal Data Protection Law—not to spot noncompliance with the PDPD specifically. This round of inspection includes a number of companies in 14 sectors (including e-commerce, aviation, telecom, banking and finance, intermediary payment, insurance, gaming, education, healthcare, real estate, data processing services, ride hailing, etc.). The companies targeted by this inspection program must: (1) submit a report on compliance to the MPS/A05 by May 30, 2024 (this report is different from the data protection impact assessment (DPIA)/transfer impact assessment (TIA) submission requirements); and (2) coordinate with the MPS/A05 on any further investigation actions from June to August 2024. The inspection results will be available by September 2024. Key information to be reported includes, among others: (1) a description of the activities and measures carried out to implement the PDPD (such as protecting data subjects’ rights, performing administrative procedures, preventing violations, etc.)
Read More
March 18, 2024
Vietnam’s new Telecom Law 2023 was promulgated on November 24, 2023, and will take effect on July 1, 2024, for most telecom services. For three newly introduced telecom services—OTT telecom services, internet data center services, and cloud computing services—implementation and compliance will be delayed until January 1, 2025. These new services will be explored briefly below. The Ministry of Information Communication (MIC) is currently in the process of developing a number of decrees and circulars that will detail the implementation of the Telecom Law 2023, including one main decree that guides the new law in general. This decree is scheduled for prompt promulgation to coincide with the law’s effective date of July 1, 2024. The draft version of this decree, dated February 22, 2024 (“Draft Decree”), was shared for consultation with international organizations, associations, and enterprises by the Vietnam Telecom Agency (VNTA) in early March 2024 to gather feedback. The Draft Decree is expected to undergo further revisions before being sent to relevant state agencies for input and submission to the Ministry of Justice for assessment by the end of March 2024. The MIC anticipates submitting the subsequent version to the government by April 15, 2024.   New Telecom Services: OTT Telecom Services, IDC Services, and Cloud Computing Services In comparison to the Telecom Law 2009, the Telecom Law 2023 has three new telecom services: Basic telecommunications services on the internet (OTT telecom services) are defined as services whose primary functions including the sending, transmission, and receipt of information between two persons or a group of people using telecommunications services on the internet (Article 3.8 of the Telecom Law 2023). By incorporating the term “primary functions” into the definition, the Telecom Law 2023 aims to exclude services such as ride-hailing platforms where the primary function is transportation, not telecom
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice