You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

February 8, 2023

Vietnam’s Personal Data Protection Decree Takes Important Step Toward Issuance

Subscribe to Updates

Government Approves Legislative Dossier

On February 7, 2023, the Vietnamese government issued Resolution No. 13/NQ-CP (“Resolution 13”) to approve the latest version of the draft Personal Data Protection Decree (“Draft PDPD”)—a draft which has not yet been made public.

Similar to Resolution No. 27/NQ-CP issued in March 2022 approving the previous version of the Draft PDPD (“Resolution 27”), Resolution 13 stipulates the different cases where data subjects’ consent is exempted for processing personal data. Most of these lawful bases are similar to those under Resolution 27—except for the fourth case, which is brand new—with some changes for better clarity.

According to Article 1 of Resolution 13, personal data can be processed without consent in the following five cases:

(1) The processing is to protect the life and health of the data subject or others in an emergency situation. Data Controllers, Data Processors, Parties Controlling and Processing Personal Data, and Third Parties are responsible for proving this case;

Remarks: Vietnamese law, including the prior published version of the Draft PDPD, has never used the terms “data controller”, “data processor,” and “parties controlling and processing personal data.” The inclusion of these terms suggests that the latest version of the Draft PDPD has adopted the GDPR-like concepts of “data controller” and “data processor.” However, until the latest version of the Draft PDPD can be assessed, it is uncertain how these concepts are defined and whether they are fully in line with GDPR definitions.

(2) The disclosure of personal data is in accordance with the law;

(3) The processing of data is performed by competent state agencies in the event of a state of emergency related to national defense, national security, social order and safety, major disaster, or dangerous epidemic; when there is a threat to security and national defense but not to the extent that a state of emergency must be declared; or when the processing is to prevent and combat riots and terrorism, crime, and law violations in accordance with law;

Remarks: This expands the list of situations where the data subject’s consent is exempted compared to a similar criterion in Resolution 27, which simply mentioned “national defense and security requirements.”

(4) The processing is to fulfill the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law;

Remarks: Under current legislation, consent is exempted when personal data is used for signing, modifying, or performing a contract to use information, products, and services in the network environment between the data subject and an IT/e-commerce trader/service provider. This basis for consent exemption is stipulated under the Information Technology Law and Decree 52 on E-Commerce.

This new basis under Resolution 13 has been broadened to include the processing of personal data for performing any types of contracts involving the data subject as a party. These contracts may include employment contracts and contracts for purchase of goods/services outside the IT/e-commerce context.

The Draft PDPD seems to have adopted the lawful basis under Article 6.1(b) of GDPR: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Interestingly, the basis of processing for “legitimate interests of the controller or third party” under the GDPR does not appear in Resolution 13. As the Vietnamese legislator has always refused to adopt this basis into the Vietnamese data protection regime, it is unlikely to be covered by the Draft PDPD.

The wording of this newly added criterion is rather broad and subjective. It is unclear what could be considered necessary to “fulfill the contractual obligations,” and whether this criterion could be interpreted broadly enough to cover “legitimate interests” of the employer/service provider when implementing contractual obligations with data subjects.

If there is no further guidance on this criterion, we believe that it would be open to the authority’s discretion in interpretation and the arguments of the parties on a case-by-case basis.

(5) The processing is to serve the activities of state agencies prescribed by sector-specific laws.

Remarks: Resolution 27 included the criterion “the processing is for competent state agencies’ investigation and handling of law violations,” which has been removed from Resolution 13. It could be argued, however, that this criterion under Resolution 13 is sufficiently broad to cover the same cases.

Review by the National Assembly

Following the issuance of Resolution 13, on February 8, 2023, the National Assembly’s Committee for Defense and Security held a plenary meeting to review and discuss the newly approved Draft PDPD. According to media reports recapping the discussion, most of the delegates attending the meeting believed that this version of the Draft PDPD had been prepared quite thoroughly, with due consideration of opinions contributed by other state agencies and the public during the consultancy phase. However, given the significance of the PDPD, which covers novel issues that have rarely been tested in practice, the Draft PDPD was still subject to extensive comments from the delegates in the meeting, and possible further review by the Committee for Defense and Security.

What’s Next for the Draft PDPD?

Resolution 13 approves the content of the government’s report on the Draft PDPD, the report on collecting and considering opinions of the Standing Committee of the National Assembly, and the content of the latest version of the Draft PDPD; and assigns the Minister of Public Security, on behalf of the government, to report on and consult with the Standing Committee on the Draft PDPD. This means the resolution works as direction and approval of principles for key issues so that the Ministry of Public Security can complete the Draft PDPD for the Standing Committee’s approval before its eventual promulgation.

According to Article 2 of Resolution 13, as the next step, the Minister of Public Security will have to consult the Standing Committee of the National Assembly on the new version of the Draft PDPD. No specific timeline for promulgation has been announced. Following the review session by the Committee for Defense and Security, the Ministry of Public Security will need to consider the opinions of the delegates in the session and update the Draft PDPD accordingly, before submitting it to the Standing Committee.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice