Vietnam: Government publishes Personal Data Protection Decree
The Government of Vietnam issued, on 17 April 2023, Decree No.13/2023/ND on the Protection of Personal Data ('PDPD'), following public consultation and the release of the first draft in February 2021. In particular, the PDPD highlights personal data protection responsibilities for:
- Vietnamese and foreign agencies, organisations, and individuals in Vietnam;
- Vietnamese agencies, organisations, and individuals operating abroad; and
- foreign agencies, organisations, and individuals directly participating in, or related to, personal data processing activities in Vietnam.
Further, the PDPD defines terms including 'basic personal data', 'sensitive personal data', 'personal data processing', 'personal data controller' and 'personal data processor', 'consent', and 'third party', among others. In addition, the PDPD outlines personal data processing principles, including lawfulness, transparency, purpose limitation, data minimisation, accuracy, confidentiality, accountability, and storage limitation. Likewise, the PDPD stipulates data subject rights, including the right to be informed, consent, access, opt-out, erasure, restriction of processing, object, data portability, complain, claim damages, and self-defence.
However, the PDPD also notes circumstances where personal data may be processed without the consent of the data subject, such as in cases where it is necessary to protect the life and health of the data subject, where disclosure is conducted in accordance with the law, and where processing is conducted to fulfil contractual obligations or in the event of a state of emergency. Moreover, the PDPD details further requirements for data subjects' consent regarding the advertisement of products, and the transfer, purchase, and sale of personal data.
More specifically, the PDPD outlines obligations for organisations processing personal data, including:
- providing privacy notices;
- conducting impact assessments for the processing of personal data and when transferring data personal data abroad;
- implementing organisational and technical measures and appropriate safety and security measures;
- recording and logging personal data processing;
- concluding a contract or agreement on data processing with data processors; and
- appointing personnel in charge of personal data protection when processing sensitive personal data.
Notably, the PDPD also specifies requirements for the processing of personal data of persons declared missing or deceased, children's personal data, and personal data obtained from audio and video recording activities in public places.
Finally, the PDPD clarifies that micro, small, medium-sized, and start-up enterprises have the right to choose to be exempted from the PDPD for the first two years of registration when establishing a business.
The PDPD enters into effect on 1 July 2023.
You can read the PDPD, only available in Vietnamese, here.