Vietnam: A focus on outbound data transfer under the newly issued personal data protection regulations
It has been almost 60 days since the enactment of the Vietnam Government's Decree No. 13/2023/ND-CP on the Protection of Personal Data (PDPD), the country's first comprehensive legislative instrument governing personal data protection, and thus the deadline for outbound data transfer impact assessments (OTIA) submissions is approaching. By adopting the PDPD's broad extraterritoriality, Vietnam's Government has set a bold goal to effectively safeguard Vietnamese citizens' rights and interests over their personal data. Therefore, businesses, particularly multinational corporations frequently involved with the international transfer of personal data, must be aware of how the PDPD regulates their transfer activities.
This Insight article provides a comprehensive look at the outbound transfer of personal data, and related requirements, including the matters necessary for the compilation of OTIA, as well as differences between OTIA and data processing impact assessments (DPIA) under the PDPD, allowing businesses to take note of some key compliance takeaways.
Outbound data transfer
Under the PDPD, outbound data transfer is the act of using cyberspace, electronic devices, equipment, or other means to transfer the personal data of a Vietnamese citizen to a location outside the territory of Vietnam or using a location outside the territory of Vietnam to process personal data of a Vietnamese citizen. This includes the following cases:
- organizations, enterprises, or individuals transfer the personal data of Vietnamese citizens to overseas organizations, enterprises, or their management departments for processing in accordance with the purposes for which a Vietnamese citizen has consented; and
- processing personal data of a Vietnamese citizen using automated systems located outside the territory of Vietnam by data controllers, data processor-controllers, or data processors in accordance with the purposes for which such Vietnamese citizen has consented.
The PDPD limits the scope of data subjects and personal data to be safeguarded to Vietnamese citizens (bearing Vietnamese nationality) and their personal data only. As a result, the international transfer of personal data of non-Vietnamese individuals is not considered to fall within the scope of outbound data transfer under the PDPD.
The PDPD provides for two models of outbound data transfer: overseas transfer of personal data from a Transferor to an offshore Transferee, and overseas transfer of personal data to a data controller's or data processor's automated processing system located outside Vietnam.
In the former model, at least two main parties are involved, including a Transferor and a Transferee, with the transferee being offshore. For instance, a Vietnamese subsidiary of an Italian company transfers its Vietnamese employees' personal data to its Italian headquarters for processing under the parent company's global HR management system.
On the other hand, in the latter model, the involvement of both the Transferor and the Transferee is not necessary, as long as the personal data is transferred (even by data subjects) to and processed in the data controller's or data processor's automated system. In this case, the data controllers or the data processors are considered the Transferors. For instance, a UK company offering goods and services to Vietnamese users directly collects Vietnamese users' personal data during their use of an application and then processes it in a US-based server. In this case, the Transferee seems to be absent.
In its current state, the definition of outbound data transfer is not clear enough to address all cases of outbound data transfer, including subsequent international transfers of personal data. For example, continuing the Italian example above, it is not clear whether it would be considered an outbound data transfer under the PDPD if the Italian parent company further transfers the Vietnamese citizens' personal data stored in Italy to its data processor in France.
Conditions for outbound data transfer
To conduct an outbound data transfer, the Transferors, being data controllers, data processors, or third parties, must satisfy the following conditions:
- preparation of an OTIA dossier and compliance with OTIA-related requirements under the PDPD; and
- notifying the Department of Cybersecurity and Hi-tech Crime Prevention (A05) under the Ministry of Public Security of Vietnam (MPS) in writing of data transfer information, including contact details of in-charge individuals and/or organizations after completion of the transfer.
Outbound data transfer impact assessment (OTIA) and related requirements
The PDPD requires the Transferor to conduct an OTIA and comply with other OTIA-related requirements in all cases of outbound transfer of personal data without exception.
As a condition for outbound transfer, the PDPD mandates the Transferor to prepare an OTIA dossier having the following compulsory contents:
- information and contact details of the Transferor and Transferee;
- full name and contact details of the in-charge personal data protection department and individual of the Transferor;
- description and explanation of the objectives of the personal data processing activities of Vietnamese citizens after the transfer;
- types of personal data to be transferred outbound;
- description and statement on compliance with the PDPD;
- details of the applied measures for the protection of personal data;
- assessment of the impact of personal data processing; potential consequences, unwanted damage, and measures to reduce or eliminate such risk or damage;
- consent of the data subjects satisfying requirements under the PDPD on the basis of knowing clearly the mechanism for feedback and complaints when an incident or a demand arises; and
- a binding document showing the commitment and responsibility between the Transferor and the Transferee about personal data processing.
Form and language
The MPS has recently issued a set of prescribed impact assessment forms, including an OTIA form, that is available in the National Public Services Portal. The OTIA dossier must be submitted in writing and Vietnamese.
The recently issued form provides detailed guidance on the OTIA content; however, this guidance is not clear enough for businesses to understand and compile the OTIA content under the PDPD. Notably, the OTIA prescribed form requires some detailed information and impact assessments that might create significant burden to the Transferor to complete, including information and contact details of all third parties receiving the data (along with copies of the relevant contracts), as well as impact assessment involving various aspects of the outbound transfer (e.g., its impact on data subject's rights and benefits, economic impact, social impact, impact on administrative procedure, impact on the legal system, and impact on the national security of Vietnam).
The original OTIA dossier and enclosures must be submitted to A05 within 60 days from the commencement date of data processing. For businesses that conducted outbound transfer of personal data prior to July 1, 2023, they must complete the OTIA dossier and submit it within 60 days from July 1, 2023.
The Transferor may submit the OTIA dossier either in person at the A05 office, electronically via the National Portal on Personal Data Protection (to be announced by MPS soon), or by post to A05's address. Within 10 working days from the submission, A05 will confirm and provide the submission result to the Transferor.
If the OTIA is either incomplete or erroneous, MPS (A05) will require the Transferor to modify and/or supplement it accordingly within 10 days from the date of request.
For clarity, compiling an OTIA is not considered a registration obligation for the Transferor, but rather a necessity for the post-examination and management purpose of MPS. Nevertheless, for compliance purposes, where an entity plans to transfer the personal data of Vietnamese citizens overseas, it must ensure the duly and in-time submission of the OTIA dossier to MPS (A05) as discussed above. Although the PDPD does not require Transferees to compile an OTIA or follow any procedures to receive transferred personal data, they still must comply with other obligations vested in them, depending on their role after such receipt (e.g., as a data controller or data processor). This may include compiling and submitting the DPIA.
Update and resubmission
The Transferor must keep the OTIA up-to-date. In the event of any changes to the previously submitted OTIA, the Transferor must submit an updated OTIA dossier to MPS (A05) in the same method as the original submission.
Availability and inspection
The OTIA must always be available for examination and assessment by MPS (A05). Depending on the circumstances, the MPS will determine the inspection of outbound data transfers once a year. Additionally, the MPS will further conduct inspections in cases of violations of regulations on personal data protection or in cases of leakage or loss of personal data of Vietnamese citizens.
The MPS shall require the Transferor to suspend the transfer in the following cases:
- the transferred data is used in activities violating the interests and/or national security of Vietnam;
- the Transferor does not update or modify the OTIA when there are changes to the contents thereof, or per the request of MPS (A05); or
- there is a leakage or loss of personal data of Vietnamese citizens.
OTIA v. DPIA
Data controllers or data processors who process personal data safeguarded under the PDPD are required to compile a DPIA. Both the DPIA and OTIA are considered measures for MPS to manage and control data protection compliance in Vietnam. Although they share some similarities, such as the same management authority, formality, language, submission procedure, submission timeline, update, resubmission, and availability requirements, their requisite dossiers contrast in several material aspects, as shown in the table below.
Given the tight compliance deadline, businesses falling under the purview of the PDPD, particularly those heavily relying on personal data for daily operations, are recommended to take swift action to prepare the OTIA and submit it to MPS (A05) within the required time period to avoid any risks of being penalized. Furthermore, the Government of Vietnam is working on a third version of a draft decree on handling non-compliance with the PDPD requirements. The official enactment date of this decree remains uncertain, and the MPS (A05) might consider taking up more relaxed enforcement of the PDPD for a while so that the governed subjects are able to get themselves familiar with these new regulations, unless obvious and serious non-compliance is found.
Therefore, as a practical solution under the current situation, where the OTIA form requires a large amount of information and the submission deadline is forthcoming, businesses should prioritize the punctuality of submission and accept certain imperfections in their first OTIA dossiers.
 In addition to Vietnam-based entities, the PDPD applies to foreign entities (located outside Vietnam's territory) that directly participate in or relate to personal data processing in Vietnam. There is no official guidance on how to interpret the applicable regulations, so current perspectives are unofficial, including those on the processing of Vietnamese citizens' personal data. As this scope might be unrealistically broad, in practice, it appears that there is no way but to consider whether to comply with the PDPD in light of the degree of risks caused by the data processing.
 This is a unique actor compared to other jurisdictions. Under Article 2.11 of the PDPD, it means a data controller who directly process personal data. For the purpose of simplicity, unless otherwise emphasized, we treat this actor as data controller herein.