Vietnam has taken a significant step towards increasing the protection of personal data by implementing the 13/2023/ND-CP Decree on Personal Data Protection (“PDP Decree”), which came into effect on 1 July 2023. What does this mean for your business?
SMEs and startups benefit from a two-year grace period for the enforcement of specific provisions (provided they are not operating in the personal data processing business).
This legislation aims to ensure the privacy and security of data subjects in the digital age, and with it Vietnam is actively participating in the protection of data rights.
Find out more about its key provisions and implications below.
Scope of Application of the PDP
The PDP Decree has an extraterritorial application. It applies to all individuals and organizations involved in personal data processing activities in Vietnam, regardless of their nature or nationality.
New Definitions and Principles for Data Protection
The PDP Decree provides clarity by defining notions such as “basic personal data”, “sensitive personal data”, “data controller”, and “personal data processing”. By doing so, it distinguishes the different roles that data handlers have.
In addition, it introduces the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, confidentiality, accountability, and storage limitation, which must serve as guidelines when processing personal data.
Data Subject Rights
The PDP Decree expands the rights of data subjects in respect of the processing of their personal data, namely the right to give and withdraw consent, to access, update and erase their information, to be aware of data processing activities, and to object to data processing. Entities have the duty to respond promptly to such requests.
Consent for Data Sharing
The PDP Decree emphasizes the importance of obtaining data subjects’ consent for the collection and use of their personal data. It prescribes more detailed requirements on this matter.
Consent is valid only if data subjects are informed about the purpose, scope and duration of data processing activities and their rights and obligations, allowing them to exercise control over their personal data. The PDP Decree also describes situations where processing personal data is permitted without such consent.
Protective Measures
The PDP Decree requires businesses to implement internal security measures, e.g., encryption, access controls, and regular audits, to prevent personal data from being compromised.
Cross-Border Data Transfers
Under the PDP Decree, when transferring personal data abroad, transferors must gather the mandatory elements to prepare an impact assessment dossier, which is subject to inspection by the relevant authority. Organizations must also ensure that the recipient country has a satisfactory level of data protection.
The enforcement of the PDP Decree in Vietnam is expected to strengthen security and prevent data breaches that may affect data subjects’ rights and interests, and therefore enhance trust when using or collecting personal data.
You can talk with us to mitigate any risks related to personal data protection in Vietnam.