VIETNAM’S NEW LAW ON DATA PROTECTION
With its upcoming personal data protection law, Vietnam is poised to follow the worldwide trend towards stricter data protection rules. The rule, primarily influenced by the General Data Protection Regulation of the EU (GDPR), will contain new cookie authorization requirements for organisations operating in Vietnam. Vietnam released its long-awaited, extensive information security law, Resolution No. 13/2023/ND on the safeguarding of personal data (Decree), on April 17, 2023. The decree will go into force without a transition period on July 1, 2023. The decree pertains to all Vietnamese and international companies operating in Vietnam or undertaking data processing operations in Vietnam.
In this blog, we will discuss the main provisions of Vietnam’s data protection decree.
TO WHOM THE NEW LAW APPLIES:
Before moving on to the provisions, let’s check to whom this legislation applies:
any Vietnamese agency, organisation, or individual;
any overseas agency, organisation, or individual in Vietnam;
any Vietnamese agency, organisation, or individual operating internationally; and
any external agency, organisation, or individual processing personal data in Vietnam.
PRINCIPLES SET FORTH BY THE LAW
The Decree is based on eight personal data processing principles, which are as follows:
3. Objective limitation
4. Minimising information
6. Honesty, secrecy, and safety
7. Retention constraints
DEFINITION OF BASIC PERSONAL DATA AND SENSITIVE PERSONAL DATA
The Decree defines “basic personal data” and “sensitive personal data” and sets out in detail what each category includes. Basic personal data specifically comprises an individual’s:
a. full name, middle name, birth name, and any other names (if any);
b. date of birth and the date they might have died or gone missing;
c. sexual orientation;
d. place of birth, place of birth registration, place of either permanent or interim residence, hometown, address;
e. country of origin;
f. telephone number, national identification number, and health insurance card number;
g. marital status;
Sensitive personal data, on the other hand, is any information about an individual that, if breached, will directly harm that individual’s fundamental interests and rights, including their:
1. political and religious beliefs;
2. health status and medical records (except blood type);
3. racial or ethnic origin;
4. inherited or acquired genetic features;
5. physical and biological features;
6. sex life and gender identity;
7. criminal records;
8. information held by financial institutions, international financial institutions, payment intermediary providers, and other authorised organisations; and
9. geographic location information identified through
TRANSFER OF DATA INTERNATIONALLY
Transferring sensitive information about Vietnamese nationals overseas requires an appropriate impact assessment, which includes a description of the reasons for and aims of transmitting the data outside Vietnam, and the data subjects’ necessary consent. A documented data transfer contract with the foreign company receiving the data must also be included in the impact assessment. Dossiers, including impact assessments, must be accessible for review inside the organisation. Within 60 days after the date of personal data processing, one copy must be given to the Minister of Public Security. The PDPD provides the form necessary for this sort of impact assessment. Organisations must additionally update their impact assessments in the event of modifications and provide updated information to the Department of Public Security. In the event of non-compliance with the PDPD, the Department of the Ministry of Public Security has the authority to inspect data transfers overseas and may prevent additional transfers.
MANDATORY BREACH NOTIFICATION REQUIREMENT
If an organisation discovers a violation of any of the Decree’s stipulations, it must inform the Ministry of Public Security, the Ministry of Cybersecurity, and High-Tech Enforcement (AO5) within 72 hours of the occurrence, using Form No. 03, which is an Appendix to the Decree. Any late notice must be accompanied by an explanation.
The letter of notification must consist of:
1. a description of the nature of the incident, including the time, location, nature, participants involved, and types and amounts of data regarding individuals affected;
2. the contact information for a data protection officer;
3. the potential consequences of the breach; and
4. any corrective actions taken.
This notification might be given in stages.
Organisations have to conduct an individual data security impact assessment within sixty days of the beginning of data processing. This must be completed in line with the PDPD form, which includes details regarding the data processor and the data control-cum-processor. The Ministry of Public Safety (Department of Security and Modern Technology Crime Prevention and Prevention) will evaluate the effect assessment. If the scope of private information processed by organisations changes, the impact assessment must be amended or updated.
OTHER NOTABLE PROVISIONS
1. There are distinct provisions for marketing and advertising data processing. These operations, in particular, require the data subject’s consent, provided that the data subject is aware of the goods being sold and the content, manner, structure, and regularity of such advertisement or marketing.
2. According to the Decree, Vietnam is going to create an international cooperation mechanism to facilitate the effective enforcement of personal data protection laws as well as engage in bilateral legal support in the safeguarding of particular data of other nations, including potential investigation assistance as well as data exchange with other governments.
3. The Decree seems to impose certain responsibilities on data subjects, such as protecting their own private information, protecting the data of others, and cooperating in preventing and bringing charges for any violations.
To summarise, the Decree will surely have substantial and broad implications for firms with operations or a corporate presence in Vietnam since it is the republic’s first comprehensive privacy regulation that will apply to every manner of private information processing in Vietnam. What’s more, the effective date of July 1, 2023, and the lack of a grace period leave impacted firms with little time to plan for compliance. The extensive impact evaluations and cross-border transfer documents needed by the decree are especially noteworthy because they will almost certainly take a long time to produce. Take the first step towards securing your organization’s data by scheduling a call with our privacy expert team at Tsaaro Consulting today.