New Decree on Protection of Personal Data in Vietnam and Comparison with GDPR


On 17 April 2023, the Government issued Decree 13 on personal data protection (Decree 13/2023). Decree 13/2023 marks a significant milestone as the first comprehensive legal document that governs the protection of personal data in Vietnam. As compared to the draft decree on personal data protection (Draft Decree), Decree 13/2023 has been significantly improved to incorporate key aspects necessary to protect personal data to align with the General Data Protection Regulation (GDPR). In this post, we will discuss key issues under Decree 13/2023 while comparing it to the Draft Decree and GDPR. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.

1. Things to be done by 1 July 2023

Ideally, before 1 July 2023, both onshore and offshore entities involved in collecting and/or processing personal data of Vietnamese individuals or foreign individuals residing in Vietnam should do the following:

  • having proper consents from the relevant data subject (see 7);

  • if it is a data controller, having a contract with the relevant data processor (see 4);

  • determining whether it deals with basic personal data or sensitive personal data;

  • preparing and submitting an assessment of the impact of personal data processing to the Ministry of Public Security (MPS) (see 10);

  • preparing and submitting an assessment of the impact of offshore transferring personal data to the MPS (see 11);

  • setting up a system to protect the safety and confidentiality of the personal data which it collects or processes; and

  • setting up a personal data protection department and a data compliance officer if it deals with sensitive personal data.

Decree 13/2023 only exempts small and medium enterprises or start-ups from complying with certain requirements until 1 July 2025.

One key missing ingredient, though, is the potential penalty which may apply in case of non-compliance. As a result, Decree 13/2023 currently has no teeth in enforcing the above requirements. Unlike Decree 13/2023, the GDPR has clear penalties and fines applicable to violations of the GDPR.

General Obligations of A Foreign Company Conducting Business in Vietnam’s Cyberspace

Only a limited subset of foreign companies providing services in Vietnam’s cyberspace are subject to data localisation requirements in Vietnam under the recent Decree 53/2022. However, any foreign company providing services in Vietnam’s cyberspace will need to comply with other obligations under the Law on Cybersecurity 2018 and its implementing regulations. These obligations include, among other things, the following:

· To give warnings of the possibility of a loss of cybersecurity during use of the services in cyberspace provided by such enterprise and to provide guidelines on preventive measures;

· To formulate plans and solutions to quickly respond to cybersecurity incidents;

· To immediately deal with any security weaknesses or vulnerabilities, malicious codes, cyberattacks, cyber intrusions/infringements or other security risks;

· When a cybersecurity incident occurs, to immediately implement appropriate emergency plans and response measures, and at the same time provide a report thereon to the Cybersecurity Task Force of Vietnam;

· To apply technical solutions and other necessary measures to ensure security during the process of collecting information;

· To prevent the risk of revelation, damage to or loss of data;

Decree 53/2022 implementing the Law on Cybersecurity in Vietnam

In August 2022, the Government issued Decree 53/2022 to implement various provisions of the Law on Cyber Security 2018 (LCS 2018). We summarise below certain key points of Decree 53/2022:

  • Data localization: Decree 53/2022 provides more detailed guidance on data localization in Vietnam. Please see our separate blog on this issue here.

  • Using cryptography (“mật mã”) to protect network information: If necessary for national security, social safety and order, or protecting the legitimate rights and benefits of others, the authority could request related individuals/organizations to encrypt information not considered a State secret before storing or transmitting it on the Internet;

Decree 53/2022 - Further guidance on data localisation in Vietnam

Introduction

In August 2022, the Government issued Decree 53/2022 providing, among other things, further guidance on data localization requirements in Vietnam. Article 26.3 of the Law on Cyber Security 2018 (LCS 2018) provides for a general data localization requirement. However, due to the lack of implementing regulations, such provision has not been enforced in practice for several years. The new guidance under Decree 53/2022 will likely make the law enforceable in practice from 1 October 2022. In this post, we discuss some salient points of the data localization requirements under Decree 53/2022. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.