Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam have either introduced their jurisdiction’s first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are very much influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.
Below is a snapshot of China, India, Indonesia, Singapore and Vietnam national approaches to privacy prepared by our Asia data privacy task force.
- Chine – Personal Information Protection Law (PIPL)
- Inde – Digital Personal Data Protection Act (DPDPA)
- Indonesie – Personal Data Protection Law (PDPL)
- Singapour – Personal Data Protection Act (PDPC)
Our Asia data privacy task force. At DS Avocats, we have developed a strong expertise in data protection issues in Asia, enabling us to assist our clients in the development of their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European based headquarters and the local subsidiary in China, India, Indonesia, Singapore and Vietnam.
On 17 April 2023, the Government issued Decree 13/2013/ND-CP on Personal Data Protection (“DPDP”) providing a comprehensive and uniform approach to data protection in Vietnam. The DPDP took effect on 1 July 2023.
A combination between international trend and local governance
Heavily influenced by the GDPR, the DPDP provides a clearer definition of personal data (basic and to-be-considered sensitive ones), responsibility of organisations and individuals that process personal data, as well as the rights of individuals over their personal data.
Despite being influenced by the GDPR, the DPDP provides some unique provisions such as the prohibition of the sale and purchase of personal data through any means, unless otherwise provided by law. This is expected to have a huge effect on the activity of data brokers and other businesses engaged in commodification of personal data. The DPDP also does not recognise the principle of “legitimate interests”.
Children Personal Data Protection
Like the GDPR, the DPDP provides special protection for children’s personal data. However, there’s a difference between the laws in the age threshold for obtaining valid consent. In Vietnam, the DPDP requires the consent of a parent or legal guardian of children aged 7 or older (nothing on age verification), while the GDPR only allows individuals over 16 to give consent independently for processing of their personal data.
The DPDP states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data. Though, it remains unclear if the child himself/herself can revoke his/her consent and have his/her data deleted.
Requirements for Cross-Border Transfers of Personal Data
A Dossier of Impact Assessment for a Cross-Border Transfer of Personal Data is to be created before any cross-border transfer of data takes place. This Dossier must also be submitted to Department of Cybersecurity and Hi-Tech Crime Prevention (“DCHCP”) relative to the Ministry of Public Security (“MPS”) within 60 days of the date of processing of the data.
The Vietnamese Ministry of Public Security reserves the right to halt a personal data transfer if: (i) the transferred data is used for activities violating the national interest and security of Vietnam; (ii) the transferor does not comply with requests to supplement the impact assessment dossier; or (iii) there is an incident of leakage or loss of personal data of Vietnamese citizens—it seems this may be applied even if there is no fault of the transferor.
Implication for business
The DPDP regulates data protection in parallel to certain specific legal instruments also regulating data governance in Vietnam such as the Law on Cybersecurity (and its data localization requirements). It is critical for companies to understand and identify their new obligations under the DPDP and assess steps to be taken to comply with the DPDP.
Summary of the DPDP
| Legislation | Decree No. 13/2023/ND-CP dated 17 April 2023 on protection of personal data |
| Authority | Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) |
| Scope of application | Vietnamese individuals and organizations (including those operating offshore) and also to foreign entities operating in Vietnam, or directly engaging in or relating to personal data processing activities of Vietnamese citizens. |
| Parties involved in processing data | Personal data controller: organization or individual that decides purposes and means of processing personal data Personal data processor: organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller Personal data controlling and the processing entity: organization or individual that jointly decides purposes and means, and directly processes personal data |
| Definition of personal data | Information in the form of symbols, scripts, numbers, images, sounds or any other similar form in the electronic environment, which pertains to a particular individual or facilitates the identification of a particular individual. Personal data includes “basic personal data” and “sensitive personal data” |
| Personal data protection principles | 8 principles: 1. The personal data shall be processed as prescribed by law. 2. The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided for by law. 3. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Controlling And The Processing Entity and the Third Party. 4. The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law. 5. The personal data shall be updated and added for the processing purposes. 6. The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations against regulations on protection of personal data and prevention of loss, destruction or damage caused by incidents and use of technical measures. 7. The personal data shall be stored within a period of time that is appropriate for the processing purposes, unless otherwise provided for by law. 8. The Personal Data Controller and the Personal Controlling And The Processing Entity shall comply with the rules for data processing in accordance with the laws and prove their compliance. |
| Rights of the person concerned | 11 rights : 1. Right to be informed 2. Right to consent 3. Right of access to personal data 4. Right to withdraw consent 5. Right to erase personal data 6. Right to limit processing 7. Right to obtain personal data 8. Right to object to processing 9. Right to lodge a complaint and take legal action 10. Right to claim damages 11. Right to self-defense |
| Requirement for consent | The consent of the data subject shall be granted to all activities in the processing of his/her personal data, unless otherwise provided for by law The consent of the data subject is valid until the data subject has other decisions or the competent authority makes written request. The withdrawal of consent shall not affect the lawfulness of the processing to which consent was given before it is withdrawn. |
| Measures to ensure protection of personal data | General protection: Managing and technical measures from the parties relating to the personal data, plus the competent government. Additional measure for sensitive data: Assignment of data protection department and a data protection officer within the organization/entity |
| Impact assessment on data processing | The data controller, data processor, and data controlling and processing entity are required to prepare and report the application dossier for assessing the impact of personal data processing the MPS. Such dossier should be submitted to the DCHCP of the MPS within 60 days of the start of personal data processing. Any related updates or changes should also be reported. |
| Cross-border transfer of data and impact on assessment on overseas transfer | Definition of “cross-border transfer of data”: An act of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the SRV or using a location outside the territory of the SRV to process personal data of a Vietnamese citizen. To be specific: a. An organization, enterprise or individual transfers personal data of a Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the data subject; b. The personal data of a Vietnamese citizen is processed by automatic systems outside the territory of the Socialist Republic of Vietnam of the Personal Data Controller, Personal Data Controlling And The Processing Entity, Personal Data Processor for the purposes agreed upon by the data subject. Condition on cross-border transfer of data: • Data subject’s consent is obtained • A transfer impact assessment dossier is inspected and evaluated by DCHCP of the MPS (within 60 days of the transfer) • A written notification to the DCHCP must be submitted after the data is transferred successfully. |
| Breach notification | • Timeline: 72 hours from the time of breach event (lateness must be accompanied with explanation) • Authority to receive notification: DCHCP of the MPS |
| Penalties | • Discipline • Administrative sanction • Criminal punishment |
