Key Updates on the Vietnam Decree of Personal Data Protection

The Vietnamese government has recently rolled out the Decree of Personal Data Protection (13/2023/ND-CP) on April 17, 2023 which will comes into effect on July 1, 2023. The government recognizing the significance to safeguard the privacy and security of personal information has introduced a raft of changes in the abovesaid decree. The decree aims to offer a comprehensive protection by compiling all the relevant provisions regarding personal data protection contained in 19 different legislations. In this article, we will navigate through the piece of legislation and highlight the notable changes brought by the decree.

The scope of the said decree applies to all individual, organizations and entities which are involved in collecting, utilizing and processing personal data within the territory of Vietnam. Furthermore, the decree has defined the term ‘Personal Data’ and further classified the differences between ‘basic personal data’ and ‘sensitive personal data’, a breach of ‘sensitive personal data’ would directly jeopardized the right and interest of an individual. The decree has provided a non-exhaustive list to clarify the particulars which considered as ‘sensitive personal data’. It imposes a rigorous standard of protocol to protect the abovesaid ‘sensitive personal data’.

Besides that, the decree has specified the prohibition to sales and purchase of personal data in any form. This initiative is to tackle the issue of identity theft and unauthorized intrusive advertising which has been rampant throughout the recent years. In addition, the decree has attempted to outline the individual rights of data subjects which are as follows:

i) Right to access

ii) Right to be informed

iii) Right to delete data

iv) Right to complain, denounce and initiate legal proceedings and claim damages

v) Right to request provision of data

vi) Right to withdraw consent

vii) Right to object use or disclosure

viii) Right to restrict processing

On top of that, the decree goes on the regulate cross-border data transfer. It has listed down guidelines that must be adhered by the organisations/entities before they transferring data out of the territory of Vietnam. It requires them to undertake a ‘Data Transfer Assessment’, the Ministry of Public Security of Vietnam will conduct a review annually to ensure the organization/entities have adhered to the guidelines layout in the decree. If there is any breaches detected by the ministry, for example the transfer of data has violated the interest of the general public or national security, the Ministry is entitled to terminate the data transfer.

In a nutshell, the government’s effort to regulate the law regarding to personal data protection is undisputedly beneficial to the country. However, it is submitted that the decree has adopted wordings that are unnecessarily wide that make the decree vague and unambiguous. We anticipate that the relevant authorities will issue specific guidelines to rectify the abovesaid issue.