
Vietnam: HIGHLIGHTS OF DRAFT LAW ON PERSONAL DATA PROTECTION

Wednesday, October 16, 2024

We have published a newsletter on the highlights of the draft law on personal data protection in Vietnam. To view the PDF version, please click the following link.

HIGHLIGHTS OF DRAFT LAW ON PERSONAL DATA PROTECTION

 

<HIGHLIGHTS OF DRAFT LAW ON PERSONAL DATA PROTECTION>

15 October 2024
One Asia Lawyers Vietnam Office

I. Introduction

On April 17, 2023, Vietnam took a significant step toward safeguarding personal data with the promulgation of Decree No. 13/2023/ND-CP (“Decree 13”). This was the nation’s first legal normative document specifically addressing personal data protection.
In September 2024, the Ministry of Public Security took the next step by introducing a Draft Law on Personal Data Protection (“PDPL Draft”), which is expected to take effect in 2026.
Let’s glance through the highlights below for a glimpse of Vietnam’s orientation in this field.
Stay tuned for updates as Vietnam continues refining its personal data protection landscape!

II. Highlights in the PDPL Draft on Personal Data Protection

1. Detailing the personal data protection obligations in various business sectors

While Decree 13 sets out sector-specific personal data protection obligations only for marketing and advertising services[1], the PDPL Draft also addresses other business sectors, with specific compliance rules on personal data processing activities, as follows:[2]

● Cloud Computing

  • Add a personal data protection clause to the cloud service contract (if any).


● Labor Recruitment and Supervision

  • Foreign companies recruiting Vietnamese employees in Vietnam must (i) Comply with Vietnamese personal data protection laws and (ii) Have written agreements with the investing company regarding the processing of employee data.
  • The company may only apply technological and technical monitoring measures during the employees’ work if the employees are fully aware of and agree to the monitoring.


● Finance and Banking

  • Do not buy, sell, or unlawfully transfer credit information, or send clear copies of financial and credit data between institutions.
  • Credit information assessment results for the data subject must be in the form of Pass/Fail, Yes/No, True/False, or a scoring scale based on data collected directly from customers by financial institutions.


● Execution of contracts with individuals

  • Add content related to personal data protection to service contracts with individuals, including employment contracts.


● Location data

  • Tracking through radio frequency identification (RFID) tags and other technologies shall not be applied unless there is clear consent from the data subject or a legal requirement.


● Social media, and over-the-top (OTT) services

  • Foreign social media providers and OTT service providers must protect the personal data of Vietnamese individuals when operating in the Vietnamese market.
  • Requesting a photo of the citizen ID or ID card as a factor for account verification is not allowed.


● Big Data/Artificial Intelligence/Health and Insurance/Biometrics

In short, with the exception of Artificial Intelligence, which may operate under an opt-out regime, the PDPL Draft mandates that all other sectors adhere strictly to an opt-in regime.

2. Promulgating the requirement of the Data Protection Officer (“DPO”)

In Decree 13, the DPO is vaguely mentioned as a person or department in charge of sensitive personal data protection without specifying the requirements[3].
The PDPL Draft introduces and defines, for the first time, some crucial concepts related to the DPO, together with the respective standard requirements.

One notable area of ambiguity in the PDPL Draft is its silence on which entities are obliged to appoint a DPO and whether they must hire a DPO Expert.

However, the PDPL Draft allows the use of outsourced DPO services through a DPO Service Organization.

 
| DPO concepts | Personal Data Protection Expert (in Vietnamese: Chuyên gia bảo vệ dữ liệu cá nhân) (“DPO Expert”)[4] | Personal Data Protection Organization (in Vietnamese: Tổ chức bảo vệ dữ liệu cá nhân) (“DPO Organization”)[5] | Personal Data Protection Organization Business (in Vietnamese: Kinh doanh dịch vụ Tổ chức bảo vệ dữ liệu cá nhân) (“DPO Service Organization”)[6] |
|---|---|---|---|
| Subject | Individuals | Entities operating in technology, legal services, or consultancy related to technology or legal matters. | Same as DPO Organization |
| Education | Holds at least an associate degree in security, information safety, cybersecurity, or law. | Has at least 01 DPO Expert. | Same as DPO Organization |
| Certification | – Complete a course certifying sufficient legal and/or technological competency; – Obtain the respective DPO Certifications. | None | – Holds a personal data protection credit rating of at least “Satisfactory”. This credit rating shall be conducted by a professional credit rating enterprise.[7]; – Be licensed to provide the DPO services. |


In addition to the DPO Service Organization, the following related services are introduced for the first time in the PDPL Draft:

  • DPO Certification Organization[8]
  • Personal Data Protection Credit Ranking Organization[9]
  • Providers of personal data processing services[10]


All the new personal data protection services above fall under the conditional business list with sub-licenses and specified conditions, as provided in the PDPL Draft.

3. To-do list for each company under PDPL Draft.

The PDPL Draft states that both Vietnamese and foreigners within Vietnam’s territory are data subjects, whereas Decree 13 does not provide explicit regulation on this point.
Notably, the PDPL Draft clarifies the various circumstances in which personal data is considered to be transferred abroad through sharing personal data, sending it via email, disclosing it, or providing it, regardless of the purpose.[11]
In addition, the PDPL Draft requires updating the impact assessment report for personal data processing and the impact assessment report for transferring personal data abroad every 6 months and immediately upon the following events:[12]

  • Changes in the information about the Personal Data Protection Organization and the Data Protection Officer
  • When new business sectors or services arise
  • Upon the merger or dissolution of the company.


In essence, the PDPL Draft has no significant impact on ongoing PDPD compliance work under Decree 13 with respect to notification, the consent requirement, ensuring the 72-hour settlement of specified rights, and the dossiers for the personal data protection impact assessment and the outbound transfer impact assessment.

Finally, the PDPL Draft is expected to be finalized (and may be adjusted compared with this initial version) and to take effect on January 1, 2026. In the meantime, enterprises should continue the personal data protection compliance work provided in Decree 13, at least preparing for the essential regulations.

Please contact us for a personal data protection assessment tailored to your business.
We are dedicated to delivering valuable, cost-effective solutions that minimize disruptions to business operations and technical environments.

—–

[1] Article 21 Decree 13
[2] Articles 23 to 32 PDPL Draft
[3] Article 28.2 Decree 13
[4] Article 2.17 and Article 38 PDPL Draft
[5] Article 2.15 and Article 36 PDPL Draft
[6] Article 2.16 and Article 37 PDPL Draft
[7] Article 41 PDPL Draft
[8] Article 2.19 and Article 40 PDPL Draft
[9] Article 42 PDPL Draft
[10] Article 43 PDPL Draft
[11] Article 45 PDPL Draft
[12] Article 46 PDPL Draft