More Clarity on Vietnam’s New Data Protection Requirements

At a conference organized by Vietnam’s Ministry of Public Security (MPS) on June 7, 2023, government officials provided more guidance on the recently issued Personal Data Protection Decree (PDPD), which is set to take effect on July 1, 2023.

Key takeaways included the following:

A national portal on personal data protection for online submission of notifications and registrations will be launched before July 1, 2023. The MPS also plans to issue templates for data processing impact assessments (DPIAs) and transfer impact assessments (TIAs) in the near future.
The PDPD requires data controllers, data processors, and data controller-processors to prepare a DPIA at the start of personal data processing. The MPS clarified that the DPIA is expected to be prepared and submitted once. Only changes to its content would require submission of an updated DPIA.
Both DPIAs and TIAs (which are for cross-border data transfers) must be prepared in Vietnamese.
Since the sale and purchase of personal data is strictly prohibited unless explicitly permitted by law, the MPS has handled approximately 14 cases involving unlawful trading of personal data, including sensitive data. Under the PDPD, sensitive data has a broader definition than under the GDPR (the European Union’s General Data Protection Regulation), and also includes location data, creditworthiness, and personal financial data.
Consent is not a legal basis for the trading of personal data, including sensitive data.
The 72-hour timeline for responding to a data subject’s request does not mean 72 working or business hours. Rather, it means 72 actual consecutive hours.
Any organization transferring the personal data of Vietnamese citizens outside of Vietnam must comply with the PDPD, regardless of the organization’s location.
For organizations incorporated overseas that must comply with the PDPD, there is no requirement to appoint a local representative (unlike the GDPR)—but appointment of a data protection officer (DPO) may be required.
As the enforcement for non-SMEs is fast approaching, businesses connected with personal data arising from Vietnam should familiarize themselves with the PDPD requirements and conduct a compliance gap analysis to ensure their PDPD compliance readiness.

By Tilleke & Gibbins, Vietnam, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact vietnam@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.