NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA: THE BASICS AND GUIDANCE ON PRACTICAL HANDLING

The issue of personal data processing is hotter than ever in this digital age, with a growing number of cases in which large conglomerates or even national governments are accused of using citizens’ personal data without consent. Vietnam is no exception to this trend.

On 17 April 2023, Decree No. 13/2023/ND-CP on personal data protection (PDPD) was officially issued by the Vietnamese Government. The long-awaited and controversial decree is set to be the first legal document with comprehensive regulations on both personal data and its protection in Vietnam. Apart from a grace period of 2 years for SMEs, after 1 July 2023 the PDPD will apply to all entities located in Vietnam and/or outside Vietnam but directly conducting activities in relation to the processing of personal data in Vietnam. We outline below some key terms and foundations of the PDPD:

I. The Basics: New Decree on Personal Data Protection and Cross-Border Provision of Data

1. Definition

Personal data means data about an individual in any form (symbol, letter, number, image, etc.), or relating to the identification or possible identification of a particular individual. Personal data comprises two tranches: (i) Basic personal data, which includes name, date of birth, blood type, marriage status and, most notably, data that reflects the activity or history of activity of an individual in cyberspace; and (ii) Sensitive personal data, concerning political opinion, health, financial details (credit history, income level…), social relationships and data considered by law as specific and requiring necessary security measures.

Personal data processing is broadly defined as one or more acts having an impact on personal data, including collection, record, analysis, storage, change, disclosure, access right, extraction, withdrawal, encryption, decryption, delivery, deletion, cancelation and other related acts.

Automatic personal data processing is defined as a form of personal data processing carried out by electronic means to evaluate, analyze and predict the activities of a specific person, such as habits, preferences, level of trust, behavior, location, trends, capacity and other circumstances.

Similar to the EU’s well-known General Data Protection Regulation, the PDPD introduces the concepts of “Personal data controller” and “Personal data processor”, as well as a whole new concept of “Personal data controlling and processing entity” (Entities).

Personal data controller refers to an organization or individual that decides purposes and means of processing personal data. Personal data processor refers to an organization or individual that processes data on behalf of the Personal data controller via a contract or agreement with the Personal data controller. Meanwhile, Personal data controlling and processing entity refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.

2. Consent and Exception

Generally, the PDPD strictly requires that a data owner give his/her consent prior to any processing and disclosure of such data, except in the five following limited cases:
• Under emergency situations to protect life and health of the data owner or others;
• Lawful disclosures;
• Processing by competent state authorities for national defense and security, disasters, fatal disease;
• Contractual obligations; and
• Activities of state authorities as stipulated under specified laws.

When consent to process personal data is requested, the data owner’s silence or unresponsiveness does not constitute approval. The data owner can agree to only a part of the request or approve the request with attached conditions. The data owner’s consent must be displayed in a format that is printable and copy-able in writing. Also, consent is only valid where the data subject clearly and voluntarily knows (i) the type of personal data to be processed; (ii) the purpose of data processing; (iii) the entities allowed to process personal data; and (iv) their rights and obligations.

With regard to sensitive personal data, the data owner must be fully informed of the nature of the data to be processed. In case of dispute, the burden of proof lies on the data processor.

3. Prior to any processing activity regarding sensitive personal data, the data owner must be notified, except when:

• The data owner knows and fully consents to the contents;
• The personal data is processed by the competent state agency with a view to serving operations by such agency as prescribed by law;
• The personal data shall be processed to protect the life and health of the data subject or others in an emergency situation;
• Disclosure of personal data is in accordance with the law;
• Processing of personal data by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and fight riots and terrorism, crimes and law violations according to the provisions of law;
• The personal data shall be processed to fulfill obligations under contracts of the data subjects with relevant agencies, organizations and individuals as prescribed by law;
• The personal data shall be processed to serve operations by regulatory authorities as prescribed by relevant laws;
• Competent agencies and organizations make audio and video recordings and process personal data obtained from audio or video recording activities in public places in order to protect national security, social order and safety, and the legitimate rights and interests of organizations and individuals as prescribed by law.

4. Personal data processors have an obligation to notify the data owner prior to their processing, except for the following:

• The data owner has fully agreed with the contents and activities of processing personal data;
• The personal data shall be processed to protect the life and health of the data subject or others in an emergency situation;
• Disclosure of personal data in accordance with the law;
• Processing of personal data by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and fight riots and terrorism, crimes and law violations according to the provisions of law;
• The personal data shall be processed to fulfill obligations under contracts of the data subjects with relevant agencies, organizations and individuals as prescribed by law;
• The personal data shall be processed to serve operations by regulatory authorities as prescribed by relevant laws.

5. Cross-border transfer of personal data of Vietnamese citizens must satisfy all following three conditions:

• The data owner has consented to the transfer;
• Original data is stored in Vietnam;
• Personal data transfer impact assessment records shall be provided by the Parties transferring data abroad (including Personal data controllers, Personal data processors and controllers, Personal data processors, third parties).

The PDPD requires the Entities to make available and submit the dossier on personal data protection impact to the Department of Cyber Security and High-Tech Crime Prevention in case of processing personal data and transferring personal data abroad within a timeframe of 60 days from the processing date. While it is clearly a new obligation applicable to the Entities, the implementation of such obligation is anticipated to be time-consuming for both organizations and relevant state authorities.

6. Penalties for violation of personal data protection rules:

• Monetary fines range from VND 50 million to VND 100 million;
• Penalties under Criminal Code;
• Additional penalties: suspension of the processing of personal data for up to 3 months, deprivation of the right to use written consent issued by the Personal Data Protection Committee to process sensitive personal data and transfer data across borders, and forcible payment of money gained from committing acts of violation.

Multiple violations of personal data protection regulations by a personal data processor in Vietnam can result in a maximum penalty of 5% of total revenue of the data processor in addition to the aforementioned penalties.

II. Vietnam’s Commitments under the EVFTA and the CPTPP

Data protection and related issues play an important part in shaping the digital economy. The PDPD is one of several legal instruments that have been developed in Vietnam so that it can be more aligned with international standards. The PDPD is the first consolidated set of regulations concerning personal data protection.

Vietnam’s commitments on data privacy under the CPTPP are mainly discussed under Chapter 14 (E-commerce). Article 14.11 provides that data must be allowed to be transferred cross-border, except where preventing such transfer would serve a legitimate public policy objective, provided that the measure “is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and does not impose restrictions on transfers of information greater than are required to achieve the objective.” Article 14.13 imposes the same conditions on data localization on each party to the agreement.

While Chapter 8 of the EVFTA covers issues of trade, services, and e-commerce, it does not contain any immediate commitments on issues of e-commerce, data protection, or data localization other than that it calls for the formation of a committee to develop unified principles and regulatory regimes as far as these are concerned.

III. Preliminary Guidance on Practical Handling

The PDPD provides several obligations of the party processing and disclosing personal data, thus it is critical for employers/ enterprises (the “Employer” or “Enterprise”) to consider and adopt all those obligations into its internal rules and contracts/ agreements with third parties.

1. Internal Labor Rules and Labor Contracts

It is required for the Employer to adapt all relevant obligations in relation to personal data over its employees, staff, directors, etc. as well as those in relation to the Employer’s customers, members and their staff into the Employer’s internal labor rules/ codes and collective labor agreement (if any). This is to ensure that its employees and staff shall comply with those personal data related obligations.

Otherwise, there is a very high risk that the Employer shall be fully responsible for the unpermitted processing and disclosing made by its employees without necessary tools to address such violations. In addition, it is advisable to state clearly in the labor contracts with the employees that they must comply with requirements on personal data protection promulgated by the Employer and the applicable law.

In addition, it is advisable to negotiate and agree with the employees in the relevant labor contracts on the possible processing by the Employer of such employees’ personal data for the purpose of employment, such as tax information, CVs, health information, etc. This would very likely prevent future claims from the Employer’s employees over unpermitted processing of employees’ personal data. We will advise in detail if desired subject to the final Decree.

2. Contract/ Agreement with Customers/ Members

It is advisable for the Enterprise and Employer to consider, renegotiate and update all current and future contracts/agreements between the Enterprise and its customers/members so that the Enterprise and Employer are entitled to disclose/process a specific list of personal data and the customers/members agree to give consent for such disclosure/processing. The Enterprise should, with our support if desired, build a clear list and procedure for collecting, storing, disclosing and otherwise processing personal data of customers/members.

***
Please do not hesitate to contact Dr. Oliver Massmann at omassmann@duanemorris.com if you have any questions. Dr. Oliver Massmann is the General Director of Duane Morris Vietnam LLC.

PUBLIC PROCUREMENT IN VIETNAM – WHAT YOU SHOULD KNOW:

1. What are the three central/federal government entities that have conducted the largest procurements by volume in Vietnam in the last three years? Please, list the three procuring entities in the order of importance.
In my experience, the three largest procuring entities are Ministry of Health, Ministry of Industry and Trade, Ministry of Transport.

Procuring Entity Sector – Ministry of Health
1.1 Please identify the most common sector purchased by the procuring entity
Goods

Procuring Entity Sector – Ministry of Industry and Trade
1.1 Please identify the most common sector purchased by the procuring entity
Goods

Procuring Entity Sector – Ministry of Transport
1.1 Please identify the most common sector purchased by the procuring entity
Works

1.2 Is any of the three procuring entities that you have selected a State-Owned Enterprise or an Independent Authority?
Yes

1.3 Does any of these SOEs or Independent Authorities have a specific public procurement regulatory framework compared to the other centralized/federal procuring entities?
Yes

2. Please provide a list of laws, regulations, and other binding materials (including guidelines and manuals) that regulate public procurement in Vietnam.
• Law No. 43/2013/QH13 on Bidding (Law on Bidding)
• Law No. 49/2014/QH13 on Public Investment
• Law No. 64/2020/QH14 on Investment in the form of Public – Private Partnership
• Law No. 03/2022/QH15 amending and supplementing some articles of the Law on Public Investment, Law on Investment in the form of Public-Private Partnership, Law on Investment, Law on Housing, Law on Bidding, Law on Electricity, Law on Enterprises, Law on Special Consumption Tax and the Law on Execution of Civil Judgments.
• Decree No. 95/2020/ND-CP guiding the procurement under the Comprehensive and Progressive Agreement for Trans-Pacific Partnership
• Decree No. 09/2022/ND-CP amending and supplementing some articles of Decree No. 95/2020/ND-CP guiding the implementation of procurement under the CPTPP, the EVFTA and the UKVFTA
• Decree No. 63/2014/ND-CP detailing the implementation of several provisions of the Bidding Law on the selection of contractor
• Decree No. 25/2020/ND-CP detailing the implementation of several provisions of the Bidding Law on the selection of investors
• Decree No. 21/2022/TT-BKHDT detailing the preparation of bidding documents for non-consulting services for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Decree No. 20/2022/TT-BKHDT detailing the preparation of bidding documents for consulting services for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Circular 09/2022/TT-BYT detailing the sample invitation to bid for procurement of herbal ingredients and traditional medicines at public health facilities
• Circular 12/2022/TT-BKHDT detailing the preparation of bidding documents for the procurement of goods for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Circular No. 15/2022/TT-BKHDT detailing the preparation of bidding documents for construction and installation for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Circular 08/2022/TT-BKHDT detailing the provision and posting of information on bidding and contractor selection on the National Procurement Network System
• Circular No. 09/2022/TT-BGTVT guiding some contents on methods and criteria for evaluating bids for investor selection under the public-private partnership method and the form of a build-operate-transfer contract in the transport sector
• Circular No. 23/2021/TT-BGTVT guiding the formulation, approval and publication of the list of projects; methods and criteria for evaluating bids and bidding for selection of investors in specialized aviation service works at airports and aerodromes
• Circular 22/2021/TT-BGTVT detailing methods and criteria for evaluating bids to select investors to implement projects on dredging seaport waters and inland waterways in combination with product recovery
• Circular No. 06/2020/TT-BKHDT guiding the implementation of Decree No. 25/2020/ND-CP detailing the implementation of a number of articles of the Law on Bidding on investor selection
• Circular 15/2020/TT-BYT promulgating the List of drugs for bidding, the List of drugs for concentrated bidding, and the List of drugs eligible for price negotiation.
• Circular No. 14/2020/TT-BYT promulgating some contents in bidding for medical equipment at public medical facilities
• Circular 15/2019/TT-BYT regulating on drug bidding at public health facilities
• Circular No. 10/2015/TT-BKHDT detailing the contractor selection plan
• Circular No. 19/2015/TT-BKHDT detailing the preparation of appraisal report during the contractor selection period
• Circular No. 23/2015/TT-BKHDT detailing the preparation of evaluation report of bid dossier
• Circular No. 16/2016/TT-BKHDT guiding the preparation of pre-qualification dossier, bidding dossier for the investor carrying land use projects

3. Specific instruments applicable to a sector (goods, services or works):
• Decree No. 21/2022/TT-BKHDT detailing the preparation of bidding documents for non-consulting services for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Decree No. 20/2022/TT-BKHDT detailing the preparation of bidding documents for consulting services for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Circular 09/2022/TT-BYT detailing the sample invitation to bid for procurement of herbal ingredients and traditional medicines at public health facilities
• Circular 12/2022/TT-BKHDT detailing the preparation of bidding documents for the procurement of goods for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Circular No. 15/2022/TT-BKHDT detailing the preparation of bidding documents for construction and installation for bidding packages within the scope of the CPTPP, the EVFTA and the UKVFTA
• Circular No. 23/2021/TT-BGTVT guiding the formulation, approval and publication of the list of projects; methods and criteria for evaluating bids and bidding for selection of investors in specialized aviation service works at airports and aerodromes
• Circular 22/2021/TT-BGTVT regulating on methods and criteria for evaluating bids to select investors to implement projects on dredging seaport waters and inland waterways in combination with product recovery
• Circular 15/2020/TT-BYT promulgating the List of drugs for bidding, the List of drugs for concentrated bidding, and the List of drugs eligible for price negotiation.
• Circular No. 14/2020/TT-BYT promulgating a Circular stipulating a number of contents in bidding for medical equipment at public medical facilities
• Circular 15/2019/TT-BYT regulating on drug bidding at public health facilities

4. Does the regulatory framework establish value thresholds for determining procedural or regulatory aspects of the procurement process?
Yes (Articles 2.2 and 3.2, Law on Bidding)

5. Is there an operational central electronic public procurement (e-procurement) portal in Vietnam?
Yes (https://muasamcong.mpi.gov.vn)

6. Is the central e-procurement portal used by all the procuring entities?
Yes

7. Please complete the table below based on the features available in the central electronic public procurement portal
Yes, fully digitized Yes, but hard copy documents must be submitted No

Registering as a vendor x
Accessing notices on procurement opportunities x
Accessing bidding documents x
Asking a procuring entity for clarifications x
Submitting tenders x
Submitting bid security with electronic validation x
Bid opening x
Virtual workspace to manage tender procedures (including operative tools for members of the evaluation committee) x
Notification of decisions (clarifications, awards, contract signing, etc.) x
Accessing award decisions (including their rationale) x
Submitting performance guarantee with electronic validation x
Contract signing x
Accessing contracts x
Accessing contract amendments x
Submitting invoices to the procuring entity x
Module for framework agreement management x
E-catalogue of approved suppliers x
Green catalogue x
E-reverse auction module x
E-contract management and implementation module x
Receiving payments from the procuring entity x
Applying for vendor eco-certifications/eco-labels x
Access to specifications, standards, or criteria for eco-labels and environmentally preferable goods and services x

8. Are the features supported by the central e-procurement portal available for procurements of goods, works, and services?
Yes

9. For the following types of data, please select if there is a data portal that provides open access to such information in machine readable format:
Yes No
Data on tenders (including description, dates, category of spending, estimated value, contracting authority, and identification of bidders) x
Data on tenders (including description, dates, category of spending, estimated value, contracting authority, and identification of bidders) x
Data on suppliers x

10. Link to the webpage with data
https://muasamcong.mpi.gov.vn/web/guest/contractor-selection?render=index

11. Are there any main procuring entities for which data on contracts and tenders is not published on the open access data portal?
No.

12. Are gender-disaggregated data on firms that have participated in tenders collected by the central e-procurement portal?
No.

13. Does the regulatory framework require procuring entities to use standard bidding/tender documents when preparing a tender?
Yes, but with some exceptions.

14. Circumstances in which the use of model bidding/tender documents is not required.
Based on sector of procurement (Article 4, Circular No. 08/2022/TT-BKHDT)

15. Do these standard bidding documents contain sustainability clauses?
Yes, in all model documents

16. Does the regulatory framework define minimum content requirements for procurement plans?
Yes. (Article 35, Law on Bidding)

17. Do the minimum content requirements for procurement plans include a gender dimension?
No.

18. According to the regulatory framework, which of the following tools must be used when a procuring entity prepares to estimate the contract value of the new procurement opportunity?
Regulations are silent on this matter

19. Is there a legal mandate for the development and implementation of special programs to engage innovative and emerging suppliers?
No.

20. Does the regulatory framework establish open procurement as a default method for tendering a contract?
Yes, but with some exceptions.

21. Circumstances in which exceptions to the general rule of using open procurement are provided in the regulatory framework.
Based on the value of procurement and based on the entity conducting the procurement (Articles 21, 22, 23, 24, 26, 26, Law on Bidding)

22. Does the regulatory framework designate specific tendering procedures for innovation procurement?
No

23. Does the regulatory framework provide incentives for preparing bids with environmentally-friendly components?
No.

24. Does the regulatory framework impose any participation or award restrictions on foreign firms?
Yes, in some public tenders

25. If the restrictions apply only in some public tenders, please identify the parameter in which these restrictions are applicable:
Sector (Article 15, Law on Bidding).

26. Does the regulatory framework require foreign firms to have partnerships with domestic firms to be eligible to participate in a tender?
Yes, in some public tenders (Article 5.1(h), Law on Bidding)

27. Does the regulatory framework require foreign firms to own (fully or partially) subsidiaries in the domestic economy to be eligible to participate in a tender?
No. (Article 5.1, Law on Bidding)

28. Does the regulatory framework prohibit splitting contracts for the purpose of circumventing thresholds for open tendering?
Yes (Article 89.6(k), Law on Bidding)

29. According to the regulatory framework, which of the following documents need to be made publicly available?
Yes, for all contracts Yes, except for low value contracts No
Procurement plans x
Tender notices x
Tender documents (project specific) x
Award decisions Yes x
Contracts x
Contract amendments x
Subcontractors x

30. Please provide the legal basis for all the key materials listed in the table above:
Article 8, Law on Bidding; Article 9, Law on Investment in the form of Public – Private Partnership

31. Does the regulatory framework set a minimum timeframe between advertisement of a tender notice and a submission deadline?
Yes, for all procurement procedures (Article 12.1(b), Law on Bidding)

32. According to the regulatory framework, how should clarification requests from potential bidders be communicated?

Required to communicate answers to all bidders (Article 77.1, Law on Bidding; Article 51.4, Decree No. 35/2021/ND-CP; Article 14.2(c), Decree No. 63/2014/ND-CP)

33. In practice, how many days would usually pass between bid opening, and contract signing (i.e., the time in which all tenderers, participants and relevant parties are notified of the award decision and the awardee can start implementing the contract) for the following scenarios:
Days to complete a procurement of a works contract in an open procedure valued above the threshold for international procurement: 210
Days to complete the procurement of a services contract in a restricted procedure with limited competition, valued below the threshold for international procurement: 210
Days to complete the prequalification of supplier: 0
Days to complete an electronic auction: 45
Days to complete a Framework agreement with a competitive second stage: 0

34. Does the regulatory framework establish criteria for identifying abnormally low bids?
Yes, but only in some procurement procedures (Articles 117.6 and 117.9, Decree No. 63/2014/ND-CP)

35. According to the regulatory framework, which award criteria must be used in bid evaluations for high-value procurement?
Lowest price, Project life cycle cost, Total cost of ownership, Value for money, Most economically advantageous tender, Sustainability (Article 12, Decree 63; Articles 39 – 41, Law on Bidding)

36. Please indicate whether Lowest price must be used for some or all procurement sectors.
No, applicable to some.

37. Please indicate whether Project life cycle cost must be used for some or all procurement sectors.
No, applicable to some.

38. Please indicate whether Total cost of ownership must be used for some or all procurement sectors.
No, applicable to some.

39. Does the regulatory framework explicitly recommend the preference to use Most Economically Advantageous tender criteria over lowest price criteria?
Yes, but only in some procurement procedures.

40. According to the regulatory framework, should the procuring entity provide a reference price in tender documents?
Yes, but only in some procurement procedures.

41. Does the regulatory framework include gender-specific provisions that promote gender equality in public procurement?
Yes (Article 14.3, Law on Bidding)

42. Does the regulatory framework outline a designated procedure for awarding contracts based on a framework agreement where contracts are awarded following a competitive two-stage process?
No, only one stage is competitive (Article 65, Law on Bidding)

43. Which of the small and medium-sized enterprise preferential treatment approaches are included in the regulatory framework?
None (Article 6 Decree No. 63/2014/ND-CP, Article 14.2.c Bidding Law)

44. Does the regulatory framework mandate communication of an award decision?
Yes, to all bidders (Articles 42.3, 43.2, 11.8(d), 11.8(dd), Law on Bidding)

45. Is there a mandatory standstill period between the public notice of award and contract signing to allow unsuccessful bidders to challenge the decision?
No.

46. Does the regulatory framework establish a timeframe within which a procuring entity must process a payment once an invoice is received?
Yes, for all contracts (Articles 94, 95, 96, 97, 98, Decree No. 63/2014/ND-CP)

47. Does the regulatory framework allow firms to claim interest on late payments (or any similar contractual penalty) if the government does not pay within the legally established timeframe?
Yes (Article 94.1, Decree No. 63/2014/ND-CP)

48. How often does the government pay late payment interest (or any similar contractual penalty) in the event that it fails to meet the payment deadline?
Government often pays late payment interest.

49. Does the regulatory framework designate a specialized and independent authority to receive procurement challenges filed by firms on decisions issued by the procuring entities?
Yes, specialized (Articles 91 and 92, Law on Bidding)

50. Does an aggrieved bidder have the right to appeal decisions on challenges made by the authority that receives procurement challenges?
Yes (Articles 92.1(c), 92.2(c), 92.3(c), 92.4(c), Law on Bidding)

51. Are there any legally binding time limits to resolve a procurement challenge?
Yes, for all types of challenges (Article 92, Law on Bidding)

52. Is there a legal recourse for an aggrieved bidder experiencing delays in either challenge or review processes?
Yes, for all types of challenges (Articles 91.1(b) and 91.2, Law on Bidding)


© 2009-2025 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.