NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA: THE BASICS AND GUIDANCE ON PRACTICAL HANDLING

The issue of personal data processing is getting hotter than ever in this digital age, with an increasing number of cases in which large conglomerates or even national governments are accused of using citizens’ personal data without consent. Vietnam is no exception to this trend.

On 17 April 2023, Decree No. 13/2023/ND-CP on personal data protection (PDPD) was officially issued by the Vietnamese Government. The long-awaited and controversial decree is set to be the first ever legal document with comprehensive regulations on both personal data and its protection in Vietnam. Apart from a grace period of 2 years for SMEs, from 1 July 2023 the PDPD applies to all entities located in Vietnam, and to entities located outside Vietnam that directly conduct activities relating to the processing of personal data in Vietnam. We outline below some key terms and foundations of the PDPD:

I. The Basic: New Decree on Personal Data Protection and Cross-Border Provision of Data

1. Definition

Personal data means data about an individual in any form (symbols, letters, numbers, images, etc.), or data relating to the identification or possible identification of a particular individual. Personal data comprises two tranches: (i) Basic personal data, which includes name, date of birth, blood type, marital status and, most notably, data that reflects an individual’s activity or history of activity in cyberspace; and (ii) Sensitive personal data, which concerns political opinion, health, financial details (credit history, income level, etc.), social relationships, and any other data that the law treats as specific and as requiring necessary security measures.

Personal data processing is broadly defined as one or more acts having an impact on personal data, including collection, recording, analysis, storage, alteration, disclosure, granting of access, extraction, retrieval, encryption, decryption, transfer, deletion, destruction and other related acts.

Automatic personal data processing is defined as a form of personal data processing carried out by electronic means to evaluate, analyze and predict the activities of a specific person, such as habits, preferences, level of trust, behavior, location, trends, capacity and other circumstances.

Similarly to the EU’s General Data Protection Regulation, the PDPD introduces the concepts of “Personal data controller” and “Personal data processor”, together with a wholly new concept of “Personal data controlling and processing entity” (collectively, the Entities).

Personal data controller refers to an organization or individual that decides purposes and means of processing personal data. Personal data processor refers to an organization or individual that processes data on behalf of the Personal data controller via a contract or agreement with the Personal data controller. Meanwhile, Personal data controlling and processing entity refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.

2. Consent and Exception

Generally, the PDPD strictly requires that a data owner give his/her consent prior to any processing or disclosure of such data, except in the following five limited cases:
• Under emergency situations to protect life and health of the data owner or others;
• Lawful disclosures;
• Processing by competent state authorities for national defense and security, disasters, fatal disease;
• Contractual obligations; and
• Activities of state authorities as stipulated under specified laws.

When a request to process personal data is made, the data owner’s silence or non-response does not constitute consent. The data owner may agree to only part of the request or approve the request subject to conditions. The data owner’s consent must be recorded in a written format that can be printed and copied. Consent is only valid where the data subject clearly and voluntarily understands (i) the type of personal data to be processed; (ii) the purpose of the processing; (iii) the entities permitted to process the personal data; and (iv) his/her rights and obligations.

With regard to sensitive personal data, the data owner must be fully informed of the nature of the data to be processed. In case of dispute, the burden of proof lies with the data processor.

3. Prior to any processing activity involving sensitive personal data, the data owner must be notified, except where:

• The data owner knows and fully consents to the contents;
• The personal data is processed by the competent state agency with a view to serving operations by such agency as prescribed by law;
• The personal data shall be processed to protect the life and health of the data subject or others in an emergency situation;
• Disclosure of personal data is in accordance with the law;
• The personal data is processed by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; where there is a threat to security and national defense that does not rise to the level of declaring a state of emergency; or to prevent and fight riots, terrorism, crimes and violations of law in accordance with the provisions of law;
• The personal data is processed to fulfill obligations under contracts between the data subjects and relevant agencies, organizations and individuals as prescribed by law;
• The personal data is processed to serve the operations of regulatory authorities as prescribed by relevant laws;
• Competent agencies and organizations make audio or video recordings in public places and process the personal data obtained from such recordings in order to protect national security, social order and safety, or the legitimate rights and interests of organizations and individuals as prescribed by law.

4. Personal data processors have an obligation to notify the data owner prior to processing, except in the following cases:

• The data owner has fully agreed with the contents and activities of processing personal data;
• The personal data shall be processed to protect the life and health of the data subject or others in an emergency situation;
• Disclosure of personal data in accordance with the law;
• Processing of personal data by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; where there is a threat to security and national defense that does not rise to the level of declaring a state of emergency; or to prevent and fight riots, terrorism, crimes and violations of law in accordance with the provisions of law;
• The personal data is processed to fulfill obligations under contracts between the data subjects and relevant agencies, organizations and individuals as prescribed by law;
• The personal data is processed to serve the operations of regulatory authorities as prescribed by relevant laws.

5. Cross-border transfer of personal data of Vietnamese citizens must satisfy all three of the following conditions:

• The data owner has consented to the transfer;
• The original data is stored in Vietnam;
• A personal data transfer impact assessment dossier is prepared by the parties transferring the data abroad (including Personal data controllers, Personal data controlling and processing entities, Personal data processors and third parties).

The PDPD requires the Entities to prepare and submit a personal data protection impact assessment dossier to the Department of Cyber Security and High-Tech Crime Prevention when processing personal data and when transferring personal data abroad, within 60 days from the date processing begins. While this is clearly a new obligation on the Entities, its implementation is anticipated to be time-consuming for both organizations and the relevant state authorities.

6. Penalties for violation of personal data protection rules:

• Monetary fines ranging from VND 50 million to VND 100 million;
• Penalties under the Criminal Code;
• Additional penalties: suspension of personal data processing for up to 3 months; deprivation of the right to use the written consent issued by the Personal Data Protection Committee for processing sensitive personal data and for cross-border transfer of data; and forcible surrender of money gained from the violation.

Repeated violations of personal data protection regulations by a personal data processor in Vietnam can result in a maximum penalty of 5% of the data processor’s total revenue, in addition to the aforementioned penalties.

II. Vietnam’s Commitments under the EVFTA and the CPTPP

Data protection and related issues play an important part in shaping the digital economy. The PDPD is one of several legal instruments developed in Vietnam to bring the country more into line with international standards, and it is the first consolidated set of regulations concerning personal data protection.

Vietnam’s commitments on data privacy under the CPTPP are mainly set out in Chapter 14 (E-commerce). Article 14.11 provides that cross-border transfers of data must be allowed, except where restricting such transfers serves a legitimate public policy objective, provided that the measure “is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and does not impose restrictions on transfers of information greater than are required to achieve the objective.” Article 14.13 imposes the same conditions on data localization measures adopted by each party to the agreement.

While Chapter 8 of the EVFTA covers trade, services and e-commerce, it contains no immediate commitments on e-commerce, data protection or data localization, other than calling for the formation of a committee to develop unified principles and regulatory regimes in these areas.

III. Preliminary Guidance on Practical Handling

The PDPD imposes several obligations on the party processing and disclosing personal data; it is therefore critical for employers/enterprises (the “Employer” or “Enterprise”) to consider those obligations and incorporate them into their internal rules and their contracts/agreements with third parties.

1. Internal Labor Rules and Labor Contracts

The Employer is required to incorporate all relevant obligations concerning the personal data of its employees, staff, directors, etc., as well as those concerning the personal data of the Employer’s customers, members and their staff, into the Employer’s internal labor rules/codes and collective labor agreement (if any). This ensures that its employees and staff are bound to comply with those personal data obligations.

Otherwise, there is a very high risk that the Employer will be held fully responsible for unpermitted processing and disclosure carried out by its employees, without the necessary tools to address such violations. In addition, it is advisable to state clearly in the labor contracts with employees that they must comply with the personal data protection requirements promulgated by the Employer and with applicable law.

In addition, it is advisable to negotiate and agree with employees, in the relevant labor contracts, on the processing of such employees’ personal data by the Employer for employment purposes, such as tax information, CVs, health information, etc. This would very likely forestall future claims by the Employer’s employees over unpermitted processing of their personal data. We will advise in detail if desired, subject to the final Decree.

2. Contract/ Agreement with Customers/ Members

It is advisable for the Enterprise and Employer to consider, renegotiate and update all current and future contracts/agreements between the Enterprise and its customers/members so that the Enterprise and Employer are entitled to disclose/process a specific list of personal data and the customers/members give their consent to such disclosure/processing. The Enterprise should, with our support if desired, build a clear list and procedure for collecting, storing, disclosing and otherwise processing the personal data of customers/members.

***
Please do not hesitate to contact Dr. Oliver Massmann at omassmann@duanemorris.com if you have any questions. Dr. Oliver Massmann is the General Director of Duane Morris Vietnam LLC.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
