The issue of personal data processing is getting hotter than ever in this digital age with increasing cases where large conglomerate or even national governments being accused of utilizing citizen\u2019s personal data without consent. This trend makes no exception in Vietnam.<\/p>\n
So far, the Ministry of Public Security (the “MPS”) has finally prepared a Draft Decree on personal data protection (\u201cDraft Decree\u201d). The Draft Decree was shared on 9 February 2021 for public comments. We outline below some key terms and foundation of the Draft Decree:<\/p>\n
I. The Basic: New Draft Decree on Personal Data Protection and Cross-Border Provision of Data<\/strong><\/p>\n 1. Definition<\/strong><\/p>\n Personal data means data about an individual, or relating to the identification or possible identification of a particular individual. Personal data is comprised of two tranches: (i) Basic personal data includes name, date of birth, blood type, marriage status and most notably, data that reflects activity or history of activity of an individual on cyberspace; and (ii) Sensitive personal data concerning political opinion, health, financial details (credit history, income level\u2026), social relationships and data considered by laws as specific and require necessary security measures.<\/p>\n Personal data processing is broadly defined as one or more acts having an impact on personal data, including collection, record, analysis, storage, change, disclosure, access right, extraction, withdrawal, encryption, decryption, delivery, deletion, cancelation and other related acts. Generally, the Draft Decree strictly regulates that a data owner must give his\/ her consent prior to any processing and disclosing such data, except for the following limited cases: When requesting to process personal data, the data owner\u2019s silence or unresponsiveness does not constitute approval. The data owner can agree only to a part of the request or approve the request with attached conditions. The data owner\u2019s consent must be displayed in a format that is printable and copy-able in writing.<\/p>\n With regard to sensitive personal data, the data owner must be fully informed of the nature of the data to be processed. In case of dispute, the burden of proof lies on the data processor.<\/p>\n 3. Prior to any processing activity regarding sensitive personal data, the processing party must register this activity with the Personal Data Protection Committee,which is an independent body to be established under the government of Vietnam,except when:<\/strong> 4. Personal data processors have an obligation to notify the data owner prior to their processing, except for the following:<\/strong> 5. Cross-border transfer of personal data of Vietnamese citizens must satisfy all following four conditions:<\/strong> 6. Penalties for violation of personal data protection rules:<\/strong> II. Preliminary Guidance on Practical Handling<\/strong><\/p>\n Because the Draft Decree would be amended, thus our analysis and comments hereof is preliminarily made in nature (i.e., subject to change according to the final adopted Decree).<\/p>\n As a rule of thumb, the Draft Decree provides several obligations of the party processing and disclosing personal data, thus it is critical for employers\/ enterprises (the \u201cEmployer\u201d or \u201cEnterprise\u201d) to consider and adopt all those obligations into its internal rules and contracts\/ agreements with third parties. <\/p>\n 1. Internal Labor Rules and Labor Contracts<\/strong><\/p>\n It is required for the Employer to adapt all relevant obligations in relation to personal data over its employees, staff, directors, etc. as well as those in relation to the Employer\u2019s customers, members and their staff into the Employer\u2019s internal labor rules\/ codes and collective labor agreement (if any). This is to ensure that its employees and staff shall comply with those personal data related obligations. <\/p>\n Otherwise, there is a very high risk that the Employer shall be fully responsible for the unpermitted processing and disclosing made by its employees without necessary tools to address such violations. In addition, it is advisable to state clearly in the labor contracts with the employees that they must comply with requirements on personal data protection promulgated by the Employer and the applicable law.<\/p>\n In addition, it is advisable to negotiate and agree with the employees in the relevant labor contracts about the possible data processing made by the Employer again such employees\u2019 personal data for the purpose of employment such as tax information, CVs, health information, etc. This would very likely prevent the future claims from the Employer\u2019s employees over unpermitted processing of employees\u2019 personal data. We will advise in detail if desired subject to the final Decree. <\/p>\n 2. Contract\/ Agreement with Customers\/ Members<\/strong><\/p>\n It is advisable for the Enterprise and Employer to consider, renegotiate and update all current and future contracts\/ agreements between the Enterprise and its customers\/ members that the Enterprise and Employer is entitled to disclose\/ process a specific list of personal data and the customers\/ members agree to give consents for such disclosure\/ processing. The Enterprise should, with our support if desired, build a clear list and procedure for collecting, storing, disclosing and otherwise processing personal data of customers\/ members. <\/p>\n ***<\/p>\n Please do not hesitate to contact the author Dr. Oliver Massmann under omassmann@duanemorris.com. Dr. Oliver Massmann is the General Director of Duane Morris Vietnam LLC, Member to the Supervisory Board of PetroVietnam Insurance JSC and the only foreign lawyer presenting in Vietnamese language to members of the NATIONAL ASSEMBLY OF VIETNAM.<\/p>\n","protected":false},"excerpt":{"rendered":" The issue of personal data processing is getting hotter than ever in this digital age with increasing cases where large conglomerate or even national governments being accused of utilizing citizen\u2019s personal data without consent. This trend makes no exception in Vietnam. So far, the Ministry of Public Security (the “MPS”) has finally prepared a Draft … <\/p>\n
\n
\n2. Consent and Exception<\/strong><\/p>\n
\n\u2022\tAs provided by the applicable law;
\n\u2022\tFor the sake of national security, social order and safety;
\n\u2022\tIn case of an emergency, a threat to life or seriously affecting the health of that data owner or public health as provided by applicable law; and
\n\u2022\tIn accordance with the Law on Press and not resulting in economic, honorable, spiritual or material damage to the data owner;
\n\u2022\tFor investigation and handling an act in violation of laws;
\n\u2022\tAs allowed by the regulations in international agreements or treaties to which Vietnam is a member; or
\n\u2022\tScientific research or statistics in encrypted form that is to be de-identified and replaced with a code.
\nHowever, Article 6.3 of the Draft Decree restricts that it is not permitted to disclose personal data that are of sensitive nature.<\/p>\n
\n\u2022\tPersonal data is processed to serve the prevention, detection, investigation and handling of violations of the law;
\n\u2022\tTo carry out health care functions of health facilities and social security of state agencies;
\n\u2022\tServing judicial functions of the Court;
\n\u2022\tFor research, archival or statistical purposes of state agencies or scientific research organizations<\/p>\n
\n\u2022\tThe data owner has fully agreed with the contents and activities of processing personal data;
\n\u2022\tThe processing of personal data is regulated by laws, international agreements, international treaties;
\n\u2022\tThe processing does not affect the rights and interests of the data owner and it is not possible to notify the data owner;
\n\u2022\tFor scientific research and statistics collection.<\/p>\n
\n\u2022\tThe data owner consented the transfer;
\n\u2022\tOriginal data is stored in Vietnam;
\n\u2022\tRegulations on personal data protection at the receiving country are of equal or higher level compared to Vietnam\u2019s regulations;
\n\u2022\tThere is a written approval from the Personal Data Protection Committee.<\/p>\n
\n\u2022\tMonetary fines range from VND 50 million to VND 100 million;
\n\u2022\tAdditional penalties: Suspend the processing of personal data up to 3 months, deprive the right to use written consent issued by the Personal Data Protection Committee to process sensitive personal data and cross-border transfer of data, forcible payment of money gained from committing acts of violation.
\nMultiple violations of personal data protection regulations by a personal data processor in Vietnam can result in a maximum penalty of 5% of total revenue of the data processor in addition to the aforementioned penalties.<\/p>\n