On the 17th of April the Vietnamese government published the Decree on Personal Data Protection (“PDPD”). The new regulation will come into effect on 1 July 2023. Prior to that date every business organization should perform a gap analysis between the current state of the data protection measures and the new requirements introduced by the PDPD.
As of the 1st of July 2023 the business entities will need to, among other things:
- Have the valid consent of the individual persons to process their personal data (in accordance with the new PDPD requirements);
- Have appropriate internal procedures, agreements between data controllers and data processors, and required technical measures to meet the PDPD requirements.
- Assess whether the data it processes can be deemed sensitive;
- Prepare data protection impact assessments (in the way prescribed by PDPD) which must be submitted to the Ministry of Public Security.
- Prepare data protection impact assessments in relation to cross-border data transfers (these must also be submitted to the Ministry of Public Security);
Selected key points of the PDPD include:
- New definitions/concepts e.g. “basic personal data”, “sensitive personal data”, “data processor” and “data controller”;
- Data protection principles – Personal data should be processed in accordance with the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality and accountability.
- Data subject notification – Data subjects must be notified about, among other things, the type of personal data that are collected, the purpose of collection and organisations that have access to the data etc;
- Data subject consent - The consent of the data subject is required to process personal data. The consent must be expressly made (silent default consent is not allowable) and can be partial or conditional. The data subject has the right to access and review his/her personal data. If the data subject withdraws consent, then the relevant personal data must be deleted within 72 hours.
- Damage claims – Data subjects have the right to claim damages if their rights, as stated in the PDPD are infringed. Also, PDPD makes it illegal to collect, transfer, or sell personal data without the data subject’s consent.
- Incident notification - Within 72 hours from a data breach or other violation of the PDPD, the personal data controller and the personal data controller cum processor are obliged to notify the Ministry of Public Security of the incident (including the measures taken to minimise the incident’s consequences) using the form provided in the PDPD.
- Impact Assessment - Within 60 days of the date of data processing, organisations are required to prepare a personal data protection impact assessment. This must be done in accordance with the form provided in the PDPD, including information on the data controller and the data controller-cum-processor. The impact assessment is subject to evaluation by the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control). The impact assessment needs to be amended/updated in case of any changes in the extent of the personal data processed by organisations.
- Transfer of personal data abroad: Transfer of personal data of Vietnamese citizens abroad requires preparation of a relevant impact assessment including a description of reasons, the purposes of transferring the data abroad and relevant consent of the data subjects. The impact assessment must also include a written data transfer agreement with the foreign entity which receives the data. Dossiers with impact assessments must be available for inspection at the organisation. One copy needs to be sent to the Ministry of Public Security within 60 days from the date of processing of personal data. The PDPD provides the form required for this type of impact assessment. Organisations are also required to update their impact assessment in case of changes (and send an update to the Ministry of Public Security). The Ministry of Public Security has the right to inspect the transfer of data abroad and may prohibit further transfers in case of noncompliance with PDPD.
- Protective measures – Every organisation needs to promulgate internal procedures on the protection of personal data in line with the PDPD requirements. There are also requirements in relation to network security systems and the ability to delete personal data within the 72 hour time window. The PDPD provides for a higher level of protective measures applicable in the case of organisations that process sensitive data and children’s data.
- Sanctions - Lack of compliance with the PDPD may result in:
- Administrative sanctions for noncompliance with the PDPD.
- Criminal sanctions for certain acts infringing the right to privacy.
- Suspension of certain activities e.g. suspension of data transfer abroad.
Who will be impacted by PDPD? Every company that processes personal data in Vietnam and abroad if a foreign entity processes personal data of Vietnamese residents.
How we can help
Starting from 1 July 2023 when Vietnam’s Personal Data Protection Decree (PDPD) comes into effect, companies will not only need to have the new regulations implemented internally but also care for the ongoing compliance with the regulations (eg. data protection impact assessments).
PDPD framework support
- PDPD implementation in the organisation
- Inventory of personal data processing processes
- Gap analysis
- Risk analysis and Data Protection Impact Assessment
- Preparation of documents, procedures, analyses
- IT/SEC adaptation, i.a. by development of documentation for data processing and organisational and technical measures for personal data protection
- Post implementation audit
- PDPD implementation methodology
- Check completeness of records of processing activities and records of all categories of processing activities
- Review business processes for data processing security
- Transborder transfers
- Identification of areas where personal data are processed outside Vietnam
- Development of rules and requirements for secure data transfer outside Vietnam
- Drafting contractual clauses and other important documents to ensure the full transfer compliance with the PDPD
Maintaining compliance with PDPD
- Permanent system of internal controls in the PDPD context
- Risk radar for the Management Board
- Periodic post-implementation audits
- Support for the Data Protection Officer
- Support during exercising the data subjects rights
- Vendor’s verification and third party risk management
- Impact analysis of new activities, processes
- Update of documents, procedures
- Privacy by design for new business solutions
- Data Lifecycle Management
- Reconfiguration/ improvement of the existing IT security solutions
- Analysis of validity related to implementation of new IT security solutions
- Awareness raising – trainings
- Support during relevant Authority controls / inspections
Security incidents
- Pro-active incident management
- Analysis of vulnerability to incidents and examining the effectiveness of security
- Legal and information security support, investigation services in breach response
- Support in communication with the relevant local authorities and data subjects
PDPD training
Please contact us directly if your company is keen to:
- Build and increase awareness about the regulation requirements,
- Give your employees practical skills necessary for work and secure personal data handling
