On April 17, 2023, the Government of Vietnam published its Personal Data Protection Decree (PDPD). The first draft of the PDPD was issued back in 2021 and has since been through a public consultation resulting in the final text that will enter into effect on July 1, 2023.
Despite the short window for the PDPD’s entry into effect, there is no transitional period meaning that organizations covered by the PDPD will have little over two months to develop a privacy program in compliance with the law’s new requirements. Like many modern privacy laws, the PDPD contains requirements for privacy notices, privacy risk assessments, and data subject rights as well as offering grounds for valid consent and certain scenarios where consent can be withdrawn. Keep reading for an overview of Vietnam’s PDPD and some of its key requirements.
What are the key compliance areas of the PDPD?
Scope of application
Before looking at the compliance requirements of the PDPD you should first assess whether the PDPD will apply to your business. The law’s scope of application includes:
If your business falls under one of the above definitions, then there are several new requirements that you will need to comply with ahead of the July 1 entry into effect. Start-ups, micro-enterprises, and small and medium enterprises (SMEs) have the right to choose to be exempt from the PDPD’s regulations for the first two years of operation from the date of registration unless they are directly involved in personal data processing activities.
Personal data and sensitive personal data
Similarly, it is important to understand what the PDPD means by “personal data” and “sensitive personal data”. Personal data includes information including:
The PDPD defines sensitive personal data as personal data that, when violated, will directly affect an individual's legitimate rights and interests. This includes information relating to:
Covered organizations will be required to present a privacy notice to data subjects before processing personal data. The PDPD outlines specific information that needs to be included in the privacy notice, this includes:
PDPD privacy notices should be formatted in a manner that data subjects can print or reproduce in writing. There are certain circumstances where a privacy notice is not required including where personal data is being processed by a state agency for purposes in accordance with the law.
Data controllers have a requirement to conduct a data protection impact assessment before starting a processing activity. Additionally, controllers are required to keep records of these impact assessments, which should be accessible for auditing purposes and sent to the Ministry of Public Security within 60 days from the date of processing of personal data.
Impact assessment must include details relating to:
Data subject rights
The PDPD provides a broad range of rights to data subjects, many of which are common under modern privacy laws.
PDPD data subject rights include:
Valid consent of the data subject is required for all processing activities under the PDPD. There are several exceptions where processing personal data is permitted without consent such as in the vital interests of the data subject, where processing is necessary for compliance with the law, or to fulfill a contractual obligation.
Consent can only be considered valid when the data subject voluntarily and clearly knows the following:
Consent must be clear and specific and given through affirmative action such as in writing, by voice, or by ticking a consent box, among other things. Silence or inactivity is not considered as valid consent under PDPD and data subjects may give partial or conditional consent.
Other notable provisions
The PDPD also includes a range of other responsibilities for data controllers, data processors, and third parties. These include conditions for cross-border transfer of personal data such as transfer impact assessments and post-transfer notifications. The PDPD also includes rules for processing personal data obtained through audio and video recording activities in public places and the processing of children’s personal data.
Other requirements include protecting personal data in the context of marketing services and advertising products and the measures to protect sensitive personal data include assigning a data protection officer.
How can businesses prepare?
As with most modern privacy laws, the best place to start when preparing your privacy program is to conduct a data discovery exercise to understand what data you have and where it is stored. Classifying and mapping this personal data against the provisions of new laws will help you to visualize data flows, identify third parties, and ensure requirements are met in compliance with the law such as data transfer requirements.
In the case of the PDPD, you should ensure that you understand what types of information fall under the definitions of personal data and sensitive personal data as well as ensure you have the correct consent or implementing methods for collecting valid consent in preparation for the PDPD’s entry into effect.
Privacy notices will be one of the most outwardly visible areas of compliance with the PDPD. Ensuring your web properties are displaying the correct notice that fulfills the criteria set out by the PDPD will be essential for transparency and accountability with the law.
The PDPD introduces a broad range of data subject rights, therefore you should ensure that you have the correct methods of the intake of these requests and that you are set up and ready to fulfill them. Linking your subject rights fulfillment process with your data map will help you to ensure that all instances of personal data relating to the data subject can be easily found and relayed against the different types of request.
To prepare for PDPD impact assessment requirements, you should begin to develop a risk assessment template that takes into account all of the required information and assessment criteria. You can build your assessment from scratch or use a pre-built template that can fulfill risk assessment templates of several laws. Additionally, the PDPD requires you to perform a transfer impact assessment when transferring data outside of Vietnam. Therefore, it is vital to have a robust process in place for completing risk assessments and have a solid understanding of your personal data processing activities.