On 9 February 2021, the Ministry of Public Security (MPS) released the new draft of the Decree, expected to take effect on December 1, 2021. The Decree governs personal data and the processing, provisions on personal data protection, handling of personal data breaches; and responsibility for personal data protection of agencies, organizations and individuals. It applies to agencies, organizations and individuals involved in personal data. A PDP Committee of 6 official will be established to supervise and ensure compliance with the Law. Proposed effective date: 01 December 2021.
Personal Data Processor is defined as a legal entity or a natural person, [or] a branch of a foreign company or state authority or local authority that processes personal data. Under Article 4 of the Decree, offshore Personal Data Processors may be required to appoint a representative in Vietnam.
Registration with the PDP Committee which should issue a written permission for:
- Sensitive personal data processing
- Cross-border transfer of personal data (consent, storage in Vietnam, regulations with the same or a higher level of protection) No exception to registration requirement is provided. The data processor must develop a system to store data transfer history for 3 years.
Application of measures for personal data protection to:
- Ensure the confidentiality, integrity and availability of personal data;
- De-identify and encrypt personal data;
- Store, copy, extract and protect its personal data processing history.
Committee on Personal Data Protection
The data processor must develop and issue their own set of personal data protection regulations, that would be appraised by the PDP Committee before they are published.
A new government agency called the Committee on Personal Data Protection that would basically oversee and govern the compliance of the subjects covered under this Draft Decree.
The Ministry of Public Security (MPS) can appoint no more than six members to the Committee upon the cabinet’s approval.
The Committee is closely tied to the MPS Department of Cybersecurity and Hi-Tech Crimes Prevention as it is headquartered at the department and chaired by the department’s head officer.
Notably, the PDP Committee would inspect and examine compliance with personal data protection regulations per company no more than twice a year. However, if the PDP Committee believes there is a violation of personal data protection regulations, additional inspection/examination would be conducted.
For violations in relation to rights of the data subjects:
- VND 50 million to VND 80 million (approximately USD 2,100 to USD 3,500); or
- Up to 5% of the total revenue generated in Vietnam for third-time repeated violation
For violations in relation to cross-border transfer of personal data, registration of sensitive personal data processing:
- VND 80 million to VND 100 million (approximately USD 3,500 to USD 4,400); or
- Up to 5% of the total revenue generated in Vietnam for second-time repeated violation.
- Suspension of data processing for one to three months
- Revocation of the written permission for sensitive data processing and cross-border data transfer.
- Broad scope of application
- Article 20 (Registration of processing of sensitive personal data) and Article 21 (Cross-Border transfer of personal data) provide a overly strict compliance procedure for regular business activities
- Permit required for processing sensitive personal data
- Data Processors should implement a system for the storage of data transfer history for a 3-year period
- No grace period is provided so far
- Two types of personal data: basic and sensitive
- A maximum fine of 5% of the total revenue generated in Vietnam
- The draft decree is expected to take effect on December 1, 2021
Personal Data is defined as data about information in the form of symbols, [alphabetic] letters, numbers, images, sounds or other similar forms that belongs to an individual. This definition is more general and broader in scope than the definition under sectoral laws and regulations such as the Law on Cyber Information Security or Decree No. 52/2013/ND-CP on E-commerce.
Basic personal data includes information about personal identification, such as name, date of birth, place of birth, address, nationality, ethnicity, marital status, and ID number. One thing, however, is unclear: “data containing online activities and history.”
Sensitive personal data includes political and religious opinions; health, genes, sex, biometrics; finances; sexual life; residence; social networking; and others.
Processing of personal data means one or more actions having impact on personal data, including collecting, recording, analyzing, storing, changing, disclosing, authorizing access to, retrieving, revoking, encrypting, decrypting, copying, transferring, deleting, and destroying personal data or other related actions.
Data Subject end users or other individuals whose data are collected
Data Controller: the Decree does not provide a definition
Data Processor: processes data on instruction. a domestic or foreign agency, organization or individual who conducts the activities of personal data processing.
Third party: a domestic or foreign agency, organization or individual who receives personal data, and/or is engaged in the activities of personal data processing but are neither a personal data processor nor a data subject