The draft Decree on Personal Data Protection was recently circulated for public discussion. Many of the draft provisions are similar to those in the European GDPR, addressing matters such as cross-border data transfer and appointment of data protection officers. Fines for non-compliance can reach up to 5% of annual turnover.

25 Mar 2021



The entry into force of the European Union’s General Data Protection Regulation (GDPR) in May 2018 was a wake-up call for companies in Vietnam which have business relationships with EU-based companies or employ EU citizens. The main reason was because the GDPR has extraterritorial effect under which the supervisory authority of each Member State of the EU is empowered to penalise non-EU companies violating the GDPR while having business transactions with EU individuals or companies.

With the Vietnam-EU Free Trade Agreement that took effect in August 2020, it is not a surprise but a welcomed move from the Vietnamese Government when it recently circulated the draft Decree on Personal Data Protection (DPDP) for public consultation.

The DPDP is drafted by the Ministry of Public Security of Vietnam (MPS) and is proposed to take effect from 1 December 2021. Once adopted, it will become the first-ever unified regulation on personal data protection in Vietnam.

Using a model similar to the GDPR in sanctioning the non-compliance activities, being the highest level of fine might be calculated based on the annual turnover of the violator of the preceding financial year, the DPDP is foreseen to have a significant impact on all businesses operating in Vietnam, especially foreign-invested companies which often have cross-border data transfer activities.

Through this legal update, we would like to give you a heads-up on certain points worth noting in the draft DPDP.

1. Personal Data Protection Committee

The personal data protection committee (PDPC) is an independent governmental body to be established under the auspice of MPS. The PDPC will function as the supervisory authority which oversees personal data protection activities in Vietnam. Some of its duties include:

- develop and run a national portal of personal data protection;

- approve data privacy policies of companies and organisations before they are rolled out;

- examine registration dossiers for the processing of sensitive personal data and transferring personal data cross border and requesting the MPS to approve or reject the registration dossiers;

- request the MPS to inspect suspected violations in personal data protection activities or to sanction the violations;

- issue guidelines to implement the DPDP; and

- propose inspection plans to the MPS which might be conducted maximum twice a year, save for the case of a manifest violation.

2. Sensitive Personal Data

2.1 Definition

The definition of sensitive personal data is introduced for the first time in Vietnam by the MPS to distinguish between that and the definition of basic personal data. Sensitive personal data includes genetic and biometric data, data concerning health, gender, sexual orientation, financial status and income, criminal records, location and social relations of an individual.

According to the draft DPDP, the list of sensitive personal data is not an exhaustive one as any signature data of a person which requires high level of confidentiality and special protection of the laws will be considered as sensitive personal data. Due to this special characteristic of the sensitive personal data, any processor wishing to process such data must register the data with the PDPC in advance, save for certain exceptional circumstances.

2.2 Registration

The registration process would take maximum 20 working days from the date the PDPC receives a sufficient registration dossier.

2.3 Fine

Violation of the registration requirement might expose the processor to a fine of up to VND 100 million (~ USD4,300).

2.4 Impact

Fintech companies, banks, hospitals, fitness centres and healthcare clinics would be the first ones that would get hit by this regulation when the DPDP takes effect.

3. Cross-Border Transfer of Personal Data

3.1 General

According to the draft DPDP, cross-border transfer of personal data of Vietnamese citizens is restricted to a large extent. Specifically, cross-border transfer is conditional upon the satisfaction of the following 4 elements:

- the data subject consented to the transfer;

- the original data is stored in Vietnam;

- the country or the state where the data recipient is based offers the same or a higher level of data protection in comparison with Vietnam; and

- the PDPC approves the transfer.

Although the draft DPDP sets out 1 exception where the cross-border transfer would be permissible without satisfying the 4 aforesaid elements, the prerequisites for this exceptional case need to be clarified in the subsequent drafts of the DPDP as they are still very obscure in this draft.

It is worth noting that in respect to the 4th element as set forth above, it would take maximum 20 working days to obtain an approval from the PDPC after a sufficient registration dossier is lodged.

3.2 Fine

Violation of the aforesaid requirement regarding cross-border transfer might expose the data transferor to a fine of up to VND 100 million (~USD4,300).

3.3 Impact

As foreign-invested companies, and branches and representative offices of foreign investors in Vietnam often involve in multiple cross-border transfer activities pertaining to personal data of employees, suppliers and customers, these subjects should start reviewing and updating their current data privacy policies to stay in line with the new regulation.

4. Additional Requirements for Companies and Organisations

4.1 Data Protection Officer

Similar to the concept of data controller in the GDPR, the draft DPDP requires a company or organisation which conducts data processing to

a. set up or designate an internal department to function as a personal data protection department; and

b. appoint a data protection officer.

The main responsibilities of the personal data protection department and the data protection officer are to supervise data protection activities within the organisation and to be the contact point for liaison with the PDPC. The contact details of such department and officer must be notified to the PDPC.

4.2 Internal Policies on Personal Data Protection

The draft DPDP also requires a company or organisation which conducts data processing to issue

a. a policy on personal data protection and applicable templates in implementation of the DPDP; and

b. internal regulations governing the process of handling complaints and whistle-blowing reports with regard to personal data protection.

4.3 Retention of Records of Cross-border Transfer

Last but not least, the draft DPDP requires a company or organisation which conducts cross-border transfer of personal data to store the records containing timing of the transfer, recipient identity and contact details, and nature and volume of the data transferred within 3 years from the date of the transfer.

5. Penalties Against Violations

The draft DPDP sets out different types of administrative sanctions against violations of personal data protection, e.g. monetary penalty, suspension of personal data processing, or revocation of the rights for processing sensitive personal data and cross-border transfer of personal data. Some of which have been mentioned under sections 2.3 and 3.2. Of note, similar to GDPR, the draft DPDP proposes to apply a very severe fine, being 5% of the total revenue in Vietnam to violators of the DPDP.

6. Conclusion

Although the draft DPDP is still in the process of being completed, given the fact that it is proposed to take effect in December 2021, both local and foreign-invested companies should develop an action plan as soon as possible to address new requirements imposed by the DPDP, e.g. an internal policy regarding data protection; setting up a department and appointing a data protection officer to oversee and censor data processing activities within the company. This might require the involvement and collaboration of different departments in a company such as Legal and Compliance, HR, IT and Finance. Companies and organisations operating in Vietnam should keep the developments of the draft DPDP on the radar in the coming months.

Contact information

Should you have any questions, please feel free to contact our lawyers at the below email addresses and contact numbers.

Mark Oakley / Managing Partner

+84 (0) 8 6810 0510

Minh Nguyen / Senior Associate

+84 (0) 7 7865 3936

© 2021 ACS Legal Vietnam Company Limited – All rights reserved

This legal update is not an advice and should not be treated as such.

Open in pdf: GDPR-like Draft Decree on Data Protection Introduced