The entry into force of the European Union’s General Data Protection Regulation (GDPR) in May 2018 was a wake-up call for companies in Vietnam which have business relationships with EU-based companies or employ EU citizens. The main reason is that the GDPR has extraterritorial effect, under which the supervisory authority of each EU Member State is empowered to penalise non-EU companies that violate the GDPR while conducting business transactions with EU individuals or companies.
With the Vietnam-EU Free Trade Agreement having taken effect in August 2020, it is no surprise, and a welcome move, that the Vietnamese Government recently circulated the draft Decree on Personal Data Protection (DPDP) for public consultation.
The DPDP is drafted by the Ministry of Public Security of Vietnam (MPS) and is proposed to take effect from 1 December 2021. Once adopted, it will become the first-ever unified regulation on personal data protection in Vietnam.
Following a sanctioning model similar to that of the GDPR, under which the highest level of fine may be calculated on the basis of the violator's annual turnover of the preceding financial year, the DPDP is expected to have a significant impact on all businesses operating in Vietnam, especially foreign-invested companies, which often carry out cross-border data transfers.
Through this legal update, we would like to give you a heads-up on certain points worth noting in the draft DPDP.
The personal data protection committee (PDPC) is an independent governmental body to be established under the auspices of the MPS. The PDPC will function as the supervisory authority overseeing personal data protection activities in Vietnam. Its duties include the following:
- develop and run a national portal of personal data protection;
- approve data privacy policies of companies and organisations before they are rolled out;
- examine registration dossiers for the processing of sensitive personal data and for cross-border transfers of personal data, and request the MPS to approve or reject those registration dossiers;
- request the MPS to inspect suspected violations in personal data protection activities or to sanction the violations;
- issue guidelines to implement the DPDP; and
- propose inspection plans to the MPS, under which inspections may be conducted at most twice a year, save for the case of a manifest violation.
The definition of sensitive personal data is introduced for the first time in Vietnam by the MPS, to distinguish it from basic personal data. Sensitive personal data includes genetic and biometric data, and data concerning health, gender, sexual orientation, financial status and income, criminal records, location and social relations of an individual.
According to the draft DPDP, the list of sensitive personal data is not exhaustive, as any signature data of a person which requires a high level of confidentiality and special protection under the laws will be considered sensitive personal data. Because of this special characteristic of sensitive personal data, any processor wishing to process such data must register the data with the PDPC in advance, save for certain exceptional circumstances.
The registration process would take a maximum of 20 working days from the date the PDPC receives a sufficient registration dossier.
Violation of the registration requirement might expose the processor to a fine of up to VND 100 million (approximately USD 4,300).
Fintech companies, banks, hospitals, fitness centres and healthcare clinics would be the first to be affected by this regulation when the DPDP takes effect.
According to the draft DPDP, cross-border transfer of personal data of Vietnamese citizens is restricted to a large extent. Specifically, a cross-border transfer is conditional upon the satisfaction of the following 4 elements:
- the data subject consented to the transfer;
- the original data is stored in Vietnam;
- the country or the state where the data recipient is based offers the same or a higher level of data protection in comparison with Vietnam; and
- the PDPC approves the transfer.
Although the draft DPDP sets out 1 exception under which a cross-border transfer would be permissible without satisfying the 4 aforesaid elements, the prerequisites for this exceptional case are still very obscure in this draft and need to be clarified in subsequent drafts of the DPDP.
It is worth noting that, in respect of the 4th element set forth above, it would take a maximum of 20 working days to obtain an approval from the PDPC after a sufficient registration dossier is lodged.
Violation of the aforesaid requirements regarding cross-border transfer might expose the data transferor to a fine of up to VND 100 million (approximately USD 4,300).
As foreign-invested companies, and branches and representative offices of foreign investors in Vietnam, are often involved in multiple cross-border transfers of personal data of employees, suppliers and customers, these entities should start reviewing and updating their current data privacy policies to stay in line with the new regulation.
Similar to the concept of data controller in the GDPR, the draft DPDP requires a company or organisation which conducts data processing to
a. set up or designate an internal department to function as a personal data protection department; and
b. appoint a data protection officer.
The main responsibilities of the personal data protection department and the data protection officer are to supervise data protection activities within the organisation and to be the contact point for liaison with the PDPC. The contact details of such department and officer must be notified to the PDPC.
The draft DPDP also requires a company or organisation which conducts data processing to issue
a. a policy on personal data protection and applicable templates in implementation of the DPDP; and
b. internal regulations governing the process of handling complaints and whistle-blowing reports with regard to personal data protection.
Last but not least, the draft DPDP requires a company or organisation which conducts cross-border transfer of personal data to store the records containing timing of the transfer, recipient identity and contact details, and nature and volume of the data transferred within 3 years from the date of the transfer.
The draft DPDP sets out different types of administrative sanctions against violations of personal data protection, e.g. monetary penalties, suspension of personal data processing, or revocation of the right to process sensitive personal data and to transfer personal data cross-border, some of which have been mentioned under sections 2.3 and 3.2 above. Of note, similar to the GDPR, the draft DPDP proposes a very severe fine, being 5% of the violator's total revenue in Vietnam, for violations of the DPDP.
Although the draft DPDP is still in the process of being completed, given that it is proposed to take effect in December 2021, both local and foreign-invested companies should develop an action plan as soon as possible to address the new requirements imposed by the DPDP, e.g. an internal policy on data protection, and the setting up of a department and appointment of a data protection officer to oversee and review data processing activities within the company. This might require the involvement and collaboration of different departments in a company, such as Legal and Compliance, HR, IT and Finance. Companies and organisations operating in Vietnam should keep the developments of the draft DPDP on their radar in the coming months.
Should you have any questions, please feel free to contact our lawyers at the below email addresses and contact numbers.
Mark Oakley / Managing Partner
+84 (0) 8 6810 0510
Minh Nguyen / Senior Associate
+84 (0) 7 7865 3936
This legal update is not advice and should not be treated as such.