Please click here to download the pdf version.

On 17 April 2023, the Government issued Decree 13 on personal data protection (Decree 13/2023). Decree 13/2023 marks a significant milestone as the first comprehensive legal document that governs the protection of personal data in Vietnam. As compared to the draft decree on personal data protection (Draft Decree), Decree 13/2023 has been significantly improved to incorporate key aspects necessary to protect personal data to align with the General Data Protection Regulation (GDPR). In this post, we will discuss key issues under Decree 13/2023 while comparing it to the Draft Decree and GDPR. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.

1.         Things to be done by 1 July 2023

Ideally, before 1 July 2023, both onshore and offshore entities involving in collecting and/or processing personal data of Vietnamese individuals or foreign individual residing Vietnam should do the following:

• having proper consents from the relevant data subject (see 7);

• if it is a data controller, having a contract with the relevant data processor (see 4);

• determining whether it deals with basic personal data or sensitive personal data;

• preparing and submitting an assessment of the impact of personal data processing to the Ministry of Public Security (MPS) (see 10);

• preparing and submitting an assessment of the impact of offshore transferring personal data to the MPS (see 11);

• setting up system to protect the safety and confidentiality of the personal data which it collects or processes; and

• setting up a personal data protection department and a data compliance officer if it deals with sensitive personal data.

Decree 13/2023 only exempts small and medium enterprises or start ups from complying with certain requirements until 1 July 2025.

One key missing ingredient though is the potential penalty which may apply in case of non-compliance. Accordingly, currently, Decree 13/2023 has no teeth in enforcing the above requirements. Unlike Decree 13/2023, the GDPR has clear penalties and fines applicable to violations of the GDPR.

In August 2022, the Government issued Decree 53/2022 to implement various provisions of the Law on Cyber Security 2018 (LCS 2018). We summarise below certain key points of Decree 53/2022:

• Data localization: Decree 53/2022 provides more detailed guidance on data localization in Vietnam. Please see our separate blog on this issue here.

• Using cryptography (“mật mã”) to protect network information: If necessary for the national security, safety and order of society or protecting legitimate rights and benefit of others, the authority could request related individuals/organizations to encrypt information not considered as State secret before storing, transmitting on the Internet;

Introduction

In August 2022, the Government issued Decree 53/2022 providing, among other things, further guidance on data localization requirements in Vietnam. Article 26.3 of the Law on Cyber Security 2018 (LCS 2018) provides for a general data localization requirement. However, due to the lack of implementing regulations, such provision is not enforced in practice for several years. The new guidance under Decree 53/2022 will likely make the law enforceable in practice from 1 October 2022. In this post, we discuss some salient points of the data localization requirements under Decree 53/2022. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.