It is hard to get through a month without updating you on a new privacy law that may impact you: On April 17, 2023, the Vietnamese Government issued a new data privacy regulation. The “Decree of Personal Data Protection”, hereinafter referred to as the “PDPD”, aims to protect the personal data of almost 100 million Vietnamese people.
If you have customers from Vietnam, if your website attracts visitors from Vietnam, or if you are involved in the processing of Vietnamese personal data, the new law will likely apply to you.
Previously, the protection of personal data was addressed across 19 different laws and regulations. The new Decree aims to bring a unified approach to the protection of the personal data of Vietnamese individuals.
Interestingly, the new data privacy regulation in Vietnam is not a law passed by the National Assembly; it is a Decree issued by the Government. Therefore, it is lower in status compared to a Law. However, violating the Decree can still expose you to serious consequences, including criminal prosecution and monetary fines.
In this article, we will help you understand Vietnam’s PDPD and how you can comply with its key requirements.
Does Vietnam’s data privacy law apply to you?
Even if you are based outside of Vietnam, the PDPD may apply to you if the following three criteria are met:
1) Material scope criterion
If you process personal data, this criterion will be met. Under the PDPD, personal data covers information that is associated with a specific person or helps to identify a specific person. As for the meaning of “processing,” it refers to a wide range of activities such as collection, use, storage, transfer, sharing, and publishing.
2) Territorial scope criterion
The following types of processing activities will fall under the scope of the PDPD:
Vietnamese companies, entities, and government agencies will be subject to the law even if they process personal data outside of Vietnam
Organizations outside of Vietnam will have to comply with the PDPD if they process the personal data of Vietnamese nationals
If personal data is processed within the territory of Vietnam, the PDPD will apply.
3) Personal scope criterion
If you are involved in the processing of data that is capable of identifying Vietnamese data subjects, you will fulfill this criterion. For instance, if you are a SaaS vendor and your customers use your platform to process the personal data of Vietnamese citizens, you may fulfill this criterion. However, the boundaries of the phrase “involved in” are not clearly defined in the Decree. Therefore, a further decree or government guidance that explains this criterion can be expected.
Key Definitions under the Vietnam Data Privacy Law
Similar to the EU General Data Protection Regulation (GDPR), Vietnam’s new data privacy law distinguishes between data controllers and data processors. Furthermore, it also defines “sensitive data” and requires organizations to comply with stricter requirements when it comes to handling sensitive data.
These are the key definitions you need to be aware of:
Basic personal data: It refers to information such as name, nickname, date of birth, location of birth, nationality, phone number, email address, and marriage status.
Sensitive data: Sensitive data categories are listed in a non-exhaustive way. Therefore, other categories may also be considered as sensitive data. Under the PDPD, sensitive data includes political opinions, genetic information, sexual orientation, criminal records, certain financial information, and live location.
Personal Data Controller: It refers to entities that decide the purposes and manners of the processing of personal data.
Personal Data Processor: It refers to entities that process personal data on behalf of personal data controllers.
Personal Data Controller and Personal Data Processor: Unlike the GDPR, the PDPD states that an entity can be both a personal data controller and a personal data processor at the same time.
What are Vietnam data privacy law’s key requirements and how to comply?
Vietnam's data privacy law imposes a variety of obligations on both personal data controllers and personal data processors. Since addressing all requirements would be beyond the scope of this article, we will walk you through the main requirements you must know.
Identify a lawful basis to collect and process personal data
The PDPD identifies six legal bases you may rely on:
Valid consent from individuals in accordance with the conditions set by the law.
Contractual necessity to fulfill contractual obligations of the data subject
When the personal data has been publicly disclosed
Interests of the data subject in case of an emergency to protect the health and life of the data subject
To serve the activities of government agencies as specified by relevant sectoral laws
Processing of data by competent public bodies in the event of emergencies relating to national defense, national security, social order and safety, major disasters, and dangerous epidemics; where there is a threat to national security and defense, but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crime and breaches of the law.
As you can infer from this list, consent and contractual necessity are likely to be the primary bases for collecting and processing the personal data of Vietnamese individuals.
Furthermore, it is important to note that the PDPD does not include a “legitimate interests” basis, unlike similar data privacy laws such as GDPR.
The sale or purchase of personal data is prohibited
Vietnam’s new data privacy law prohibits the purchase and sale of personal data, subject to the limited circumstances permitted by law.
These exceptions include the sharing of personal data with the consent of the individuals. Furthermore, it is likely that valid consent can justify the sale or purchase of personal data. However, further guidance on these exceptions is to be expected.
You can only collect and process personal data for the “registered” and “declared” purposes. However, it is not described how organizations register the purposes for the processing of personal data.
Furthermore, you cannot expand upon the declared purposes by claiming that another purpose is “compatible” with the original purpose.
If you process sensitive data, there are more stringent requirements to comply with
When you collect and process sensitive data such as live location data, criminal data, financial information, or data concerning sexual orientation, you need to comply with additional rules. For instance, you need to specifically inform individuals about the collection and processing of their sensitive data.
Considering that most businesses process payments through their online platforms and collect financial data, which is categorized as sensitive data, they would need to notify all their customers of the processing of this data.
Data subject rights
The Vietnam data protection law requires you to respond to and satisfy data subject rights including:
The right to be informed: Data subjects must be informed of the processing of their personal data
The right to access personal data: Data subjects have access to consult, modify, or request rectification of their personal data
The right to withdraw consent: The data subject has the right to withdraw his or her consent
The right to delete personal data: The data subject has the right to delete or request the deletion of his/her personal data
The right to restrict processing: Data subjects may obtain restrictions on the processing of their personal data
The right to object to the processing of personal data: The data subject has the right to object to the processing of his/her personal data in order to prevent or limit the disclosure or use of personal data for advertising and marketing purposes
The right to claim damages: Data subjects have the right to claim compensation for damages in the event of a breach of the rules on the protection of their personal data.
The right to be provided with data: The data subject may ask the personal data controller, or the personal data controller and the data processor, to provide his or her own personal data
The right to lodge a complaint, to denounce and to take legal action.
Under the PDPD, personal data controllers must notify data breaches to the Cyber Security department as soon as they become aware of them, and no later than 72 hours after becoming aware of the breach.
How to obtain consent under Vietnam's data privacy law
Given that the Vietnam Data Protection Law does not allow you to rely on “legitimate interests” ground unlike the EU GDPR, consent is highly likely to be the most appropriate basis to collect data in most instances, alongside contractual necessity.
For instance, when you use advertising cookies and analytics tools such as Google Analytics, you collect the personal data of your website visitors. Therefore, you will need to obtain prior consent from your website visitors. Another instance where you might need prior consent is the sale, purchase, or transfer of personal data.
When you rely on the consent of the individuals, you will need to fulfill certain conditions to obtain valid consent:
Consent must be informed and must be provided freely. This requires that data subjects are provided with information about what personal data is processed, the specific purposes of processing, their rights and obligations in relation to their data, and who processes the personal data.
Consent must be expressed explicitly. This requires the data subject to take a positive action such as ticking a box, configuring settings, or sending an email or an SMS.
Appropriate measures must be put in place to record and save each consent provided by data subjects.
A mechanism for data subjects to withdraw their consent must be available.
To summarize, you need to implement a consent management mechanism to collect, manage, and document consent provided by data subjects so that you can comply with the Vietnam Data Protection Law. This can be done with a Consent Management Platform (CMP).
Penalties for non-compliance in Vietnam's PDPD
If you fail to comply with any of the requirements of the new Vietnam Data Privacy Law, you may face disciplinary measures, administrative sanctions, or criminal proceedings.
Under the PDPD, there are different monetary fines for each violation. For instance, if you fail to obtain the consent of the individuals before collecting their data, you may face a fine of up to $850 (VND 20 million).
If you use personal data outside of the specified purposes or without consent, you may face a fine of up to approximately $2,560.
If you fail to comply with the rules in relation to the safety and/or confidentiality of personal data such as email and phone numbers, you may face criminal sanctions such as warnings, monetary fines, and even prison sentences of up to 3 years.
GDPR vs. Vietnam’s data privacy law
Key differences between the Vietnam Data Privacy Law and the EU GDPR can be summarized as follows:
Under the EU GDPR, “legitimate interest” is one of the bases you can rely on to collect and process personal data. However, the Vietnam Data Privacy Law does not contain such a legal basis.
Under the EU GDPR, sensitive data is defined more narrowly. For instance, financial information is not considered sensitive data. However, the Vietnam law has a broader definition of sensitive data and treats such data as sensitive.
Vietnam Data Protection Law explicitly prohibits the purchase and sale of personal data, subject to limited exceptions. However, the GDPR does not have any blanket prohibition on the sale or sharing of personal data.
Under the EU GDPR, data controllers can process personal data for “compatible purposes.” However, Vietnam Data Protection Law requires that data controllers process personal data only for declared and registered purposes.
How Didomi can help
If you want to ensure compliance with Vietnam’s PDPD requirements and safely handle Vietnamese data, you must start by relying on a legal basis to justify your data processing activities. Consent is one of the primary legal bases, and it can justify the use of third-party advertising, personalization, and profiling cookies alongside social media plugins.
On top of that, obtaining valid consent can also allow you to purchase, sell, and share personal data in compliance with the Vietnam Data Protection Law.
Therefore, you must obtain consent that fulfills the criteria set by the Vietnam Data Protection Law. With a Consent Management Platform (CMP), you can collect consent in a compliant manner and keep a record of it all.
Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you turn data privacy into a business opportunity, and how Didomi focuses on addressing regulations and assisting companies around the world.
Frequently Asked Questions (FAQ)
When does the new Vietnam Data Protection Law become enforceable?
Vietnam’s Personal Data Protection Decree (PDPD) came into force on July 1, 2023.
Is there a grace period for compliance with the PDPD?
No, the two-month grace period has passed and the PDPD became enforceable on July 1, 2023.
Is consent the only legal basis to process personal data under PDPD?
No, the PDPD defines six legal bases to process personal data, including consent and contractual necessity. However, consent is highly likely to be the primary basis for processing personal data because legitimate interest is not recognized as a legal basis.
Are there criminal penalties for non-compliance with the PDPD?
Yes, if you fail to comply with the rules in relation to the safety and/or confidentiality of personal data such as email and phone numbers, you may face disciplinary measures, administrative sanctions, or criminal proceedings.
What is sensitive data under the PDPD?
Sensitive data categories are listed in a non-exhaustive way. Therefore, other categories may also be considered as sensitive data. Under the PDPD, sensitive data includes political opinions, genetic information, sexual orientation, criminal records, certain financial information, and live location.