Skip to main content

On-demand webinar coming soon...

Blog

Vietnam publishes long-awaited Personal Data Protection Decree

The Government of Vietnam publishes the PDPD two years after it was first introduced

Robb Hiscock
Senior Content Marketing Specialist, CIPP/E, CIPM
April 19, 2023

Vietnamese flags in front of an office building

On April 17, 2023, the Government of Vietnam published its Personal Data Protection Decree (PDPD). The first draft of the PDPD was issued back in 2021 and has since been through a public consultation resulting in the final text that will enter into effect on July 1, 2023. 

Despite the short window for the PDPD’s entry into effect, there is no transitional period meaning that organizations covered by the PDPD will have little over two months to develop a privacy program in compliance with the law’s new requirements. Like many modern privacy laws, the PDPD contains requirements for privacy notices, privacy risk assessments, and data subject rights as well as offering grounds for valid consent and certain scenarios where consent can be withdrawn. Keep reading for an overview of Vietnam’s PDPD and some of its key requirements. 

 

What are the key compliance areas of the PDPD?

 

Scope of application

Before looking at the compliance requirements of the PDPD you should first assess whether the PDPD will apply to your business. The law’s scope of application includes: 

  • Vietnamese agencies, organizations, and individuals

  • Foreign agencies, organizations, and individuals in Vietnam

  • Vietnamese agencies, organizations, and individuals operating abroad

  • Foreign agencies, organizations, and individuals processing personal data in Vietnam

     

If your business falls under one of the above definitions, then there are several new requirements that you will need to comply with ahead of the July 1 entry into effect. Start-ups, micro-enterprises, and small and medium enterprises (SMEs) have the right to choose to be exempt from the PDPD’s regulations for the first two years of operation from the date of registration unless they are directly involved in personal data processing activities.

 

Personal data and sensitive personal data

Similarly, it is important to understand what the PDPD means by “personal data” and “sensitive personal data”. Personal data includes information including: 

  • Name of the data subject, including full name, middle name, birth name, or any other name

  • Date of birth, death, or date an individual might have become missing

  • Gender

  • Place of birth and birth registration

  • Place of permanent or temporary residence including hometown and contact address

  • Nationality

  • Image

  • Phone number, national identification number, or medical insurance card number

  • Marital status

  • Family relationship details including parents and children

  • Digital account details and online activities

     

The PDPD defines sensitive personal data as personal data that, when violated, will directly affect an individual's legitimate rights and interests. This includes information relating to:

  • Political and religious views

  • Health status and medical records (excluding blood type) 

  • Racial or ethnic origin

  • Genetic characteristics, physical attributes, and biological characteristics

  • Sex life and sexual orientation

  • Criminal records held by law enforcement agencies

  • Customer information of credit institutions

  • Location data

 

Privacy notices

Covered organizations will be required to present a privacy notice to data subjects before processing personal data. The PDPD outlines specific information that needs to be included in the privacy notice, this includes:

  • Purposes of the processing activity

  • Types of personal data that will be collected for the purposes of processing

  • Information third parties that will be involved in the activity

  • Unexpected consequences and damage that are likely to occur

  • Time frames of the data processing activity

     

PDPD privacy notices should be formatted in a manner that data subjects can print or reproduce in writing. There are certain circumstances where a privacy notice is not required including where personal data is being processed by a state agency for purposes in accordance with the law.

 

Risk assessments

Data controllers have a requirement to conduct a data protection impact assessment before starting a processing activity. Additionally, controllers are required to keep records of these impact assessments, which should be accessible for auditing purposes and sent to the Ministry of Public Security within 60 days from the date of processing of personal data.

Impact assessment must include details relating to:

  • The purpose of processing personal data

  • The types of personal data to be processed

  • The third parties receiving personal data

  • The transfer of personal data internationally 

  • Processing timeframes 

  • Estimated time to delete or destroy personal data

  • The data protection measures applied 

  • The assessment of the benefits of the processing activity

  • The consequences or unwanted damage that is likely to occur

  • The measures to reduce or eliminate such risk or harm 

 

Data subject rights

The PDPD provides a broad range of rights to data subjects, many of which are common under modern privacy laws. 

PDPD data subject rights include:

  • Right to know - Data subjects have the right to know about processing activities that involve their personal data

  • Right to consent - Data subjects have the right to give and withdraw consent for the processing of their personal data, except in the case where consent is not needed under Article 17 

  • Right to access - Data subjects have the right to access to view, correct, or request correction of their personal data

  • Right to withdraw consent - The data subject is entitled to withdraw their consent

  • Right to deletion - The data subject can request to have their personal data deleted

  • Right to restrict data processing - Data subjects can limit the processing of their personal data, restriction of processing should be carried out within 72 hours after the request is made

  • Right to object to data processing - The data subject has the right to object to the processing or disclosure of personal data for advertising and marketing purposes. Requests should be fulfilled within 72 hours

  • Right to complain, denounce and initiate lawsuits – Data subjects have the right to complain, denounce or initiate a lawsuit in accordance with the law

  • Right to claim damages – Data subjects have the right to claim damages in accordance with the law when there is a violation of the PDPD involving their personal data

  • Right to self-defense - Data subjects have the right to protect themselves according to the provisions of the Civil Code

 

Valid consent

Valid consent of the data subject is required for all processing activities under the PDPD. There are several exceptions where processing personal data is permitted without consent such as in the vital interests of the data subject, where processing is necessary for compliance with the law, or to fulfill a contractual obligation. 

Consent can only be considered valid when the data subject voluntarily and clearly knows the following:

  • The type of personal data being processed (or type of sensitive personal data, where applicable)

  • The purposes of processing 

  • The third parties that will process personal data

  • Their rights under the PDPD

     

Consent must be clear and specific and given through affirmative action such as in writing, by voice, or by ticking a consent box, among other things. Silence or inactivity is not considered as valid consent under PDPD and data subjects may give partial or conditional consent. 

 

Other notable provisions

The PDPD also includes a range of other responsibilities for data controllers, data processors, and third parties. These include conditions for cross-border transfer of personal data such as transfer impact assessments and post-transfer notifications. The PDPD also includes rules for processing personal data obtained through audio and video recording activities in public places and the processing of children’s personal data. 

Other requirements include protecting personal data in the context of marketing services and advertising products and the measures to protect sensitive personal data include assigning a data protection officer.

 

How can businesses prepare?

As with most modern privacy laws, the best place to start when preparing your privacy program is to conduct a data discovery exercise to understand what data you have and where it is stored. Classifying and mapping this personal data against the provisions of new laws will help you to visualize data flows, identify third parties, and ensure requirements are met in compliance with the law such as data transfer requirements.  

In the case of the PDPD, you should ensure that you understand what types of information fall under the definitions of personal data and sensitive personal data as well as ensure you have the correct consent or implementing methods for collecting valid consent in preparation for the PDPD’s entry into effect. 

Privacy notices will be one of the most outwardly visible areas of compliance with the PDPD. Ensuring your web properties are displaying the correct notice that fulfills the criteria set out by the PDPD will be essential for transparency and accountability with the law. 

The PDPD introduces a broad range of data subject rights, therefore you should ensure that you have the correct methods of the intake of these requests and that you are set up and ready to fulfill them. Linking your subject rights fulfillment process with your data map will help you to ensure that all instances of personal data relating to the data subject can be easily found and relayed against the different types of request. 

To prepare for PDPD impact assessment requirements, you should begin to develop a risk assessment template that takes into account all of the required information and assessment criteria. You can build your assessment from scratch or use a pre-built template that can fulfill risk assessment templates of several laws. Additionally, the PDPD requires you to perform a transfer impact assessment when transferring data outside of Vietnam. Therefore, it is vital to have a robust process in place for completing risk assessments and have a solid understanding of your personal data processing activities.

Speak to an expert today to learn more about how the OneTrust Privacy & Data Governance Cloud can help you get prepared for the Vietnam PDPD ready for July 1. 


You may also like

Webinar

Privacy Management

India's DPDPA: What you need to know

In this webinar, legal experts discuss India's newly enacted comprehensive privacy law, the Digital Personal Data Protection Act, 2023 ('DPDPA') 

September 12, 2023

Learn more

Webinar

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more

Checklist

Privacy Management

The Revised FADP: 7 steps toward preparedness

Prepare for Switzerland’s Revised Federal Act on Data Protection (Revised FADP) when it comes into force on September 1, 2023 with our free compliance checklist.

June 15, 2023

Learn more

Webinar

Privacy Management

Saudi Arabia's PDPL latest amendments: Are you ready?

Join OneTrust and Deloitte Middle East as we cover the latest changes to Saudia Arabia's Personal Data Protection Law (PDPL) and what it means for organizations in the KSA region.

May 30, 2023

Learn more

Webinar

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more

Webinar

Privacy Management

5 years of GDPR: Milestones, challenges, and opportunities

Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

May 24, 2023

Learn more

Webinar

Privacy Management

Understanding Washington's My Health My Data Act

The Washington My Health My Data Act was signed into law on April 27, 2023 and will be enacted the following year. Join OneTrust DataGuidance and a team of legal experts and get the knowledge you need for compliance.

May 18, 2023

Learn more

Infographic

Privacy Management

Comparing Canada's privacy laws infographic

Download this infographic to compare provisions in Alberta, British Colombia, and Quebec with those found at a federal level in PIPEDA and those proposed under the Consumer Privacy Protection Act.

May 18, 2023

Learn more

Blog

Privacy & Data Governance

Comparing US privacy law exemptions infographic

Learn how to navigate the new US privacy law exemptions and see how they compare.

May 01, 2023

Learn more

Webinar

Privacy & Data Governance

Iowa joins US privacy landscape with a new law

OneTrust DataGuidance’s webinar discusses Iowa’s CDPA, its similarities to other US privacy laws, its implications on organizations, and steps for compliance.

April 10, 2023

Learn more

Webinar

Privacy Automation

OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

April 04, 2023 1 min read

Learn more

eBook

Privacy Management

The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

February 21, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to consent and preferences in the healthcare sector

Download the guide to learn more about how to use consent and preferences to elevate patient and customer experiences in the healthcare sector.

February 15, 2023

Learn more

eBook

Privacy & Data Governance

The Ultimate Guide to PIPEDA compliance eBook

Download this eBook to understand how to meet the requirements of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

February 06, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to US opt-out requirements

Learn about the different opt-out requirements, such as a “Do Not Sell My Personal Information” in the US privacy landscape, and how to comply with them.

January 23, 2023

Learn more

Checklist

Consent & Preferences

8 steps to Quebec Law 25 compliance

Read our checklist to learn how to stay on top of Quebec Law 84, which introduces many new measures to Canada’s privacy landscape.

October 19, 2022

Learn more

Resource Kit

Consent & Preferences

Your marketer’s masterclass resource kit

OneTrust has created a range of resources to help marketing teams take a privacy-first approach that turns consumer trust into a competitive advantage.

September 06, 2022

Learn more

Resource Kit

Privacy Management

Your US privacy masterclass resource kit

These resources provide key information on US privacy law through blogs, webinars, and eBooks.

April 26, 2022

Learn more

Infographic

Privacy & Data Governance

Saudi Arabia Personal Data Protection Law (PDPL) overview

Learn more about Saudi Arabia's Personal Data Protection Law (PDPL) and what companies need to know for compliance.

February 24, 2022

Learn more

Infographic

Privacy & Data Governance

Employee rights under the CPRA

Download our infographic on employee rights under the CPRA to help prepare for the law's expansion in CPRA. 

December 07, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to CCPA compliance

The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of  the CCPA that you should consider when building a privacy program.

December 01, 2021

Learn more

Infographic

GDPR's 8 fundamental data subject rights

Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

August 27, 2021

Learn more

eBook

Privacy & Data Governance

10 steps to meeting the GDPR Article 30 requirement

Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

July 22, 2021

Learn more

eBook

Privacy & Data Governance

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

July 22, 2021

Learn more

Webinar

Privacy & Data Governance

CCPA compliance masterclass

Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.

Learn more