At Webinar: "Personal Data Protection in Vietnam and Cross-Border Transactions – What's New?" ASL LAW received very practical questions. In this article, ASL LAW would like to answer those questions.

Question 1: How do we exchange information regarding DPO with the local regulator? Is the National Portal on personal data protection launched already?

Until now, The Ministry of Public Security (MPS) has not issued the guidance of 05 administrative procedures for the personal data processors to fulfill their obligations under this Decree by July 01, 2023, including the administrative procedure for the impact assessment of the transfer of personal data abroad. The National Portal on personal data protection has not been launched. We will follow up and send you the detailed information after receiving an update from MPS.

Question 2: What's your opinion on how the consent of children from 7 will be considered sufficient? Thank you.

According to Article 20.2 of Decree 13/2023/ND-CP, in the case of children aged 7 years or older, the processing of children's personal data must have the consent of the children and the consent of the parents or guardians as prescribed, except in the case of prescribed in Article 17 of this Decree which allows the processing of personal data without consent in the following circumstances:

  • In emergencies, where relevant personal data must be immediately processed in order to protect the life or health of the data subject or others;
  • Where the disclosure of personal data is in accordance with the law;
  • When the processing of data is done by competent state agencies for national security or in the event of a national security emergency, social order and safety, major disasters, or dangerous epidemics; when there is a threat to national security or defense, but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of law in accordance with the provisions of law;
  • To fulfill the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law; or
  • To serve the activities of state agencies as prescribed by sector-specific laws.

Question 3: Is the data of a legal corporate entity (i.e. the customer) subject to the provision of this decree?

According to the provisions of Article 2.1 of decree 13/2023/ND-CP regulates the personal information of Vietnamese citizens, all personal data such as information of customers, employees, etc who are Vietnamese will be subject to this Decree.

Question 4: If an organization conducting service for another organization which the service involves collecting personal data and this organization will later share sensitive data with the organization appointing them for the service, who is the data processor & controller in this case as the service provider also obtain personal data in order to provide the service

According to Article 2.9 of the Decree, The Personal Data Controller is defined as follows: "Personal Data Controller means an organization or individual that decides the purposes and means of processing personal data".

According to Article 2.10: the Personal Data Processor is defined as follows: "Personal Data Processor means an organization or individual that performs data processing on behalf of the Data Controller, through a contract or agreement with the Data Controller".

Therefore, the organization appointing the other organization to collect and process personal information will be deemed as The Personal Data Controller;

And the organization to collect and process personal information will be deemed as the Personal Data Processor.

Question 5: According to Point a, Clause 4, Article 13, the personal data processor does not need to notify the data subject if there is an agreement before the time of data collection. So with the data of old customers, can the bank agree on not having to notify them?

According to the guidance of the Ministry of Public Security at the Conference to disseminate Decree 13 on April 17, 2023, Personal data collected before the effective date of Decree No. 13/2023/ND-CP is still within the scope of the Decree. However, as we mentioned in the Webinar, in case the data is collected and processed before July 01, 2023, it is unnecessary to obtain consent from the data subject. However, other obligations still need to be observed.

Question 6: Is the data controller allowed to assess the personal credibility of the data subject based on data legally generated in the process of providing services to the data subject and share this assessment with credit organizations after obtaining the data subject's full and complete consent for the purpose, content, and recipient of the evaluation?

As stipulated, the data controllers and the data processors only use personal data for purposes that are consented to by the data subject. If they share or purchase personal data without permission, it will be banned.

Question 7: Our company's business is e-commerce in Vietnam and our whole system is stored in Singapore, our company doesn't have any storage system in Vietnam. Is our company the subject of "Outbound transfer of personal data"?

If the personal data which is controlled and processed by your company are information relating to Vietnamese citizens, your company will be subjected to Decree 13/2023/ND-CP and must comply with the provisions on "Outbound transfer of personal data".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.