¤ Does the new Decree 13 on "Personal Data" protection apply to us?

  • Yes, if you're an entity or individual located in Vietnam and involved in data processing.
  • Yes, if you're an entity or individual located offshore, but process data that originates in Vietnam or you process data relevant to Vietnamese nationals.

¤ What is "Personal Data"?

  • Very little data is excluded from the definition of personal data. It includes customer information, buying habits, preferences and more; it includes employee data of almost every description. Personal data is divided into basic personal data and sensitive personal data, and each requires different protective measures.

¤ What types of personal data processing are regulated?

  • Virtually all processing: collection, recording, analysis, storage, encryption and decryption, retrieval, granting access, copying, transferring, deletion, alteration, disclosure, verifying, combining.

¤ Who is covered or has a duty under Decree 13?

  • Data subjects, Data controllers, Data processors and any third party who is involved with personal data processing.

¤ What rights do data subjects have?

  • Right to give and withhold consent, the right to access, delete, update their personal data, the right to object to or restrict processing activities, the right to make claims and receive damages and the right to protect themselves.

¤ Do we need a data subject's consent to process her data?

  • Yes, with some exceptions. Consent must be voluntary, specific and verifiable. Consent may be withdrawn or made conditional. In certain cases, data can be processed without consent.

¤ What are a Data Controller's obligations?

  • Only work with qualified data processors, keep proper logs, notify the authority in case of a data breach, assist data subjects in exercising their rights, implement appropriate measures, comply with the authority, be liable for damages, and perform and submit impact assessments.

¤ What are a Data Processor's obligations?

  • Work only upon and in accordance with a data processing agreement, implement appropriate measures, delete or return data after completion, notify the data controller in case of a data breach, be liable for damages, comply with the authority, and perform and submit impact assessments.

¤ Some key requirements:

  • Impact assessments must be prepared, maintained and submitted for data processing and for offshore transfer of data.
  • Appropriate technical, management and administrative measures must be considered and implemented.
  • Rules and regulations on the protection of personal data must be developed and published.
  • A data protection officer may be required.
  • Consent must be obtained for all processing activities, including offshore transfer.
  • A binding document is required for offshore transfer of data.
  • Data minimisation should be practised.

* * *

Decree 13 comes into effect on 1 July 2023. Its compliance obligations are extensive. It is possible to build a consistent compliance strategy, step by step and over a period of time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.