The draft PDPL aims to provide a unified framework for the protection of personal data in Vietnam based on 4 policies.
On 24 September 2024, the Vietnamese Government published the Draft Personal Data Protection Law (“PDPL”) and the Draft Proposal on its website for public review and comments. The draft PDPL consists of 68 articles, divided into 7 chapters, aiming to provide a clear, detailed and unified legal framework for the protection of personal data in Vietnam based on four policies:
- Unify legal regulations on legal terms related to personal data and personal data protection;
- Specify the rights and obligations of data subjects;
- Complete regulations on personal data protection during data processing; and
- Complete regulations to ensure the conditions and measures for personal data protection.
The Draft PDPL incorporates all important principles under Decree No. 13/2023/ND-CP (“PDPD”) on Personal Data Protection, with many additions which are highlighted below:
- The protection of personal data covers a wider array of domains, including financial, banking, credit, and credit information activities[1]. It also encompasses the processing of big data, AI, cloud computing, employee monitoring and recruitment, and health and insurance information[2].
- Additionally, provisions on location data[3], biometric data[4], and social media and communication services provided through cyberspace[5] outline the obligations and responsibilities of organizations operating, using, and collecting these types of data.
- Personal data protection and processing have become a business service under the Draft PDPL[6], with new definitions of data protection specialists and organizations, and of a certificate mechanism. Protection of personal and sensitive data will no longer be limited to internal departments but can also be provided by private sector providers.
- Introduction of a credit rating system to evaluate organizations providing personal data protection services[7].
- Updates to the impact assessments for data processing (“DPIA”) and cross-border transfer (“CTIA”), namely: clearly defined cases for cross-border transfer of personal data, and bi-annual updates to these dossiers upon any changes. The dossiers must be updated immediately in cases of company dissolution or merger, changes to the Personal Data Protection Organization and Specialist, or changes to the business lines or services relating to personal data.
- New policies on research and development of personal data protection solutions, improvement of personal data protection capacity, education, training and dissemination of knowledge on personal data protection, and inspection of personal data protection activities.
The Draft PDPL is tentatively expected to be adopted by the National Assembly in May 2025 and take effect from 1 January 2026. It does not provide any transition period, nor does it indicate whether it will replace the PDPD or coexist with it. However, given the purpose of “Unifying legal regulations on legal terms related to personal data and personal data protection”, the PDPL will likely prevail over the PDPD and any existing provisions relating to personal data protection.
The Draft PDPL is open for public consultation until 24 November 2024.
For further information, please contact:
Huy Nguyen, Rouse
hnguyen1@rouse.com
[1] Article 27 of the Draft PDPL
[2] Article 28 of the Draft PDPL
[3] Article 30 of the Draft PDPL
[4] Article 32 of the Draft PDPL
[5] Article 31 of the Draft PDPL
[6] Article 37 of the Draft PDPL
[7] Article 41 of the Draft PDPL