After more than two years, the new Decree 13/2023/ND-CP on protection of personal data (“Decree 13”) will come into effect on July 1, 2023. Decree 13 will apply to both local and offshore entities engaged in personal data processing. While Decree 13 does reflect most of the comments and views from the business community, there are additional requirements applicable to businesses that process personal data. In comparison to the last draft, Decree 13 introduces several new and revised concepts.
Parties involved in processing Personal Data
Personal data is defined as information in the form of signs, texts, numbers, pictures, sounds and similar forms that exist in a digital environment and that refer either to a specific person or which, when combined with other data, identifies a specific person. Decree 13 still divides personal data into basic personal data and sensitive personal data, but new types of data are now included. For example, basic personal data now includes personal photos/images and other information that may not, in itself, be sensitive personal data but can help identify a specific person. The term ‘sensitive personal data’ retains its definition: information which, if violated, may damage the data subject’s legal rights and benefits. It is notable that ‘gender identity’ is no longer included as sensitive personal data. These concepts are robust and comprehensive but at the same time provide the authorities with discretion to enlarge them.
Processing personal data is broadly defined. It is any activity which affects personal data, such as: collecting, writing, analyzing, confirming, storing, editing, publishing, combining, accessing, acquiring, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, and removing personal data.
Decree 13 introduces the new concept of ‘data controller’; it is a party that determines the purpose and method of processing personal data. ‘Data controller’ is a concept that has long existed in personal data regulations but its introduction as a Vietnamese legal concept indicates the Government’s intention to be in sync with global regulations. A ‘data processor’ is a party who directly processes personal data on behalf of the data controller as a result of an agreement with the data controller. A party can be both a ‘data controller’ and a ‘data processor’. Decree 13 also governs automated processing of personal data (using digital tools to process personal data to predict habits, hobbies, reliability, locations, tendencies, performance, and other aspects of a person). It also addresses the processing of personal data collected in public, processing personal data of missing or deceased persons or of children and processing personal data in advertising. The reach is quite broad.
Rights and Obligations of Data Controllers, Data Processors and Data Subjects
The Department of Cybersecurity and Prevention of Cyber-crimes (“A05 Department”) under the Ministry of Public Security will oversee the enforcement and application of personal data regulations, including Decree 13. A national portal on protection of personal data will be established to publish new information on protection of personal data, receive notices of breach of personal data, and handle violations of personal data regulations.
A data controller is ultimately responsible when it processes the personal data of a data subject. It is required to implement organizational and technical measures together with security measures and be ready to prove that processing activities have been legally performed, including keeping a log of processing activities, only working with a data processor that has implemented appropriate security measures and notifying authorities in case of a breach. Interestingly, neither the data controller nor the data processor must notify the data subject in case of a personal data breach.
To process personal data a data processor must have a contract with a data controller. After processing is completed, the data processor must delete or return all personal data to the data controller. A party processing sensitive personal data must have a specialized department and qualified personnel to protect personal data and information and must make certain disclosures to the A05 Department. Of course, a party which both controls and processes personal data assumes the responsibilities and obligations of both the data controller and data processor.
Decree 13 gives a data subject the right to know, to give and withdraw consent, to access, to delete, to request the deletion of their personal data, to restrict processing activities, to provide personal data, to object to processing activities, to make a claim, to receive compensation and to implement self-protection. But a data subject must provide complete and true personal data once she has given specific consent to the processing of her personal data.
Impact Assessments and Cross-border transfer of Personal Data
Decree 13 requires both the data controller and the data processor to prepare a written impact assessment of their personal data processing activities (“PDP Impact Assessment”) and to provide the A05 Department with necessary details within 60 days of processing the data. The content of the PDP Impact Assessment of the data controller and data processor is different. The PDP Impact Assessment need not be approved by the A05 Department before personal data processing may begin. However, the A05 Department may require revisions.
Prior to an offshore transfer of personal data, the transferor must prepare an impact assessment (‘Transfer Impact Assessment’). Again, the Transfer Impact Assessment need not be approved by the A05 Department before personal data is transferred offshore. The A05 Department may, however, make annual inspections. This mechanism clarifies a major uncertainty in the previous draft.
The obligation to perform impact assessments will no doubt increase business costs for the entities involved. What remains unclear is how this obligation will apply to existing entities which will assume the role of data controllers and data processors under Decree 13. Additionally, the A05 Department may request that an impact assessment be supplemented if it deems it insufficient. Decree 13 does not provide the consequences if a party fails to submit impact assessments or if it fails to update and revise an impact assessment after being requested to do so.
Under Decree 13, Vietnam’s regulations on cybersecurity and personal data protection have aligned much more closely with existing international regulations. However, many areas of Decree 13 still need clarification. It is anticipated that the Government will issue a decree on the enforcement of personal data regulations.
For further information, please contact:
Le Ton Viet, Russin & Vecchi