Personal Data Protection Decree enters into force on the 1st of July 2023 - are you prepared?
On the 17th of April the Vietnamese government published the Decree on Personal Data Protection (“PDPD”). The new regulation will come into effect on 1 July 2023. Prior to that date every business organization should perform a gap analysis between the current state of the data protection measures and the new requirements introduced by the PDPD.
As of the 1st of July 2023, business entities will need to, among other things:
Have the valid consent of the individual persons to process their personal data (in accordance with the new PDPD requirements);
Have appropriate internal procedures, agreements between data controllers and data processors, and the required technical measures to meet the PDPD requirements;
Assess whether the data they process can be deemed sensitive;
Prepare data protection impact assessments (in the way prescribed by the PDPD), which must be submitted to the Ministry of Public Security;
Prepare data protection impact assessments in relation to cross-border data transfers (these must also be submitted to the Ministry of Public Security).
Selected key points of the PDPD include:
New definitions/concepts e.g. “basic personal data”, “sensitive personal data”, “data processor” and “data controller”;
Data protection principles – Personal data should be processed in accordance with the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality and accountability.
Data subject notification – Data subjects must be notified about, among other things, the type of personal data that is collected, the purpose of collection and the organisations that have access to the data;
Data subject consent – The consent of the data subject is required to process personal data. The consent must be expressly given (silent or default consent is not permitted) and can be partial or conditional. The data subject has the right to access and review his/her personal data. If the data subject withdraws consent, the relevant personal data must be deleted within 72 hours.
Damage claims – Data subjects have the right to claim damages if their rights, as stated in the PDPD, are infringed. The PDPD also makes it illegal to collect, transfer or sell personal data without the data subject’s consent.
Incident notification – Within 72 hours of a data breach or other violation of the PDPD, the personal data controller and the personal data controller-cum-processor are obliged to notify the Ministry of Public Security of the incident (including the measures taken to minimise the incident’s consequences) using the form provided in the PDPD.
Impact Assessment – Within 60 days of the date of data processing, organisations are required to prepare a personal data protection impact assessment. This must be done in accordance with the form provided in the PDPD, including information on the data controller and the data controller-cum-processor. The impact assessment is subject to evaluation by the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control). The impact assessment needs to be amended/updated in case of any changes in the extent of the personal data processed by organisations.
Transfer of personal data abroad – Transfer of personal data of Vietnamese citizens abroad requires preparation of a relevant impact assessment, including a description of the reasons for and purposes of transferring the data abroad and the relevant consent of the data subjects. The impact assessment must also include a written data transfer agreement with the foreign entity which receives the data. Dossiers with impact assessments must be available for inspection at the organisation, and one copy needs to be sent to the Ministry of Public Security within 60 days from the date of processing of personal data. The PDPD provides the form required for this type of impact assessment. Organisations are also required to update their impact assessment in case of changes (and send the update to the Ministry of Public Security). The Ministry of Public Security has the right to inspect the transfer of data abroad and may prohibit further transfers in case of noncompliance with the PDPD.
Protective measures – Every organisation needs to promulgate internal procedures on the protection of personal data in line with the PDPD requirements. There are also requirements in relation to network security systems and the ability to delete personal data within the 72-hour time window. The PDPD provides for a higher level of protective measures applicable to organisations that process sensitive data and children’s data.
Sanctions – Lack of compliance with the PDPD may result in:
Administrative sanctions for noncompliance with the PDPD;
Criminal sanctions for certain acts infringing the right to privacy;
Suspension of certain activities, e.g. suspension of data transfers abroad.
Who will be impacted by the PDPD? Every company that processes personal data in Vietnam, and every foreign entity abroad that processes personal data of Vietnamese residents.
How we can help
Starting from 1 July 2023, when Vietnam’s Personal Data Protection Decree (PDPD) comes into effect, companies will not only need to have implemented the new regulations internally but also ensure ongoing compliance with them (e.g. data protection impact assessments).
PDPD framework support
Maintaining compliance with PDPD
Security incidents
PDPD training
PDPD framework support
PDPD implementation in the organisation
Inventory of personal data processing processes
Gap analysis
Risk analysis and Data Protection Impact Assessment
Preparation of documents, procedures, analyses
IT/security adaptation, including development of documentation for data processing and of organisational and technical measures for personal data protection
Post implementation audit
PDPD implementation methodology
Check completeness of records of processing activities and records of all categories of processing activities
Review business processes for data processing security
Transborder transfers
Identification of areas where personal data are processed outside Vietnam
Development of rules and requirements for secure data transfer outside Vietnam
Drafting contractual clauses and other key documents to ensure that transfers comply fully with the PDPD
Maintaining compliance with PDPD
Permanent system of internal controls in the PDPD context
Risk radar for the Management Board
Periodic post-implementation audits
Support for the Data Protection Officer
Support in handling data subjects’ exercise of their rights
Vendor verification and third-party risk management
Impact analysis of new activities, processes
Update of documents, procedures
Privacy by design for new business solutions
Data Lifecycle Management
Reconfiguration/improvement of existing IT security solutions
Analysis of the need for and suitability of new IT security solutions
Awareness raising – training
Support during controls/inspections by the relevant authority
Security incidents
Pro-active incident management
Analysis of vulnerability to incidents and examining the effectiveness of security
Legal and information security support, investigation services in breach response
Support in communication with the relevant local authorities and data subjects
PDPD training
Build and increase awareness of the regulation’s requirements;
Give your employees the practical skills necessary for their work and for secure personal data handling.