The EuroCham Digital Sector Committee has prepared this brief overview to help EuroCham members understand Vietnam’s new Personal Data Protection Decree (also known as Decree 13) and its implications for businesses.
This article provides essential insights into:
- How to comply with Decree 13
- Key differences between Decree 13 and the European General Data Protection Regulation (GDPR)
- The roles of data controllers and processors
- The requirements for Data Protection Impact Assessments and Cross-border Transfer Impact Assessments
- The potential sanctions for non-compliance
- The ongoing work of the EuroCham Digital Sector Committee to advocate for a business-friendly data protection framework in Vietnam
We encourage all EuroCham members to familiarise themselves with this important decree and to reach out to the Digital Sector Committee with any questions or concerns.
What is Vietnam’s Personal Data Protection Decree?
The Vietnamese Personal Data Protection Decree is part of a long-standing effort by the Vietnamese government to regulate the use of digital technologies as they become a significant part of the economy. Placed in an international context, Decree 13 echoes the GDPR, which has triggered a wave of regulations worldwide to frame the use of personal data. Although compliance with Decree 13 is easier for companies that already have GDPR-compliant privacy management practices and policies, Decree 13 and the GDPR are not fully aligned, and compliance with Decree 13 must take into account some significant differences and specific local requirements, such as the requirements for cross-border transfers and impact assessment reports.
Where to start?
Compliance with Decree 13, and more generally with all data protection frameworks, is something businesses must address in the long run, and it requires a continuous effort. The starting point is to understand one's own systems and all the personal data processed in them. Each processing activity must then be analysed to ensure it is compliant. This analysis ranges from cybersecurity (i.e., is the data safe or at risk of cyberattacks?) to operations (i.e., how does the company handle consent?) and governance, with the requirement to nominate a Data Protection Officer (DPO).
Data Controller and Processor
It is important to understand that companies are held responsible for the personal data they process during their operations, whether through providing products or services to their customers or through their relationship with their employees. They must commit to processing this data in a secure manner, while respecting privacy rights at all times. This responsibility notably includes a careful selection of the third parties with which the company shares its data, and the obligation to ensure that such third parties have sufficient measures and safeguards in place to protect the personal data. When a company decides which data is collected and how it is used, it is acting as the data controller.
The company receiving the personal data from a data controller and tasked with processing the data as instructed by the data controller is acting as the data processor.
For example, a shoe seller (data controller) who collects customer data to offer promotions and relies on a marketing agency (data processor) to do so must, in principle, ensure the agency commits to using the customer data only for the purpose stipulated in the contract and within a secure framework.
The Data Protection Impact Assessment and the Cross-border Transfer Impact Assessment (DPIA/CTIA)
To comply with Decree 13, companies must gather all of the above-mentioned information into a specifically formatted dossier called the DPIA/CTIA. These dossiers must be sent to the Department of Cybersecurity of the Ministry of Public Security (A05) for review. While the National Portal on Personal Data Protection (available at https://baovedlcn.gov.vn/) is intended to allow online submission of the DPIA/CTIA, this feature has not been launched yet. Hence, at the time of publication of this article, the dossiers are still being submitted in person at A05's address or via post.
Sanction Decree
At the time of publication of this article, the Ministry of Public Security had not yet released the official decree on sanctions and is still working on it. Nonetheless, according to the latest available draft, non-compliant companies will be exposed to fines and possibly the removal of their business licence in case of violation of their obligations under Decree 13.
We expect the Ministry of Public Security to issue the Sanction Decree by the end of 2024.
The Role of our Digital Sector Committee
For five years, we have been following the development of Decree 13 and related regulations and have continuously advised the Vietnamese authorities to make privacy regulation more business-friendly and aligned with existing foreign regulations, so that companies can comply without unreasonable burden and the attractiveness of doing business on the Vietnamese market is preserved. Our long-term goal is to integrate the Vietnamese framework within international standards, especially the GDPR, so that European companies can capitalise on their compliance efforts in Europe when complying with Decree 13.
We welcome any support from the EuroCham business community: please communicate any difficulties to the Digital Sector Committee so that it can continue building a fruitful relationship with the Ministry of Public Security and contribute to fostering a positive business environment in Vietnam.
For more information or to share your experiences related to PDPD implementation and its impact, please contact:
- Danh Nguyen
- Sector Committee Coordinator
- Email: Danh.Nguyen@eurochamvn.org