Financial Crime World

Vietnam’s Strict Data Protection Rules: What You Need to Know

======================================================

In an effort to protect the personal data of its citizens, Vietnam has implemented strict rules governing the processing of personal data by third-party agents and the transfer of such data to foreign countries.

Third-Party Agents Must Have a Contract with Data Controller

Under Vietnamese law, any third-party agent or data processor must have a contract with the data controller. However, there is no specific template or required provisions for such contracts. This means that companies processing personal data on behalf of others must ensure they have a comprehensive agreement in place.

Notice of Breach Laws

In the event of a breach of personal data protection regulations, the data processor must notify the data controller as soon as possible and the Cybersecurity Task Force (A05) within 72 hours. Notification can be made in stages if not all required information is available.

Transfer of Personal Data to Third Countries

Any party seeking to transfer personal data of Vietnamese citizens offshore must complete a cross-border transfer dossier, which includes key details such as:

  • Contact information
  • Objectives of the data processing
  • Measures for personal data protection

The agreement between the data transferor and recipient must also be submitted. The party transferring data must notify the A05 after the data transfer has been completed, including information on the transfer and contact details of the responsible parties.

Restrictions on Transfers to Third Countries

The Ministry of Public Security can request to stop personal data transfer if certain conditions are met, including:

  • The transferred data is used for activities violating the national interest and security of Vietnam
  • The transferor does not comply with requests to supplement the impact assessment dossier
  • There is an incident of leakage or loss of personal data of Vietnamese citizens

Captured Enterprises Must Store Certain Data in Vietnam

Under Decree 53, certain enterprises providing internet services in Vietnam (captured enterprises) are required to store certain users’ data (captured data) in Vietnam. This includes:

  • Personally identifiable information data
  • Data created by users in Vietnam
  • Data of a user’s relationship in Vietnam

Local and Foreign Enterprises Treated Differently

Decree 53 treats local and foreign enterprises differently. Local enterprises will be considered captured enterprises if they provide certain specified services in Vietnam, while foreign enterprises will only be considered captured enterprises in limited situations.

Personal Data That Amount to State Secrets Must Be Stored in Vietnam

Finally, personal data that amount to a state secret must also be stored in Vietnam. This includes:

  • Information on members of the People’s Army, People’s Public Security and intelligence agencies who are sent for training at home or abroad
  • Other sensitive information

Conclusion

Vietnam’s strict data protection rules aim to protect the personal data of its citizens and prevent breaches of national security. Companies processing personal data must ensure they comply with these regulations to avoid penalties and reputational damage.