Vietnam Introduces New Decree on Personal Data Protection

Effective from [date], the Vietnamese government has introduced a new decree aimed at strengthening personal data protection laws in the country. Decree 13/2023 replaces the previous draft decree and introduces several key changes to ensure the security of personal data.

The decree clarifies that “legitimate interest” must not override the interests or fundamental rights and freedoms of individuals requiring protection of their personal data. In addition, consent is required for processing personal data obtained from audio and video recordings in public locations for national security, social order, and safety purposes.

Special Cases

The decree also addresses special cases:

Processing of Personal Data of Missing or Deceased Persons: Requires the consent of family members.
Children’s Personal Data: Can be processed with parental consent, except in cases where the child is 7 years old or older, when both the child and their parents or guardian must give consent.

Notification Obligation

In case of a violation of regulations on personal data protection, data controllers and processing parties are required to notify the Ministry of Public Security (MPS) within 72 hours of detection. This notification obligation aligns with the European General Data Protection Regulation (GDPR).

Assessment of Impact

The decree introduces an assessment of impact requirement for all cases of personal data processing. Data controllers and processors must prepare a dossier including information on:

Cross-border transfer
Potential consequences
Measures to minimize harm

Cross-Border Transfer

The decree specifies procedures for cross-border transfer of personal data, requiring data transferors to maintain a dossier with required contents and notify the MPS within 60 days of the transfer. Unlike the GDPR, the decree does not impose restrictions on transferring personal data to third countries.

Measures for Ensuring Personal Data Protection

The decree requires measures to ensure personal data protection, including:

Management and technical measures implemented by entities related to personal data processing

Specialized Agency

The Department of Cybersecurity and Hi-tech Crime Prevention under the MPS will act as the specialized agency responsible for protecting personal data. This decision suggests that Vietnam views protection of personal data as a security issue rather than a civil right issue, differing from the GDPR’s requirement to establish an independent public authority.

Conclusion

The new decree aims to strengthen Vietnam’s personal data protection laws and ensure compliance with international standards. The decree comes into effect on [date] and applies to all organizations and individuals processing personal data in Vietnam.