Draft Law outlines legal framework for personal data protection

Comprising 69 articles arranged into seven chapters, the draft Law - considered an updated version of Decree 13/2023/ND-CP - would apply not only to Vietnamese agencies, organizations, and individuals, but also to foreign entities operating in Vietnam and foreign nationals residing in the country. In addition, foreign agencies, organizations, and individuals directly involved in the processing of personal data in Vietnam would also fall under the scope of this Law.

Requirements on consent of data subjects

The draft Law defines consent of a data subject as an explicit and voluntary expression indicating the subject’s permission for the processing of his personal data. Consent of the data subject is required for all activities involving the processing of personal data, unless otherwise stipulated by law.

Notably, personal data controllers or controllers-processors are prohibited from imposing mandatory conditions that compel data subjects to consent to the transfer of their personal data for purposes irrelevant to the original intent of collection. Data subjects may refuse such conditions without suffering any disadvantage.

Consent must be expressed through an affirmative action that clearly and specifically indicates approval, such as a written declaration, voice confirmation, ticking a “yes” box, sending a “yes” response via messaging platforms, selecting affirmative technical settings, or similar actions.

New entities involved in personal data protection

Under the draft Law, those involved in personal data protection include developers of personal data protection-related technologies; personal data protection organizations; personal data protection experts; organizations certifying compliance with personal data protection requirements; and entities providing personal data protection credit rankings.

Unlike Decree 13, the draft Law mandates the designation of personal data protection organizations and experts for processing both basic and sensitive personal data. However, microenterprises, small-sized enterprises, and startups would be exempt from this requirement during their first two years of operation. This exemption does not apply to businesses engaged in the processing of personal data.

The draft says that enterprises hire external service providers to act as personal data protection organizations. In such cases, these service providers must obtain at least a “pass” rating in personal data protection compliance assessments.

Personal data protection across sectors

To ensure the protection of personal data in labor recruitment and employee monitoring, the draft Law permits employers to request only information that is disclosed in recruitment materials or already included in employee profiles.

Foreign companies recruiting or processing personal data of Vietnamese employees residing and working in Vietnam must comply with Vietnam’s personal data protection regulations. They are required to sign agreements or contracts on data processing with Vietnam-based investment companies and provide these companies with copies of the employees’ personal data to ensure legal compliance.

With respect to financial and banking data, the draft Law prohibits the unlawful sharing or transfer of personal data among credit institutions, insurance companies, and intermediary payment service providers, as well as between such institutions and third parties, unless explicitly allowed by law. In addition, organizations and individuals collecting or storing health- or insurance-related personal data may not share such data with healthcare or insurance service providers without the written consent of the data subject.

The draft Law also outlines personal data protection requirements in the areas of big data, artificial intelligence, cloud computing, social media, and OTT (over-the-top) services, among others.

Cross-border transfer of personal data

Under the draft Law, transfer of Vietnamese citizens’ personal data abroad includes: (i) transfer of data currently stored in Vietnam to data storage systems located abroad; (ii) transfer of data to foreign organizations or individuals; and (iii) use of platforms based outside Vietnam for processing such data.

Entities transferring Vietnamese citizens’ personal data abroad must prepare a personal data transfer impact assessment dossier, which serves as a legal commitment regarding the processing of such data. This dossier must be readily available for inspection and evaluation by specialized agencies in charge of personal data protection.

Handling of violations of personal data protection regulations

Agencies, organizations, and individuals found to have violated personal data protection regulations may, depending on the severity of their violations, be subject to civil liability, disciplinary measures, administrative sanctions, or criminal prosecution.

Organizations or enterprises that breach personal data protection provisions may face administrative fines ranging from 1 percent to 5 percent of their total revenue in the previous fiscal year.

The Government is tasked with detailing specific penalties and fine brackets for each type of administrative violation.

By VLLF