Last year, the government of Vietnam issued the Personal Data Protection Decree (PDPD), which took effect on July 1, 2023. The Department of Cybersecurity and High-Tech Crime Prevention and Control (referred to as “A05”) under the Ministry of Public Security (MPS) is tasked with implementing and enforcing the requirements under the PDPD. While a decree on sanctioning provisions for noncompliance with the PDPD is still pending issuance, further movements from the MPS/A05 indicate that it aims to start conducting its first inspections into PDPD compliance.
This is the first time that companies and government agencies have been officially questioned by the MPS about their compliance with the PDPD. The purposes of this inspection program are (1) to evaluate the compliance status of a group of selected companies and government agencies and to understand challenges in complying with the PDPD requirements; (2) to propose sanctions for noncompliance; and (3) to collect information and comments for the development of the upcoming Personal Data Protection Law—not to spot noncompliance with the PDPD specifically.
This round of inspection includes a number of companies in 14 sectors (including e-commerce, aviation, telecom, banking and finance, intermediary payment, insurance, gaming, education, healthcare, real estate, data processing services, and ride hailing). The companies targeted by this inspection program must: (1) submit a report on compliance to the MPS/A05 by May 30, 2024 (this report is different from the data protection impact assessment (DPIA)/transfer impact assessment (TIA) submission requirements); and (2) coordinate with the MPS/A05 on any further investigation actions from June to August 2024. The inspection results will be available by September 2024.
Key information to be reported includes, among others: (1) a description of the activities and measures carried out to implement the PDPD (such as protecting data subjects’ rights, performing administrative procedures, preventing violations, etc.) and their implementation results in practice; (2) assessment and analysis of the shortcomings and reasons, and the lessons learned; (3) a forecast of violations of data privacy law; and (4) recommendations and solutions to overcome the challenges in complying with the PDPD, including specific suggested contents to be included in the draft Personal Data Protection Law.
Due to the absence of the decree on sanctioning, it remains to be seen if and how the MPS/A05 will impose sanctions on companies that have not yet fully complied with the obligations under the PDPD, especially those related to DPIA/TIA submissions. Nevertheless, this is a good time for companies that have not complied with the PDPD to quickly fulfill their obligations before they are subject to the next round of investigation and/or enforcement.