You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
October 2, 2024

Vietnam’s Draft Personal Data Protection Law: An In-Depth Look

Subscribe to Updates

The first draft of Vietnam’s new Personal Data Protection Law (“Draft PDPL”) was released for public consultation on September 24, 2024, and is open for comments until November 24, 2024. (See further details here.) It is expected that the draft will be presented to the National Assembly before the end of 2024 and will be submitted for adoption in May 2025, with a tentative entry into force on January 1, 2026. As the Draft PDPL incorporates most of the provisions of Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), which has been the primary legal instrument on personal data protection since it took effect on July 1, 2023, it is likely that it will supersede the PDPD when it takes effect. [Please contact our Vietnam data protection team to request a detailed comparison of the Draft PDPL to the PDPD.]

Noting that there might be further changes to the draft once the public consultation period closes, the Draft PDPL proposes new specific requirements for a number of services. Some highlights of the current version include the following:

  • Marketing services: Although marketing services are already regulated under the PDPD, the Draft PDPL now recognizes that the use of personal data for marketing must comply with anti-spam regulations. The current draft does not clarify whether organizations are exempted from the consent requirement for the purpose of the initial call or message under the anti-spam regime. Marketing service providers are not allowed to outsource the services to another organization to perform or support the implementation of marketing business, which may prevent the sharing of personal data.
  • Behavioral advertising: Behavioral advertising (targeted personalized advertising based on a user’s activity or personal data) requires the consent of the data subject in a modifiable manner that allows the data subject to refuse to share data in different contexts. As with marketing services, advertising service providers may only use personal data collected through their business activities to provide their advertising services.
  • Big data processing: Organizations are free to utilize personal data on platforms where the data subjects have disclosed such data without any restrictions (which seems to allow the processing of any publicly available data, for as long as the data subjects do not restrict the use), as long as the collected data is only used for business activities in accordance with the law. The Draft PDPL specifies that the information registered for social network accounts or OTT services will not be considered public data, and cannot be processed without consent.
  • AI: Organizations are entitled to use personal data for research and development of machine-learning algorithms, artificial intelligence, and other automated systems, provided that notice is given to the data subjects (including explanations on the influence of the algorithm, artificial intelligence, or automated system on the legitimate rights and interest of the data subjects), and the data subjects are offered the right to opt out.
  • Cloud computing: The Draft PDPL now imposes the obligations on clients of cloud service providers to request that some content be included in the cloud computing contracts, notably that cloud service providers will only process their clients’ data for the benefit of and on behalf of the clients (which is very close to the definition of a data processor); compensation for damages must be clearly addressed; security, technical and organizational measures must be enumerated; technical measures are in place to ensure that the right to access data is reasonably decentralized, etc. In addition, cloud service providers must comply with impact assessment dossier requirements and with regulations on personal data protection in general; appoint a data protection department; request subcontractors to comply with regulations on personal data protection; and apply technical and organizational measures adequate to the scale and level of processing.
  • Labor and recruitment: When monitoring employees using technological and/or technical measures, organizations must ensure the rights and interests of the data subjects, particularly that the employees are aware of and consent to the monitoring, which must not be contrary to the law. The Draft PDPL confirms that employees must consent to the processing of their personal data — taking a different approach from the European Union and disregarding the argument that employees’ consent might not be voluntary considering the power imbalance with the employer. For intra-group sharing in a global employee database system, the legal entities must prove that the collection and processing of personal data is lawful, and the employees are responsible for the legality of the information provided. Further, the Draft PDPL indicates that the consent of the employees to share with one entity of the group does not mean the consent is given to the other entities of the group, which will be considered independently.
  • Financial, banking and credit information services: The sale and purchase of credit information is prohibited between financial institutions, credit institutions, and credit information institutions, as is the sending or transmission of unencrypted financial and credit data related to data subjects. Express consent is required to use the credit information of a data subject in credit scoring. The result of credit information assessment can only be binary (pass or fail; yes or no; true or false; etc.) or using a scale based on the database collected directly from the customers of the financial institutions, credit institutions, banks, or credit information institutions. De-identification measures must be applied at a specific stage of the processing. Credit information services/products can only be provided to financial institutions, banks, and credit institutions and when prescribed by law.
  • Health and insurance: Consent is mandatory for the collection and processing of health and insurance information. Organizations operating in the health sector may not provide personal data to healthcare providers or insurance providers, unless requested in writing by the data subject. This could hint that the data subject’s consent alone would not be sufficient in this case, and that the sharing of health information can only be initiated at the request of the data subject. For the sharing of health information in the context of reinsurance, any transfer must be clearly stated in the contract with the data subject.
  • Social network and communication services through cyberspace: Notification to the data subject on personal data processing must clearly state the content of personal data collected when installing or using the services, and organizations must refrain from collecting personal data outside the scope agreed with the user. Service providers are not allowed to request a photo of the ID card as an account authentication factor. Users must be allowed to opt out of cookies and have a “do-not-track” option. The service provider can only track the usage of its platform/OTT services with consent. When providing advertising or marketing services, notification must include information on the sharing of personal data and on the security measures that are applied. Calls and text messages must remain private—any recording or monitoring without the data subject’s consent is expressly stated as an illegal activity.
  • General B2C businesses: Contracts must now contain a clause on personal data protection clearly stating the responsibilities, rights and obligations of the parties.

The Draft PDPL also recognizes new services of (i) personal data protection trust rating organizations, and (ii) personal data protection organizations and experts (notably DPO-as-a-service), making it evident that outsourcing data protection departments and data protection officers (DPOs) is accepted.

Personal data protection trust rating organizations

Personal data protection trust rating organizations assess the ability of an organization to fully comply with the personal data protection regulations. The assessment will evaluate risk factors and their impact on the ability to satisfy personal data protection obligations, and will notably cover market and business environment risks, technological risks, governance risks, personnel risks, and financial risks. Results of the assessment are given in four rating levels—“high trust,” “trust,” “pass” and “failing”—and are reported to a “trust rating council” (a term which has not been defined in the Draft PDPL).

Organizations must satisfy certain eligibility requirements to obtain a certificate to provide trust rating services, including notably:

  • Registered capital of VND 5 billion or more;
  • Having at least one year of experience in personal data protection;
  • Employing at least three qualified personal data protection trust analysts.

Under the Draft PDPL, having a trust rating is mandatory for all organizations processing sensitive personal data. Considering the broad definition of sensitive personal data, which includes personal data that must be processed in an employment relationship (e.g., for salary payment purposes), this requirement will be practically applied to all organizations.

Personal data protection experts and organizations

A personal data protection expert (“PDP Expert”) is defined as a person with technological and/or legal capabilities appointed by a given processing entity to act as personal data protection person (i.e., data protection officer). PDP Experts must obtain a competence certificate from a certification organization whose role is to ensure that the PDP Experts are sufficiently qualified to undertake their roles. The Ministry of Public Security (MPS) will rely on licensed certification organizations to issue competence certificates to qualified PDP Experts who, at minimum, hold a college degree in a relevant field and have completed a data protection certification course.

A personal data protection organization (“PDPO”) is an entity that can be designated by a given data processing entity (including data controllers, data controller-processors, third parties, data transferors, and data recipients—but notably not data processors) as its personal data protection department. The PDPO provides personal data protection services to meet the needs of its appointing entity. The MPS will be in charge of issuing the license to the PDPO, subject to the PDPO hiring at least one technological and/or legal PDP Expert; engaging in functions, tasks, business lines, or domains related to technology and/or law; and obtaining a “pass” trust rating or higher.

The Draft PDPL imposes new requirements on businesses engaged in data processing services, which is now defined as a conditional business line (including any data processor engaged to process data for a data controller), notably to have at least one technological and legal expert (or one technology expert and one legal expert), register business lines related to technology or legal services or consultancy about technology or law related to personal data protection, and obtain a “pass” trust rating level or above.

Outlook

In sum, the Draft PDPL recognizes new data protection services with what seems to be an ambition to build trust (with the certification mechanism for PDP Experts and PDPOs and the trust rating organizations) and provide for sector-specific regulations on personal data protection. As the level of awareness in Vietnam regarding personal data protection remains low, these new service lines and sector-specific regulations might further contribute to the MPS’ efforts on capacity-building.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

December 15, 2023
As part of its membership in Lex Mundi, Tilleke & Gibbins has published an updated edition of its Guide to Doing Business in Thailand for 2023. This guide outlines the key factors for starting and operating a business in the Thai market. Issues covered include: Investment incentives Financial facilities Exchange controls Import and export regulations Structures for doing business Requirements for the Establishment of a Business Operation of the Business Cessation or Termination of the Business Labor legislation, relations, and supply Tax Immigration requirements This publication is part of Lex Mundi’s Country Guides series prepared by member firms in more than 100 jurisdictions worldwide. The guides serve as a useful resource for planning international business strategy and researching new markets. The full Guide to Doing Business in Thailand is available through the button below.
Read More
December 15, 2023
Vietnam’s new Law on Electronic Transactions No. 20/2023/QH15 (LOET 2023) was promulgated by the National Assembly on June 22, 2023, and will replace the existing Law on Electronic Transactions No. 51/2005/QH11 (LOET 2005) when it enters into effect on July 1, 2024. The LOET 2023 is aimed at facilitating transactions carried out in an electronic environment in all sectors. Derived from the fundamental principles of the LOET 2005, the LOET 2023 is similarly considered a framework law, developed based on the Model Law on E-Commerce of the United Nations Commission on International Trade Law (UNCITRAL). The main points of interest of the LOET 2023 are summarized below. 1. Scope of Application Unlike the LOET 2005, which explicitly excludes certain areas such as the issuance of certificates of land use rights and birth certificates from the scope of application, the LOET 2023 covers all areas without exception. However, the LOET 2023 will still not interfere with the regulations of substantive laws that stipulate the content, conditions, and forms of transactions in their respective areas (Article 1.2). The LOET 2023 also provides that it will only be applicable if other laws either allow or remain silent on the electronic execution of transactions; otherwise, if another law specifically does not permit a transaction to be carried out electronically, such law shall apply (Article 1.3). This emphasizes that the applicability of the LOET 2023 depends on the electronic readiness of specific sectors. 2. Enabling E-Transactions in All Sectors For traditional transactions or contracts to be legally valid, they typically require written documentation, the signatures of the involved parties, and the seals of organizations or companies, if required by substantive laws or common practice. Additionally, certain sectors mandate further steps like notarization or certification, such as in property transactions like house sales or inheritance
Read More
December 8, 2023
In a significant development on December 5, 2023, the Central Bank of Myanmar (CBM) issued Letter No. FE-1/2937 granting authorized dealer licensed banks (ADLBs) the authority to freely transact in foreign currency trades, buying and selling at the market exchange rate for Myanmar kyat (MMK) as proposed by buyers and sellers through online trading platforms. Offshore remittances, however, must comply with the remittance criteria set by the Foreign Exchange Supervisory Committee. The online trading platform Refinitiv, initiated in June 2022 under the CBM’s guidance, facilitates the buying and selling of foreign currency between ADLBs and between banks and customers. The initiative was implemented in accordance with CBM Letter No. FE-1/789, dated June 21, 2023. The platform’s inception saw the exchange rate set at over MMK 2,900 per USD 1. Then, in August 2023, the CBM ordered banks and traders to limit foreign exchange transactions to an approved online trading platform, again with the exchange rate fixed at MMK 2,900 per USD 1. Transactions outside of online trading platforms continue to be governed by the exchange rate set by the CBM of 2,100 MMK per USD 1. Conversion Rules for Exporters On December 6, 2023, the CBM issued Notification No. 26/2023 lowering the percentage of Myanmar companies’ export earnings in foreign currency subject to mandatory conversion into MMK from 50% to 35% at the current official exchange rate set by the CBM at USD 1 to MMK 2,100. This mandatory conversion must follow the requirements for mandatory conversion of foreign currency, which remain in effect. For more details on foreign exchange developments, or on any aspect of financial regulations in Myanmar, please contact Tilleke & Gibbins at [email protected].
Read More
November 27, 2023
The emergence of generative artificial intelligence (AI) has transformed the landscape for innovators and creators. As many legal practitioners have pointed out, it’s imperative for both developers of AI and artists using generative AI to understand the intricacies of intellectual property (IP) strategies so they can navigate this evolving terrain successfully. This article lays out some essential considerations relating to the major types of IP for both developers and creators in the realm of generative AI. IP Strategies for Developers of Generative AI Developers of generative AI technologies play a pivotal role in the innovation landscape. There are three overarching IP-related issues to consider: protecting their own intellectual property, mitigating the risk of violating other people’s IP rights, and IP commercialization. Key aspects of these concerns, along with suggested approaches for developers, are outlined below. Protecting IP Copyrights. One of the primary considerations for AI developers is the protection of AI-generated works, such as art and source code. The good news is that in most countries, these creations enjoy copyright protection without the need for registration. As a result, the works are automatically protected from the moment of creation. However, it’s crucial to maintain comprehensive records of your work to establish your ownership. Trademarks. Trademarks are vital for AI developers looking to establish and protect their brand. Pay close attention to Nice classifications, particularly class 9 (for software), class 35 (for business management and online marketing), and class 42 (for software design and development). Registering trademarks in these classes can provide robust protection for your brand and products. Patents. For truly innovative AI algorithms, techniques, or processes, consider the option of patenting. Patents offer strong protection, but they require a thorough application process and the documentation of your innovation, including evidence that the invention is novel, non-obvious, and practically
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice