Issue of November 2021 – Draft Decree on personal data protection

Dear Valued Clients,

Recently, the Government announced the second draft of the Decree on personal data protection (the “Draft Decree”) as a guidance document for the current Cyber Security Law. In this Legal Update, we highlight several points that could affect business activities in Vietnam once this Draft Decree is adopted.

Definition of personal data

Currently, personal data (“PD”) is either absent from the law or regulated only in scattered provisions. As the first legal document guiding this matter, the Draft Decree provides a specific definition of PD, which includes two types: (i) Basic PD[1] and (ii) Sensitive PD[2]. Thus, compared with previous legal documents, in which PD is defined ambiguously, the Draft Decree clearly determines the scope of PD, making the application of PD regulations easier and more accurate.

Establishment of the Commission for Personal Data Protection (“CPDP”)

The Draft Decree stipulates the establishment of the CPDP, located at the Department of Cyber Security and High-Tech Crime Prevention of the Government[3]. The main function of the CPDP is to supervise and ensure compliance with the regulations on protection of PD stated in the Decree[4]. The CPDP has the right to inspect compliance at an organization/enterprise no more than 2 times/year, but has the right to conduct additional investigations where an infringement of PD protection provisions is suspected[5].

A national website for PD protection will be established to post the ratings and reviews of CPDP on the reliability of the PD protection of agencies and organizations.

Notice to data subjects of the realization of their PD

According to Article 11 of the Draft Decree, the realization of PD must be notified to the data subject in advance, except for the following cases[6]:

1.  The data subject has completely consented to the contents and operations of the entire PD realization.

2.  The PD realization is regulated by international laws, international agreements, and international treaties.

3.  The PD realization does not have any impact on the rights and interests of the data subject, and it is impossible to inform the data subject.

4.  The PD realization is implemented for scientific research or statistics.

This is to ensure that “the data subject is able to be aware of and to receive notice of the activities related to his/her PD realization”.

Consent of the data subject to PD realization

According to Article 5.1 of the Draft Decree, the data subject has the right to “either agree or disagree to let the realizing party or any third party to realize their PD”, except for the case specified in Article 10 of this Draft Decree. The consent of the data subject, as clarified in Article 8, only becomes effective when it is given voluntarily and the data subject is fully aware of the following:

1.  The type of PD to be realized;

2.  The realization purpose;

3.  The authorities to realize and share the PD;

4.  Conditions for transferring and sharing PD to third parties;

5.  The rights of the data subject related to their PD realization in accordance with the laws.

Note: Silence or non-response by the data subject is not considered consent.

Realization of sensitive personal data (“SPD”)

SPD must be registered with the CPDP in advance of realization, except for certain special cases, for example, to serve the prevention, detection, investigation and sanction of violations, judicial activities of courts, scientific research, statistics, etc.

Transfer of data across borders

PD of Vietnamese citizens may be transferred across borders when the following conditions are satisfied[7]:

1.  The data subject has consented to the transfer.

2.  The original data is stored in Vietnam.

3.  The country, territory or specific area within the country or territory to which the data is transferred has promulgated regulations on PD protection to an extent equal to or higher than the provisions of the Draft Decree.

4.  The CPDP has given written approval.

Note: The realizing party of the PD must build a system that stores the data transfer history for a period of 03 years, including the time of the external transfer of PD; the identity of the receiving party; the type, quantity, and sensitivity of the PD transferred externally; etc.

Obligation to develop regulations on PD protection

The realizing party of the PD must designate a division responsible for protecting PD and provide information about that division to the CPDP[8]. At the same time, the realizing party must issue regulations for receiving and responding to complaints related to PD protection that may arise[9].

Penalties for administrative violations

If there is any violation related to the realization or disclosure of PD, the realizing party may be subject to the following administrative penalties:

1.  A fine ranging from VND 50,000,000 to VND 100,000,000[10].

2.  5% of total revenue for repeated violations or violations causing serious consequences[11].

3.  Additional sanctions such as suspension of PD realization for one to three months or deprivation of the right to use the license/written consent to realize and/or transfer the PD across borders.

In addition, violations may also be subject to remedial measures (such as the forced return of money obtained from committing violations[12]).

The above are some issues that clients may be interested in regarding the Draft Decree, which will be approved in the near future.

As usual, we hope you find this Legal Update helpful and look forward to working with you in the near future.

Kind regards,

ENT Law LLC

—————————————————-

[1] Under Article 2.2 of the Draft Decree: Basic PD includes:

1.  Last name, middle name and birth name, alias (if any);

2.  Date of birth; day, month, year of death or missing;

3.  Blood group, gender;

4.  Place of birth, place of birth registration, place of permanent residence, current residence, hometown, contact address, email address;

5.  Academic level;

6.  Nation;

7.  Nationality;

8.  Phone number;

9.  Identity number, passport number, citizen identification number, driving license number, license plate number, personal tax identification number, social-insurance number;

10.  Marital status;

11.  Data that reflects activities or the history of activities in cyberspace.

[2] According to Article 2.3 of the Draft Decree: Sensitive data includes:

1.  PD on political and religious views;

2.  Health PD is information relating to the physical or mental health status of a data subject that is collected or identified during registration or the provision of medical services;

3.  Genetic PD is information relating to inherited or acquired genetic characteristics of an individual;

4.  Biometric PD is information about the physical attributes, unique biological characteristics of each individual;

5.  PD on gender status is information about a person identified as male, female, a mix of female and male, neither completely female nor male, neither female nor male or the status of a gender-conscious data subject that does not conform to the sex determined at birth;

6.  PD about life, sexual orientation;

7.  PD about criminals, criminal acts collected, stored by law enforcement agencies;

8.  Financial PD is information used to identify accounts, cards, payment instruments provided by a financial institution to a subject of data or information about the relationship between the financial institution, principal data with data subject, including profile, financial status, credit history, income level;

9.  PD about location is information about an individual’s physical location in the past and present;

10.  PD about social relationships;

11.  Other PD that is considered unique and requires necessary security measures as per the laws.

[3] Under Article 23.1 of the Draft Decree.

[4] Under Article 24 of the Draft Decree.

[5] Under Article 19.2 of the Draft Decree.

[6] Under Article 11.3 of the Draft Decree.

[7] Under Article 21.1 of the Draft Decree.

[8] Under Article 18.2 of the Draft Decree.

[9] Under Article 18.1 of the Draft Decree.

[10] Under Article 22 of the Draft Decree.

[11] Under Articles 4.3 and 22.3 of the Draft Decree.

[12] Under Articles 22.4 and 22.4 of the Draft Decree.