Personal Data Protection In Vietnam – Decree 13 – Frequently Asked Questions

Russin & Vecchi

Contributor

Russin & Vecchi was founded in Asia over 60 years ago. We have offices in Ho Chi Minh City and Hanoi. We work with global clients and with international law firms. From entry strategy to operations, we help clients navigate the complex and changing Vietnamese regulatory framework. We deliver creative, compliant, and practical solutions.

¤ Does the new Decree 13 on "Personal Data" protection apply to us?

  • Yes, if you're an entity or individual located in Vietnam and involved in data processing.
  • Yes, if you're an entity or individual located offshore, but process data that originates in Vietnam or you process data relevant to Vietnamese nationals.

¤ What is "Personal Data"?

  • Very little data is excluded from the definition of personal data. It includes customer information, buying habits, preferences and more; it includes employee data of almost every description. Personal data is divided into basic personal data and sensitive personal data, and each requires different protective measures.

¤ What types of personal data processing are regulated?

  • Virtually all processing: collection, recording, analysis, storage, encryption and decryption, retrieval, granting access, copying, transferring, deletion, alteration, disclosure, verifying, combining.

¤ Who is covered or has a duty under Decree 13?

  • Data subjects, Data controllers, Data processors and any third party who is involved with personal data processing.

¤ What rights do data subjects have?

  • Right to give and withhold consent, the right to access, delete, update their personal data, the right to object to or restrict processing activities, the right to make claims and receive damages and the right to protect themselves.

¤ Do we need a data subject's consent to process her data?

  • Yes, with some exceptions. Consent must be voluntary, specific and verifiable. Consent may be withdrawn or conditional. Under the exceptions, data can be processed without consent.

¤ What are a Data Controller's obligations?

  • Only work with qualified data processors, keep proper logs, notify authority in case of data breach, assist the data subjects to exercise their rights, implement appropriate measures, comply with authority, be liable for damages, perform and submit impact assessments.

¤ What are a Data Processor's obligations?

  • Work only upon and in accordance with a data processing agreement, implement appropriate measures, delete or return data after completion, notify the data controller in case of data breach, be liable for damages, comply with authority, perform and submit impact assessments.

¤ Some key requirements:

  • Impact assessments must be prepared, maintained and submitted for data processing and offshore transfer of data; appropriate technical, management and administrative measures must be considered and implemented; rules and regulations on protection of personal data must be developed and published; a data protection officer may be required; consent must be obtained for all processing activities including offshore transfer; a binding document is required for offshore transfer of data; data minimization should be practiced.

* * *

Decree 13 comes into effect on 1 July 2023. The nature of compliance is deep. It is possible to build a consistent strategy of compliance, step by step and over a period of time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
