Written by: Minh Nguyen, Senior Associate, ACSV Legal
The entry into force of the European Union’s General Data Protection Regulation (GDPR) in May 2018 was a wake-up call for companies and countries in Vietnam which have business relationships with EU-based companies or employ EU citizens. The main reason was that the GDPR has extraterritorial effect, under which the supervisory authority of each EU Member State is empowered to penalise non-EU companies that violate the GDPR while having business transactions with EU individuals or companies.
With the Vietnam-EU Free Trade Agreement having taken effect in August 2020, it is not a surprise, but a welcome move, that the Vietnamese Government recently circulated the draft Decree on Personal Data Protection (DPDP) for public consultation.
The DPDP is drafted by the Ministry of Public Security of Vietnam (MPS) and is proposed to take effect from 1 December 2021. Once adopted, it will become the first-ever unified regulation on personal data protection in Vietnam.
The DPDP uses a model similar to the GDPR in sanctioning non-compliance, under which the highest level of fine might be calculated based on the violator's annual turnover of the preceding financial year. It is therefore foreseen to have a significant impact on all businesses operating in Vietnam, especially foreign-invested companies, which often have cross-border data transfer activities.
Through this legal update, we would like to give you a heads-up on certain points worth noting in the draft DPDP.
1. Personal Data Protection Committee
The personal data protection committee (PDPC) is an independent governmental body to be established under the auspices of the MPS. The PDPC will function as the supervisory authority which oversees personal data protection activities in Vietnam. Some of its duties include:
• Develop and run a national portal of personal data protection;
• Approve data privacy policies of companies and organisations before they are rolled out;
• Examine registration dossiers for the processing of sensitive personal data and the cross-border transfer of personal data, and request the MPS to approve or reject the registration dossiers;
• Request the MPS to inspect suspected violations in personal data protection activities or to sanction the violations;
• Issue guidelines to implement the DPDP; and
• Propose inspection plans to the MPS; inspections might be conducted a maximum of twice a year, save for the case of a manifest violation.
2. Sensitive Personal Data
2.1 – Definition
The definition of sensitive personal data is introduced for the first time in Vietnam by the MPS to distinguish it from the definition of basic personal data. Sensitive personal data includes genetic and biometric data, and data concerning the health, gender, sexual orientation, financial status and income, criminal records, location and social relations of an individual.
According to the draft DPDP, the list of sensitive personal data is not exhaustive, as any signature data of a person which requires a high level of confidentiality and special protection under the law will be considered sensitive personal data. Due to this special characteristic of sensitive personal data, any processor wishing to process such data must register the data with the PDPC in advance, save for certain exceptional circumstances.
2.2 – Registration
The registration process would take a maximum of 20 working days from the date the PDPC receives a sufficient registration dossier.
2.3 – Fines
Violation of the registration requirement might expose the processor to a fine of up to VND 100 million (USD 4,300).
2.4 – Impact
Fintech companies, banks, hospitals, fitness centers and healthcare clinics would be the first ones that would get hit by this regulation when the DPDP takes effect.
3. Cross-Border Transfer of Personal Data
3.1 – General
According to the draft DPDP, cross-border transfer of personal data of Vietnamese citizens is restricted to a large extent. Specifically, cross-border transfer is conditional upon the satisfaction of the following 4 elements:
• The data subject consented to the transfer
• The original data is stored in Vietnam
• The country or the state where the data recipient is based offers the same or a higher level of data protection in comparison with Vietnam
• The PDPC approves the transfer
Although the draft DPDP sets out 1 exception where the cross-border transfer would be permissible without satisfying the 4 aforesaid elements, the prerequisites for this exceptional case need to be clarified in subsequent drafts of the DPDP, as they are still very obscure in this draft. It is worth noting that, in respect of the 4th element set forth above, it would take a maximum of 20 working days to obtain an approval from the PDPC after a sufficient registration dossier is lodged.
3.2 – Fines
Violation of the aforesaid requirement regarding cross-border transfer might expose the data transferor to a fine of up to VND 100 million (~USD 4,300).
3.3 – Impact
As foreign-invested companies, and branches and representative offices of foreign investors in Vietnam, are often involved in multiple cross-border transfer activities pertaining to the personal data of employees, suppliers and customers, these subjects should start reviewing and updating their current data privacy policies to stay in line with the new regulation.
4. Additional Requirements for Companies and Organisations
4.1 – Data Protection Officer
Similar to the concept of data controller in the GDPR, the draft DPDP requires a company or organisation which conducts data processing to:
• Set up or designate an internal department to function as a personal data protection department; and,
• Appoint a data protection officer
The main responsibilities of the personal data protection department and the data protection officer are to supervise data protection activities within the organisation and to be the contact point for liaison with the PDPC. The contact details of such department and officer must be notified to the PDPC.
4.2 – Internal Policies on Personal Data Protection
The draft DPDP also requires a company or organisation which conducts data processing to issue:
• A policy on personal data protection and applicable templates in implementation of the DPDP; and,
• Internal regulations governing the process of handling complaints and whistle-blowing reports with regard to personal data protection.
4.3 – Retention of Records of Cross-border Transfer
Last but not least, the draft DPDP requires a company or organisation which conducts cross-border transfer of personal data to store records containing the timing of the transfer, the recipient's identity and contact details, and the nature and volume of the data transferred within 3 years from the date of the transfer.
5. Penalties Against Violations
The draft DPDP sets out different types of administrative sanctions against violations of personal data protection, e.g. monetary penalty, suspension of personal data processing, or revocation of the rights for processing sensitive personal data and cross-border transfer of personal data. Some of these have been mentioned under sections 2.3 and 3.2. Of note, similar to the GDPR, the draft DPDP proposes to apply a very severe fine, being 5% of the total revenue in Vietnam, to violators of the DPDP.
6. Conclusion
Although the draft DPDP is still in the process of being completed, given that it is proposed to take effect in December 2021, both local and foreign-invested companies should develop an action plan as soon as possible to address the new requirements imposed by the DPDP, e.g. issuing an internal policy regarding data protection, and setting up a department and appointing a data protection officer to oversee and censor data processing activities within the company. This might require the involvement and collaboration of different departments in a company, such as Legal and Compliance, HR, IT and Finance. Companies and organisations operating in Vietnam should keep the developments of the draft DPDP on the radar in the coming months.
About The Author
Minh Nguyen, Senior Associate, ACSV Legal
Minh Nguyen is a Senior Associate and Head of the Dispute Resolution Practice at ACSV Legal, a boutique law firm headquartered in Ho Chi Minh City, Vietnam. She has a strong corporate and compliance background and an impressive track record in international arbitration.
Minh was admitted to the HCMC Bar Association in 2014. She received a Fulbright scholarship in 2016 to attend Pepperdine University in Malibu, California, where she obtained an LLM degree in International Arbitration and also recorded one of the highest grade point averages in her graduating class.
While attending Pepperdine, Minh was a research assistant for Professor Thomas Stipanowich, the Academic Director of the Straus Institute for Dispute Resolution at Pepperdine University, who is one of the four Companions (the highest honor) of the Chartered Institute of Arbitrators.
Minh is a registered arbitrator at the Pacific International Arbitration Centre in Vietnam, and is a member of various arbitration networks in the USA, Singapore, the United Kingdom and the Netherlands. She is also an Adjunct Lecturer for a course in the Master of Civil Law Program – a joint program between the University of Economics and Law of Vietnam and the University of Paris, Pantheon-Sorbonne.
Visit ACSV Legal on the web at: https://acsvlegal.com
The opinions expressed are those of the author.