On 07 June 2023, the Ministry of Public Security (“MPS”) held a conference to disseminate and provide guidance on several provisions of Decree 13/2023/ND-CP on personal data protection, issued by the Government on 17 April 2023 (“Decree 13/2023”), which takes effect from 01 July 2023.
1. Does personal data collected and processed before Decree 13/2023 comes into effect need consent from the data subject?
Personal data collected before the effective date of Decree 13/2023 is still within the scope of Decree 13/2023. However, organizations and individuals that have collected data will not need to ask for the data subject's consent again for the collection of data that such data subject has already provided before Decree 13/2023 takes effect, i.e., 01 July 2023. In addition, organizations and individuals that collect personal data must comply with the provisions of Decree 13/2023.
2. Is it possible to combine the report assessing the impact of personal data processing and the report assessing the impact of international transfer of personal data into one report?
Currently, the MPS is preparing to publish relevant administrative procedures to make personal data reports according to Decree 13/2023.
According to MPS’s guidance, the impact assessment of personal data processing and the impact assessment of international transfer of personal data are carried out as 02 procedures, with 02 different application dossiers.
The MPS shall publish forms and documents and open the National Portal on Personal Data Protection for organizations and individuals to implement.
3. Is it necessary to redo or adjust the report when there is a change in the field or type of personal data?
The dossier of impact assessment of personal data processing is carried out once for each case or type of sending personal data of Vietnamese citizens abroad, until there is a change. If there is a change in the type or contract, the organization or individual must update and supplement according to the application form.
4. When an enterprise’s employees fill in personal data in the enterprise’s system and the system automatically transfers personal data to that enterprise’s system abroad, does the enterprise need to report the results of data transfer abroad?
Decree 13/2023 has not stipulated the form of transferring personal data abroad. Accordingly, Decree 13/2023 requires an impact assessment dossier to be made for the transfer of personal data abroad. Therefore, even though the system automatically transfers data abroad, the Controller, the Controlling and Processing Entity, the Processor, and the third party must make a report on the assessment of transferring personal data abroad.
5. How do organizations and individuals report to the MPS on personal data processed or transferred abroad before Decree 13/2023 takes effect?
The preparation of the dossier is carried out from the date Decree 13/2023 comes into effect, i.e., within 60 days from the effective date of Decree 13/2023. Organizations and individuals that have transferred data of Vietnamese citizens abroad before the effective date of Decree 13/2023 for business activities will continue to report.
After completing the impact assessment dossier, the competent authority will evaluate the dossier to determine the legal suitability for the transfer of personal data of Vietnamese citizens abroad.
6. According to the provisions of Decree 13/2023, the Controller and the Controlling and Processing Entity must comply with the request of the data subject within 72 hours of receiving the request. Are these 72 working hours or consecutive hours?
According to Decree 13/2023, the time limit is 72 hours after receiving the request, which means 72 consecutive hours, not 72 working hours.
7. If the data subject and the Controlling and Processing Entity have a contractual relationship, under which the data subject is obliged to provide data to the Controlling and Processing Entity to perform the contract, can the right to edit, request correction, or delete be restricted?
When signing a civil contract, the relevant parties have clearly defined related rights, obligations and responsibilities.
The information that the data subject provides to the Controlling and Processing Entity is to perform the rights and obligations in the contract. The data subject has the right to edit and request correction of its data, especially if some of the data subject's information has changed, for example upon the issuance of citizen identification.
According to the MPS, the right to edit, request correction, and delete data cannot be legally restricted. If the modification request exceeds the contractual obligation limit, the Controlling and Processing Entity may notify the data subject of this. At that time, there will be 03 cases according to civil law:
(1) the parties terminate the contract;
(2) the Controlling and Processing Entity agrees to allow the correction; or
(3) the data subject withdraws the correction request.
8. What activity is considered buying and selling personal data? Is the purchase and sale of personal data completely prohibited? Is it allowed to buy and sell personal data without the consent of the data subject?
Trading activities in “buying and selling personal data” are understood in the sense of buying and selling property in civil relations according to the provisions of the Civil Code, with the main purpose of making a profit. The main purpose of buying and selling is not necessarily a business purpose but can be for other purposes such as consumption, gifting, etc. The subject in the sale and purchase relationship is any person who has needs and acting abilities pursuant to the laws.
Buying and selling personal data is not completely prohibited, as long as the law specifically regulates the cases in which it is sold. The consent of the data subject is not the basis for determining the permission to trade. In this case, only the law can regulate the cases where trading is allowed.
9. When making forms such as a Notice of Submission of Personal Data Processing Impact Assessment Profile, or Notice of Changes in content of Personal Data Processing Impact Assessment Profile, can they be presented in English?
According to regulations on the provision of administrative procedures, all application forms are made in Vietnamese. Individuals and organizations cannot submit documents in English, nor translate them into Vietnamese, but need to declare directly in the application form on the National Portal on Personal Data Protection or submit the form directly at the Department of Cybersecurity and High-tech Crime Prevention and Control.
10. Can the “Personal data processing activities in Vietnam” be understood as including data processing activities only in the territory of Vietnam or elsewhere as well? If a foreign enterprise collects personal data of users in Vietnam (Vietnamese citizens) but immediately transfers it abroad, and all data processing activities take place abroad, is it within the scope of this Law?
Foreign enterprises that collect data on Vietnamese citizens, enterprises that transfer data on Vietnamese citizens abroad, and enterprises that receive data on Vietnamese citizens fall within the scope of regulation under Decree 13/2023, whether or not the enterprise deals in the territory of the Socialist Republic of Vietnam. Therefore, organizations and enterprises need to pay attention to the factor of processing the personal data of Vietnamese citizens, not the data processing location.
The above is not official advice from BLawyers Vietnam. If you have any questions or suggestions about the above, please contact us at email@example.com. BLawyers Vietnam would love to hear from you.
Date: 17 October 2023
Writer: Linh Nguyen and Tinh Nguyen