Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To.

Vietnam’s long-awaited, first-ever Personal Data Protection Decree (“PDPD”) has finally been passed and is scheduled to take effect from 1 July 2023 (save limited grace period exceptions).

The PDPD is the first comprehensive data protection regulation consolidating Vietnam’s existing data protection regulatory framework (which is found across various legal instruments).

Given the tight timelines, businesses that engage in, or are connected with, personal data processing activities in Vietnam are advised to take prompt action to ensure compliance.

The most notable provisions of the PDPD relate to the compliance requirements in general processing and cross-border transfers of personal data.

Highlights of the PDPD
  • Consent: consent remains the primary legal basis for processing personal data.
  • Data Protection Impact Assessment (“DPIA”) Profile: data controllers are required to prepare and maintain DPIA Profiles for their personal data processing activities. In certain circumstances the DPIA Profile may need to be submitted to the regulators.
  • Cross-Border Transfer of Personal Data: in order to transfer personal data outside of Vietnam, organisations must complete and submit a Dossier of Impact Assessment for Cross-Border Personal Data Transfer (“TIA Dossier”). The regulators may halt data transfers in situations where an organisation violates national security, submits an incomplete TIA Dossier, or loses or discloses personal data of Vietnamese citizens.
  • Data Localisation: surprisingly, the PDPD has not addressed the issue of data localisation. That said, organisations should continue to observe developments on this, and follow existing laws and regulations, notably the interaction between the PDPD and the Cybersecurity Law (Decree 53).
  • DPO: organisations may need to appoint a DPO and register the DPO with the authority, especially if sensitive personal data is processed.
  • Data subject rights: certain data subject rights are now subject to a 72-hour handling deadline.
  • Data incident: data breach incidents must be notified within 72 hours of the occurrence.

What next – practical steps

In view of the tight timescales for compliance with the PDPD, organisations should move quickly to update their existing data privacy programmes and remedy any inconsistencies with the PDPD requirements.

Please contact Carolyn Bigg, Venus Cheung, or Gwyneth To if you have any questions or to see what this means for your organisation.