Vietnam Issues Decree on Personal Data Protection
On April 17, the Government of Vietnam issued Decree 13/2023/ND-CP on Personal Data Protection (PDPD). This is Vietnam’s first comprehensive legal document on the regulation of personal data protection. Decree 13 will take effect as of July 1, 2023. A two-year grace period (after the date of incorporation) is only granted to micro-enterprises, SMEs, and start-ups. The newly issued PDPD has no data localization requirement, however, it is still challenging for companies to comply with, given the short timeline for preparation and the ambiguous language in the decree. Some notable issues in PDPD include: 1) the extra-territorial scope of obligation which applies for both domestic and foreign organizations directly engaged in and/or related to personal data processing activities in Vietnam; 2) the definition of personal data include basic and sensitive data with different set of requirements where “sensitive data” has much stricter compliance requirement; 3) 72-hour limit for compliance for some data-specific subject’s right; 4) valid consent and consent exempted; 5) regulated stake holders include “data controller”, “data processor”, “data controlling and processing entity” and “third party”, each has different set of obligations; 6) requirements on cross border transfer of data including assessment report; 7) Other requirements related to setting up Data protection department & officer, impact assessment report.