NO&T Asia Legal Review
The long-awaited new Decree No. 13/2023/ND-CP (“PDPD”) on personal data protection was issued by the Vietnamese government on April 17, 2023 and will take effect from July 1, 2023. The PDPD comprises 4 Chapters and 44 Articles prescribing personal data protection and the responsibilities of relevant agencies, organizations and individuals for protecting personal data. Among other provisions, such as an obligation to obtain consent from the personal data subject and obligations to issue regulations to protect personal data and to assign specialized departments/individuals to protect the data, the PDPD also focuses on the obligation to prepare a personal data processing impact assessment (“PDP Impact Assessment”) and a cross-border transfer impact assessment. We will delve deeper into the obligation to prepare such impact assessments, which would require organizations and individuals to make more effort to meet the requirements on managing personal data under the PDPD.
The PDPD provides new definitions regarding Personal Data Controller (an organization or individual that decides the purposes and means of processing personal data), the Personal Data Controller cum Processor (an organization or individual who simultaneously determines the purposes, means and directly processes the personal data), and Personal Data Processor (an organization or individual that performs data processing on behalf of the Personal Data Controller, through a contract or an agreement with the Personal Data Controller).
The PDP Impact Assessment, in all cases, shall be prepared and stored by the Personal Data Controller, Personal Data Controller cum Processor, or additionally by the Personal Data Processor (where such Personal Data Processor has entered into a contract with the Personal Data Controller) after the commencement of processing of personal data (“processing” of personal data includes the collection, recording, analysis, storage, disclosure, access, copying, transmission, etc. of personal data). The expansive definition of processing of personal data implies that processing may be carried out on a daily basis at each company, and each company may therefore be required to comply with the obligation. The PDP Impact Assessment is required to be available for inspection by the Ministry of Public Security and to be submitted to the Ministry of Public Security – Department of Cybersecurity and Hi-tech Crime Prevention (“A05”) within 60 days from the date of commencement of personal data processing.
The PDP Impact Assessment under the PDPD appears to be similar to the data protection impact assessment in the EU General Data Protection Regulation (GDPR). Under the GDPR, however, the assessment is only required where the risk of data processing is high, whereas no such limitation is included under the PDPD.
The content of the PDP Impact Assessment differs slightly among the Personal Data Controller, the Controller cum Processor, and the Personal Data Processor. To elaborate:
Under the PDPD, besides the PDP Impact Assessment, an independent impact assessment is also required for cross-border transfer of personal data and is applicable to any transferor of personal data, which includes not only the Personal Data Controller, the Controller cum Processor or the Personal Data Processor, but also any third party (any other organizations or individuals allowed to process personal data) (collectively, “Transferor”). The cross-border transfer of personal data means the act of transferring personal data of Vietnamese citizens outside the territory of Vietnam using cyberspace, electronic devices, equipment or other forms, or using a place outside the territory of Vietnam to process personal data. Therefore, if a Japanese company in Vietnam uses a cloud service to store the personal data of Vietnamese employees on a server outside Vietnam, or if a Japanese parent company uses a computer outside Vietnam to process the personal data of Vietnamese employees of a Vietnamese subsidiary by accessing the subsidiary’s server located in Vietnam, the act of accessing and viewing such personal data of Vietnamese employees may also be considered to be a cross-border transfer. On the other hand, according to the above definition, overseas transfer of personal data of individuals other than Vietnamese citizens does not fall under "cross-border transfer", so processing of personal data of Japanese employees based in Vietnam on the parent company's server is not subject to such regulation.
As with the PDP Impact Assessment, the Transferor is required to prepare and store a cross-border transfer impact assessment and submit it to the competent authority (A05) within 60 days from the date of commencement of processing of the personal data.
A personal data cross-border transfer impact assessment includes the following contents:
Currently, there are no further guidelines on how to prepare a sample PDP Impact Assessment or Cross-border Transfer Impact Assessment. In addition, a new draft of the decree on governmental sanctions applied to violations relating to cyber security, including violations relating to such assessments, has just been released for public comments. As the guidance under the PDPD on the content of both impact assessments seems to be ambiguous, it is expected that the competent authority will issue further clear and detailed guidance on this matter. In theory, it is necessary to prepare and store the PDP Impact Assessment and Cross-border Transfer Impact Assessment by the enforcement date of the PDPD. As a result, each company directly or indirectly processing personal data or engaged in cross-border transfer of personal data should pay attention to the analysis of the PDPD and prepare the necessary impact assessments in accordance with the PDPD.
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
Nga Tran
Hoai Tran
Dzung Pay
Chi Duong