June 26, 2025
Source: Hoàng Ngọc – People’s Deputies Online
On the morning of June 26, under the chairmanship of Vice President of the National Assembly, Senior Lieutenant General Trần Quang Phương, the National Assembly voted to pass the Law on Personal Data Protection with 433 out of 435 deputies present voting in favor, reaching an approval rate of 99.54%.

Strict regulations on the mechanism for exercising data subject rights
Earlier, when presenting the report explaining, incorporating feedback on, and revising the draft Law on Personal Data Protection, Chairman of the National Defense, Security and Foreign Affairs Committee, Lê Tấn Tới, highlighted that many opinions focused on mechanisms to ensure the exercise of data subjects’ rights, specific personal data processing activities, cases where personal data may be processed without the subject’s consent, cross-border personal data transfers, data protection impact assessments, and data protection in specific sectors or activities.
The National Assembly Standing Committee directed the study and incorporation of these opinions. Accordingly, the law sets out strict regulations on the mechanisms for exercising data subject rights and on specific processing activities such as collecting, analyzing, aggregating, encrypting, decrypting, modifying, deleting, destroying, anonymizing, disclosing, publishing, transferring personal data, and other activities affecting personal data, including cases where consent is not required.

The term “cross-border personal data transfer” was unified to align with the Law on Data and to apply an ex-post supervision mechanism via the personal data transfer impact assessment dossier. Inspection will only be conducted when necessary, rather than requiring prior approval in most cases, thereby facilitating business operations.
Regarding impact assessments for personal data processing and cross-border transfers, the draft law retains the content proposed by the Government, whereby agencies and organizations are only required to prepare the assessment dossier once for the entire period of operation and update it when changes occur. Authorities will inspect the dossier when deemed necessary. For both types of assessments, if performed according to this law, a similar risk assessment under the Law on Data is not required.
Provisions have been added to ensure personal data protection for individuals who are incapacitated or have limited legal capacity, or who have cognitive or behavioral difficulties, ensuring comprehensive coverage.
Clear definition of personal data protection forces
National Assembly deputies also contributed feedback on measures for personal data protection, technical standards and norms, capacity building, and research and development in the field. They recommended clearly defining the entities responsible for data protection and exempting small and start-up enterprises from mandatory appointment of data protection officers.

The National Assembly Standing Committee directed the removal of unclear or unnecessary provisions already governed by specialized legislation, such as data protection measures, capacity building, and R&D in the field.
The law defines the personal data protection forces as follows:
The specialized agency under the Ministry of Public Security;
Departments or personnel in charge of data protection within organizations and agencies;
Organizations and individuals providing personal data protection services;
Other entities and individuals mobilized to participate in personal data protection activities.
To reduce the legal compliance burden, the Standing Committee added provisions allowing small and start-up businesses to choose whether or not to implement the requirements for data protection impact assessments and the designation of data protection personnel or departments for a period of five years from the law’s effective date. Micro-enterprises and household businesses are fully exempt from these requirements.
The Law will take effect on January 1, 2026.