November 7, 2023
Decree 13/2023/ND-CP on the Protection of Personal Data (“Decree”) has finally been issued with many completely new regulations designed to protect personal data and control the “flow” of personal data, as well as set obligations that every business must comply with. In particular, an issue that businesses are especially concerned about is the regulation on controlling the transfer of personal data across borders. Here is an overview of the regulations that businesses are required to comply with from July 1, 2023:
Personal data is information that is tied to a particular person or helps to identify a particular person. Some examples of personal data include full name, date of birth, nationality, phone number, photo, place of residence, etc. Personal data includes basic and sensitive data. Processing of personal data is defined as one or more activities affecting personal data which may include: collection, recording, analysis, confirmation, storage, correction, disclosure, association, access, retrieval, encryption, decryption, copy, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions.
The Decree stipulates that the transfer of personal data abroad is the use of cyberspace, equipment, electronic means, or other forms of transferring personal data of Vietnamese citizens (not applicable to personal data of foreigners) to a location outside the territory of Vietnam or use a location outside the territory of Vietnam to process personal data of Vietnamese citizens, including:
1. Organizations, enterprises, and individuals transferring personal data of Vietnamese citizens to overseas organizations, enterprises and management departments for processing in accordance with the purposes agreed upon by the data subject;
(Example: Company A in Vietnam collects data about the user’s name, phone number, email, address and send this information via the internet to company B in a foreign country for company B to process the data and send back the statistics for company A to use)
2. Processing personal data of Vietnamese citizens by automatic systems located outside the territory of the Socialist Republic of Vietnam of the Data Controller, the Data Controller-cum-Processor, the Data Processor in accordance with the purposes agreed to by the data subject.
(Example: Company A – not based in Vietnam, operates a website on the internet that collects data of Vietnamese citizens directly through the website and processes the data using a server located abroad)
Yes.
All individuals and organizations, when transferring personal data abroad, must carry out the following procedures:
The Data Transfer Dossier includes the following contents:
Yes.
Based on the specific situation, the Ministry of Public Security will decide to check the transfer of personal data abroad once a year. However, extraordinary inspections can be performed in case of detecting violations of the provisions of the law on the protection of personal data, or the disclosure or loss of Vietnamese citizens’ personal data.
The first risk when not complying with the above regulations on cross-border data transfer is that the party transferring data abroad will have to stop transferring data abroad, disrupting business operations.
The Decree also stipulates that depending on the level of violation, enterprises can be sanctioned at different levels from administrative to criminal. It is expected that the Vietnamese Government will soon issue detailed regulations on specific sanctions for each violation. In the spirit of the previous drafts, administrative sanctions can be very strict and greatly affect the finances of the business.[1]
PrivacyCompliance provides solutions related to ensuring compliance with personal data, assessing the impacts of personal data processing, drafting impact assessment dossiers, cross-border data transfer dossiers. |
PrivacyCompliance
#Decree13 #personaldata #crossborder #dossier #privacy #impactassessment
[1]According to previous drafts, the highest fine can be up to 5% of the annual revenue of the violating enterprise/organization.
Do foreign enterprises have to store their data in Vietnam? In this day and age, data in general is increasingly becoming more and more valuable. Most service-based companies live off data collected from their clients, prime examples of this type of companies include social media networks such as Facebook or search engines such as Google […]
Learn more
The Decree on personal data protection has been officially issued On April 17, 2023, the Decree on Personal Data Protection has been issued as Decree No. 13/2023/ND-CP (hereinafter referred as “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, […]
Learn more
Managing spam messages and calls in Vietnam Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people […]
Learn more