1. Introduction
On April 17, 2023, the Government of Vietnam promulgated Decree No. 13/2023/ND-CP on the protection of personal data (PDPD), which took effect on July 1, 2023. PDPD is an important step for the government to consolidate regulations on personal data.
1.1. Main Acts, Regulations, Directives, and Laws
PDPD.
Cybersecurity Law - Law No. 24/2018/QH14 (passed on June 12, 2018) regulates network activities that affect national security and social order and security.
Civil Code - Article 38 stipulates the rules for the collection, storage, processing, use, disclosure, and publication of personal information.
The Electronic Transactions Law (passed on June 22, 2023, and to take effect on July 1, 2024) regulates electronic transactions in state and private sectors, and prohibits the use, provision, or disclosure of data accessible in electronic transactions without consent.
The Information Technology Law (passed on June 29, 2006) manages the application and development of information technology, stipulates the rights and obligations of institutions, organizations, and individuals engaged in these activities, and regulates the collection, processing, use, storage, and provision of personal data in the network environment.
The Telecommunications Law (passed on November 24, 2023, and to take effect on July 1, 2024) regulates telecommunications activities and the rights and obligations of professionals in the telecommunications industry, and explicitly requires that telecommunications enterprises may not disclose information about end-users without the consent of the final user or an effective request from the competent authority.
The Credit Institution Law (passed on January 18, 2024, to take effect on July 1, 2024), which regulates the establishment and operation of Vietnam's credit institutions and explicitly requires credit institutions to keep all information about their users' accounts, assets, and transactions confidential unless consent is obtained or valid requests are made by competent authorities.
The Consumer Rights Protection Law (passed on June 20, 2023, to take effect on July 1, 2024), lists various consumer rights and details the obligations of organizations to protect consumer information.
1.2. Standard Guidelines
Vietnam's legal guidelines are issued in the form of government decrees, ministry notifications, and decisions. Generally, matters concerning privacy and personal data protection are under the responsibility of the Ministry of Public Security (MPS), while other ministries such as the Ministry of Defense, the Ministry of Information and Communications, and the Ministry of Science and Technology will provide opinions on the decisions of the Ministry of Public Security.
1.3. Case Law
Not applicable.
2. Scope of Application
2.1. Scope of Individuals
Vietnam's Personal Data Protection Act applies to organizations and individuals participating in the processing of personal data (data controllers, data processors, or third parties) as well as to natural persons identified or identifiable based on personal information (data subjects).
2.2. Geographical Scope
Generally speaking, Vietnam's personal data protection regulations cover data processing activities within Vietnam regardless of the nationality of the data processor or data controller, as well as processors and controllers operating overseas that directly participate in, or are otherwise involved in, Vietnam's data processing activities (onshore or offshore).
2.3. Scope of Data
Vietnam's personal data protection regulations apply to the following personal data processing activities: collection, recording, analysis, verification, storage, editing, publication, combination, access, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, or removal of personal data, as well as any other related activities, including automated data processing activities.
3. Data Protection Regulatory Agencies
3.1. Main Regulatory Agencies for Data Protection
The Ministry of Public Security is the supervisory authority for data protection. The Cybersecurity and Cybercrime Prevention Department (Cybersecurity Department) is a special working group established by the Ministry of Public Security to implement and enforce data protection regulations.
3.2. Main Powers, Duties, and Responsibilities
The powers of the Ministry of Public Security include:
Assist the government in supervising personal information protection work;
Guide and carry out personal data protection activities; protect the legitimate rights and interests of data subjects from illegal infringement; propose standards and suggestions for personal data protection;
Develop, manage, and operate the national personal data protection portal;
Assess the effectiveness of entities, institutions, and activities related to personal data protection;
Receive submissions of files, forms, and information related to personal data protection under the Personal Data Protection Act;
Take measures, carry out research, innovate in personal data protection methods, and promote international cooperation in personal data protection;
Inspect and handle complaints, reports, and actions in violation of personal data protection regulations.
4. Key Definitions
Data controller: Any entity or individual that decides on the purpose and method of processing personal data.
Data processor: The entity or individual representing the data controller in processing personal data according to the contract or agreement with the data controller.
Personal information: Any information that exists in a digital environment in the form of symbols, letters, numbers, graphics, audio, or other forms that can identify a specific natural person, or information that can be identified with other data to identify a specific natural person. Personal information is divided into basic personal information and sensitive personal information.
Basic personal information includes:
Name, nickname (if any);
Date of birth, date of death, or date of disappearance;
Gender;
Place of birth, permanent address, temporary address, current address, contact address;
Nationality;
Personal photos;
Phone numbers, ID cards, passports, license plates, driver's licenses, tax numbers, social security numbers, and medical insurance numbers;
Marital status and information related to the family (parents, children);
Personal digital account information as well as data reflecting a person's activities or activity history on the Internet; as well as
Other data involving specific individuals, or data that can be identified with other data and information combined to identify specific individuals, but does not belong to sensitive personal data.
Sensitive personal data includes:
Political views, religious views;
Medical conditions and private information in medical records, excluding blood type;
Racial information;
Genetic information;
Biometric and physical information;
Sexual orientation;
Criminal records collected and preserved by law enforcement agencies;
Customer information of financial institutions, intermediary payment service providers, including KYC information and account information, assets, transactions, guarantees/guarantors, etc.;
Real-time location identified through location services; as well as
Other personal information specified by law as unique and requiring security protection.
Pseudonymization: Not applicable.
5. Legal Basis for Lawful Processing
5.1. Consent
The legal bases on which the data controller may rely to process personal data include consent. Consent must be:
Voluntary and fully informed, covering:
The types of personal data to be processed;
The purpose of processing;
Who is permitted to process;
The rights and obligations of the data subject; as well as
Whether the data is sensitive personal data;
Expressed and specifically stated through written records, voice recordings, checking off consent, text messages, selecting technical options for consent, or other actions; silence or inaction is not considered valid consent; as well as
In a printable, reproducible written format, including electronic format and other verifiable formats.
Furthermore, consent may be partial or conditional.
5.2. Contracts with the data subject
The legal bases on which the data controller relies when processing personal data include fulfilling the contractual obligations between the data subject and related entities or individuals in accordance with the law.
5.3. Legal obligations
The legal bases on which the data controller relies when processing personal data include processing personal data in accordance with legal requirements.
5.4. Interests of the data subject
The legal bases on which the data controller may rely when processing personal data include the need to immediately process personal data in emergency situations to protect the life and health of the data subject or other individuals.
5.5. Public Interest
The legal bases on which the data controller may process personal information include situations such as national defense, national security, social security and order, natural disasters, epidemics, or potential risks to national security that do not require a declaration of a state of emergency; or processing personal information where it is legally necessary to combat riots, terrorism, crime, and other illegal activities.
5.6. Legitimate Interests of the Data Controller
Not applicable.
6. Principles
The following data protection principles exist in Vietnamese law (Article 3 of PDPD):
Legality principle: Personal information is processed in accordance with the law;
Informed consent principle: The data subject has the right to be informed of processing activities related to their personal data, unless otherwise provided by law;
Purpose limitation: Personal information is only processed in accordance with the purposes registered or declared by the data controller and processor;
Accuracy: Personal data must be collected, updated, and supplemented appropriately within the scope and purpose of the processing;
Prohibition of purchasing or selling personal data in any form;
Security principles: Personal data must be protected throughout the processing process; as well as
Storage period: Unless otherwise provided by law, personal data may only be stored for the period suitable for the processing purpose.
7. Obligations of the Controller and Processor
7.1. Processing Notification
No registration is required.
Before processing personal data, the data subject must be notified (Article 13 of PDPD). The notification must be in a verifiable format (written, digital, or other printable format) and include the following information:
The purpose of the processing activity;
Types of personal data being processed;
Processing methods;
Information of the parties involved in such processing activities;
Potential adverse consequences; as well as
The start and end time of the processing activity.
No notification is required if the data subject has agreed or if the competent authorities are processing the data for legitimate purposes. This means that privacy policies do not need to be agreed upon each time you log in.
7.2. Data Transfers
The Cybersecurity Law requires that organizations that store personal information or customer information while carrying out the following activities must establish a physical presence in Vietnam within the period specified by the Government of the Socialist Republic of Vietnam:
Provide telecommunications networks, internet services, and value-added services in the cyberspace in Vietnam, including value-added services such as cyberspace data storage and sharing, national or international domain name registration, e-commerce services, social networking services, online gaming services, and email services;
Collect, analyze, or process personal data related to users of Vietnamese services.
The guidelines for the implementation of this requirement will be specified in future detailed regulations.
On August 15, 2022, the Government of Vietnam promulgated Decree No. 53/2022/ND-CP (Decree No. 53). Among other things, Decree No. 53 provides important guidance and clarification on the requirements of 'data localization' and 'mandatory physical establishment' introduced by the 'Cybersecurity Law'. Decree No. 53 regulates the following data (regulated data):
Personal data of Vietnamese users;
Data created by Vietnamese users, including account names, usage time, credit card information, email addresses, IP addresses, most recent log-out records, and registered phone numbers; as well as
Data related to the relationship between Vietnamese users and their friends or others with whom they interact.
According to Decree No. 53, 'Vietnamese companies' must store regulated data in Vietnam. Foreign companies operating in Vietnam must store regulated data in Vietnam and establish branches or representative offices if they fall under the following situations:
• The foreign company is engaged in one of the following fields in Vietnam:
Telecommunications services;
Data sharing and storage, providing national or international domain names for Vietnamese users;
E-commerce;
Social networking and social marketing;
Online games; as well as
Providing, managing, or operating other information on the Internet in the form of short message, telephone, video call, email, online games, and so on;
• The services provided by the company were used to violate the 'Cybersecurity Law';
• The government cyber security working group has notified the company and requested the company to cooperate in preventing, investigating, and dealing with such illegal activities, but the company did not cooperate, leading to the failure of the measures of the working group.
According to PDPD, the transfer of personal data is regarded as a processing activity. Therefore, the requirements for processing personal data shall apply. In addition, PDPD also puts forward specific requirements for the offshore transfer of personal data. The offshore transfer of personal data refers to the transfer of personal data of Vietnamese citizens overseas by means of the Internet, digital means or devices, or other means, or the processing of personal data of Vietnamese citizens overseas by using locations outside Vietnam.
Entities or individuals transferring personal data overseas within the scope of PDPD must prepare and maintain a transfer impact assessment.
The transferee shall submit a transfer impact assessment report to the cyber security department within 60 days after the start of processing personal information. After the transfer is completed, the transferee shall notify the cyber security department.
7.3. Data Processing Records
The data controller must record and maintain system logs of data processing activities.
7.4. Data Protection Impact Assessment
Data controllers and data processors need to prepare, maintain, and submit personal data protection impact assessments (DPIA) to the cyber security department.
The DPIA of the data controller must include the following:
• Information and contact details of the data controller;
• Names and contact information of data protection department and data controller officials;
• Purpose of personal data processing activities;
• Types of personal data to be processed;
• Personal data recipients, including overseas recipients;
• Offshore transfer of personal information (if any);
• Duration of data processing activities;
• Description of the protective measures implemented;
• Assessment of the impact of personal data processing activities; as well as
• Potential adverse consequences and mitigation measures.
The DPIA of the data processor must include the following:
• Information and contact details of the data processor;
• The names and contact information of the entities and individuals performing data processing activities;
• According to the agreement with the data controller, describe the processing activities and the types of personal data to be processed;
• Duration of data processing activities; expected deletion or removal of personal data (if any);
• Offshore transfer of personal data (if any); as well as
• Consequences or potential adverse consequences and mitigation and/or preventive measures.
These DPIAs must be submitted to the cyber security department within 60 days after the commencement of personal data processing activities.
7.5. Appointment of Data Protection Officer
Article 28 of the Personal Data Protection Law stipulates that data controllers and/or data processors shall appoint a department to protect personal data. If sensitive personal data is involved, a Data Protection Officer (DPO) shall also be appointed. The information of the DPO must be notified to the cyber security department.
7.6. Data Breach Notification
Upon discovering a data breach, the data processor shall notify the data controller as soon as possible. The data controller shall notify the cyber security department within 72 hours after the data breach. If it is not possible to notify within 72 hours, a reason must be provided (Article 23 of the Personal Data Protection Law).
The notification shall include the following content:
• Description of the nature and scope of the data breach, including but not limited to the time, location, data leaked, and information of the relevant parties;
• Contact information of the person responsible for personal data protection;
• Description of the consequences or damage of data breaches; as well as
• Describe the measures taken to deal with or mitigate the consequences or damage of data breaches.
7.7. Data Retention
Retention requirements are in place for files that may contain personal information (e.g., accounting documents and corporate documents).
7.8. Children's Data
The Children's Law prohibits the disclosure of personal data of children under the age of 16 without the consent of their parents or guardians. PDPD stipulates that the personal data of children aged seven or above can only be processed with the consent of the children and their parents or guardians (PDPD Article 20).
In addition, the Cybersecurity Law also provides general guidance for the protection of children in cyberspace. In particular, system administrators, telecommunications service providers, Internet service providers, and value-added service providers are responsible for ensuring that the information on their systems or services does not harm children, does not infringe on children's rights, blocks and deletes information harmful to children or infringing on children's rights, and immediately notifies and cooperates with the Ministry of Public Security's cyber security working group upon discovering such information.
7.9. Special Categories of Personal Data
PDPD requires the appointment of a specialized department and personnel responsible for the protection of personal data (PDPD Article 28(2)). In addition, the measures stipulated in Articles 26 and 27 of PDPD must be implemented when processing sensitive personal data, and the data subject must be notified of such processing, unless otherwise provided for in PDPD Articles 13(4), 17, and 18. The data subject must also be informed that the data to be processed is sensitive personal data (PDPD Article 11(8)).
7.10. Contract between Controller and Processor
PDPD requires data controllers and data processors to enter into agreements or contracts for the processing of personal data. There are no specific requirements for such agreements or contracts (PDPD Article 39).
8. Rights of the Data Subject
8.1. Right to Information
The data subject has the right to be informed of the methods, scope, location, and purpose of the collection, processing, and use of their personal information (Article 9.1 of the Personal Data Protection Law). Even if personal data processing does not require the consent of the data subject, the data subject still has the right to be informed. Please refer to the relevant section on data processing notification above.
8.2. Right to Access
PDPD grants the data subject the right to access or request access to view or edit their personal data (Article 9.3 of PDPD).
8.3. Right to Rectification
As above.
8.4. Right to Erasure
PDPD grants the data subject the right to delete their personal data or request the deletion of their personal data (Article 9.5 of PDPD).
8.5. Right to Object/Withdrawal
PDPD grants the data subject the right to object to or restrict data processing activities (Articles 9.6 and 9.8 of PDPD). In addition, PDPD also grants the data subject the right to consent or withdraw their consent for the processing of their personal data. Personal data processing activities that occurred before the withdrawal of consent are legally valid (Articles 9.2 and 9.4 of PDPD).
8.6. Right to Data Portability
The data subject has the right to request a copy of their personal data from the data controller (Article 9.7 of PDPD).
8.7. Rights not subject to automated decision-making
Vietnamese law does not have specific provisions for automated decision-making. Automated decision-making should be regarded as a data processing activity. Therefore, the data subject has the right to object to or restrict such automated decision-making.
8.8. Other Rights
According to the Personal Data Protection Law, the data subject has the right to claim compensation for losses, file a lawsuit, and take self-protection measures (Articles 9.9 to 9.11 of the Personal Data Protection Law).
9. Penalties
Non-compliance with the Vietnamese Data Protection Law may result in administrative penalties and criminal penalties. According to Decree No. 14/2022/ND-CP, administrative penalties may include fines:
Imposing a fine of 2 million Vietnamese Dong (about 80 USD) to 5 million Vietnamese Dong (about 200 USD) for storing personal information beyond the time required by law or agreed upon by both parties (Article 102.1);
500 million to 1 billion Vietnamese Dong (approximately 390 USD):
Failing to verify, correct, or delete personal information stored, collected, and processed on the network after receiving the owner's request (Article 102.2(c));
Providing or using incorrect information after receiving the correction request from the owner (Article 102.2(d)); or
Providing or using incorrect information after receiving the deletion request from the owner (Article 102.2(dd));
10 million to 20 million Vietnamese Dong (approximately 790 USD):
Collecting personal information without the consent of the data subject regarding the scope and purpose (Article 84.1(a));
After the data subject requests to stop the provision of data, personal information of the data subject is still provided to any third party (Article 84.1(b));
Failure to notify the data subject after deleting the personal data of the data subject, or failure to implement the protection of the personal data of the data subject due to technical issues (Article 85.1).
Non-compliance with network information security technical standards and regulations (Article 86.1); or
Failure to implement necessary management and technical measures in the collection, processing, and use of personal information in the network environment to ensure that personal information is not lost, misused, leaked, modified, or damaged (Article 102.3(dd));
40 million to 60 million Vietnamese dong (approximately 1,580 USD to 2,370 USD):
Use of personal information outside the agreed scope and purpose or without consent (Article 84.2(a));
Provision, disclosure, or public disclosure of collected or controlled personal information to a third party without consent (Article 84.2(b));
Illegal collection, use, publication, and exploitation of the personal information of the data subject for commercial activities (Article 84.2(c));
Failure to update, modify, or delete personal information upon the request of the data subject (Article 85.2(a));
Failure to grant the right to update, modify, or delete personal information upon the request of the data subject (Article 85.2(a));
Failure to delete collected personal information after the completion of the collection purpose or the expiration of the statutory retention period (Article 85.2(b)); or
Non-compliance with network information security technical standards and regulations (Paragraph 2, Article 86);
30 million to 50 million Vietnamese dong (approximately 1,180 USD to 1,970 USD):
Failure to take remedial or preventive measures in a timely manner against acts of threat of breach (Article 86.3);
Failure to apply and maintain sufficient security or management measures to protect personal information (Article 85.3);
Unauthorized access to another person's network or electronic device to collect data or claim control over such network or device (Article 80.2); or
Failure to provide personal information related to terrorism or criminal activities when required by the competent authorities (Article 100.2);
50 million to 70 million Vietnamese dong (approximately 2,760 USD):
Illegal sale, purchase, or transfer of personal information (Article 102.5).
Violations of confidentiality and security rules related to personal email, mail, phone, or other communication methods may be subject to criminal penalties. The severity of the criminal sanctions depends on the severity of the crime, which may include: warnings, fines of 5 million to 50 million Vietnamese dong, and/or up to three years of non-custodial rehabilitation (similar to probation or supervised release in other jurisdictions) or imprisonment of one to three years.
In addition, anyone who suffers losses due to violations of the Data Protection Law has the right to claim compensation from the infringing party (Article 13 of the Civil Code). To obtain compensation, the claimant must initiate a lawsuit and bear the burden of proof for actual damages. The government is drafting a separate regulation to impose sanctions on violations of cyber security regulations (including violations of personal data protection regulations).