The issue of personal data processing is getting hotter than ever in this digital age with increasing cases where large conglomerate or even national governments being accused of utilizing citizen’s personal data without consent. This trend makes no exception in Vietnam.
So far, the Ministry of Public Security (the “MPS”) has finally prepared a Draft Decree on personal data protection (“Draft Decree”). The Draft Decree was shared on 9 February 2021 for public comments. We outline below some key terms and foundation of the Draft Decree:
I. The Basic: New Draft Decree on Personal Data Protection and Cross-Border Provision of Data
Personal data means data about an individual, or relating to the identification or possible identification of a particular individual. Personal data is comprised of two tranches: (i) Basic personal data includes name, date of birth, blood type, marriage status and most notably, data that reflects activity or history of activity of an individual on cyberspace; and (ii) Sensitive personal data concerning political opinion, health, financial details (credit history, income level…), social relationships and data considered by laws as specific and require necessary security measures.
Personal data processing is broadly defined as one or more acts having an impact on personal data, including collection, record, analysis, storage, change, disclosure, access right, extraction, withdrawal, encryption, decryption, delivery, deletion, cancelation and other related acts. 2. Consent and Exception
Generally, the Draft Decree strictly regulates that a data owner must give his/ her consent prior to any processing and disclosing such data, except for the following limited cases: • As provided by the applicable law; • For the sake of national security, social order and safety; • In case of an emergency, a threat to life or seriously affecting the health of that data owner or public health as provided by applicable law; and • In accordance with the Law on Press and not resulting in economic, honorable, spiritual or material damage to the data owner; • For investigation and handling an act in violation of laws; • As allowed by the regulations in international agreements or treaties to which Vietnam is a member; or • Scientific research or statistics in encrypted form that is to be de-identified and replaced with a code. However, Article 6.3 of the Draft Decree restricts that it is not permitted to disclose personal data that are of sensitive nature.
When requesting to process personal data, the data owner’s silence or unresponsiveness does not constitute approval. The data owner can agree only to a part of the request or approve the request with attached conditions. The data owner’s consent must be displayed in a format that is printable and copy-able in writing.
With regard to sensitive personal data, the data owner must be fully informed of the nature of the data to be processed. In case of dispute, the burden of proof lies on the data processor.
3. Prior to any processing activity regarding sensitive personal data, the processing party must register this activity with the Personal Data Protection Committee,which is an independent body to be established under the government of Vietnam,except when: • Personal data is processed to serve the prevention, detection, investigation and handling of violations of the law; • To carry out health care functions of health facilities and social security of state agencies; • Serving judicial functions of the Court; • For research, archival or statistical purposes of state agencies or scientific research organizations
4. Personal data processors have an obligation to notify the data owner prior to their processing, except for the following: • The data owner has fully agreed with the contents and activities of processing personal data; • The processing of personal data is regulated by laws, international agreements, international treaties; • The processing does not affect the rights and interests of the data owner and it is not possible to notify the data owner; • For scientific research and statistics collection.
5. Cross-border transfer of personal data of Vietnamese citizens must satisfy all following four conditions: • The data owner consented the transfer; • Original data is stored in Vietnam; • Regulations on personal data protection at the receiving country are of equal or higher level compared to Vietnam’s regulations; • There is a written approval from the Personal Data Protection Committee.
6. Penalties for violation of personal data protection rules: • Monetary fines range from VND 50 million to VND 100 million; • Additional penalties: Suspend the processing of personal data up to 3 months, deprive the right to use written consent issued by the Personal Data Protection Committee to process sensitive personal data and cross-border transfer of data, forcible payment of money gained from committing acts of violation. Multiple violations of personal data protection regulations by a personal data processor in Vietnam can result in a maximum penalty of 5% of total revenue of the data processor in addition to the aforementioned penalties.
II. Preliminary Guidance on Practical Handling
Because the Draft Decree would be amended, thus our analysis and comments hereof is preliminarily made in nature (i.e., subject to change according to the final adopted Decree).
As a rule of thumb, the Draft Decree provides several obligations of the party processing and disclosing personal data, thus it is critical for employers/ enterprises (the “Employer” or “Enterprise”) to consider and adopt all those obligations into its internal rules and contracts/ agreements with third parties.
1. Internal Labor Rules and Labor Contracts
It is required for the Employer to adapt all relevant obligations in relation to personal data over its employees, staff, directors, etc. as well as those in relation to the Employer’s customers, members and their staff into the Employer’s internal labor rules/ codes and collective labor agreement (if any). This is to ensure that its employees and staff shall comply with those personal data related obligations.
Otherwise, there is a very high risk that the Employer shall be fully responsible for the unpermitted processing and disclosing made by its employees without necessary tools to address such violations. In addition, it is advisable to state clearly in the labor contracts with the employees that they must comply with requirements on personal data protection promulgated by the Employer and the applicable law.
In addition, it is advisable to negotiate and agree with the employees in the relevant labor contracts about the possible data processing made by the Employer again such employees’ personal data for the purpose of employment such as tax information, CVs, health information, etc. This would very likely prevent the future claims from the Employer’s employees over unpermitted processing of employees’ personal data. We will advise in detail if desired subject to the final Decree.
2. Contract/ Agreement with Customers/ Members
It is advisable for the Enterprise and Employer to consider, renegotiate and update all current and future contracts/ agreements between the Enterprise and its customers/ members that the Enterprise and Employer is entitled to disclose/ process a specific list of personal data and the customers/ members agree to give consents for such disclosure/ processing. The Enterprise should, with our support if desired, build a clear list and procedure for collecting, storing, disclosing and otherwise processing personal data of customers/ members.