Legitimate processing of PI

Legitimate processing - grounds

Does the law require that the processing of PI be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Vietnam adopts a consent-centric approach. This means that regarding lawfulness, prior consent given by the data subject is the primary legal basis for personal data processing activities, except for certain exemptions as provided by law.

Particularly, under the Personal Data Protection Decree (PDPD), the processing of personal data without consent is permissible in the following circumstances:

  • in urgent cases where it is necessary to immediately process relevant personal data to protect the life or health of the data subject or others;
  • where the public disclosure of personal data is in accordance with the law;
  • when the processing of data is done by competent state agencies in the event of a state of emergency on national defence and security, social order and safety, major disaster, or dangerous epidemic; or when there is a risk that threatens security and national defence but not to the extent where it is necessary to declare a state of emergency; or to prevent and combat riots, terrorism, crimes and violations of the law;
  • to fulfil the contractual obligations of the data subject with relevant agencies, organisations and individuals as prescribed by law;
  • for competent agencies and organisations to carry out audio and/or video recording and process personal data obtained from audio or video recording activities in public places for the purpose of protecting national security, social order and safety, or the legitimate rights and interests of organisations and individuals; or
  • to serve the activities of state agencies as prescribed by sector-specific laws.

Under the Personal Data Protection Law (PDPL), the consent-exemption cases largely remain the same, with some new additions and clarifications, which make the PDPL more enterprise-friendly.

Legitimate processing - types of PI

Does the law impose more stringent rules for processing specific categories and types of PI?

Vietnamese law regulates that personal data includes basic personal data and sensitive personal data. Sensitive personal data is subject to more stringent rules for its processing.

Under the PDPD, 'sensitive personal data' is defined as personal data associated with individual privacy which, if violated, will directly affect a person’s legitimate rights and interests. In particular, the PDPD specifies sensitive personal data to include, among other things, political and religious views, health status and private life information as recorded in medical records (except for blood type), racial or ethnic origin, genetic characteristics, biometric characteristics, sexual orientation, criminal records, customer information of credit institutions, foreign bank branches or payment intermediary service providers, or location data identified via location services. When obtaining consent to process sensitive personal data, organisations must clearly inform the data subject that the data falls within a sensitive category. In addition to applying all protection measures for basic personal data, organisations processing sensitive personal data are also required to: (1) establish a dedicated data protection department; (2) assign a specific data protection officer; and (3) notify the A05 of the appointed department and responsible personnel.

While the PDPL retains the concept of sensitive personal data, it does not specify the exact types of data that fall within this category or set out specific processing requirements. Instead, the categories of sensitive personal data will be determined by a list to be issued by the government later.

Data handling responsibilities of owners of PI

Transparency

Does the law require owners of PI to provide information to individuals about how they process PI? What must the notice contain and when must it be provided?

The Personal Data Protection Decree (PDPD) stipulates that data subjects must be notified of the processing before their personal data is processed. The PDPD further regulates: (1) conditions to obtain the consent, which include information that the data subject must be provided with before collecting the consent; and (2) the data processing notification, which includes information that the data subject must be provided with before the personal data processing is conducted. In brief, to satisfy the two requirements, the data subject must be provided with:

  • purposes of processing;
  • type of personal data used in relation to the processing purposes;
  • methods of processing personal data;
  • information on other organisations and individuals related to the processing purposes above;
  • consequences and undesirable damages that are likely to occur;
  • start time and end time of data processing;
  • rights and obligations of the data subject; and
  • indication if any of the data to be processed falls under the category of sensitive personal data.

In addition, if there is a cross-border personal data transfer, the data subject needs to be notified about such transfer as well.

The requirements above, however, are more relaxed under the Personal Data Protection Law (PDPL).

Exemptions from transparency obligations

When is notice not required?

Under the PDPD, personal data controllers and controller-processors are generally required to notify data subjects before processing their personal data. However, this obligation does not apply in the following cases:

  • the data subject is already aware of and has voluntarily given consent to all required information prior to the collection of their personal data; or
  • the personal data is processed by competent state authorities for the performance of their duties as provided by law.

Although the PDPD exempts consent in certain circumstances, it does not explicitly address whether notification obligations are also waived in those cases. Nonetheless, it is commonly interpreted that notification may also be exempted.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PI?

While the PDPD and the PDPL do not expressly impose specific standards, they do set out general principles related to data quality, currency and accuracy:

  • The PDPD requires that personal data be updated and supplemented as appropriate for the intended processing purposes. Data subjects also have a duty to provide complete and accurate personal data when consenting to its processing.
  • Similarly, the PDPL emphasises the principle that personal data must be accurate and subject to correction, updating or supplementation when necessary. It also requires data subjects to provide their personal data in a complete and accurate manner in accordance with legal provisions, contracts, or when giving consent to data processing.

Data minimisation

Does the law restrict the types or volume of PI that may be collected?

The PDPD and PDPL do not explicitly limit the types or amount of personal data that may be collected. However, both incorporate the principle of data minimisation. Specifically, the PDPD requires that personal data be collected in a manner that is appropriate and limited to the scope and purpose of processing, while the PDPL mandates that personal data be collected and processed strictly within a specific and clearly defined scope and purpose, in compliance with legal regulations.

Purpose limitation

Are there any restrictions on the purposes for which PI can be used by owners? If there are purpose limitations built into the law, how do they apply?

The PDPD and the PDPL both acknowledge the purpose limitation principle. Specifically, the PDPD requires that personal data must be processed for specific purposes that have been declared to the data subjects. The PDPL further clarifies that personal data may only be collected and processed for clear, specific, and lawful purposes.

In particular, the PDPD obliges personal data controllers and controller-processors to provide mandatory information to data subjects to obtain valid consent (unless consent-exemption cases are applied). Accordingly, it is understood that any subsequent changes to agreed content (eg, purposes) must also be notified and subject to additional consent (unless consent-exemption cases are applied). This approach is upheld under the PDPL as well.