The long-awaited Decree on Personal Data Protection (“PDPD”) was finally issued last night as Decree No. 13/2023/ND-CP.
Mirroring the EU’s General Data Protection Regulation in several respects, the PDPD introduces various new requirements for any organizations or individuals engaging in and/or related to personal data processing activities in Vietnam.
Notable provisions under the PDPD include:
- Extra-territorial scope of application – the PDPD will apply to both local and offshore entities directly engaging in and/or related to personal data processing activities in Vietnam.
- Extended categories of regulated subjects – as hinted under the draft Cybersecurity Administrative Sanctions Decree, the PDPD recognizes the concepts of “data controller” and “data processor”. It also introduces the concept of “data controlling and processing entity”.
- Broad definition of personal data and data processing – similar to the public draft version of the PDPD, the final issued version classifies personal data into two groups: “basic personal data” and “sensitive personal data”. The list of sensitive personal data is very broad and non-exhaustive.
- New requirements for a valid consent, sensitive personal data processing, and cross-border data transfer. No specific data localization requirement was introduced.
- Obligation to apply different managerial and technical measures to protect personal data, including personal data protection impact assessment; and
- Strict time limit to comply with a data subject’s request.
The PDPD will come into effect on 01 July 2023. A grace period of 2 years, however, only applies to small and medium-sized enterprises.