Legal Update | Draft Law on Personal Data Protection | October 2024

Key Updates of the Draft Law on Personal Data Protection (Draft PDPL): 

  • Scope of application 

  • Consent requirement  

  • Location data and Biometric data 

  • Sensitive personal data protection 

  • Credit rating mechanism of personal data protection  

  • Protection of personal data in contexts with intensive data involvement 

  • Periodic updates of Data Protection Impact Assessment (DPIA) and Cross-border Transfer Data Impact Assessment (CTIA) dossiers 

The Draft PDPL has been opened for public feedback until 24 November 2024. The Draft PDPL is expected to be reviewed by the XV National Assembly in the 8th Session for its enforcement as of 1 January 2026. 

The Draft PDPL is the first overarching law on personal data protection in Vietnam. The Draft PDPL aims to address concerns of stakeholders, strengthen the framework for personal data protection and ensure alignment of Vietnam with international standards.  

1. Scope of application

According to Decree 13 on Personal Data Protection (Decree 13), regulations on personal data protection apply to: 

  • Vietnamese agencies, organizations and individuals

  • Foreign agencies, entities and individuals in Vietnam

  • Vietnamese agencies, organizations and individuals operating in foreign countries

  • Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam

Additionally, the Draft PDPL expands the scope to include also “agencies, organizations and individuals that collect and process personal data of foreigners within the territory of Vietnam”. The expansion indicates that subjects engaged in the processing of personal data relevant to Vietnam must comply with Vietnamese regulations on protection of personal data.

2. Consent Requirement

The Draft PDPL reinforces and even strengthens the already strict consent requirements set out in Decree 13:

  • Consent for the transfer of personal data: the Draft PDPL prohibits the inclusion of a mandatory condition requiring the provision of consent for the transfer of personal data to other services not related to the purpose of the data collection.

  • Consent for processing by group companies: the Draft PDPL clarifies that the consent given to one company for the processing of personal data does not automatically extend to other companies within the same group.

3. Location data and Biometric data

  • The Draft PDPL requires explicit notification for the processing of location data and biometric data. 

  • In addition, for location data, the Draft PDPL requires the explicit consent of the data subject for location tracking via Radio Frequency Identification (RFID) tags and other technologies, unless otherwise required by law. Such provisions are particularly relevant in light of the proliferation of technological devices with location tracking capabilities and underscore the need for strict control over such tracking to ensure the privacy and autonomy of data subjects.

4. Sensitive Personal Data Protection

The Draft PDPL introduces two notable points regarding the provisions on protection of sensitive personal data, specifically:

  • An additional type of sensitive personal data, namely information about land users and land-related data containing information about land users

  • A new compulsory measure for sensitive personal data protection, which is the implementation of “credit rating of personal data protection”

5. Credit rating mechanism of personal data protection 

  • The credit rating mechanism of personal data protection is a focus of the Draft PDPL. 

  • The Draft PDPL not only defines credit rating and credit rating agencies in terms of personal data protection, but also incorporates them into other provisions, including the provisions on DPIAs. Written credit rating results are required as a mandatory document in the DPIA dossiers of personal data controllers, personal data controllers-cum-processors and personal data processors.

6. Protection of personal data in contexts with intensive data involvement

The Draft PDPL provides detailed regulations on protection of personal data in common contexts with intensive data involvement, such as marketing, behavioral and targeted advertising, big data processing, artificial intelligence, cloud computing, recruitment and employment monitoring, financial, banking, credit and credit information, health and insurance information, or social networks and media services. Some pertinent takeaways for these contexts include:

  • Recruitment and employment monitoring:

    ◦ Only publicly available information in the content list for recruitment or employee profiles can be requested.

    ◦ The company collecting and processing personal data has the burden of proof for the lawfulness of the collection and processing when employees' personal data are updated in the global employee database system.

  • Financial, banking, credit, and credit information:

    ◦ Financial, banking, credit, and credit information companies may only provide credit information and related products of data subjects to organizations and individuals that are financial, banking, and credit institutions as prescribed by laws.

    ◦ The buying and selling of credit information or the illegal transfer of credit information between financial, credit and credit information institutions is prohibited.

  • Social networks, media services:

    ◦ Over-the-top service providers must offer a “do not track” option, or track social media and over-the-top service usage only with user consent.

    ◦ Requiring a photo of the data subject's ID card or citizen identification card as a factor in account authentication is prohibited.

    ◦ Eavesdropping, wiretapping or recording calls and reading text messages without the data subject's consent is against the law.

7. Periodic updates of DPIA and CTIA dossiers

  • The Draft PDPL requires that DPIA and CTIA dossiers be updated every six months in the event of changes. 

  • Otherwise, DPIA and CTIA dossiers must be updated immediately upon the occurrence of the following circumstances:

    ◦ Dissolution or merger of the company

    ◦ Changes in the information regarding the Personal Data Protection Department and the Personal Data Protection Officers (DPO)

    ◦ Supplement of new business lines/services, or cessation of the provision of services/products relating to personal data registered in the DPIA or CTIA dossiers

8. Timeline for compliance

If the provision on enforcement of the Draft PDPL is fully adopted, there will be no grace period for compliance once the legislation comes into force, unless small and start-up businesses choose to waive the provisions on appointing a DPO for the first two years from the date of incorporation of the business.
