Key Updates of the Draft Law on Personal Data Protection (Draft PDPL):
The Draft PDPL has been opened for public feedback until 24 November 2024. It is expected to be reviewed by the XV National Assembly at its 8th Session, with enforcement as of 1 January 2026.
The Draft PDPL is the first overarching law on personal data protection in Vietnam. The Draft PDPL aims to address concerns of stakeholders, strengthen the framework for personal data protection and ensure alignment of Vietnam with international standards.
1. Scope of application
According to Decree 13 on Personal Data Protection (Decree 13), regulations on personal data protection apply to:
- Vietnamese agencies, organizations and individuals
- Foreign agencies, entities and individuals in Vietnam
- Vietnamese agencies, organizations and individuals operating in foreign countries
- Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam

Additionally, the Draft PDPL expands the scope to also include “agencies, organizations and individuals that collect and process personal data of foreigners within the territory of Vietnam”. The expansion indicates that subjects engaged in the processing of personal data relevant to Vietnam must comply with Vietnamese regulations on the protection of personal data.
2. Consent Requirement
The Draft PDPL reinforces and even strengthens the already strict consent requirements set out in Decree 13:
3. Location data and Biometric data
In addition, for location data, the Draft PDPL requires the explicit consent of the data subject for location tracking via Radio Frequency Identification (RFID) tags and other technologies, unless otherwise required by law. Such provisions are particularly relevant in light of the proliferation of technological devices with location tracking capabilities and underscore the need for strict control over such tracking to ensure the privacy and autonomy of data subjects.
4. Sensitive Personal Data Protection
The Draft PDPL introduces two notable points regarding the provisions on protection of sensitive personal data, specifically:
5. Credit rating mechanism of personal data protection
The Draft PDPL not only defines credit rating and credit rating agencies in terms of personal data protection, but also incorporates them into other provisions, including the provision on DPIA. Written credit rating results are required as a mandatory document in the DPIA dossiers of personal data controllers, personal data controllers-cum-processors and personal data processors.
6. Protection of personal data in contexts with intensive data involvement
The Draft PDPL provides detailed regulations on the protection of personal data in common contexts with intensive data involvement, such as marketing; behavioral and targeted advertising; big data processing; artificial intelligence; cloud computing; recruitment and employment monitoring; financial, banking, credit, and credit information; health and insurance information; or social networks and media services. Some pertinent takeaways for these contexts include:
Financial, banking, credit, and credit information companies may only provide credit information and related products of data subjects to organizations and individuals that are financial, banking, and credit institutions as prescribed by law.
7. Periodic updates of DPIA and CTIA dossiers
8. Timeline for compliance
If the provision on enforcement of the Draft PDPL is fully adopted, there will be no grace period for compliance once the legislation comes into force, except that small and start-up businesses may choose to waive the provisions on appointing a DPO for the first two years from the date of incorporation of the business.