Key Questions on Data Protection in Vietnam

Question 1: Are there any recent notable developments in data protection regulations in Vietnam?

The Vietnamese Government introduced Decree No. 13/2023/ND-CP on Personal Data Protection, which took effect on July 1, 2023. This marks a significant step toward aligning Vietnam with international data privacy standards. However, there is still uncertainty regarding compliance, particularly concerning core obligations related to consent, data collection, and data control.

The Vietnamese Government is currently drafting a new Law on Personal Data Protection, which is expected to be approved in May of this year. This new draft aims to expand the scope and impose more obligations on businesses, including specific regulations for special sectors such as finance, artificial intelligence, advertising, and marketing.

Question 2: From the labor perspective, how do these regulations impact employment practices?

Under labor law, employers can request that employees provide accurate information about their full name, date of birth, gender, place of residence, education level, occupational qualifications and skills, health status, and any other details directly related to entering into a labor contract. Additionally, during employment, employers may also collect information such as salary, allowances, and other income related to the employee. This information is categorized as personal data under the regulations.

As such, when processing and using this data, particularly when transferring it to an overseas parent company or to third parties providing outsourced services (such as payroll and tax), employers must obtain the employee's consent or notify the employee. Furthermore, employees, as the data owners, have the right to withdraw their consent for the employer to process their data, or to request that the employer delete their data.

These regulations significantly impact HR practices, as employers are required to take extra steps to ensure compliance.

Question 3: What additional steps would you recommend the employer take?

Notify and obtain employee consent for collecting personal data

Under current regulations, obtaining consent is fundamental. For it to be valid, consent must meet the following criteria:

  • Freely given;
  • Specific to each processing purpose;
  • Informed and based on clear notification;
  • Unambiguous, requiring a clear affirmative action.

A written consent form should be created to ensure clarity, specific purposes, and compliance with data protection requirements.

Update labor documentation

Recruitment notices, offer letters, employment contracts, and other labor documents must be revised to include the employer’s right to collect and process the personal data of candidates and employees.

Document data transfers outside of Vietnam

Before transferring personal data abroad, an assessment should be conducted. Authorities must be informed of such transfers, and organizations should regularly update their documentation to facilitate inspections by the authorities upon request.

Enhance internal teams and develop role-specific compliance procedures

  • Designate a qualified individual or organization responsible for data protection.
  • Provide teams that handle large volumes of personal data (such as HR, customer service, and digital marketing) with practical protocols rather than just general awareness training.
  • Conduct a data audit to map how personal data is collected, processed, stored, and shared across departments and systems, identifying gaps and assessing risk areas.
  • Establish internal workflows for documenting data processing activities, managing data subject requests, and responding to security incidents.
  • Engage legal counsel to review and strengthen your data governance model, including strategies for international data transfers and third-party vendor management.

Question 4: What are the legal consequences if an employer fails to comply with data protection requirements?

The current regulations focus on administrative sanctions rather than criminal penalties. However, the consequences for violations can still be significant:

  • Fines for Non-Compliance: The newly drafted law proposes administrative penalties ranging from 1% to 5% of the previous year’s revenue (not profits) for organizations and enterprises that violate personal data protection regulations. Additionally, the Government is preparing a draft Decree outlining specific administrative sanctions for various violations.
  • Regulatory Authority Actions: Regulatory authorities may order the suspension of data processing activities or impose additional audits as part of their enforcement actions.
  • Future Criminal Liability: There is a possibility that criminal liability could be introduced for serious offenses, particularly those involving data trading or intentional misuse.

Furthermore, perhaps the most significant consequence is the reputational damage and loss of trust that can result from mishandling personal data.