Personal Data Protection Regulation Currently in the Pipeline

The ability to collect and access information domestically and across borders is essential for businesses of all sizes, industries, and geographic location.  By the end of this year (2021), such data processing activities may be subject to requirements for personal data protection in Vietnam.  In the process of being approved is the Draft Decree on Personal Data Protection (Draft Decree), which will likely have a significant impact on personal data protection practices in Vietnam.  The provisions are slated to take effect as early as December 1, 2021 and will affect all companies doing business in Vietnam, including multinational companies.

This executive brief is to inform corporate leaders of the key legal implications of the Draft Decree and assist them to make preparations.

Broad definition of personal data and classification of basic and sensitive personal data

Under the Draft Decree, the definition of ‘personal data’ is very broad and includes data concerning or related to the identification of an individual.  Such personal data is divided into basic and sensitive personal data, in which sensitive personal data is afforded a higher level of protection. Essentially, disclosure of sensitive personal data is prohibited and registration with the Personal Data Protection Committee (Committee) is required before processing this information.  Sensitive personal data includes, among other categories, certain information related to employment and business activities, such as mental and physical health conditions, financial data, and location data.  There is also an umbrella of ‘other personal data regulated by laws as specified and subject to necessary confidentiality measures’.

Appointment of personnel and a department in charge of personal data protection

The Draft Decree requires businesses to designate personnel and a department in charge of personal data protection.  The identity of the personnel and the department must be communicated by the Company to the Committee.  The Draft Decree does not specify whether the data protection personnel and department are required to be physically stationed in Vietnam or need to acquire any qualifications.

Restrictions on cross-border transfer of personal data of Vietnamese citizens

The Draft Decree sets out four significant conditions that businesses must fully meet for the international transfer of personal data of a Vietnamese citizen: (i) the data subject’s consent must be obtained for the transfer, (ii) the original data is stored in Vietnam, (iii) a document proving that the recipient country has equivalent data protection regulations to Vietnam’s, and (iv) written approval obtained from the Committee.

If the above four conditions are not satisfied, the following four requirements must be fulfilled for such cross-border transfer: (i) the data subject’s consent must be obtained for the transfer, (ii) written approval is required to be obtained from the Committee, (iii) the personal data processor’s must make a commitment to protecting the personal data, and (iv) the personal data processor’s commitment to implementing measures to protect the personal data.

Technical measures for personal data protection

Under the Draft Decree, it is mandatory that businesses develop and issue its own set of personal data protection regulations.  These regulations will be subject to the appraisal and comments of the Committee before they can be published.  Additionally, the Draft Decree requires businesses to adopt technical and administrative measures to protect personal information. These measures include, among others, recording the time and subject of the data when a processing activity or transfer of personal data occurs, recording information about the devices and software used for processing, and promptly notifying the Committee of any personal data protection breach.

Heavy penalties for personal data protection non-compliance

Cross-border transfers of personal data can be terminated if a business violates the regulations on processing personal data under the Draft Decree.  This would include failure to apply technical measures or to develop regulations on personal data protection.  Moreover, the Draft Decree contains provisions that allow for the competent authority to impose criminal penalties for violating data protection requirements and also sets administrative fines for violations of the Draft Decree at up to 5% of the total revenue of the violator.

We will provide further updates on the approval and implementation of the Draft Decree as they develop.  In the meantime, if you have any questions or concerns regarding personal data protection in your business, our experienced lawyers are always available at