Vietnam’s Digital Personal Data Protection Bill (PDPL) represents a pivotal step in safeguarding individuals’ privacy rights in the digital age. As the digital landscape evolves and technology becomes more integrated into everyday life, the need to regulate the collection, processing, and storage of personal data becomes increasingly imperative. The PDPL seeks to address these concerns by establishing comprehensive guidelines and regulations tailored to the unique challenges posed by the digital realm. In this blog, we will explore Vietnam’s Digital Personal Data Protection Bill (PDPL) and understand its impact on businesses.
Key provisions of Vietnam’s Digital Personal Data Protection Bill (PDPL) encompass data protection principles, consent requirements, data subject rights, cross-border data transfers, and enforcement mechanisms. Through these provisions, the PDPL endeavors to strike a balance between facilitating data-driven innovation and protecting individuals’ privacy interests.
Access: Vietnam Digital Personal Data Protection Bill
Article 1. Consent stipulates that personal data is processed without the consent of the data subject in the following cases:
a) To protect the life and health of the data subject or others in an emergency situation. Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, Third Party is responsible for proving this case;
Personal data can be processed without consent in emergency situations that threaten the life and health of the data subject or others. This means that in a critical situation, like a medical emergency, personal data can be accessed and used without explicit consent.
While this provision allows for data to be used in emergencies, it’s important to ensure that the data is not misused or accessed by unauthorized parties. The responsibility lies with the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and Third Party to prove that this was a genuine emergency situation.
b) The disclosure of personal data in accordance with the law;
Personal data can be disclosed in accordance with the law. This means that if the law requires the disclosure of personal data, it can be done without consent. While the disclosure of personal data in accordance with the law is necessary in some cases, there is a need for clear guidelines on what constitutes lawful disclosure. Otherwise, there is a risk of personal data being misused or abused.
c) The processing of data by competent state agencies in the event of a state of emergency on national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and violations of the law in accordance with the law;
Competent state agencies can process personal data without consent in situations of national defense, security, social order and safety, major disasters, dangerous epidemics, riots, terrorism, and crime prevention. While it is understandable that state agencies may need access to personal data in certain situations, there is a need for strict guidelines and oversight to prevent misuse of data. Personal data should only be accessed and used for specific purposes and not be shared with unauthorized parties.
d) To fulfill the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law;
Personal data can be processed to fulfill the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law. This means that personal data can be used to fulfill a contractual obligation, such as providing personal information for a bank account or insurance policy. While this provision may seem reasonable, there is a need to ensure that personal data is only used for the specific purpose stated in the contract and is not shared or used for other purposes without the consent of the data subject.
dd) Serving the activities of state agencies as prescribed by specialized laws.
Personal data can be used to serve the activities of state agencies as prescribed by specialized laws. This means that personal data can be used to serve the activities of state agencies, such as conducting a census or collecting data for research purposes. While the use of personal data for state agency activities may be necessary, there is a need for strict guidelines and oversight to prevent misuse of data. Personal data should only be accessed and used for specific purposes and not be shared with unauthorized parties. Additionally, there is a need to ensure that the data is anonymized where possible to protect the privacy of the data subjects.
Article 2. Approving the Government’s report, the report on the collection of opinions of the National Assembly Standing Committee, the draft content of the Decree on protection of personal data; assigned the Minister of Public Security, authorized by the Prime Minister, on behalf of the Government to report and consult the National Assembly Standing Committee on the draft Decree on protection of personal data as prescribed in Clause 3, Article 19 of the Law on protection of personal data . Promulgating legal documents in 2015 (amended and supplemented in 2020).
Article 3. This Resolution takes effect from the date of signing for promulgation.
Article 4. The Minister of Public Security, Ministers, and Heads of relevant agencies shall be responsible for the implementation of this Resolution.
The above article is related to the process of approving the draft Decree on the protection of personal data. The Government has prepared a report on the collection of opinions of the National Assembly Standing Committee regarding the draft content of the Decree. The Minister of Public Security is authorized by the Prime Minister to report and consult with the National Assembly Standing Committee on the draft Decree, as prescribed in Clause 3, Article 19 of the Law on the protection of personal data promulgated in 2015 (amended and supplemented in 2020).
Vietnam’s Personal Data Protection Bill(PDPL) brings significant changes and improvements to the country’s data protection framework. It imposes strict obligations and responsibilities on businesses that collect and process personal data, including obtaining valid consent and implementing appropriate technical and managerial measures to protect personal data. The broad definition of personal data and the introduction of the concepts of data controllers and processors under the PDPD will provide more clarity and accountability in the processing of personal data. The obligations and penalties for non-compliance will encourage businesses to prioritize the protection of personal data.
About Concur – Harmonizing Data Compliance
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and the use of blockchain technology, Concur helps enterprises to stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, they offer dedicated support through their Support Center to ensure customers have the assistance they need to achieve their compliance goals.