New requirements for Data Protection Officers under Vietnam’s Draft Law on Personal Data Protection

In the context of rapid digital technology advancement and the increasing importance of personal data protection, the role of Data Protection Officer (DPO) has become essential for all organizations and enterprises. This article analyzes the position of Data Protection Officer under Vietnam’s Draft Law on Personal Data Protection, while assessing the impact of these regulations on business operations. 

Regulations on Data Protection Officer under the Draft Law on Personal Data Protection 

The Data Protection Officer is a key legal entity formally introduced for the first time in the Draft Law on Personal Data Protection, playing a crucial role in supervising and ensuring compliance with personal data protection regulations within organizations and enterprises. 

According to the Draft Law’s definition, a Data Protection Officer is an individual appointed by the controller, controller and processor, third party, cross-border data transfer party, or Vietnamese citizens’ data recipient to serve as personnel responsible for personal data protection, possessing technological and/or legal competency in personal data protection, and specifically referenced in both the Personal Data Protection Impact Assessment Records and Cross-border Data Transfer Impact Assessment Records. 

According to the Draft Law, Data Protection Officers are classified into: 

a) Data Protection Officers with both technological and legal competency;

b) Data Protection Officers with technological competency;

c) Data Protection Officers with legal competency.

Data Protection Officers must obtain a certificate of competency issued by authorized certification bodies, ensuring that these Officers possess adequate qualifications and expertise to effectively perform their duties and meet legal requirements for data protection. The Ministry of Public Security shall authorize licensed certification bodies to conduct assessments and issue competency certificates to qualified Data Protection Officers. To obtain this certification, candidates must meet minimum requirements, including possession of an associate degree in a relevant field and successful completion of an advanced training course in data protection certification. 

The appointment of a Data Protection Officer is a mandatory requirement and essential for conducting comprehensive and accurate personal data processing impact assessments. During the assessment process, detailed information about the Data Protection Officer must be fully and accurately documented in both the enterprise’s Personal Data Processing Impact Assessment Records and Cross-border Data Transfer Impact Assessment Records. This ensures transparency and accountability in data processing. Furthermore, according to the Draft Law on Personal Data Protection, each enterprise must not only appoint a Personal Data Protection Organization and a Data Protection Officer but also establish and maintain regular communication channels with the Personal Data Protection Authority to ensure effective supervision and compliance. 

The requirement to have or hire a Data Protection Officer poses significant legal and compliance burdens for small and medium-sized enterprises, including recruitment costs, training expenses, position maintenance, and requirements for implementing related compliance procedures and processes. To alleviate this burden, the Draft Law on Personal Data Protection provides a special exemption clause for micro, small and medium-sized enterprises and startups, whereby they are not required to appoint a Data Protection Officer during the first two years from the date of enterprise establishment. This allows new businesses time to develop and stabilize operations before meeting this requirement. However, it should be noted that this exemption does not apply to micro, small and medium-sized enterprises and startups whose primary business activity involves direct data processing.

Comparison with current regulations under Decree 13/2023/ND-CP on personal data protection 

Under Decree 13, the protection of sensitive personal data only requires enterprises to establish a specialized unit and assign personnel responsible within the organization. The Decree does not set specific standards regarding professional qualifications, experience, or legal competency requirements for assigned personnel. This creates a relatively flexible legal framework for enterprises in organizing their personal data protection apparatus. Meanwhile, the Draft Law on Personal Data Protection has significantly enhanced personal data protection requirements by establishing stricter regulations. Specifically, enterprises must not only have a specialized unit but also establish an official Personal Data Protection Organization and appoint a qualified Data Protection Officer for all data processing activities. 

Vietnam’s Draft Law on Personal Data Protection contains more stringent provisions regarding Data Protection Officers compared to the EU’s GDPR. While GDPR only requires the appointment of Data Protection Officers (DPOs) in specific cases such as public authorities or organizations conducting large-scale data processing, Vietnam’s Draft Law imposes stricter requirements by mandating that all entities involved in personal data processing must have a Data Protection Officer. 

The provisions regarding Data Protection Officers in the Draft Law on Personal Data Protection mark a significant milestone in Vietnam’s legal framework for data protection. While the new regulations may pose compliance challenges and cost implications for businesses, particularly small and medium-sized enterprises, these requirements are essential to ensure professionalism and effectiveness in personal data protection. However, to effectively evaluate and implement the new provisions in the Draft Law, we must await the detailed implementing regulations to be issued following the law’s adoption. 

Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email info@apolatlegal.com.
