Personal data in the new draft decree

“Hello, I am from ABC Company specializing in securities investment consultancy”, “Hello, there is currently a real estate project for sale in District X”. These are just a few examples of the disturbing “junk” calls from other organizations/individuals. This raises the question of whether the information that we provide to other units such as network operators, credit institutions, hospitals, e-commerce sites, social networks, etc. is really handled and secured effectively, and whether those units have the right to provide/sell our personal data to other units. This article will analyze some new points in the Draft Decree on Personal Data Protection (“Draft Decree”), published by the Ministry of Public Security for public comment and expected to come into force in December 2021. However, the Government has not so far published the full text of the official Decree on Personal Data Protection.

In general, the content of the Draft Decree is in accordance with international standards, especially the General Data Protection Regulation (abbreviated as “GDPR”) of the European Union. Some notable highlights are as follows: 

The first point is about the governing scope. The governing scope of the Draft Decree is considered quite broad and comprehensive. The Draft Decree regulates all activities of agencies, organizations and individuals related to personal data of Vietnamese citizens.1 Accordingly, all agencies, organizations, or individuals (whether domestic or foreign) carrying out any activities related to the personal data of Vietnamese citizens are covered by the governing scope of this Draft Decree. However, this legislation differs in some respects from the requirements of the GDPR. The GDPR excludes the following cases from its governing scope:2

  1. The processing of personal data outside the scope of Union Law; 
  2. The processing of personal data carried out by Member States in accordance with the general regulations on external policy and general security (as prescribed in Chapter I Section V of TEU);
  3. The processing of an individual’s data for individual or household activity purposes only;
  4. The processing of personal data by competent authorities for public purposes such as the prevention, investigation, detection or prosecution of criminal offenses. 

The second point is the concept of “Personal data”. Personal data is data about an individual or related to the identification or possible identification of a specific individual.2 The Draft Decree divides Personal Data into two (02) groups:

  1. Basic personal data: Last name, middle name and birth name; date of birth; gender, etc.
  2. Sensitive personal data: Personal data about political views, religion, biometrics, life, finance, location, etc. 

The division of personal data into the above-mentioned two groups represents a difference in the level of personal data protection. Specifically, the obligations of agencies, organizations, and individuals when processing personal data differ according to the type of personal data. For example, suppose agencies, organizations, and individuals want to process sensitive personal data. In this case, they must comply with stricter regulations, explain to the data owner that the data being processed is sensitive personal data, and seek the consent of the data owner in a format that can be printed, copied in writing,3 and must be registered with the Personal Data Protection Commission. In addition, the division of types of personal data also helps the authorities to more easily manage, inspect, determine the level of violations and penalize violations.

The third point is about the establishment of the Personal Data Protection Committee. The Personal Data Protection Committee is a government-affiliated organization, located at the Department of Cybersecurity and High-Tech Crime Prevention, Ministry of Public Security.4 In general, the Personal Data Protection Committee is an organization that performs the function of managing, monitoring and ensuring compliance with regulations on personal data protection specified in the Draft Decree. In addition, the Personal Data Protection Committee is also the organization in charge of building and operating the National Portal on Personal Data Protection.5  

The fourth point is about the cross-border transfer of personal data. Article 21 of the Draft Decree stipulates that the following four requirements must be met (except for certain cases) before transferring personal data of Vietnamese citizens out of the Vietnamese territory:

  1. The consent of the data owner to the transfer;
  2. Original data is stored in Vietnam;
  3. Written proof that the country, territory or specific area in the country or territory to which the data is transferred has issued regulations on the protection of personal data at an equal or higher level than the provisions in the Draft Decree; and
  4. Getting the approval of the Personal Data Protection Committee.

Note that, in order to be approved in writing by the Personal Data Protection Committee, the application must include an impact assessment report on the registrant's cross-border transfer of personal data, describing such activities in detail, the purpose, an assessment of possible risks and disadvantages, and measures to reduce or eliminate such risks or disadvantages.

The fifth point is about the handling of administrative violations. Currently, Decree No. 91/2020/ND-CP on preventing spam messages, emails, and calls has entered into effect, and the Ministry of Information and Communications has applied policies to support users in reporting spam messages and calls. However, this situation has not been solved thoroughly. Under Article 22 of the Draft Decree, depending on the nature and level of the violation, the violator may be administratively sanctioned or even criminally prosecuted.6 The administrative sanction ranges from VND50,000,000 to VND100,000,000. In addition, violators may be temporarily or permanently prohibited from processing or transferring data. In case of repeated violations, the violator may be deprived of the right to process data and sanctioned with a fine of up to 5% of total revenue in Vietnam.

For the fine of up to 5% of total revenue in Vietnam, the Draft Decree does not specify whether this percentage will be calculated on revenue from violations or on monthly/quarterly/yearly revenue. Meanwhile, the GDPR calculates the percentage on the violator's total global revenue for the previous fiscal year. It can be seen that the level of sanction for administrative violations as prescribed in the Draft Decree is not at a high deterrent level because the amount is too small compared to the profit earned from the breach. Specifically, any enterprise that violates the GDPR rules can face fines of up to 20 million euros (about 550 billion VND) or up to 4% of the total annual worldwide revenue for the previous fiscal year, whichever is higher.7

Information always plays a vital role in the age of digital transformation and the growth of information technology. Overusing personal information and using it for illegal purposes can cause serious consequences. Therefore, the Government’s promulgation of a stricter legal framework on personal data protection will be an important contribution to preventing the theft and sale of data.

Disclaimer: This article is for general information only and is not a substitute for legal advice. Apolat Legal is a Vietnamese law firm with experience and capacity to advise on matters related to Legal retainer.