In the context of increasing digitalization, personal data protection has become a critical issue of concern for many countries. In Vietnam, the Draft Law on Personal Data Protection has established detailed regulations regarding the establishment and operation of Personal Data Protection Organizations, aimed at ensuring information security for individuals and organizations.
This article will provide a detailed analysis of the business conditions for Personal Data Protection Organization services, expert requirements in this field, and the capacity certification process as stipulated by the draft law. This information will provide businesses and interested individuals with a comprehensive overview of participating in this new business sector.
1. Business conditions for Personal Data Protection Organization services
The business conditions for Personal Data Protection Organization services are strictly regulated to ensure quality and professionalism in personal data protection. According to the regulations, organizations providing these services must meet three fundamental criteria:
- First, regarding legal status, the entity must be an organization or enterprise with functions, duties, or business activities related to technology, legal matters, or consultancy in these two fields. This ensures that the organization possesses the necessary professional foundation to perform its duties.
- Second, regarding professional personnel, the organization must meet one of two options: either having at least one expert certified with a Comprehensive Certificate in technological and legal capabilities, or having a minimum of two experts – one with certification in legal capabilities and one with certification in technological capabilities.
- Third, the organization must achieve a minimum credibility rating of “Satisfactory” in the field of personal data protection.
2. Personal data protection experts
Personal data protection experts are classified into three main categories based on their professional competencies: comprehensive experts (both technology and legal), technology experts, and legal experts. Each category must meet stringent standards regarding educational qualifications and professional expertise.
Comprehensive experts face the highest requirements: two college degrees or higher, one in security, information security, or cybersecurity, and another in law. Additionally, they must complete specialized training in personal data protection that integrates both legal and technological knowledge.
Specialists in a single field (technology or legal) have less complex requirements. Legal experts must possess a college degree or higher in law and complete specialized training in data protection law. Similarly, technology experts must hold a college degree in information security and complete training in data protection technology.
Notably, to support newly established enterprises, the law permits micro-enterprises, small enterprises, medium enterprises, and startups to be exempt from expert requirements during their first two years of operation. However, this provision does not apply to enterprises directly engaged in personal data processing operations.
3. Certification of technological and legal competency in personal data protection
The certification system for technological and legal competency in personal data protection is a formal process wherein authorized organizations issue certificates to experts in the field of personal data protection. This process is designed to ensure the professionalism and competency of experts in this field.
The certification system comprises three main types of certificates: the Comprehensive Certificate in technological and legal capabilities, the Specialized Certificate in technological capabilities, and the Specialized Certificate in legal capabilities. This diversity enables experts to be recognized according to their specific expertise and competencies, while helping organizations select personnel appropriate to their specific needs.
The certification issuance is conducted by qualified Personal Data Protection Certification Organizations. To ensure transparency and quality, these organizations must be approved by the Personal Data Protection Authority before they can perform certification functions. This regulation creates a multi-tier quality control system, ensuring the professionalism and reliability of the certification process.
Conclusion
The business of Personal Data Protection Organization services represents a new and promising field in Vietnam. With strict regulations on business conditions, expert requirements, and competency certification systems, the draft Law on Personal Data Protection has established a solid legal framework for the development of this sector.
Businesses and individuals interested in this field need to thoroughly prepare in terms of personnel, expertise, and capabilities to meet the law’s stringent requirements. Meanwhile, the exemption of certain conditions during the initial phase for small and medium enterprises demonstrates policy flexibility, facilitating opportunities for new businesses to enter this market.
With increasingly strong digitalization trends, the demand for personal data protection services will undoubtedly rise in the future, creating numerous business opportunities for organizations that meet the legal requirements.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email info@apolatlegal.com.