Vietnam: Draft Personal Data Protection Law (PDPL) open for public consultation

In brief

Vietnam has released the draft Personal Data Protection Law (PDPL) for public consultation, open until 24 November 2024.


In more detail

Key points include the following:

  • Timeline: The draft PDPL is expected to be enacted in May 2025 and take effect on 1 January 2026. There is, however, no grace period for compliance, save for the limited two-year exemption to discharge the DPO appointment obligation, which is only available for some SMEs and start-up enterprises.
  • Structure: This first draft version incorporates nearly all provisions of the current Personal Data Protection Decree (PDPD) and adds new ones. Consequently, stringent rules under the PDPD remain unchanged (e.g., granular consent, limited consent-exempted scenarios, 72-hour deadline to address certain data subject requests and to report a data breach, impact assessment filings, and prohibition against data sale), some of which even contradict the draft PDPL's new requirements.
  • Consent and legal bases for processing: Requirements for consent are scattered inconsistently across various articles of the draft PDPL. On the one hand, the draft PDPL retains the general requirements for consent and the circumstances where consent is exempted, similar to the PDPD. On the other hand, certain context- and data-specific regulations explicitly require consent without any exceptions. It therefore remains unclear how other legal bases for data processing (e.g., contract performance) would apply in these instances. GDPR-type legitimate interest is not yet recognized under the draft PDPL as a lawful ground for personal data processing.
  • Data processing in specific contexts: The draft PDPL aims to regulate personal data processing in specific contexts such as marketing, behavioral and targeted advertising, big data processing, AI, cloud computing, recruitment and employment monitoring, banking and finance, social networks, and media services. It also addresses specific categories of personal data, including health and insurance data, location data, biometric data, credit data, and children's data.
  • Data processing in marketing and advertising: The draft PDPL stipulates a separate opt-in and opt-out regime for the processing of personal data in marketing services and behavioral and targeted advertising. It also restricts the scope of data that can be processed for these purposes.
  • Special categories of personal data: Certain personal data are subject to heightened regulations under the draft PDPL, such as children's data, biometric data and location data. Notice and consent are among the requirements that one must adhere to when processing these types of personal data.

Copyright © 2024 Baker & McKenzie. All rights reserved.