Comparing personal data protection laws in Vietnam and the EU
As digitalization advances, the need for comprehensive personal data protection has become a priority for legal systems worldwide. Jurisdictions such as the European Union (EU) and Vietnam have set similar standards to protect personal data, alongside some specific differences.
The European Union (EU) sets one of the highest standards globally through its General Data Protection Regulation (GDPR), which governs the processing of personal data within the EU and beyond. In Vietnam, Decree No 13/2023/ND-CP (Decree 13) outlines the nation’s approach to safeguarding personal data. While both the GDPR and Vietnam’s Decree share common principles, such as ensuring data subject rights and securing personal information, there are key differences in their application, scope, and enforcement.
1. Key similarities
1.1. Consent-based data processing
Under Articles 6 and 7 of the EU’s GDPR, processing of personal data must be based on lawful grounds, with consent being a key basis. Indeed, obtaining consent from individuals before processing personal data is mandatory; consent must be specific, informed, freely given, and revocable.
Vietnam’s Decree 13 aligns closely with the GDPR in requiring informed and explicit consent. Indeed, consent is required for the collection and processing of personal data, with data subjects given the right to revoke it at any time (Article 11).
1.2. Rights of data subjects
The GDPR provides several rights for data subjects such as:
Vietnam’s Decree 13 also grants similar rights to:
1.3. Data security obligations
A personal data breach refers to any security incident resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
Under Article 33 of the EU’s GDPR, data controllers must notify supervisory authorities of any data breach within 72 hours. Indeed, the organization must promptly inform the relevant supervisory authority. If the breach poses a high risk to individuals’ rights and freedoms and the risk has not been addressed, the affected individuals must also be notified without undue delay.
Vietnam’s Decree 13 is similar to the GDPR: organizations must report breaches to the Ministry of Public Security (MPS) and notify affected individuals (Article 23).
2. Key differences
2.1. Personal data classification
In the EU conception, personal data is, by its nature, particularly sensitive in relation to fundamental rights and freedoms and merits specific protection, as the context of its processing could create significant risks to those fundamental rights and freedoms. There is no clear classification of personal data.
In Vietnam’s conception, by contrast, personal data is classified into common personal information and sensitive personal information.
2.2. Scope of application
The GDPR is a comprehensive and far-reaching regulation that applies to entities that process the personal data of EU citizens, regardless of their physical location (Article 3 GDPR). This means companies outside the EU, including Vietnam, must comply if they handle data from EU citizens.
In contrast, Vietnam’s Decree focuses on businesses operating within the country, emphasizing cybersecurity and data localization for national security purposes, a narrower focus than the GDPR.
2.3. Data localization
The GDPR allows cross-border data transfers to non-EU countries, provided that adequate protection is in place (Article 45 GDPR).
Vietnam’s Decree, by contrast, requires businesses to store certain personal data locally, particularly data of Vietnamese citizens, for a minimum of 24 months. When transferring personal data abroad, an overseas personal data transfer impact assessment file must be established and submitted to the Department of Cyber Security and High-Tech Crime Prevention, Ministry of Public Security.
2.4. Enforcement and penalties
The GDPR imposes strict penalties for non-compliance, with fines up to 20 million euros or 4% of global annual turnover (Article 83 GDPR).
Vietnam’s Decree 13 focuses more on state interest and national security, which can sometimes limit the protection of individual privacy. However, in the near future, draft regulations on penalties for violations of personal data protection regulations will come into force.
2.5. Supervisory authorities
The EU’s GDPR establishes independent Data Protection Authorities (DPAs) in each member state, supervised by the European Data Protection Board (EDPB) (Articles 51 to 59 GDPR). These authorities are empowered to investigate breaches and impose sanctions.
Vietnam, on the other hand, does not have an independent data protection authority. The MPS oversees data protection issues, particularly through a cybersecurity lens.
3. Conclusion
Thus, while both Vietnam and the EU recognize the importance of personal data protection, the GDPR provides a more comprehensive and rights-focused framework, with broad territorial scope and stringent enforcement. Vietnam’s Decree 13, while offering basic protection, is still limited in scope and prioritizes state security. Companies operating in both regions must navigate these differences to ensure compliance, particularly when handling cross-border data transfers or operating in sectors where national security concerns are paramount.
Article completion date: December 27th, 2024.
PLF Law Firm
The article is based on laws applicable at the time noted above and may no longer be appropriate at the time the reader approaches this article, as the applicable laws and the specific cases that the reader may wish to apply may have changed. Therefore, the article is for reference only.