Vietnam's first ever draft Personal Data Protection Decree ("PDPD") has been released for public consultation. This draft PDPD will, once adopted, impact on many stakeholders' operation in Vietnam. 

By and large, the PDPD adopts a GDPR-type framework, which is similar to GDPR in the whirlwind of ways, including the broad definition of personal data, data subject’s rights, the concept of Data Protection Officer, extraterritorial applicability, and potentially harsh penalties for non-compliance.

Key regulations under the draft PDPD includes:

Broad definition of personal data. Personal data is any information which includes a natural person or is related to the identification or identifiable natural person.

Vietnam will establish a Personal Data Protection Commission, which is the supervisory authority of the PDPD. 

Personal data comprises (i) basic personal data and (ii) sensitive personal data.

Potentially harsh penalties (up to 5% of total revenues of the violator in Vietnam) can be imposed for non-compliance with the PDPD.

The PDPD provides for obligations of the data controller with regard to the personal data after the data subject’s death.

Companies must have a department supervising personal data protection and Data Protection Officer(s).

Most notably, the PDPD provides restrictions on cross-border transfer of personal data. In general, cross-border transfer can only be performed if all of the following 4 conditions are fulfilled:

the data subject agreed to the transfer of the data;

original personal data is stored in Vietnam;

the country of recipient imposes the same or higher level of data protection (must have a document proving the same); and

the Personal Data Protection Commission agrees to the transfer in writing.

The proposed effective date of the PDPD is 01 Dec 2021. No grace period is provided.