Personal data processors that violate regulations on personal data would be subject to a maximum fine of VND 80-100 million (USD 3,400-4,300), according to the second draft of a decree on protection of personal data formulated by the Ministry of Public Security (MPS).
|Hanoi police officers collect personal data for issuance of chip-based ID cards__Photo: vnexpress.net|
Specifically, a fine of VND 50-80 million (USD 2,150-3,400) would be imposed on acts of disclosing personal data, restricting the right to access personal data, processing personal data without the consent of data subjects, and violating regulations on processing of children’s personal data. Meanwhile, those that violate regulations on sensitive personal data or commit cross-border transfer of personal data would face a fine of up to VND 100 million.
Additional sanctions for violators include suspension of personal data processing activities and deprival of the rights to process sensitive personal data or transfer personal data out of Vietnam’s territory.
Under the draft, personal data are defined as data about an individual or related to a specific individual who can be identified or is identifiable. Personal data are classified into two types: (i) fundamental personal data (name, date of birth, gender; permanence residence address, contact address, email address; citizenship; marital status, etc.) and (ii) sensitive personal data (political and religious viewpoints; health status, genetic data, biometric data, and gender status; sexual life and orientation; criminal records, financial data; location data; social relation data; and other special data needed to be secured).
Data processors and third parties may disclose personal data without the consent of data subjects when such disclosure is necessary for national interests, national security or social order and safety or in case of emergency when the life or health of data subjects or community well-being is under threat. The disclosure of personal data in the mass media would be also permitted as long as it does not cause harms to data subjects.
However, the disclosure of personal data is prohibited if it involves sensitive personal data or causes harms to lawful interests of data subjects.
One of the most notable provisions of the draft concerns the establishment of the Committee for Personal Data Protection which would be organized as a government-attached organization placed at the MPS’s Department of Cybersecurity and Hi-Tech Crime Prevention and tasked to consider and license personal data processing activities in the country.
As for cross-border transfer of Vietnamese citizens’ personal data, the draft says that such transfer would be permitted on the following four conditions: (i) obtaining the consent of data subjects; (ii) storing original data in Vietnam; having proof that the countries, territories or areas to which data are transferred have issued regulations on protection of personal data at a level equal to or higher than Vietnam’s; and (iv) obtaining approval from the Committee for Personal Data Protection.- (VLLF)