What are the cases in which the Ministry of Public Security of Vietnam shall decide to request the Sender to stop transferring personal data abroad?

Main Content

• What is the outbound transfer of personal data in Vietnam?
• What are the cases in which the Ministry of Public Security of Vietnam shall decide to request the Sender to stop transferring personal data abroad?
• What are the dossiers on assessment of impact of outbound transfer of personal data in Vietnam?

What is the outbound transfer of personal data in Vietnam?

Pursuant to Clause 14, Article 2 of Decree No. 13/2023/ND-CP stipulating outbound transfer of personal data in Vietnam as follows:

“Outbound transfer of personal data” refers to an act of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of a Vietnamese citizen. To be specific:

- An organization, enterprise or individual transfers personal data of an Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the data subject;

- The personal data of a Vietnamese citizen is processed by automatic systems outside the territory of the Socialist Republic of Vietnam of the Personal Data Controller, Personal Data Controller-cum-Processor, Personal Data Processor for the purposes agreed upon by the data subject.

What are the cases in which the Ministry of Public Security of Vietnam shall decide to request the Sender to stop transferring personal data abroad? (Image from the Internet)

What are the cases in which the Ministry of Public Security of Vietnam shall decide to request the Sender to stop transferring personal data abroad?

Pursuant to Clause 8, Article 25 of Decree No. 13/2023/ND-CP stipulating as follows:

Outbound transfer of personal data

1. A Vietnamese citizen’s personal data shall be transferred abroad in case where the Sender makes a dossier on assessment of impact of outbound transfer of personal data and carries out the procedures specified in Clauses 3, 4 and 5 of this Article. The senders include the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party.

2. A dossier on assessment of impact of outbound transfer of personal data includes:

a) Contact information and details of the Sender and the Receiver;

b) Full name and contact details of an organization or individual under the Sender involved in sending and receiving a Vietnamese citizen’s personal data;

c) Description and explanation about objectives of the processing of a Vietnamese Citizen’s personal data after the personal data is transferred abroad;

d) Description and clarification of type of personal data to be transferred abroad;

dd) Description and explanation about the observance of regulations on protection of personal data in this Decree, detailed measures for protecting personal data;

e) Assessment of impact of personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.

g) Consent of the data subject according to regulations in Article 11 of this Decree when he/she is informed of the mechanism for feedback and complaint in case of arising problems or requests;

h) Document that shows obligations and responsibilities between the Senders and the Receivers for processing of a Vietnamese Citizen’s personal data.

3. A dossier on assessment of impact of outbound transfer of personal data shall be always available in order to serve inspection and assessment by the Ministry of Public Security of Vietnam.

The Sender shall send 01 authentic copy of the assessment to the Ministry of Public Security of Vietnam (Department of CyberSecurity and Hi-tech Crime Prevention) according to Form No. 06 in the Appendix of this Decree within 60 days from the date of processing of personal data.

4. The Sender shall notify the Ministry of Public Security of Vietnam (Department of CyberSecurity and Hi-tech Crime Prevention) of information about the data transfer and contact details of the organization or individual in charge of such transfer in writing after the personal data is successfully transferred.

5. The Ministry of Public Security of Vietnam (Department of CyberSecurity and Hi-tech Crime Prevention) shall make assessment and request the Sender to complete the dossier on assessment of impact of outbound transfer of personal data in case the assessment is not complete and accurate according to regulations.

6. The Sender shall update and amend the dossier on assessment of impact of outbound transfer of personal data when there is any change of contents submitted to the Ministry of Public Security of Vietnam (Department of CyberSecurity and Hi-tech Crime Prevention) according to Form No. 05 in the Appendix of this Decree. The duration for completion of the dossier on assessment for the Sender is 10 days from the date of request.

7. According to specific situation, the Ministry of Public Security of Vietnam shall decide to inspect the outbound transfer of personal data once a year, unless it detects violations against the law on protection of personal data in this Decree or a Vietnamese citizen's personal data is leaked or lost.

8. The Ministry of Public Security of Vietnam shall decide to request the Sender to stop transferring personal data abroad in the following cases:

a) It is detected that the transferred personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam.

b) The Sender does not comply with regulations in Clause 5 and Clause 6 of this Article;

c) A Vietnamese citizen's personal data is leaked or lost.

Thus, according to the above provisions, the Ministry of Public Security of Vietnam shall decide to request the Sender to stop transferring personal data abroad in the following cases:

- It is detected that the transferred personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam.

- The Sender does not comply with regulations in Clause 5 and Clause 6 Article 25 of Decree No. 13/2023/ND-CP;

- A Vietnamese citizen's personal data is leaked or lost.

What are the dossiers on assessment of impact of outbound transfer of personal data in Vietnam?

Pursuant to Clause 2, Article 25 of Decree No. 13/2023/ND-CP, a dossier on assessment of impact of outbound transfer of personal data includes:

- Contact information and details of the Sender and the Receiver;

- Full name and contact details of an organization or individual under the Sender involved in sending and receiving a Vietnamese citizen’s personal data;

- Description and explanation about objectives of the processing of a Vietnamese Citizen’s personal data after the personal data is transferred abroad;

- Description and clarification of type of personal data to be transferred abroad;

- Description and explanation about the observance of regulations on protection of personal data in this Decree, detailed measures for protecting personal data;

- Assessment of impact of personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.

- Consent of the data subject according to regulations in Article 11 of Decree No. 13/2023/ND-CP when he/she is informed of the mechanism for feedback and complaint in case of arising problems or requests;

- Document that shows obligations and responsibilities between the Senders and the Receivers for processing of a Vietnamese Citizen’s personal data.

Decree No. 13/2023/ND-CP takes effect from July 1, 2023.