Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located outside the country.
Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted internationally;
- people/entities outside the country being able to access or "see" personal data held in the country; and,
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
The law is currently silent on the transfer of employee data outside of Vietnam.
Vietnam’s new Law on Cybersecurity (No. 24/2018/QH14) has data localization requirements for domestic and foreign service providers using internet and telecommunication networks. The Law includes requirements to store certain data for a specified time period within Vietnam and is applicable to: (1) users’ personal data, (2) data on the relationships of users, and (3) data generated by users in Vietnam. Government decrees (regulations relating) to this law have not been finalized. The decrees, once published, should provide clarity on the numerous uncertainties relating to data transfer under the Law of Cybersecurity.
The Vietnamese government is drafting a decree on personal data protection (the Draft PDP Decree). Under the current Draft PDP Decree, there would be specific requirements for the cross-border transfer of personal data, including requiring the original version of the data to be stored in Vietnam. It is unclear whether this version will be approved and when it would go into effect.