LEGAL CONSIDERATIONS ON CROSS-BORDER TRANSFER OF PERSONAL DATA

The cross-border transfer of personal data has become a common practice in the digital era, driven by the need to leverage technological infrastructure, enhance data analytics capabilities, enable long-term storage, and optimize personalized customer services for business operations. However, any transfer of personal data beyond the territorial boundaries of Vietnam must strictly comply with legal procedures as prescribed by applicable laws. Such compliance is essential to ensure national cybersecurity and safeguard the privacy rights of data subjects.

Cross-border transfer of personal data must serve legitimate and permissible purposes

Personal data may only be collected, processed, and transferred across borders for legitimate and permissible purposes, such as advanced big data analytics, artificial intelligence training, customer service enhancement, or other lawful purposes as agreed upon by the parties involved. In addition to compliance with applicable legal provisions, the purpose of any cross-border transfer of personal data must be explicitly consented to by the data subject in an electronic or verifiable format that is, a format that can be printed or otherwise reproduced in writing.

Cross-border transfer of personal data may be carried out in one of two ways: (i) directly by organizations, enterprises, or individuals in Vietnam to overseas entities or foreign-based management units for processing; or (ii) through automated systems located outside the territory of Vietnam.

Personal data includes all directly identifiable information (such as full name, date of birth, national ID/citizen ID/passport number) and indirectly identifiable information (such as service usage behavior, geolocation data, health data, and financial data). Under Decree No. 13/2023/ND-CP, personal data is classified into two categories: general personal data and sensitive personal data, depending on the level of impact such data may have on the data subject.

Entities authorized to conduct cross-border transfer of personal data include Personal data controllers, Personal data controller-cum-processors, Personal data processors, and Third parties, as defined under the applicable legal framework.

Enterprises must fulfill all legal requirements when conducting cross-border transfers of personal data

Pursuant to Article 25 of Decree No. 13/2023/ND-CP, the cross-border transfer of personal data belonging to Vietnamese citizens must satisfy specific conditions and comply fully with all prescribed legal procedures.

Cross-border data transfer impact assessment

Enterprises are required to prepare a Cross-border transfer impact assessment dossier in accordance with the prescribed template and submit it to the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security within 60 days from the commencement of data processing activities. This dossier must clearly describe the purpose, scope, and types of personal data to be transferred; assess the potential impacts and risks; and set out measures to eliminate or mitigate such risks accordingly.

In addition, once the cross-border transfer of personal data has been completed, the enterprise must notify the Ministry of Public Security in writing, providing detailed information regarding the transfer and the contact details of the responsible organization or individual.

Timely reporting and updating of impact assessment dossier

In the event of any changes to the information contained in the previously submitted dossier, the data-transferring party is obligated to promptly update and supplement the Cross-border transfer impact assessment dossier accordingly. The updated documentation must be completed within 10 days from the date of the request.

Failure to comply with these legal obligations may result in the Ministry of public security issuing a decision to suspend the enterprise’s cross-border transfer of personal data.

Retention of documentation for periodic and ad-hoc inspections

Cross-border transfers of personal data are subject to periodic inspections, which may occur once per year or as otherwise determined by the Ministry of Public Security, depending on the specific circumstances. Ad-hoc inspections may also be conducted in cases where there are indications of legal violations concerning personal data protection, or in the event of incidents involving data breaches or data loss.

The Cross-border transfer impact assessment dossier must be readily available at all times for inspection and assessment upon request by the competent authority.

Liability of enterprise in the event of a personal data breach

As a personal data controller or personal data processor, the enterprise bears legal liability not only before the competent authorities but also direct responsibility toward data subjects in the event of any data breach, leakage, or loss.

In the event of a data incident, the enterprise is obligated to report to the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security within 72 hours of the incident. Concurrently, it must immediately implement appropriate technical and organizational measures to prevent further harm, contain the incident, and restore the compromised data. The Ministry of Public Security reserves the right to order a suspension of any ongoing cross-border transfer of personal data until the incident is fully remedied.

Enterprises must also ensure transparency in the investigation of the cause of the incident and uphold the rights of data subjects in accordance with legal regulations and contractual commitments. Liability for damages shall be determined proportionally based on the actual extent of harm incurred.

>> NEW REGULATIONS ON PERSONAL DATA PROTECTION, WHAT DO ENTERPRISES NEED TO DO? https://linconlaw.vn/new-regulations-on-personal-data-protection-what-do-enterprises-need-to-do/

>> WHAT IS SENSITIVE PERSONAL DATA? RESPONSIBILITIES OF THE DATA PROCESSOR? https://linconlaw.vn/what-is-sensitive-personal-data-responsibilities-of-the-data-processor/