Vietnam: Processing by Entity Registered or Incorporated in Jurisdiction

The factor of processing by an entity registered or incorporated in the jurisdiction is used to determine the applicability of the Decree No. 13/2023/ND-CP on the Protection of Personal Data (PDPD) in Vietnam. This factor extends the law's scope to Vietnamese entities regardless of their location.

Text of Relevant Provisions

PDPD Art.1(2)(a):

"2. This Decree applies to:a) Vietnamese agencies, organizations and individuals;"

PDPD Art.1(2)(c):

"2. This Decree applies to:c) Vietnamese agencies, organizations and individuals that operate in foreign countries;"

Original (Language): Not applicable as the original text is provided only in English.

Analysis of Provisions

The PDPD explicitly states its applicability to Vietnamese entities in two separate provisions. Article 1(2)(a) establishes that the decree applies to "Vietnamese agencies, organizations and individuals". This broad statement encompasses all Vietnamese entities, regardless of their specific nature or structure.

Furthermore, Article 1(2)(c) extends the decree's reach to "Vietnamese agencies, organizations and individuals that operate in foreign countries". This provision is particularly significant as it demonstrates the law's extraterritorial application to Vietnamese entities operating abroad.

The inclusion of these provisions serves several purposes:

  1. It ensures comprehensive coverage of Vietnamese entities, both domestically and internationally.
  2. It prevents Vietnamese entities from evading data protection responsibilities by operating outside the country's borders.
  3. It aligns with the global trend of extending data protection laws beyond territorial boundaries to protect citizens' data rights.

Implications

The implications of these provisions for businesses are far-reaching:

  1. All Vietnamese entities, regardless of size or sector, must comply with the PDPD when processing personal data.
  2. Vietnamese companies operating internationally cannot escape the decree's obligations by moving their data processing activities offshore.
  3. Multinational corporations with Vietnamese subsidiaries or branches must ensure compliance with the PDPD for those entities.

Examples of cases where the law applies due to this factor include:

  • A Vietnamese company processing customer data within Vietnam.
  • A Vietnamese tech startup operating in Silicon Valley, USA, but still processing data of Vietnamese citizens.
  • A Vietnamese branch of a multinational corporation handling employee data.

It's important to note that the law does not limit its application to only processing data of Vietnamese citizens. The provisions suggest that any data processing by Vietnamese entities, regardless of the data subjects' nationality, falls under the PDPD's scope.

This broad applicability underscores the need for Vietnamese businesses, and international companies with Vietnamese operations, to carefully review their data processing activities and ensure compliance with the PDPD, regardless of where those activities occur.


Jurisdiction Overview