The Personal Data Protection Decree (PDPD) of Vietnam explicitly uses the factor of processing in jurisdiction to determine its scope of applicability, extending its reach to foreign entities that process personal data within Vietnam's territory.

Text of Relevant Provisions

PDPD Art.1(2)(d):

"2. This Decree applies to:

d) Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam."

Analysis of Provisions

The PDPD clearly establishes its applicability to data processing activities occurring within Vietnam's territorial boundaries, regardless of the entity's origin. This is evident from the phrase "foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam" in Article 1(2)(d).

This provision captures two key elements:

1. The entities covered: "foreign agencies, organizations and individuals"
2. The qualifying activity: "directly process or are involved in processing personal data in Vietnam"

By including this provision, the Vietnamese lawmakers have ensured that any foreign entity engaging in data processing activities within Vietnam's territory falls under the PDPD's jurisdiction. This approach aligns with the principle of territorial sovereignty in data protection laws, where a country asserts its authority over activities occurring within its borders, regardless of the actor's nationality or place of establishment.

The use of the phrase "directly process or are involved in processing" suggests a broad interpretation of what constitutes data processing activities. It not only covers entities that directly handle personal data but also those that may be indirectly involved in the processing chain, as long as these activities occur within Vietnam.

Implications

The inclusion of this factor in the PDPD has significant implications for foreign businesses operating in or targeting the Vietnamese market:

1. Extraterritorial reach: Foreign companies without a physical presence in Vietnam may still be subject to the PDPD if they process personal data of Vietnamese residents within the country's territory. This could include, for example, using local data centers or cloud services located in Vietnam.
2. Compliance obligations: Foreign entities processing data in Vietnam must adhere to all PDPD requirements, including obtaining consent, implementing security measures, and potentially appointing local representatives.
3. Cross-border data transfers: Companies that collect data in Vietnam but process it elsewhere may need to comply with both the PDPD and any regulations governing cross-border data transfers.
4. Local infrastructure considerations: Foreign businesses may need to reassess their data processing infrastructure and consider whether maintaining or establishing local data processing capabilities in Vietnam is necessary to comply with the law.
5. Potential dual compliance: Multinational companies may find themselves subject to both the PDPD and their home country's data protection laws, necessitating a comprehensive compliance strategy.

This provision effectively ensures that all personal data processing activities within Vietnam's borders are subject to the same legal standards, creating a level playing field for domestic and foreign entities while safeguarding the personal data of individuals in Vietnam.