



Explore Vietnam's new data privacy law, Decree 13/2023, which introduces strict regulations on personal data handling and cross-border transfers.
Vietnam's groundbreaking 2023 Personal Data Protection Decree introduces strict regulations governing the collection, use, and protection of personal data within the country. This comprehensive law aims to provide enhanced data security, regulate data processing activities, and ensure the privacy of individuals in Vietnam. With data protection being a growing concern worldwide, this new decree is pivotal for businesses, data controllers, and data processors operating in Vietnam.
Whether you're a business owner or a privacy enthusiast, understanding this decree is crucial for compliance and safeguarding personal data. Read on to explore the core elements of this regulation and how it impacts personal data rights in Vietnam.
Vietnam’s Personal Data Protection Law of 2023, implemented through Decree No. 13/2023/ND-CP, establishes a comprehensive framework to safeguard personal data. Effective from July 1, 2023, this decree applies to any organization, domestic or foreign, that processes the personal data of Vietnamese citizens. Its primary objective is to enhance data privacy and ensure that companies adhere to strict guidelines on data processing, security, and consent.
This law defines personal data in two categories: basic personal data and sensitive personal data, each with its own handling requirements. Sensitive data, which includes health information and political views, is subject to more stringent controls.
The law also grants Vietnamese citizens the right to access, update, and delete their data, empowering individuals with greater control over their personal information.
Additionally, the decree mandates that organizations appoint a data protection officer, conduct data protection impact assessments for high-risk processing activities, and implement robust security measures to prevent unauthorized access or misuse of data.
For companies with cross-border data transfers, the decree imposes stringent conditions, requiring consent from data subjects and verification of data protection measures in the receiving country.
Non-compliance with the law can result in substantial penalties, underscoring the importance of adhering to these new data protection standards in Vietnam.
Decree 13/2023/ND-CP applies to all individuals and organizations, whether you’re based in Vietnam or abroad, if you engage in the processing of personal data within or outside of Vietnam.
This regulation requires you to review and update your internal policies and privacy management practices. You must identify any gaps in compliance with the requirements of Decree 13/2023/ND-CP and develop corresponding action plans to ensure full adherence.
Decree 13/2023/ND-CP categorizes entities involved in personal data processing into three types:
According to Decree 13/2023/ND-CP, basic personal data includes:
Sensitive personal data refers to information associated with an individual’s privacy that could significantly impact their legitimate rights and interests if violated. Sensitive personal data includes:
Under Decree 13/2023/ND-CP, there are specific situations where you may process personal data without obtaining the data subject’s consent:
These exemptions are designed to allow necessary flexibility while still safeguarding personal data rights under Vietnamese law.
Decree 13/2023/ND-CP defines processing personal data to include various actions, such as collecting, recording, analyzing, storing, modifying, disclosing, combining, accessing, retrieving, encrypting, sharing, transmitting, providing, transferring, deleting, and destroying data, among other related activities.
As a business owner, you must ensure that each stage of handling personal data has the data subject’s consent, except where the law allows otherwise. This consent is only valid if the data subject gives it willingly and is fully aware of:
Personal data protection includes actions to prevent, detect, and address any violations involving personal data, as required by Vietnamese law.
Under Decree 13/2023/ND-CP, the following activities are strictly prohibited for businesses:
Violating these regulations can result in serious penalties, from administrative sanctions to legal prosecution. Additionally, the Decree strictly prohibits the buying and selling of personal data in any form, considering these activities illegal. As a business owner, it’s essential to ensure compliance with these prohibitions to avoid legal risks and protect your business reputation.
Under Vietnam’s Decree 13/2023/ND-CP, data subjects have various rights over their personal data, and as a business owner, it’s essential to understand and respect these rights to maintain compliance:
Under Decree 13/2023/ND-CP, data controllers and processors have specific responsibilities to ensure the protection and lawful processing of personal data in Vietnam. As a business owner, here are the key obligations you should be aware of:
Under Vietnam’s Decree 13/2023/ND-CP, managing consent in personal data processing is essential to ensure compliance and respect individuals’ rights.
As a business, you must obtain explicit, informed consent from data subjects before processing their personal data, covering details like the type of data collected, the processing purpose, and any third parties involved. This consent must be voluntary, fully informed, and documented for legal compliance. Additionally, data subjects have the right to withdraw their consent at any time, so it’s crucial to have systems in place that allow for easy consent withdrawal and stop future processing based on that consent.
If you change how you use the data or add new processing purposes, you must obtain updated consent to ensure transparency. Properly managing and recording consent not only aligns with legal standards but also strengthens customer trust in your data practices.
Certain businesses are required to appoint a Data Protection Officer (DPO) to oversee compliance with data protection regulations. If your business handles large volumes of personal data or processes sensitive data, having a DPO is mandatory.
The DPO’s role involves monitoring data protection practices, conducting impact assessments, and ensuring that all data processing activities align with the law. Additionally, the DPO serves as a point of contact for data subjects and regulatory authorities, helping address inquiries and ensuring compliance.
Appointing a DPO is especially crucial for businesses that frequently process personal data or transfer it abroad, as this role helps reduce legal risks and fosters a culture of data privacy within your organization.
Under Decree 13/2023/ND-CP, as a business owner, you are required to create and keep up-to-date records of impact assessments for any personal data processing activities. From the start of data processing, these records must be easily accessible at all times for inspection by the Ministry of Public Security, which helps ensure that any data risks are clearly identified and documented.
If your business transfers personal data of Vietnamese citizens outside of Vietnam—as often seen with international businesses—you’ll need to prepare an impact assessment report specifically for this cross-border data transfer. This report must be available for the Ministry of Public Security’s review to verify compliance with Vietnamese data protection laws.
Additionally, you must submit the original impact assessment report to the Ministry of Public Security’s Department of Cybersecurity and High-Tech Crime Prevention within 60 days of beginning data processing. This submission should use Form No. 06 as specified in the Decree’s Appendix, ensuring all documentation meets the legal requirements for international data transfers.
For a more in-depth look at these requirements, check out our Vietnam’s Personal Data Protection Law Checklist for Compliance.
Under Decree 13, entities classified as Personal Data Controllers (PDC), Personal Data Processors (PDP), and Personal Data Controllers and Processors (PDCP) are required to prepare an impact assessment dossier detailing their data processing activities. This dossier must be submitted to the Ministry of Public Security (MPS) for review and updated periodically whenever there are content changes or at the MPS's request.
In cases of cross-border transfers, where personal data of Vietnamese citizens is transferred or processed outside of Vietnam, a separate impact assessment dossier is required. The entity initiating the transfer must submit this dossier to the MPS within 60 days of the transfer’s commencement and ensure it is updated as needed based on content changes or at the MPS's request.
Under Decree 13/2023/ND-CP, the Department of Cybersecurity and High-Tech Crime Prevention is the primary agency responsible for personal data protection. This department assists the Ministry of Public Security in managing and enforcing state regulations on personal data protection.
Additionally, the national portal on personal data protection plays a key role in spreading awareness, updating legal information, and receiving data-related inquiries and reports, helping to ensure that businesses and individuals stay informed on data protection requirements.
Businesses can prepare by conducting data audits, establishing robust data protection policies, and training employees on data privacy. These measures are critical for achieving compliance and maintaining trust.
Navigating the requirements of Vietnam's Decree 13/2023/ND-CP can be complex, but Secure Privacy is here to make compliance straightforward and achievable. Our platform provides powerful tools to manage data processing documentation, consent tracking, impact assessments, and data subject requests—all in one place.
With built-in data security measures, automated compliance reports, and customizable privacy notices, Secure Privacy helps you meet legal requirements effortlessly while protecting your customers' trust.
Ready to simplify compliance? Contact us today to see how Secure Privacy can support your business in meeting Vietnam's data protection standards.