Vietnam's Personal Data Protection Decree:Key Insights on Data Law

Vietnam's groundbreaking 2023 Personal Data Protection Decree introduces strict regulations governing the collection, use, and protection of personal data within the country. This comprehensive law aims to provide enhanced data security, regulate data processing activities, and ensure the privacy of individuals in Vietnam. With data protection being a growing concern worldwide, this new decree is pivotal for businesses, data controllers, and data processors operating in Vietnam.

Whether you're a business owner or a privacy enthusiast, understanding this decree is crucial for compliance and safeguarding personal data. Read on to explore the core elements of this regulation and how it impacts personal data rights in Vietnam.

What Is Vietnam’s Personal Data Protection Law of 2023?

Vietnam’s Personal Data Protection Law of 2023, implemented through Decree No. 13/2023/ND-CP, establishes a comprehensive framework to safeguard personal data. Effective from July 1, 2023, this decree applies to any organization, domestic or foreign, that processes the personal data of Vietnamese citizens. Its primary objective is to enhance data privacy and ensure that companies adhere to strict guidelines on data processing, security, and consent.

This law defines personal data in two categories: basic personal data and sensitive personal data, each with its own handling requirements. Sensitive data, which includes health information and political views, is subject to more stringent controls.

The law also grants Vietnamese citizens the right to access, update, and delete their data, empowering individuals with greater control over their personal information.

Additionally, the decree mandates that organizations appoint a data protection officer, conduct data protection impact assessments for high-risk processing activities, and implement robust security measures to prevent unauthorized access or misuse of data.

For companies with cross-border data transfers, the decree imposes stringent conditions, requiring consent from data subjects and verification of data protection measures in the receiving country.

Non-compliance with the law can result in substantial penalties, underscoring the importance of adhering to these new data protection standards in Vietnam.

Who Must Comply with the New Personal Data Protection Law?

Decree 13/2023/ND-CP applies to all individuals and organizations, whether you’re based in Vietnam or abroad, if you engage in the processing of personal data within or outside of Vietnam.

This regulation requires you to review and update your internal policies and privacy management practices. You must identify any gaps in compliance with the requirements of Decree 13/2023/ND-CP and develop corresponding action plans to ensure full adherence.

Who Are Involved in Data Processing?

Decree 13/2023/ND-CP categorizes entities involved in personal data processing into three types:

1. Personal Data Controller (PDC): This is an individual or organization that determines the purpose and methods of processing personal data. The PDC is responsible for deciding how and why data is processed.
2. Personal Data Processor (PDP): This refers to an individual or organization that processes data on behalf of a Personal Data Controller, based on a contractual agreement. The PDP operates under the instructions and authority of the PDC.
3. Personal Data Controller and Processor (PDCP): This entity performs both roles, acting simultaneously as a controller and processor of personal data. The PDCP manages data processing decisions while also performing processing activities directly.

What is Basic Personal Data and Sensitive Personal Data?

According to Decree 13/2023/ND-CP, basic personal data includes:

• Full name, middle name, birth name, and any other names;
• Date of birth, date of death or missing status;
• Gender;
• Place of birth, birth registration, permanent and temporary residence, current address, hometown, contact address;
• Nationality;
• Personal image;
• Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, tax identification number, social insurance number, health insurance card number;
• Marital status;
• Family relationships (e.g., parents, children);
• Information on digital accounts;
• Data reflecting online activities and activity history in cyberspace;
• Any other information that identifies a specific person or helps in identification, excluding data classified as sensitive.

Sensitive personal data refers to information associated with an individual’s privacy that could significantly impact their legitimate rights and interests if violated. Sensitive personal data includes:

• Political and religious views;
• Health status and private life details recorded in medical records, excluding blood type information;
• Information on racial or ethnic origin;
• Genetic characteristics, whether inherited or acquired;
• Physical and biological attributes;
• Sex life and sexual orientation;
• Criminal records and offenses documented by law enforcement;
• Customer data held by credit institutions, foreign bank branches, and payment intermediaries, covering customer identification, account details, asset and transaction information, and guarantor details;
• Location data identified through location-based services;
• Other legally required personal data that demands unique and stringent security measures.

When Can You Process Personal Data Without the Subject’s Consent?

Under Decree 13/2023/ND-CP, there are specific situations where you may process personal data without obtaining the data subject’s consent:

• If immediate processing is essential to protect the life and health of the data subject or others. In this case, you, as the Personal Data Controller or Processor, or a relevant Third Party, must be able to demonstrate that the situation requires such action.
• When making personal data public, ensure that you comply with all legal requirements governing such disclosure.
• In emergencies where state agencies need to process personal data—such as for national defense, security, social order, disaster response, or controlling dangerous epidemics. This also covers situations with security or defense risks, preventing and combating riots, terrorism, crime, or other legal violations.
• To fulfill any contractual obligations you may have with the data subject in connection with agencies, organizations, or individuals, as prescribed by law.
• When complying with specific laws that require processing personal data in support of state agency operations.

These exemptions are designed to allow necessary flexibility while still safeguarding personal data rights under Vietnamese law.

How Should You Handle Personal Data Under Vietnam’s Data Protection Law?

Decree 13/2023/ND-CP defines processing personal data to include various actions, such as collecting, recording, analyzing, storing, modifying, disclosing, combining, accessing, retrieving, encrypting, sharing, transmitting, providing, transferring, deleting, and destroying data, among other related activities.

As a business owner, you must ensure that each stage of handling personal data has the data subject’s consent, except where the law allows otherwise. This consent is only valid if the data subject gives it willingly and is fully aware of:

• The specific types of personal data you plan to process;
• The purpose behind processing their data;
• The organizations and individuals involved in handling the data;
• Their rights and obligations regarding their personal data.

What Are Prohibited by the Vietnam Data Protection Law?

Personal data protection includes actions to prevent, detect, and address any violations involving personal data, as required by Vietnamese law.

Under Decree 13/2023/ND-CP, the following activities are strictly prohibited for businesses:

• Processing personal data in ways that violate Vietnam’s personal data protection laws;
• Using personal data to distribute information that opposes the State of the Socialist Republic of Vietnam;
• Processing personal data to create information that threatens national security, disrupts social order, or infringes on the legitimate rights and interests of other organizations or individuals;
• Conducting any data processing that obstructs the state’s personal data protection efforts;
• Exploiting personal data protection measures to carry out unlawful activities.

Violating these regulations can result in serious penalties, from administrative sanctions to legal prosecution. Additionally, the Decree strictly prohibits the buying and selling of personal data in any form, considering these activities illegal. As a business owner, it’s essential to ensure compliance with these prohibitions to avoid legal risks and protect your business reputation.

What Are the Rights of Data Subjects in Vietnam?

Under Vietnam’s Decree 13/2023/ND-CP, data subjects have various rights over their personal data, and as a business owner, it’s essential to understand and respect these rights to maintain compliance:

1. Right to Be Informed: You must inform data subjects about how their data is collected, processed, and used, including details on data types, purposes, and any parties involved.
2. Right to Consent: Data subjects need to give explicit consent before their data is processed. Ensure you have clear, documented consent from users to avoid non-compliance.
3. Right to Access: Data subjects can request access to their personal data held by your business. Be prepared to provide this information promptly when requested.
4. Right to Withdraw Consent: Individuals have the right to withdraw their consent at any time, impacting future data processing. Make sure your systems allow for easy consent withdrawal.
5. Right to Data Deletion: Data subjects can request deletion of their data if it’s no longer necessary or if they withdraw consent. Establish processes for handling deletion requests quickly and securely.
6. Right to Restrict Processing: Data subjects may ask to limit data processing, especially if there’s a dispute over data accuracy. Ensure your systems can apply restrictions as needed.
7. Right to Data Portability: Individuals may request their data in a structured, machine-readable format or have it transferred to another data controller. Set up protocols to enable secure data transfer when requested.
8. Right to Object: Data subjects can object to data processing under certain conditions. Have a process in place to manage and respond to objections effectively.

What Are the Obligations of Data Controllers and Processors Under Vietnam’s Data Protection Law?

Under Decree 13/2023/ND-CP, data controllers and processors have specific responsibilities to ensure the protection and lawful processing of personal data in Vietnam. As a business owner, here are the key obligations you should be aware of:

1. Ensure Data Security Measures: Data controllers and processors must implement technical and organizational measures to protect personal data from unauthorized access, breaches, or misuse. This includes encryption, access controls, and regular security assessments.
2. Obtain Consent: Explicit consent from data subjects is required before processing their data, except in cases specified by law. Make sure consent is clear, informed, and documented for compliance.
3. Maintain Records of Processing Activities: You must document and maintain detailed records of all personal data processing activities. These records should be readily available for review by the Ministry of Public Security to ensure transparency.
4. Appoint a Data Protection Officer (DPO): Businesses involved in processing high volumes or sensitive personal data must appoint a Data Protection Officer to oversee compliance with data protection laws and ensure that data processing activities meet legal requirements.
5. Conduct Impact Assessments: Before starting data processing, especially for activities that pose high risks, data controllers and processors must conduct and maintain records of impact assessments to evaluate and mitigate potential risks to data subjects.
6. Ensure Compliance for Cross-Border Data Transfers: If personal data is transferred outside Vietnam, you are required to conduct impact assessments and maintain dossiers on data transfers. Additionally, you must submit these dossiers to the Ministry of Public Security’s Department of Cybersecurity and High-Tech Crime Prevention.
7. Notify Authorities and Data Subjects of Breaches: In the event of a data breach, you are obligated to promptly notify both the data subjects affected and relevant authorities to ensure transparency and manage potential risks.

How Is Consent Managed in Personal Data Processing Under Vietnam’s Data Protection Law?

Under Vietnam’s Decree 13/2023/ND-CP, managing consent in personal data processing is essential to ensure compliance and respect individuals’ rights.

As a business, you must obtain explicit, informed consent from data subjects before processing their personal data, covering details like the type of data collected, the processing purpose, and any third parties involved. This consent must be voluntary, fully informed, and documented for legal compliance. Additionally, data subjects have the right to withdraw their consent at any time, so it’s crucial to have systems in place that allow for easy consent withdrawal and stop future processing based on that consent.

If you change how you use the data or add new processing purposes, you must obtain updated consent to ensure transparency. Properly managing and recording consent not only aligns with legal standards but also strengthens customer trust in your data practices.

Do You Need A Data Protection Officer?

Certain businesses are required to appoint a Data Protection Officer (DPO) to oversee compliance with data protection regulations. If your business handles large volumes of personal data or processes sensitive data, having a DPO is mandatory.

The DPO’s role involves monitoring data protection practices, conducting impact assessments, and ensuring that all data processing activities align with the law. Additionally, the DPO serves as a point of contact for data subjects and regulatory authorities, helping address inquiries and ensuring compliance.

Appointing a DPO is especially crucial for businesses that frequently process personal data or transfer it abroad, as this role helps reduce legal risks and fosters a culture of data privacy within your organization.

What Is Required for Cross-Border Data Transfers?

Under Decree 13/2023/ND-CP, as a business owner, you are required to create and keep up-to-date records of impact assessments for any personal data processing activities. These records must be easily accessible at all times to meet inspection requirements by the Ministry of Public Security from the start of data processing, helping ensure any data risks are clearly identified and documented.

If your business transfers personal data of Vietnamese citizens outside of Vietnam—as often seen with international businesses—you’ll need to prepare an impact assessment report specifically for this cross-border data transfer. This report must be available for the Ministry of Public Security’s review to verify compliance with Vietnamese data protection laws.

Additionally, you must submit the original impact assessment report to the Ministry of Public Security’s Department of Cybersecurity and High-Tech Crime Prevention within 60 days of beginning data processing. This submission should use Form No. 06 as specified in the Decree’s Appendix, ensuring all documentation meets the legal requirements for international data transfers.

For a more in-depth look at these requirements, check out our Vietnam’s Personal Data Protection Law Checklist for Compliance.

What Are the Impact Assessment Requirements for Data Processing and Cross-Border Transfers

Under Decree 13, entities classified as Personal Data Controllers (PDC), Personal Data Processors (PDP), and Personal Data Controllers and Processors (PDCP) are required to prepare an impact assessment dossier detailing their data processing activities. This dossier must be submitted to the Ministry of Public Security (MPS) for review and updated periodically whenever there are content changes or at the MPS's request.

In cases of cross-border transfers, where personal data of Vietnamese citizens is transferred or processed outside of Vietnam, a separate impact assessment dossier is required. The entity initiating the transfer must submit this dossier to the MPS within 60 days of the transfer’s commencement and ensure it is updated as needed based on content changes or at the MPS's request.

Who Enforces the Decree?

Under Decree 13/2023/ND-CP, the Department of Cybersecurity and High-Tech Crime Prevention is the primary agency responsible for personal data protection. This department assists the Ministry of Public Security in managing and enforcing state regulations on personal data protection.

Additionally, the national portal on personal data protection plays a key role in spreading awareness, updating legal information, and receiving data-related inquiries and reports, helping to ensure that businesses and individuals stay informed on data protection requirements.

How Can Businesses Prepare for Compliance with the Decree?

Businesses can prepare by conducting data audits, establishing robust data protection policies, and training employees on data privacy. These measures are critical for achieving compliance and maintaining trust.

How Can Secure Privacy Help You Comply with Vietnam’s Data Protection Law?

Navigating the requirements of Vietnam's Decree 13/2023/ND-CP can be complex, but Secure Privacy is here to make compliance straightforward and achievable. Our platform provides powerful tools to manage data processing documentation, consent tracking, impact assessments, and data subject requests—all in one place.

With built-in data security measures, automated compliance reports, and customizable privacy notices, Secure Privacy helps you meet legal requirements effortlessly while protecting your customers' trust.

Ready to simplify compliance? Contact us today to see how Secure Privacy can support your business in meeting Vietnam's data protection standards.