On April 17, 2023, the Vietnamese Government issued Decree No. 13/2023/ND-CP on personal data protection (“Decree 13”), the first legal instrument in Vietnam that provides a comprehensive framework for the protection of personal data. In addition to drawing on certain aspects of the General Data Protection Regulation (“GDPR”) of the European Union, Decree 13 also introduces several new requirements for organizations and individuals involved in personal data processing activities in Vietnam. Below is a summary of the notable provisions of Decree 13:

  1. Scope of application: Decree 13 applies to Vietnamese individuals and organizations (including those operating offshore) and also to foreign entities operating in Vietnam, or directly engaging in or relating to personal data processing activities in Vietnam (Article 1.2).
  2. Key definitions: Like the Draft Decree on personal data protection (“Draft PDPD”), released in 2021 for public comments, Decree 13 includes broad definitions of key terms. In particular:
    • “Personal data” means information in the form of symbols, scripts, numbers, images, sounds or any other similar form in the electronic environment, which pertains to a particular individual or facilitates the identification of a particular individual. Personal data includes “basic personal data” and “sensitive personal data” (Article 2.1).
    • “Basic personal data” includes the name, date of birth, gender, place of birth, address, nationality, personal image, phone number, ID number, passport number, driver’s license number, license plate number, personal tax number, social insurance number, health insurance card number, marital status, family relationship information, data about digital accounts, data reflecting activities and history of activities in cyberspace, and other data which does not qualify as “sensitive personal data” (Article 2.3).
    • “Sensitive personal data” refers to personal data associated with an individual’s privacy that, when infringed, directly affects their rights and interests. The list of sensitive personal data is broad and non-exhaustive, including: (i) political and religious views; (ii) information on health condition and personal life recorded in medical documents (excluding information about blood type); (iii) information relating to racial or ethnic origin; (iv) genetic data, i.e. information relating to inherited or acquired genetic characteristics of an individual; (v) biometric data, i.e. information about physical and biological characteristics of an individual; (vi) information on sexual life and sexual orientation of an individual; (vii) criminal records collected and stored by law enforcement agencies; (viii) client data of credit institutions, branches of foreign banks, intermediary payment service providers, or other licensed organizations; (ix) personal location data identified via location services; and (x) other personal data that the law regards as specific and requiring security measures (Article 2.4).
    • “Data processing” means one or more activities that affect personal data, such as collecting, recording, analyzing, storing, modifying, publishing, encrypting, copying, sharing, transferring, or other related actions (Article 2.7).
  3. Principles for protecting personal data: (i) lawfulness, (ii) transparency, (iii) purpose limitation, (iv) data minimization, (v) accuracy, (vi) integrity, confidentiality, and security, (vii) storage limitation, and (viii) accountability. Decree 13 explicitly prohibits the sale and purchase of personal data in any form, unless otherwise provided by law (Article 3).
  4. Regulated subjects: Taking a similar approach to the GDPR, Decree 13 mainly regulates three (3) subjects: the “data controller” (“bên kiểm soát dữ liệu cá nhân” in Vietnamese), the “data processor” (“bên xử lý dữ liệu cá nhân” in Vietnamese), and the “data controlling and processing entity” (“bên kiểm soát và xử lý dữ liệu cá nhân” in Vietnamese), which has the functions of both the data controller and the data processor (Articles 2.9, 2.10 and 2.11).
  5. Data subject rights: (i) right to know, (ii) right to consent, (iii) right to access, (iv) right to withdraw consent, (v) right to delete data, (vi) right to restrict data processing, (vii) right to request the provision of data, (viii) right to object to data processing, (ix) right to complain, denounce and initiate lawsuits, (x) right to claim compensation for damage, and (xi) right to self-defense (Article 9).
  6. Consent of data subjects: (Articles 11 and 12)
    • Consent is required for all stages of data processing, unless otherwise provided by law. If data is processed for different purposes, the data controller and the data controlling and processing entity must indicate each purpose and the data subject must be able to consent to the purposes individually.
    • Consent is valid only if the data subject provides consent voluntarily and is clearly informed of (i) the type of data being processed, (ii) the purpose(s) of the processing, (iii) the person or organization processing the data, and (iv) the data subject’s rights and obligations.
    • Consent must be clearly and specifically expressed by (i) written instrument, (ii) voice, (iii) selecting a consent box, (iv) texting consent syntax, (v) selecting consent technical settings, or (vi) other actions indicating consent. The data subject’s silence or non-response is not considered consent. The data subject may give partial or conditional consent. Provision or withdrawal of consent must be expressed in a format that can be printed, or reproduced in writing, including in electronic or verifiable formats.
    • The consent is valid until the data subject, or a competent State agency decides otherwise. Withdrawing consent does not affect the legality of data processing before the consent was withdrawn.
  7. Acting upon receipt of the data subjects’ request: The data controller and the data controlling and processing entity must comply with the data subject’s request within 72 hours of receiving a request to restrict data processing, object to data processing, provide personal data, modify personal data, or store or delete personal data (Articles 9.6(b), 9.8(b), 14.3, 15.2 and 16.5).
  8. Processing personal data without data subjects’ consent: Cases in which personal data may be processed without data subjects’ consent are similar to those provided under the Government’s Resolution No. 13/NQ-CP of February 07, 2023, including (Articles 17 and 18):
    • The processing of personal data is to protect the life and health of the data subject or other persons in an emergency situation. The data controllers, data processors, data controlling and processing entities, and third parties bear the burden of proof in this case;
    • The disclosure of personal data in accordance with laws;
    • The processing of personal data is performed by competent State agencies: in the event of emergency related to national defense, national security, social order and safety, major disaster, or dangerous epidemic; when there is a threat to security and national defense which does not result in an emergency being declared; or when the processing is to prevent and combat riots and terrorism, crime, and law violations in accordance with law;
    • The processing of personal data fulfills the data subject’s contractual obligations with relevant agencies, organizations, and individuals;
    • The processing of personal data serves the activities of state agencies prescribed by specialized laws; and
    • The processing of personal data obtained from audio and video recording activities in public locations is for the protection of national security, social order and safety, as well as the legitimate rights and interests of individuals in accordance with the law.
  9. Data processing impact assessment: The data controller, data processor, and data controlling and processing entity are required to prepare and retain a dossier assessing the impact of personal data processing (the “Processing Impact Assessment”) for the Ministry of Public Security (“MPS”). The Processing Impact Assessment must be submitted to the Department of Cyber Security and Hi-Tech Crime Prevention of the MPS within 60 days of the start of personal data processing. Any updates or changes to the Processing Impact Assessment must be reported to the MPS (Article 24).
  10. Cross-border transfer of personal data:
    • Article 2.14 of Decree 13 defines the scope of cross-border transfers of personal data, which includes (i) the use of cyberspace, electronic means or equipment, or other forms to transfer personal data of Vietnamese citizens to a location outside Vietnam’s territory, or (ii) the use of a location outside Vietnam’s territory for processing of personal data of Vietnamese citizens, including:
      • The transfer of personal data of Vietnamese citizens by organizations, enterprises, or individuals to organizations, enterprises, or management units abroad for processing in accordance with the purposes consented to by data subjects; and
      • The processing of personal data of Vietnamese citizens using automated systems located outside Vietnam’s territory by the data controller, data processor or data controlling and processing entity in accordance with the purposes consented to by data subjects.
    • Unlike the Draft PDPD, Decree 13 omits the requirement to register the cross-border transfer of personal data (including sensitive personal data). Instead, the data transferor must meet several conditions (Articles 25.1, 25.3, 25.4 and 25.6):
      • Obtain the data subject’s consent for the cross-border transfer of personal data;
      • Prepare and retain a transfer impact assessment dossier (“Transfer Impact Assessment”) for MPS inspection and evaluation. The Transfer Impact Assessment must be submitted to the Department of Cyber Security and Hi-Tech Crime Prevention of the MPS within 60 days of the transfer. Any updates or changes to the Transfer Impact Assessment must be reported to the MPS; and
      • After successful transfer of data, submit a written notification to the Department of Cyber Security and Hi-Tech Crime Prevention of the MPS, which includes details of the data transfer and the contact information of the responsible organization and/or individual.
    • The cross-border transfer of personal data may be suspended by the MPS in the following circumstances (Article 25.8):
      • The transferred personal data is used for activities that violate the interests or national security of Vietnam;
      • Failure to comply with the MPS’s request to amend the Transfer Impact Assessment; or
      • Incidents of disclosure or loss of personal data of Vietnamese citizens.
    • Unlike the Draft PDPD, Decree 13 does not require personal data to be stored in Vietnam in the case of cross-border transfer. However, Decree No. 53/2022/ND-CP implementing the Law on Cybersecurity already imposes a data localization requirement on cross-border transfers of personal data.
  11. Measures to protect personal data: Decree 13 requires managerial and technical measures to protect personal data, including the assignment of a data protection department and a data protection officer within the organization/entity (Articles 26, 27, and 28).
  12. Effective date: Decree 13 is effective on July 01, 2023. However, micro, small, and medium-sized enterprises, as well as start-up enterprises, that do not engage in personal data processing directly, are exempt from the requirement to establish a data protection department or appoint a data protection officer until 2 years from their establishment (Article 43.2).