New Personal Data Protection Decree of Vietnam


On 17 April 2023, the Government issued the long-awaited Decree 13/2023/ND-CP on Personal Data Protection (“Decree 13”), which will take effect from 01 July 2023. With the Law on Cybersecurity (before 4/2018/QH14) dated 12 June 2018 and its first implementing Decree 53/2022/ND-CP dated 15 August 2022, Decree 13 forms the third legal document issued in the Government’s initiative to strengthen the legal framework governing cyberspace. Decree 13 provides more detailed data protection and cybersecurity obligations with respect to personal data processing activities.

Who needs to comply?

Decree 13 applies to any domestic or foreign organizations or individuals that are involved in processing personal data in Vietnam (e.g., employees, customers, suppliers, users, or other individuals), even if the processing occurs outside of Vietnam.

Whilst Decree 13 has similar requirements compared to the European Union’s General Data Protection Regulation (“GDPR”), there are some significant differences, such as requirements for cross border transfers, consent forms and impact assessment reports, and lawful basis for processing personal data.

Companies that have privacy management practice and policies in place that are either GDPR-compliant or compliant with other privacy laws are not automatically granted a free pass as to compliance with Decree 13. With the effective date of 1 July 2023, businesses should begin reviewing their internal privacy management practices and policies immediately to identify gaps and a corresponding action plan.

How to comply?

We have outlined in the below table some of the key compliance requirements of Decree 13. Note that many of the provisions in this Decree are broadly worded and interpreting the same will be challenging. Given the short time for implementation, we expect that the Ministry of Public Security (“MPS”) will issue further guidance on how Decree 13 is interpreted and enforced. These guidelines will assist businesses compliance efforts. We will continue to closely monitor the developments and provide updates. In the interim, there are various steps that businesses can take immediately to comply with Decree 13.

Action items

Identify role in processing personal data

Identify types of personal data processed

Identify lawful basis for personal data processing

Implement mechanism for individuals to withdraw consent

Personal data processing notification requirements

Implement system to handle data subject requests

Data protection officer

Data security and data breach notification/reporting

Impact assessment reports to authorities for personal data processing and cross border transfer

Investigations and audits

The Decree 13 is expected to provide a strong protection for each and every individual in Vietnam when it is integrating deeply into the world digital era. 

Post a Comment