New Decree on Personal Data Protection

Vietnam's much-anticipated Decree No. 13/2023/ND-CP on the Protection of Personal Data was issued on 17 April 2023 (“PDPD”). This comprehensive regulation marks a significant step forward in the country´s efforts to safeguard individuals' personal information and privacy rights. The Decree is scheduled to take effect on 1 July 2023, and will apply to both local and offshore entities involved in personal data processing.


Definitions and Scope of Application


The PDPD has provided a clear definition of personal data. According to the PDPD, personal data pertains to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalents that are linked to an individual or used to identify them. It is worth noting that personal data is classified into two categories: “general personal data” and “sensitive personal data”, in which the list of sensitive personal data covers a broad and non-exhaustive range of information.

The new PDPD introduces further terms related to personal data protection activities. For instance, "Personal data processing" refers to a broad set of activities related to personal data, which can include collecting, storing, sharing, and deleting the personal data. The PDPD defines a "Personal Data Controller" as an individual or organization that has the authority to determine the purpose and methods of personal data processing. On the other hand, a "Personal Data Processor" is an entity that processes personal data on behalf of the controller through a contract or agreement. 




The scope of the new PDPD includes (i) Vietnamese agencies, organizations, and individuals, (ii) foreign agencies, organizations, and individuals located in Vietnam, (iii) Vietnamese agencies, organizations, and individuals operating outside of Vietnam, and (iv) foreign agencies, organizations, and individuals that engage in personal data processing within Vietnam.

Principles of Personal Data Protection

The PDPD sets out principles for Personal Data Protection, which follows a similar approach like the data protection principles stipulated in the EU's General Data Protection Regulation (the "GDPR"): Lawfulness, Individuality, Transparency, Minimization, Data Quality, Limited Use, Security and Confidentiality and Accountability. 

Consent of Data Subject

The term "data subject" refers to an individual to whom the data pertains. In order to ensure the legality of data processing, obtaining the data subject's consent is generally considered crucial. According to the PDPD, unless certain exceptions apply, consent from the data subject must be obtained for all data processing activities. To be considered valid, the data subject's consent must be freely given, and they must have full knowledge of the personal data being processed, the purpose of the data processing, the parties involved in processing the data, and their own rights and obligations. 
Valid consent from the data subject must be clear and specifically expressed through a written instrument, voice, ticking a consent box, text message, selecting technical settings, or another demonstrable action. Consent must be given for a single purpose, with all purposes listed for multiple purposes. It must also be provided in a printable or electronic format. The data subject's silence or non-response is not considered as a “consent”.


  • Personal data may be processed to protect lives in emergencies; proof required by the Personal Data Controller, Processor, or Third Party;
  • Personal data may be disclosed in accordance with the law;
  • Regulatory authorities may process personal data in emergency situations like national defense, safety, or epidemics, and to prevent crime, riots, terrorism, and law violations;
  • Personal data may be processed to fulfill contractual obligations with relevant parties as per the law;
  • Personal data may be processed to serve regulatory authorities' operations per relevant laws.

Mandatory requirements to conduct an Impact Assessment

Both, the Personal Data Controller and the Personal Data Processor, are required to perform the assessments of the impact of personal data processing. The assessment must include the following information: 
  • contact details and information about the controller and processor (if applicable); 
  • the names and contact details of the data protection officers for both the controller and processor;
  • the purposes for which the data is being processed; 
  • the types of data being processed; 
  • the recipients of the data, including those outside of Vietnam; 
  • any transfers of data from Vietnam; 
  • the duration of the data processing, including when it will be deleted; 
  • a description of the security measures applied to protect the data, and 
  • an evaluation of the benefits, risks, and any measures taken to mitigate such risks or harms associated with processing the data.
These assessments must be available for inspection and evaluation by the Ministry of Public Security. An original copy of the assessment must also be forwarded to the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention).

Requirements and restrictions for Outbound Transfer of Personal Data

“Outbound transfer of personal data” refers to an act of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of a Vietnamese citizen. For outbound transfers of personal data from Vietnam, a transfer impact assessment must be carried out. This assessment should include full contact details of the exporter, importer, and any other involved parties, objectives of the transfer, types of personal data, security measures applied, impact assessment, measures taken to mitigate risks, and consent of data subjects. The PDPD mandates a legally binding document outlining responsibilities of the exporter and importer for the transfer of data overseas. The original documents must be submitted to Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) within 60 days of data processing, and the Ministry of Public Security may prevent any data transfer that violates national security, non-compliance with the DPDP's requirements, or unintended disclosure or loss of personal data.

Our Conclusions 

The new PDPD is a comprehensive regulation that aims to safeguard individuals' privacy rights. It applies to both local and offshore entities and imposes additional and stricter obligations for companies that handle personal data. 
Upon the effectiveness of the PDPD, it is advisable for both local and foreign entities that collect and/or process personal data of Vietnamese individuals or foreign individuals to take the following actions:
  • Obtain valid consents from the relevant data subjects;
  • Conduct an assessment of the impact of personal data processing and submit it to the Ministry of Public Security;
  • Prepare and submit an assessment of the impact of offshore personal data transfer to the Ministry of Public Security; 
  • Companies involved in personal data processing must review their policies and procedures to ensure they comply with this new regulation.

 From The Newsletter


Contact Person Picture

Michael Wekezer


+84 28 7307 2788

Send inquiry

Contact Person Picture

Hanh Pham

Associate Partner

+84 28 7307 2788

Send inquiry

 How We Can Help

Deutschland Weltweit Search Menu