Skip to main content

Vietnam Personal Data Protection Decree (Decree 13/2023/ND-CP)

Vietnam's Personal Data Protection Decree (Decree 13/2023) is the country's first comprehensive data protection instrument, requiring demonstrable consent, data subject rights, impact assessment dossiers, cross-border transfer assessments, and 72-hour breach notification.

Jurisdiction
Vietnam

Vietnam Personal Data Protection Decree (Decree 13/2023/ND-CP)

Vietnam's Personal Data Protection Decree, Decree No. 13/2023/ND-CP, is the country's first comprehensive instrument dedicated to personal data protection. It took effect on July 1, 2023. Issued as a government decree ahead of an anticipated full Personal Data Protection Law, it nonetheless imposes detailed, binding obligations on organizations and individuals that process personal data. Oversight rests primarily with the Ministry of Public Security.

Who It Applies To

The decree applies to Vietnamese and foreign agencies, organizations, and individuals that process the personal data of people in Vietnam, including processing conducted from abroad. It distinguishes basic personal data from sensitive personal data, the latter covering categories such as health, financial, biometric, and location data, with stricter handling rules.

Key Requirements

Processing generally requires the data subject's consent, which must be given freely, clearly, and for specified purposes, and consent records must be demonstrable. Data subjects have rights including to be informed, to consent and withdraw consent, to access, to correct, to delete, to restrict processing, to object, and to complain. A central obligation is the preparation of impact assessment dossiers: controllers and processors must compile a Personal Data Processing Impact Assessment and, for transfers of Vietnamese personal data abroad, a separate Transfer Impact Assessment, both kept available for inspection by the authorities. Organizations must also implement security measures and notify the authority of violations within 72 hours of becoming aware.

Penalties for Non-Compliance

The decree itself requires compliance but is enforced alongside administrative sanctions under related regulations, with monetary fines and potential suspension of data processing or cross-border transfer activities. Continued development of the sanctioning framework, including significant fines, has accompanied the move toward a full statute. Serious violations may also engage criminal liability under the Penal Code.

How to Comply

Build robust, demonstrable consent flows and honor the listed data subject rights. Prepare and maintain Personal Data Processing Impact Assessment dossiers and, for any export of Vietnamese personal data, Transfer Impact Assessment dossiers available to regulators. Implement security measures and a 72-hour breach-notification process.

Practical Notes

The defining operational burden in Vietnam is documentation: both the Personal Data Processing Impact Assessment and, for exports, the Transfer Impact Assessment must be compiled and kept available for the Ministry of Public Security. Organizations transferring Vietnamese personal data abroad should prepare these dossiers early. A full Personal Data Protection Law is expected to build on the decree, so programs should be designed to scale with stronger statutory obligations.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.