On April 17, 2023, the Vietnamese government issued Decree No. 13/2023/ND on the Protection of Personal Data (“PDPD”), following extensive public consultations and multiple rounds of review since the first release of its draft version in February 2021. This long-awaited legal instrument is designed to be the very first comprehensive regulation on the protection of personal data in Vietnam. The PDPD is set to take effect on July 1, 2023, without any transitional period. All Vietnamese and foreign organizations and individuals located in Vietnam and/or directly participating in or related to personal data processing activities in Vietnam must comply with the PDPD.
As expected, the PDPD sets out significant new requirements on the processing of personal data. The most critical provisions include:
- Eight principles for the processing of personal data: (i) lawfulness, (ii) transparency, (iii) purpose limitation, (iv) data minimization, (v) accuracy, (vi) integrity, confidentiality, and security, (vii) storage limitation, and (viii) accountability (Article 3).
- Critical new definitions and concepts, notably including personal data (Article 2.1); basic personal data (Article 2.3); sensitive data (Article 2.4); data subject (Article 2.6); data controller (Article 2.9); data processor (Article 2.10); parties controlling and processing personal data (Article 2.11); third parties (Article 2.12); and cross-border transfer of personal data (Article 2.14).
- Eleven data subject rights, including the right to know; right to consent; right to access; right to withdraw consent; right to delete data; right to restrict data processing; right to request the provision of data; right to object to data processing; right to complain, denounce and initiate lawsuits; right to claim compensation for damage; and right to self-defense (Article 9).
- Specific responsibilities of data controllers (Article 38), data processors (Article 39) and third parties (Article 41).
- Specific requirements in the exercise of data subject rights (Articles 14-16).
- Rules on data subjects’ consent, including the requirements on validity, acceptable formats and withdrawal of consent (Articles 11 and 12).
- Requirements on data processing impact assessment (Article 24).
- Conditions for cross-border transfer of personal data, including a transfer impact assessment and post-transfer notification sent to the Department of Cyber Security and Hi-Tech Crime Prevention of the Ministry of Public Security (Article 25).
- Rules on privacy notices, including timing to send the notices and mandatory content of the notices (Article 13).
- Rules on processing of personal data obtained through audio and video recording activities in public places (Article 18).
- Rules on processing of personal data of individuals who are declared missing or deceased (Article 19).
- Processing of children’s personal data (Article 20).
- Rules on protection of personal data in the business of marketing services and introducing advertising products (Article 21).
- Cases where personal data can be processed without consent (Article 17).
- Measures to protect personal data in general (Article 26), basic personal data (Article 27) and sensitive personal data (Article 28). The measures to protect sensitive personal data include assigning a data protection officer.
The PDPD will have far-reaching implications across virtually all business operations in Vietnam. We will provide further analysis on the anticipated impact of the PDPD in upcoming articles to help companies chart their compliance strategies.
Related: For a deeper exploration of the changes introduced by the PDPD, please see “A Closer Look at Vietnam’s First-Ever Personal Data Protection Decree.”