Data Privacy Law in Vietnam: PDPD Compliance Guide

Introduction

Vietnam's Personal Data Protection Decree (PDPD, Decree 13/2023/ND-CP), effective July 1, 2023, established the country's first comprehensive data privacy framework. For businesses operating in or targeting Vietnam, compliance is now mandatory.

Scope and Applicability

Who must comply?

  • All organizations processing personal data of individuals in Vietnam
  • Both Vietnamese and foreign entities
  • Applies regardless of where processing occurs

What is personal data?

Basic personal data: Name, date of birth, gender, address, phone number, email, nationality, ID number, images.

Sensitive personal data: Political opinions, religious beliefs, health data, financial data, sexual orientation, biometric data, genetic data, criminal records, location data.

Key Obligations

1. Consent

  • Must obtain explicit consent before processing personal data
  • Consent must be informed, specific, and freely given
  • For sensitive data: consent must be separate and explicit
  • Must be able to demonstrate consent was obtained

2. Data Processing Agreement

Required for all data processing activities. Must include:

  • Purpose of processing
  • Types of data processed
  • Duration of processing
  • Security measures
  • Rights of data subjects

3. Data Protection Impact Assessment

Required when:

  • Processing sensitive personal data
  • Processing data of children
  • Cross-border data transfers
  • Using new technologies for processing
  • Processing data for automated decision-making

4. Data Breach Notification

  • Notify the Ministry of Public Security within 72 hours
  • Notify affected data subjects without undue delay
  • Document all breaches regardless of notification obligation

Data Subject Rights

Individuals have the right to:

  1. Be informed about data collection and processing
  2. Consent to or refuse data processing
  3. Access their personal data
  4. Rectify inaccurate data
  5. Delete their data
  6. Restrict processing
  7. Object to processing
  8. Data portability — receive data in a structured format
  9. Lodge complaints with authorities
  10. Claim damages for violations

Cross-Border Data Transfer

Requirements

Transfer of personal data outside Vietnam requires:

  1. Consent of the data subject
  2. Data Protection Impact Assessment
  3. Notification to the Ministry of Public Security
  4. The transferring organization remains responsible for data protection
  5. Written agreement with the receiving party

Data Localization

  • No general data localization requirement
  • Specific sectors (banking, telecom) may have localization rules
  • Government data must be stored in Vietnam

Penalties

  • Administrative fines: up to 100 million VND per violation
  • Criminal liability: possible for severe violations
  • Civil liability: damages claims from affected individuals
  • Operational: suspension of data processing activities

Compliance Roadmap

Immediate steps

  1. Audit current data practices: What data do you collect, why, and where is it stored?
  2. Update privacy policies: Vietnamese and English versions
  3. Implement consent mechanisms: Clear, specific, documented
  4. Appoint a data protection officer: Recommended for organizations processing large volumes

Ongoing compliance

  1. Regular data protection impact assessments
  2. Employee training on data handling
  3. Vendor due diligence for data processors
  4. Incident response plan for data breaches
  5. Annual compliance review

Conclusion

Vietnam's PDPD represents a significant step toward international data privacy standards. Early compliance not only avoids penalties but builds trust with Vietnamese consumers and business partners.

Contact Attorney Vo Thien Hien at Apolo Lawyers for data privacy compliance advisory.