DATA PROTECTION LAW IN VIETNAM

Personal data is a valuable asset in the digital age, as it is “associated with or identifies a specific person.” Online services such as e-commerce, digital banking, and e-health collect and process vast amounts of personal data. If not handled and protected properly, personal data can be misused, leading to breaches of privacy and security-related crimes.

To align with international practices and regulations on personal data protection, Vietnam is in the process of issuing unified legal documents to guide personal data protection. Currently, Decree 13/2023/ND-CP issued by the Government on April 17, 2023 (“Decree 13”) serves as a crucial legal framework governing the collection, processing, storage, and protection of personal data. It aims to ensure privacy and information security in the digital age. Decree 13 establishes technical and legal requirements for businesses that process and control the data of Vietnamese citizens.

What Should Businesses Do to Minimize Legal Risks When Processing Personal Data?

  1. Decree 13 defines personal data processing broadly as “one or more activities affecting personal data, such as collecting, recording, analyzing, confirming, storing, editing, disclosing, combining, accessing, retrieving, recalling, encoding, decoding, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.”
  2. Principles of personal data protection:
    a. Personal data must be processed in accordance with the law.
    b. Data subjects must be informed about activities related to the processing of their personal data.
    c. Personal data may only be processed for the registered and declared purposes.
    d. Personal data collected must be appropriate and limited to the scope and purpose of processing.
    e. Personal data must be updated and supplemented as necessary for the processing purpose.
    f. Personal data must be protected and secured during processing, including safeguarding against breaches, unauthorized access, and risks of loss, destruction, or damage using technical measures.
    g. Personal data must be stored only for a period appropriate to the processing purpose, unless otherwise required by law.
  3. Based on these principles, businesses must obtain clear, voluntary, and affirmative consent from data subjects before processing their personal data, except in certain legally permitted exceptions. “Consent” must be explicitly expressed in one of the following ways: written agreement, verbal consent, checking a consent box, consent syntax via text message, selecting technical consent settings, or any other action demonstrating clear consent. As part of compliance, businesses must prepare and provide a Personal Data Processing Notice to data subjects, which must include the following key details:
    a. Types of personal data being processed;
    b. Purpose of data processing;
    c. Methods of data processing;
    d. Start and end date of data processing; and
    e. Rights of the data subject.
    Data subjects must sign the Notice to confirm their understanding and agreement to the data processing activities.
  4. Under Decree 13, data controllers, data processors, and entities performing both roles must establish and submit a Personal Data Processing Impact Assessment Dossier to A05 (Department of Cyber Security and High-Tech Crime Prevention) within 60 days from the start of data processing. These dossiers must be readily available for inspection and assessment and must be updated and supplemented whenever changes occur.
  5. Businesses transferring personal data abroad must establish a Cross-Border Personal Data Transfer Impact Assessment Dossier and fulfill the same obligations as required for domestic data processing (as outlined above).
  6. Entities processing sensitive personal data must establish a dedicated department responsible for personal data protection, appoint personnel in charge of personal data protection, and report information about the designated department and personnel to A05.

Although the prevailing laws of Vietnam do not currently impose administrative sanctions for non-compliance, Vietnamese state agencies have adopted strict supervision and inspection measures. Additionally, the Draft Law on Personal Data Protection, expected to take effect on January 1, 2026, will further regulate data protection. To mitigate legal risks and ensure compliance, businesses should proactively adhere to Decree 13 and prepare for future regulatory developments.

______________________

Should you have any inquiries, please do not hesitate to contact us.

𝟏𝟗𝟖𝟗 𝐋𝐀𝐖

Website: 1989law.vn

Hotline: (+84) 945.45.45.11

Address: No. 207C Nguyen Xi, Ward 26, Binh Thanh District, Ho Chi Minh City, Vietnam
