Law: Decree No. 13/2023/ND-CP on the Protection of Personal Data (only available in Vietnamese here) ('PDPD')

Regulator: The primary regulatory authorities are the Ministry of Public Security ('MPS') and the Ministry of Information and Communication ('MIC').

Summary: The PDPD is the first comprehensive data protection law in Vietnam and will enter into effect on 1 July 2023. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. More specifically, the PDPD introduces restrictions on cross border data transfers and obligations for data processing including the purchase and sale of personal information, as well as marketing and advertising.

The PDPD is accompanied by other legislation which provide personal data protections including the Law on Cyber Information Security No. 86/2015/QH13 ('LCIS'), the Law on Cybersecurity No. 24/2018/QH14 ('the Cybersecurity Law') (only available to download in Vietnamese here), and Law No. 59/2010QH12 of 17 November 2010 on Protection of Consumers' Rights. In addition, Decree No. 53/2022/ND-CP Detailing Some Articles of Network Security Law (only available in Vietnamese here) outlines data localisation requirements in Vietnam. Furthermore, Vietnam is party to several international data transfer agreements, including the APEC Privacy Framework and the ASEAN Framework on Personal Data Protection.