Support Centre



Law: Decree No. 13/2023/ND-CP on the Protection of Personal Data (only available in Vietnamese here) ('PDPD')

Regulator: The primary regulatory authorities are the Ministry of Public Security ('MPS') and the Ministry of Information and Communication ('MIC').

Summary: The PDPD is the first comprehensive data protection law in Vietnam and will enter into effect on 1 July 2023. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. More specifically, the PDPD introduces restrictions on cross border data transfers and obligations for data processing including the purchase and sale of personal information, as well as marketing and advertising.

The PDPD is accompanied by other legislation which provide personal data protections including the Law on Cyber Information Security No. 86/2015/QH13 ('LCIS'), the Law on Cybersecurity No. 24/2018/QH14 ('the Cybersecurity Law') (only available to download in Vietnamese here), and Law No. 59/2010QH12 of 17 November 2010 on Protection of Consumers' Rights. In addition, Decree No. 53/2022/ND-CP Detailing Some Articles of Network Security Law (only available in Vietnamese here) outlines data localisation requirements in Vietnam. Furthermore, Vietnam is party to several international data transfer agreements, including the APEC Privacy Framework and the ASEAN Framework on Personal Data Protection.


It has been almost 60 days since the enactment of the Vietnam Government's Decree No. 13/2023/ND-CP on the Protection of Personal Data (PDPD), the country's first comprehensive legislative instrument governing personal data protection, and thus the deadline for outbound data transfer impact assessments (OTIA) submissions is approaching. By adopting the PDPD's broad extraterritoriality,[1] Vietnam's Government has set a bold goal to effectively safeguard Vietnamese citizens' rights and interests over their personal data. Therefore, businesses, particularly multinational corporations frequently involved with the international transfer of personal data, must be aware of how the PDPD regulates their transfer activities.

This Insight article provides a comprehensive look at the outbound transfer of personal data, and related requirements, including the matters necessary for the compilation of OTIA, as well as differences between OTIA and data processing impact assessments (DPIA) under the PDPD, allowing businesses to take note of some key compliance takeaways.

On April 17, 2023, the Government issued its long-awaited Decree on the Protection of Personal Data (PDPD). Logan Leung, Deputy Managing Partner at Rajah & Tann LCT Lawyers, provides an overview of the PDPD, including obligations for data processors and data controllers, consent requirements, and cross-border data transfers.

The Government of Vietnam issued, on 17 April 2023, the highly anticipated Decree No.13/2023/ND on the Protection of Personal Data ('PDPD') which represents the first comprehensive document governing personal data protection in Vietnam. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. OneTrust DataGuidance Research provides an overview of the most significant provisions under the PDPD.

Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.

The Ministry of Public Security ('MPS') released, in February 2021, a draft Decree on Personal Data Protection ('the draft Decree'). The draft Decree was submitted for public comment in 2021 and is currently under review. OneTrust DataGuidance breaks down the draft Decree's key provisions and obligations.

With an unconventional piecemeal approach to data protection, global organisations may find it difficult to adapt their privacy programs to the Vietnamese framework. Le Ton Viet, Associate at Russin & Vecchi, discusses this area and its future.