Support Centre

Vietnam

Summary

Law: Decree No. 13/2023/ND-CP on the Protection of Personal Data (only available in Vietnamese here) ('PDPD')

Regulator: The primary regulatory authorities are the Ministry of Public Security ('MPS') and the Ministry of Information and Communication ('MIC').

Summary: The PDPD is the first comprehensive data protection law in Vietnam and will enter into effect on 1 July 2023. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. More specifically, the PDPD introduces restrictions on cross border data transfers and obligations for data processing including the purchase and sale of personal information, as well as marketing and advertising.

The PDPD is accompanied by other legislation which provide personal data protections including the Law on Cyber Information Security No. 86/2015/QH13 ('LCIS'), the Law on Cybersecurity No. 24/2018/QH14 ('the Cybersecurity Law') (only available to download in Vietnamese here), and Law No. 59/2010QH12 of 17 November 2010 on Protection of Consumers' Rights. In addition, Decree No. 53/2022/ND-CP Detailing Some Articles of Network Security Law (only available in Vietnamese here) outlines data localisation requirements in Vietnam. Furthermore, Vietnam is party to several international data transfer agreements, including the APEC Privacy Framework and the ASEAN Framework on Personal Data Protection.

Insights

The Government of Vietnam issued, on 17 April 2023, the highly anticipated Decree No.13/2023/ND on the Protection of Personal Data ('PDPD') which represents the first comprehensive document governing personal data protection in Vietnam. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. OneTrust DataGuidance Research provides an overview of the most significant provisions under the PDPD.

Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.

The Ministry of Public Security ('MPS') released, in February 2021, a draft Decree on Personal Data Protection ('the draft Decree'). The draft Decree was submitted for public comment in 2021 and is currently under review. OneTrust DataGuidance breaks down the draft Decree's key provisions and obligations.

With an unconventional piecemeal approach to data protection, global organisations may find it difficult to adapt their privacy programs to the Vietnamese framework. Le Ton Viet, Associate at Russin & Vecchi, discusses this area and its future.