Vietnam: Official issuance of Vietnam Decree on Personal Data Protection (PDPD)

Resolution 13/NQ-CP in 2023 approving the dossier to develop the Decree on Personal Data Protection issued by the Government

Mirroring the EU’s General Data Protection Regulation in different aspects, the PDPD introduces various new requirements to any organizations/individuals engaging in and/ or related to personal data processing activities in Vietnam.

Vietnam has issued its first comprehensive legal document, Decree 13, which governs the protection of personal data in the country. The new decree has significantly improved as compared to the Draft Decree, incorporating key aspects necessary to protect personal data and aligning with the General Data Protection Regulation (GDPR). Onshore and offshore entities that collect and/or process personal data of Vietnamese or foreign individuals residing in Vietnam must comply with Decree 13 by 1 July 2023.

Highlights under the PDPD include:

• The PDPD has an extra-territorial scope of application, meaning it applies to both local and offshore entities directly involved in personal data processing activities in Vietnam.
• The PDPD recognizes the concepts of “data controller” and “data processor,” as well as introducing the concept of a “data controlling and processing entity.”
• The definition of personal data and data processing under the PDPD is broad, with personal data classified into two groups: basic personal data and sensitive personal data. The list of sensitive personal data is extensive and not exhaustive.
• The PDPD introduces new requirements for valid consent, processing of sensitive personal data, and cross-border data transfer. However, there is no specific data localization requirement.
• Entities must apply different managerial and technical measures to protect personal data, including personal data protection impact assessments.
• The PDPD imposes strict time limits for complying with a data subject’s request.

They must obtain proper consent from data subjects, determine the type of personal data they deal with, and prepare an impact assessment of personal data processing and offshore transferring of personal data. In addition, they must establish a system to protect personal data safety and confidentiality, and set up a personal data protection department and a data compliance officer if they deal with sensitive personal data. However, small and medium enterprises or start-ups are exempt from certain requirements until 1 July 2025. Decree 13 currently lacks the potential penalty that may apply in case of non-compliance, unlike the GDPR which has clear penalties and fines for violations.

The scope of application under Decree 13 includes Vietnamese and foreign organizations and individuals operating in or related to personal data processing activities in Vietnam, personal data of Vietnamese and foreign individuals residing in Vietnam, and offshore entities collecting and/or processing personal data. It is unclear if onshore entities collecting and processing personal data of foreign individuals residing outside of Vietnam will be subject to Decree 13. Decree 13 defines personal data as any information that identifies or associates with a particular natural person expressed in any electronic form. It covers both basic and sensitive personal data, excluding information about a person’s blood type. Decree 13 distinguishes between the terms “data controller” and “data processor,” similar to those provided under the GDPR, enhancing transparency in the allocation of rights and obligations among parties involved in data processing and aligning with international best practices.