Vietnam Data Privacy Laws: Decree 13/2023 Personal Data Protection Guide (2026)

Overview of Vietnam's Data Protection Framework
Vietnam's data protection landscape has undergone rapid transformation. For years, the country relied on a patchwork of provisions scattered across multiple laws, including the Civil Code, the Law on Information Technology (2006), the Law on Cybersecurity (2018), and various sector-specific regulations. This fragmented approach lacked the comprehensive framework needed for a modern digital economy.

That changed on 17 April 2023 when the Vietnamese Government issued Decree No. 13/2023/ND-CP on Personal Data Protection (commonly referred to as the PDPD). Effective from 1 July 2023, this decree represents Vietnam's first dedicated personal data protection regulation and brings the country's framework significantly closer to international standards such as the GDPR.
The decree was followed by the Law on Data (Law No. 60/2024/QH15), passed on 30 November 2024 and effective from 1 July 2025. This broader law expands regulation from personal data to all categories of digital data, signaling Vietnam's intent to build a comprehensive data governance framework.
Decree 13/2023/ND-CP: Key Provisions
Scope and Application
Decree 13 applies to all Vietnamese and foreign agencies, organizations, and individuals in Vietnam that are directly involved in or related to the processing of personal data of Vietnamese citizens. It also applies to foreign organizations and individuals outside Vietnam that process the personal data of Vietnamese citizens.
This broad territorial scope means that international companies providing services to Vietnamese users or processing their data are subject to the decree, regardless of where the company is based or where the processing takes place.
Definition of Personal Data
The decree distinguishes between two categories of personal data, each subject to different levels of protection.
Basic personal data includes names, dates of birth, gender, place of birth, nationality, personal images, phone numbers, email addresses, identification numbers, marital status, family relationships, and social media account information.
Sensitive personal data includes political and religious views, health conditions, genetic and biometric data, sexual orientation, criminal records, financial data, location data, and data about an individual's activities on digital platforms. Processing of sensitive data requires stricter safeguards and, in many cases, explicit consent.
Consent Requirements
Consent is a central pillar of Decree 13. The decree requires that consent be given voluntarily, knowingly, and in writing (which includes electronic formats). Data subjects must be informed of the type of personal data to be processed, the purpose of processing, the organizations and individuals authorized to process the data, and the rights and obligations of the data subject.
For sensitive personal data, consent must be explicit. The decree requires that data subjects be clearly notified that the data being processed falls into the sensitive category.
Consent may be withdrawn at any time, and organizations must cease processing within 72 hours of receiving a withdrawal request. Organizations must also be able to demonstrate that valid consent was obtained, placing the burden of proof on the data controller.
Data Subject Rights
Decree 13 establishes a set of rights for data subjects that parallels those found in the GDPR. These include the right to be informed about processing activities, the right to consent or withdraw consent, the right to access personal data, the right to delete or correct personal data, the right to restrict processing, the right to data portability, the right to object to processing, and the right to file complaints with authorities.
Data controllers must respond to data subject requests within 72 hours and must provide a mechanism for individuals to exercise their rights.
Data Protection Impact Assessments
Organizations that process sensitive personal data or that process data on a large scale must conduct Data Protection Impact Assessments (DPIAs). The results of these assessments must be documented and retained for the duration of the processing activity.
For cross-border data transfers, a specific impact assessment dossier must be prepared and submitted to the Ministry of Public Security.
Cross-Border Data Transfers
Transfer Requirements
One of the most impactful provisions of Decree 13 concerns cross-border data transfers. Any entity that transfers personal data of Vietnamese citizens outside Vietnam must meet several requirements.
First, the transferring organization must prepare a comprehensive impact assessment dossier. This dossier must describe the data to be transferred, the purpose of the transfer, the identity of the receiving party, the data protection measures in place, and an assessment of the potential impact on data subjects.
Second, the dossier must be submitted to the Ministry of Public Security's Department of Cybersecurity and High-Tech Crime Prevention within 60 days of the initial processing.
Third, the original copy of the consent from the data subject must be obtained before the transfer takes place.
Broad Definition of Cross-Border Transfer
The decree defines cross-border data transfer broadly. It includes not only the physical or electronic transmission of data outside Vietnam but also any processing of Vietnamese citizens' personal data using automated systems located outside the country. This broad definition effectively captures cloud computing services, SaaS platforms, and any international digital service that processes data on servers outside Vietnam.
Data Localization Under the Cybersecurity Law
While Decree 13 does not itself mandate data localization, Decree No. 53/2022/ND-CP implementing the Law on Cybersecurity does impose localization requirements. Companies that provide services on telecommunications networks, the internet, or value-added services in cyberspace in Vietnam and that collect, exploit, analyze, or process data related to personal information, user-created data, or relationship data of Vietnamese users must store this data in Vietnam.
The interaction between these two frameworks creates a complex compliance landscape for organizations, particularly international technology companies and cloud service providers.
The Law on Data (Law No. 60/2024/QH15)
Expanded Scope
The Law on Data, passed on 30 November 2024 and effective from 1 July 2025, significantly expands Vietnam's data governance framework. While Decree 13 focuses specifically on personal data, the Law on Data covers all digital data, including non-personal data.
The law introduces new data categories, including "important data" and "core data," which face additional restrictions, particularly regarding cross-border transfers. Important and core data categories are determined based on considerations of national defense, security, foreign affairs, and socioeconomic stability.
National Data Infrastructure
The Law on Data establishes provisions for a national data infrastructure, including requirements for data centers and data processing facilities. It also addresses data sharing between government agencies and the development of a national data strategy.
Enforcement and Penalties
Enforcement Authorities
The Ministry of Public Security (MPS), through its Department of Cybersecurity and High-Tech Crime Prevention, is the primary enforcement authority for personal data protection in Vietnam. The MPS receives impact assessment dossiers for cross-border transfers, investigates complaints, and takes enforcement action against violations.
Other ministries and agencies also play roles in data protection enforcement within their respective sectors. The Ministry of Information and Communications oversees information technology and telecommunications, while sector-specific regulators address data protection in areas such as banking and healthcare.
Administrative Penalties
Violations of personal data protection provisions can result in administrative fines. While Decree 13 itself does not specify a detailed penalty schedule, existing administrative penalty frameworks apply. Fines for data protection violations can reach hundreds of millions of Vietnamese dong.
The Government has been working on additional implementing regulations to establish a more detailed penalty framework specific to personal data protection violations.
Criminal Liability
In serious cases, data protection violations can give rise to criminal liability under the Penal Code. Article 288 addresses violations of regulations on the provision and use of computer networks and telecommunications networks. Article 159 addresses violations of the right to private correspondence, telephone, and telegraph. These provisions can result in imprisonment for serious offenses involving unauthorized access to or disclosure of personal data.
Data Controller and Processor Obligations
Appointment of Data Protection Personnel
Organizations that process sensitive personal data or large volumes of personal data must designate a department and individuals responsible for data protection. While the decree does not use the exact term "Data Protection Officer," the functional requirement is similar, requiring organizations to have dedicated personnel overseeing compliance.
Record Keeping
Data controllers and processors must maintain records of their processing activities, including the categories of data processed, the purposes of processing, the parties with access to the data, and the retention periods. These records must be made available to the Ministry of Public Security upon request.
Security Measures
The decree requires organizations to implement appropriate technical and organizational measures to protect personal data. These measures must address the risks of unauthorized access, destruction, loss, alteration, or disclosure of personal data. For sensitive data, enhanced security measures are required.
Breach Notification
In the event of a personal data breach, the data controller must notify the Ministry of Public Security within 72 hours of discovering the breach. The notification must include details about the nature of the breach, the categories of data affected, the number of data subjects affected, and the remedial measures taken or planned.
Practical Compliance Considerations
Organizations operating in Vietnam face several practical challenges in complying with the evolving data protection framework. The broad definition of cross-border transfers means that virtually any use of international cloud services or platforms requires impact assessment dossiers and regulatory filing.
The 72-hour timelines for responding to data subject requests and reporting breaches are more aggressive than those in some other jurisdictions, requiring organizations to establish efficient processes and escalation procedures.
The ongoing development of implementing regulations means that compliance requirements continue to evolve. Organizations should monitor regulatory developments closely and maintain flexibility in their compliance programs.
The intersection of Decree 13, the Law on Cybersecurity, and the new Law on Data creates a multi-layered regulatory framework that requires careful analysis to identify all applicable obligations. Organizations should conduct comprehensive assessments of their data processing activities to ensure compliance across all relevant laws and regulations.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.