2023 Update of the Personal Data Protection Measures in Vietnam

Vietnam has taken a significant step towards increasing the protection of personal data by implementing the 13/2023/ND-CP Decree on Personal Data Protection (“PDP Decree”), that came into effect on 1 July 2023. What does this mean for your business?

SMEs and startups benefit from a two-year grace period for the enforcement of specific provisions (providing they are not operating in the personal data processing business).

This legislation aims to ensure the privacy and security of data subjects in the digital age and Vietnam is participating in actively protecting data rights.

Find more about its key provisions and implications below.

Scope of Application of the PDP

The PDP Decree has an extraterritorial application. It applies to all individuals and organizations involved in personal data processing activities in Vietnam, regardless of their nature or nationality.

New Definitions and Principles for Data protection

The PDP Decree provides clarity by defining notions such as “basic personal data”, “sensitive personal data”, “data controller”, and “personal data processing”. By doing so, it distinguishes the different roles that data handlers have.

In addition, it introduces the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, confidentiality, accountability, and storage limitation, that must serve as guidelines when processing personal data.

Data Subject Rights

The PDP Decree expands the rights of data subjects in respect of the processing of their personal data, namely the right to give and withdraw consent, to access, update and erase their information, to be aware of data processing activities, and to object to data processing. Entities have the duty to respond promptly to such requests.

Consent for Data sharing

The PDP Decree emphasizes the importance of obtaining data subjects’ consent for the collection and use of their personal data. It prescribes more detailed requirements on this matter.

Consent is valid only if data subjects are informed about the purpose, scope and duration of data processing activities and their rights and obligations, allowing them to exercise control over their personal data. The PDP Decree also describes situations where processing personal data is permitted without such consent.

Protective Measures

The PDP Decree requires businesses to implement internal security measures e.g., encryption, access controls, and regular audits, in order to prevent personal data from being compromised.

Cross-Border Data transfers

Under the PDP Decree, when transferring personal data abroad, transferors must gather the mandatory elements to prepare an impact assessment dossier, which is subject to inspection by the relevant authority. Organizations must also ensure that the recipient country has a satisfying level of data protection.

The enforcement of the PDP Decree in Vietnam is expected to strengthen security and prevent data breaches that may affect data subjects’ rights and interests, and therefore enhance trust when using or collecting personal data.

You can talk with us to mitigate any risks related to the Personal Data Protection in Vietnam.

If you appreciate our content, you will also appreciate other Vietnam articles:

    Singapore companies are subject to audit
    Company administration

    Share This Post

    Share on facebook
    Share on linkedin

    You might also like

    CONTACT US

    Get in Touch!

    Connect with our Experts to explore and discuss your project in Asia!

    icon mbia