Vietnam’s much awaited Personal Data Protection Decree: Examining Benefits and Key Challenges

Central Institute for Economic Management (CIEM), Vietnam’s Dr. Thao Nguyen Minh examines the current landscape of Vietnam’s personal data protection and provides a closer look at the first ever enacted personal data protection degree (Vietnam: Decree No. 13/2023/ND-CP) and its key challenges.

This copy is also available in Vietnamese, click here to read.

By Dr. Thao Nguyen Minh Central Institute for Economic Management (CIEM), Vietnam

Vietnam has one of the world’s highest growth rates of internet usage and development. As of 2023, the number of Internet users in Vietnam has reached 77.93 million, accounting for 79.1% of the total population. The number of social media users also reached 70 million, equivalent to 71% of the total population. However, as technology rapidly develops, so does the need for personal data protection. Thus, there is a crucial need for the governments to protect their citizens’ personal data to deter unsanctioned use.

Prior to the promulgation of Decree No. 13/2023/ND-CP, Vietnam’s legal system did not have a unified definition of personal data. There were different definitions of personal data in various legal documents, and the provisions regarding personal data protection were fragmented. This resulted in duplication and overlap, making it challenging to implement the legal provisions effectively. According to the Ministry of Public Security (MPS), more than two-thirds of Vietnamese’s personal data is unsecured due to the proliferation of illegal data collection and exchange.

A closer look at Vietnam’s Decree No. 13/2023/ND-CP

The personal data protection decree was issued by the Vietnam government on 17 April 2023, as part of the government’s effort in implementing the National Digital Transformation Programme which aims to accelerate digital transformation to improve the country’s business efficiency and competitiveness. The decree is scheduled to take effect from 1 July 2023, with the Department of Cybersecurity and Hi-tech Crime Prevention under MPS as the key authority of the personal data protection decree.

Below are some of the notable key provisions of the decree.

The Decree provides a general, unified concept of personal data; recognized in both traditional physical and virtual environments, creating standardisation across existing overlapping legal documents.

Additionally, the decree classifies personal data into two categories – basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, phone number, identification number, marriage status and so on. Sensitive personal data, on the other hand, is more private and if violated, has the potential to jeopardise a person’s legitimate rights and interest. It includes health status, medical records, customer information of credit institutions, location data and so on. This differentiation allows one’s sensitive personal data to be more strictly regulated and protected than before.

Lastly, sale of any data be it basic personal data or sensitive personal data in any form is strictly prohibited by the government, unless it is stipulated otherwise by the law. [4]

To ensure that companies strengthen their responsibilities in data control and processing, the decree divides regulated parties into four categories:

  1. Personal data controller (“Controller”): an entity or individual who is responsible for determining the purposes and means of data processing
  2. Personal data processor (“Processor”): an entity or individual who conducts processing on behalf of the Controller
  3. Personal data controller-processor (“Controller-Processor”): an entity or individual who performs both roles concurrently
  4. Third party: any organization or individual, other than the data subject, Controller, Processor, or Controller-Processor, that processes personal data

The decree also enforces both the data controllers and processors to keep a profile of the impact assessment of their personal data processing and regularly update it as necessary.


The decree comprehensively regulates the basic rights of individuals as data subjects and sets forth technical and legal requirements for enterprises of controlling and processing data of Vietnamese citizens.

It stipulates 11 rights for data subjects. Namely: (1) Right to be informed; (2) Right to give consent; (3) Right to access personal data; (4) Right to withdraw consent; (5) Right to delete personal data; (6) Right to obtain restriction on processing; (7) Right to obtain personal data; (8) Right to object to processing; (9) Right to file complaints, denunciations and lawsuits; (10) Right to claim damage; and (11) Right to self-protection.

 

In the case where a Vietnamese citizen’s personal data is needed to be transferred abroad, the sender of personal data need to first create a Dossier of Impact Assessment for the Cross-Border Transfer of Personal Data (“TIA Dossier”) before being able to transfer the personal data out of Vietnam.

The sender will need to notify MPS of information relating to the information transfer for MPS’s review and submit one original copy of the TIA Dossier to the Department of Cybersecurity and Hi-Tech Crime Prevention under MPS within 60 days from the date of personal data processing.

Dossiers on the assessment of impact of processing personal data should also be kept updated and made readily available to the MPS.

Micro, small and medium-sized enterprises and startup companies have the right to opt for exemption from regulations on personal designation and personal data protection for a period the first 2 years, from the date of establishment of the business, except for enterprises that are directly engaged in the processing of personal data.

Key Challenges in implementing the Personal Data Protection Decree

1. Integration of data processes into businesses – While large organisations typically have an existing system that is compliant with international data protection regulations, small and medium-sized businesses face the technical challenge of creating such a process for both data controllers and processors to meet these new regulation requirements. These businesses will need to review their entire process to meet these new data requirements and may not have the technical capabilities to evolve in such a short period of time to meet all the data requests, especially extensive impact assessment and filing requirements from stakeholders.

2. Withholding of personal data information – with the decree stipulating that the data subject has the right to “delete or request deletion of his/her personal data” or “obtain restriction on the processing of his/her personal data”, this creates a challenge for businesses (e.g. airlines and hotels) who have been collecting these personal data in their systems to make these changes quickly.

3. Government agencies to adapt to new technologies and maintain impartiality –governments will also face the challenge and pressure in pivoting to new technologies to meet the new data regulations in areas of data review, inspection and assessment, to identify data protection anomalies and data violation. Additionally, as government agencies themselves are subjects under the inspection of personal data protection, there is a need for all agencies including the governing authority of data protection, MPS, to maintain impartiality in their own internal inspection.

In conclusion, protecting personal data is essential for establishing trust in online services and encouraging participation in the digital transformation process. The issuance of Decree No 13/2013/ND-CP by the Vietnam government is a crucial step towards meeting the demands for personal data protection. However, to fulfil the promise of the personal data protection decree, it will require the MPS to provide a detailed guidance on implementing this decree, for it to properly serve as a foundation for the future development of the law on protection of personal data.

Dr. Thao Nguyen Minh is the Head of the Business Environment and Competitiveness Research Department, at the Central Institute for Economic Management (CIEM), Vietnam. She is an expert in business environment and digitalization. She is also the key drafter of Vietnam’s National Strategy for Fourth Industrial Revolution by 2030.

The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.

Download Report

Download Report

Latest Updates

Latest Updates​

Keep pace with the digital pulse of Southeast Asia!

Never miss an update or event!

Mouna Aouri

Programme Fellow

Mouna Aouri is an Institute Fellow at the Tech For Good Institute. As a social entrepreneur, impact investor, and engineer, her experience spans over two decades in the MENA region, South East Asia, and Japan. She is founder of Woomentum, a Singapore-based platform dedicated to supporting women entrepreneurs in APAC through skill development and access to growth capital through strategic collaborations with corporate entities, investors and government partners.

Dr Ming Tan

Founding Executive Director

Dr Ming Tan is founding Executive Director for the Tech for Good Institute, a non-profit founded to catalyse research and collaboration on social, economic and policy trends accelerated by the digital economy in Southeast Asia. She is concurrently a Senior Fellow at the Centre for Governance and Sustainability at the National University of Singapore and Advisor to the Founder of the COMO Group, a Singaporean portfolio of lifestyle companies operating in 15 countries worldwide.  Her research interests lie at the intersection of technology, business and society, including sustainability and innovation.

 

Ming was previously Managing Director of IPOS International, part of the Intellectual Property Office of Singapore, which supports Singapore’s future growth as a global innovation hub for intellectual property creation, commercialisation and management. Prior to joining the public sector, she was Head of Stewardship of the COMO Group and the founding Executive Director of COMO Foundation, a grantmaker focused on gender equity that has served over 47 million women and girls since 2003.

 

As a company director, she lends brand and strategic guidance to several companies within the COMO Group. Ming also serves as a Council Member of the Council for Board Diversity, on the boards of COMO Foundation and Singapore Network Information Centre (SGNIC), and on the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

In the non-profit, educational and government spheres, Ming is a director of COMO Foundation and Singapore Network Information Centre (SGNIC) and chairs the Asia Advisory board for Swiss hospitality business and management school EHL. She also serves on  the Council for Board Diversity and the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

Ming was educated in Singapore, the United States, and England. She obtained her bachelor’s and master’s degrees from Stanford University and her doctorate from Oxford.