Key Concepts Under Vietnam’s New Data Privacy Law

As businesses in Vietnam expand their digital operations, the stakes for handling personal data have never been higher. Companies face growing pressure not only to secure information but to do so within a clear and legally compliant structure. In response, the Vietnamese government introduced Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), which took effect on July 1, 2023. While the regulation marks a significant step toward aligning Vietnam with international data privacy standards, many businesses are still uncertain about how to comply, especially when it comes to core obligations around consent, data collection, and data control.

This article breaks down the key concepts of the PDPD and explains what companies operating in Vietnam need to know to meet their legal responsibilities.

Overview of Vietnam’s Personal Data Protection Decree (PDPD)

Decree 13 is the country’s first comprehensive data privacy regulation, introduced to fill the longstanding gap in Vietnam’s legal framework regarding personal data protection. It applies to both Vietnamese and foreign agencies, organizations and individuals that are involved in personal data processing activities in Vietnam, regardless of whether the data processing takes place onshore or remotely from abroad. The decree broadly defines:

  • Personal data as information in the form of symbols, script, digits, images or sound, or in a similar form in the electronic environment, that is affiliated with a specific person or helps identify a specific person. Personal data includes basic personal data and sensitive personal data.
  • Sensitive personal data as data relating to health, finances, ethnicity, political opinions, and location, among others

The PDPD introduces obligations for data controllers (entities that decide how personal data is processed) and data processors (entities that carry out data processing on behalf of a controller), while also setting out the rights of data subjects (the individuals whose personal data is collected with their consent or permission).

Consent: The Cornerstone of Lawful Data Processing

Under the PDPD, consent is a foundational requirement. To be valid, consent must be:

  • Freely given
  • Specific to each processing purpose
  • Informed and based on clear notification
  • Unambiguous, requiring a clear affirmative action

For sensitive personal data, the data subject must be informed that the data to be processed is sensitive personal data. The explicit consent of a data subject is required for both basic and sensitive data and must be expressed in a format that can be printed or copied in written form, including electronic or verifiable formats.

Companies must ensure data subjects are fully aware of what data is being collected, how it will be used, who it will be shared with, and how long it will be retained. Consent may be withdrawn at any time, and data controllers must immediately stop processing when consent is revoked.

There are limited exceptions where data can be processed without consent—such as for contractual obligations, legal compliance, emergencies, or as directed by authorities—but these are narrowly defined and must be carefully assessed.

Data Collection: What’s Allowed and What’s Not

The PDPD requires that personal data be collected only for legitimate, clear, and lawful purposes. Businesses must avoid broad, vague, or preemptive data harvesting.

Key rules include:

  • Data must be collected proportionally, i.e., no more than necessary for the stated purpose
  • Data subjects must be notified before collection, including details of processing purposes, entities involved, and data retention periods
  • Methods of collection must be transparent and non-deceptive
  • Unlawful practices such as unauthorized profiling, hidden tracking, or using third-party data without consent are strictly prohibited

Retention of data must be limited to the duration necessary for the original purpose, after which it should be deleted or anonymized unless otherwise required by law.

Data Control: Responsibilities of Controllers and Processors

Data controllers and processors have wide-ranging responsibilities under the PDPD. Some of the core obligations include:

  • Data Protection Officer (DPO): Controllers and processors must designate individuals responsible for overseeing data privacy compliance
  • Impact Assessments: A Data Protection Impact Assessment (DPIA) must be conducted for any activity that poses a high risk to data subjects
  • Cross-border transfers: Controllers must conduct an assessment and notify the Ministry of Public Security before transferring personal data abroad
  • Security Measures: Adequate technical and organizational safeguards must be implemented to prevent unauthorized access, disclosure, or loss
  • Incident Notification: Violations of personal data protection regulations must be reported within 72 hours

Controllers are also required to provide mechanisms for data subjects to access, correct, or request deletion of their personal data.

Penalties for Non-Compliance

While the PDPD currently outlines administrative sanctions rather than criminal penalties, the consequences can still be significant:

  • Fines for non-compliance may range from warnings to substantial monetary penalties, depending on the nature and severity of the violation
  • Regulatory authorities may order suspension of data processing or impose additional audits
  • In the future, criminal liability may be introduced for serious violations, particularly those involving data trading or deliberate abuse

Perhaps most impactful, the damage from a violation can be much greater than the sanctions mentioned here: business operation disruption, financial loss, harm to privacy and reputation, and the risk of surveillance and monitoring.

Cross-Border Data Transfers Under the PDPD

One of the most critical compliance areas under the PDPD involves the transfer of personal data outside Vietnam. Businesses that host data on overseas servers or share information with foreign affiliates must be aware of the specific legal requirements.

Before conducting a cross-border transfer, data controllers must carry out a Data Transfer Impact Assessment (DTIA) and submit a report to the Ministry of Public Security (MPS). The assessment must evaluate the nature of the data, the receiving party’s data protection measures, and potential risks to the data subjects.

Cross-border transfers are only permitted when appropriate safeguards are in place, and businesses must retain proof of consent where applicable. The MPS may require additional documentation or impose restrictions depending on the destination country and data sensitivity.

Organizations that overlook these requirements may face suspension of transfers, regulatory scrutiny, or reputational harm.

How Businesses Can Prepare

Compliance with Vietnam’s data privacy law requires a strategic and proactive approach:

  • Conduct a data audit to map how personal data is collected, processed, stored, and shared across departments and systems. This helps identify gaps and assess risk areas.
  • Update privacy notices and consent forms to ensure they are clear, purpose-specific, and meet PDPD requirements regarding transparency and user control.
  • Develop role-specific compliance procedures, particularly for teams handling high volumes of personal data, such as HR, customer service, and digital marketing. Equip these teams with practical, real-world protocols instead of general awareness training.
  • Designate a DPO and establish internal workflows for documenting data processing activities, managing data subject requests, and responding to security incidents.
  • Engage legal counsel to review and strengthen your data governance model, including strategies for international data transfers and third-party vendor management. In addition, personal data protection measures (both management and technical measures) must be applied from the very beginning of, and throughout, personal data processing.

Early preparation will not only reduce legal risk but also demonstrate your organization’s commitment to ethical data handling.

Conclusion

The introduction of the PDPD marks a turning point for how businesses in Vietnam must approach personal data. As the government prioritizes data protection and enforcement mechanisms mature, companies can no longer afford to treat privacy as an afterthought. Noncompliance now carries real consequences, from fines and regulatory scrutiny to reputational harm and loss of consumer trust.

Understanding and properly applying the core pillars of consent, data collection, and control is no longer just about checking a box; it is about building credibility in a digital-first business environment.

Le & Tran is a premier Vietnamese law firm with deep expertise in data protection, cybersecurity, and regulatory compliance. We help both local and international clients navigate Vietnam’s data privacy regulations and build legally sound, risk-resilient frameworks.

For tailored legal guidance on personal data protection in Vietnam, contact our team at info@letranlaw.com.