
Viet Nam’s Personal Data Protection Decree: Examining Benefits and Key Challenges


As of 2023, the number of internet users in Viet Nam has reached 77.93 million, accounting for 79.1% of the total population. Photo credit: ADB.


The challenge lies in ensuring the decree stops illegal data collection and exchange, which has left more than two-thirds of citizens' personal data unsecured.

This article is published in collaboration with the Tech for Good Institute.

Viet Nam has one of the world’s highest growth rates of internet usage and development. As of 2023, the number of internet users in Viet Nam has reached 77.93 million, accounting for 79.1% of the total population. The number of social media users also reached 70 million, equivalent to 71% of the total population. However, as technology rapidly develops, so does the need for personal data protection. Thus, there is a crucial need for the government to protect its citizens’ personal data to deter unsanctioned use.

Prior to the promulgation of its personal data protection decree, Viet Nam’s legal system did not have a unified definition of personal data. There were different definitions of personal data in various legal documents, and the provisions regarding personal data protection were fragmented. This resulted in duplication and overlap, making it challenging to implement the legal provisions effectively. According to the Ministry of Public Security (MPS), more than two-thirds of Vietnamese citizens’ personal data is unsecured due to the proliferation of illegal data collection and exchange.

A unified concept of personal data

The personal data protection decree, or Decree No. 13/2023/ND-CP, was issued by the government on 17 April 2023, as part of efforts in implementing the National Digital Transformation Program that aims to accelerate digital transformation to improve the country’s business efficiency and competitiveness. The decree was to take effect from 1 July 2023, with the Department of Cybersecurity and Hi-tech Crime Prevention under the MPS as the key authority tasked to implement the personal data protection decree.

Below are some of the notable key provisions of the decree.

Definition and classification of personal data

The decree provides a general, unified concept of personal data, recognized in both traditional physical and virtual environments, creating standardization across existing overlapping legal documents.

Additionally, the decree classifies personal data into two categories: basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, phone number, identification number, marriage status, and so on. Sensitive personal data, on the other hand, is more private and, if violated, has the potential to jeopardize a person’s legitimate rights and interests. It includes health status, medical records, customer information of credit institutions, location data, and so on. This differentiation allows one’s sensitive personal data to be more strictly regulated and protected than before.

Lastly, the sale of any personal data, whether basic or sensitive, in any form is strictly prohibited by the government, unless otherwise stipulated by law.

Concepts of regulated parties in data processing

To ensure that companies strengthen their responsibilities in data control and processing, the decree divides regulated parties into four categories:

  1. Personal data controller (“Controller”): an entity or individual who is responsible for determining the purposes and means of data processing
  2. Personal data processor (“Processor”): an entity or individual who conducts processing on behalf of the Controller
  3. Personal data controller-processor (“Controller-Processor”): an entity or individual who performs both roles concurrently
  4. Third party: any organization or individual, other than the data subject, Controller, Processor, or Controller-Processor, that processes personal data

The decree also requires both the data controllers and processors to keep a profile of the impact assessment of their personal data processing and regularly update it as necessary.

Rights of data subjects

The decree comprehensively regulates the basic rights of individuals as data subjects and sets forth technical and legal requirements for enterprises that control and process the data of Vietnamese citizens.

It stipulates 11 rights for data subjects, namely: (1) right to be informed; (2) right to give consent; (3) right to access personal data; (4) right to withdraw consent; (5) right to delete personal data; (6) right to obtain restriction on processing; (7) right to obtain personal data; (8) right to object to processing; (9) right to file complaints, denunciations, and lawsuits; (10) right to claim damage; and (11) right to self-protection.

Cross-border transfer of data

Where a Vietnamese citizen’s personal data needs to be transferred abroad, the sender of the personal data must first create a Dossier of Impact Assessment for the Cross-Border Transfer of Personal Data (TIA Dossier) before transferring the personal data out of Viet Nam.

The sender will need to notify the MPS of information relating to the information transfer for MPS’s review and submit one original copy of the TIA Dossier to the Department of Cybersecurity and Hi-Tech Crime Prevention under MPS within 60 days from the date of personal data processing.

Dossiers on the assessment of impact of processing personal data should also be kept updated and made readily available to the MPS.

Period of exemption for micro and startup enterprises

Micro, small-, and medium-sized enterprises and startups have the right to opt for exemption from regulations on personal designation and personal data protection for the first 2 years, from the date of establishment of the business, except for enterprises that are directly engaged in the processing of personal data.

Key challenges in implementing the decree

1. Integration of data processes into businesses. While large organizations typically have an existing system that is compliant with international data protection regulations, small and medium-sized businesses face the technical challenge of creating such a process for both data controllers and processors to meet the new regulatory requirements. These businesses will need to review their entire process to meet these new data requirements and may not have the technical capabilities to evolve in such a short period of time to meet all the data requests, especially extensive impact assessment and filing requirements from stakeholders.

2. Withholding of personal data information. The decree stipulates that the data subject has the right to “delete or request deletion of his/her personal data” or “obtain restriction on the processing of his/her personal data.” This creates a challenge for businesses (e.g. airlines and hotels) that have been collecting such personal data in their systems and must now make these changes quickly.

3. Government agencies to adapt to new technologies and maintain impartiality. Governments will also face the challenge and pressure of pivoting to new technologies to meet the new data regulations in areas of data review, inspection, and assessment, to identify data protection anomalies and data violations. Additionally, as government agencies themselves are subject to inspection of personal data protection, there is a need for all agencies, including the governing authority of data protection, MPS, to maintain impartiality in their own internal inspection.

Protecting personal data is essential for establishing trust in online services and encouraging participation in the digital transformation process. The issuance of Decree No. 13/2023/ND-CP by the government is a crucial step toward meeting the demands for personal data protection. However, to fulfill the promise of the personal data protection decree, the MPS will need to provide detailed guidance on implementing it, so that it can properly serve as a foundation for the future development of the law on protection of personal data.

This article was first published by the Tech for Good Institute on 13 June 2023.

Tech for Good Institute

The Tech for Good Institute is a nonprofit organization working to leverage the promise of technology and the digital economy for inclusive, equitable, and sustainable growth in Southeast Asia. The Institute is seed funded by Grab, a leading superapp in Southeast Asia.