Personal Data Protection Vietnam: New Decree to Come into Full Force in July
© Tero Vesalainen/Shutterstock

Personal Data Protection Vietnam: New Decree to Come into Full Force in July

2 min.
22. May 2023

Decree No. 13/2023/ND-CP on personal data protection (PDPD) was issued on 17 April 2023. It comes into full force on 1 July 2023. From then on, all companies will have to comply with the regulations. However, the government has given SMEs a two-year deadline to implement some of the regulations. The Ecovis experts explain the details and their impact on companies.

Important PDPD regulations

Personal data is defined as any information associated with a particular person, not just information that helps identify a person. There are two types of personal data: basic personal data (such as name, date of birth, nationality, phone number, email, ID, or personal pictures) and sensitive personal data (such as political opinion, religion, sexual preference, or location data).

The PDPD also introduces the concepts of “data controller”, “data processor”, and “third party”, as well as a new, unprecedented concept of “party controlling and processing personal data”.

The key legal basis for personal data processing is still consent, but it must be clear, affirmative consent that can be printed out or reproduced in writing.

f you need further explanations about the PDPD and would like to know what consequences it has for your company, please do not hesitate to contact us.
Vu Manh Quynh, Managing Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam

In addition, for the cross-border transfer of personal data out of Vietnam, the party transferring the data abroad must prepare a dossier to assess the impact of the transfer. After the successful data transfer, the party transferring the data abroad will also need to notify the Department of Cyber Security and High-Tech Crime Prevention (A05).

The PDPD will come into full force on 1 July 2023, and there will be no general exemptions to its application except for SMEs, who will be given a 2-year grace period for the specific obligation of appointing a Data Protection Officer (DPO).

While it remains unclear how strictly the authorities will enforce the PDPD regulations during this initial transition period, businesses should not ignore their obligations under the decree and may need to start preparing for compliance plans.

For further information please contact:

Vu Manh Quynh, Managing Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Email: quynh.vu@ecovislaw.vn

Nguyen Nhuan, Partner, ECOVIS Vietnam OC Law, Ho Chi Minh City, Vietnam
Email: nhuan.nguyen@ecovislaw.vn

Sign up to our newsletter!

Contact us:

Vu Manh Quynh
Nguyen Nhuan
ECOVIS Vietnam Law / ECOVIS Orient Counsel
#2 Phan Van Dang Street
Level 1, Toong VistaVerde,
71100, Thu Duc City Ho Chi Minh City
Phone: +84 898 120 121
www.ecovis.com/vietnam/law