Personal Data Protection under the new Decree 13/2023/ND-CP

Ho Chi Minh City, July 2023  

Attention: To who it may concern 

(herein referred to as “Client”)   

[*] This recommendation applies to any domestic or foreign organizations or individuals that are involved in processing personal data in Vietnam (e.g., employees, customers, suppliers, users, or other individuals), even if the processing occurs outside of Vietnam. 

Before going through the detail, please note that: 

      1. The content of this document does not constitute legal advice and does not necessarily reflect the views of us or that of any of our attorneys or consultants. This document is for general information only, which may or may not be accurate, complete, or valid at the time of reading this document. The content of this document is not intended to be used as a substitute for specific legal opinions or advice. Please seek legal advice or other professional guidance tailored to your particular issue. We are not responsible for any action or inaction based on part or all of the contents of this document. In certain cases, please contact PCA Legal Team for further assistance and advice. 

    This recommendation has been prepared for Clients, subsidiaries, and professional associates of PCA Corporate Services (“PCACS”). Whilst every effort has been made to ensure accuracy, this presentation is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this presentation is accepted by PCACS. 

    After reviewing the relevant legal regulations of the Government and other practical information, we would like to give initial advice as follows: 

        1. OVERVIEW: 

      The government issued Decree 13/2023/ND-CP on personal data protection on April 17, 2023 (hereinafter referred to as “Decree 13” or “Personal Data Protection Decree”), and went into effect on 01 July 2023. Decree 13 is the third legal instrument released as part of the government’s initiative to strengthen the legal framework governing cyberspace, following the Law on Cybersecurity No. 24/2018/QH14, dated 12 June 2018, and its initial implementing Decree 53/2022/ND-CP, dated 15 August 2022. With regard to operations involving the processing of personal data, Decree 13 establishes more precise data protection and cybersecurity obligations. 

      The Personal Data Protection Decree represents a significant legal provision which investors and businesses operating in Vietnam should peruse in thorough detail, to ensure they maintain full compliance with the new legal requirements. 

      Please see below the summary of basic information of Decree 13/2023/ND-CP on Personal Data Protection. 


            1. Personal data: 

          “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual.  

          “Information used for identification of an individual” refers to information that results from an individual’s activities and may identify an individual when it is combined with other stored information and data. 

          The personal data includes BASIC PERSONAL data and SENSITIVE PERSONAL DATA: 

          BASIC PERSONAL DATA  SENSITIVE PERSONAL DATA refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests, including: 
          a) Last name, middle name and first name, other names (if any); b) Date of birth; date of death or going missing; c) Gender; d) Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address; dd) Nationality; e) Personal image; g) Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number; h) Marital status; i) Information about the individual’s family relationship (parents, children); k) Digital account information; personal data that reflects activities and activity history in cyberspace; l) Information associated with an individual or used to identify an individual other than that specified in Clause 4 of this Article.  a) Political and religious opinions; b) Health condition and personal information stated in health record, excluding information on blood group; c) Information about racial or ethnic origin; d) Information about genetic data related to an individual’s inherited or acquired genetic characteristics; dd) Information about an individual’s own biometric or biological characteristics; e) Information about an individual’s sex life or sexual orientation. g) Data on crimes and criminal activities collected and stored by law enforcement agencies; h) Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers; i) Personal location identified via location services; k) Other specific personal data as prescribed by law that requires special protection. 

              1. Personal data processing: 

            “Personal data processing” refers to one or multiple activities that impact on personal data, including: 

            Collection  Storage  Access  Decryption  Provision  or other relevant activities 
            Recording  Rectification  Traceability  Copying  Transfer 
            Analysis  Disclosure  Retrieval  Sharing  Deletion 
            Confirmation  Combination  Encryption  Transmission  Destruction 

            Legal basis: Article 2 Decree 13/2023/NĐ-CP 


              Decree 13/2023/NĐ-CP enforces regulations concerned the following entities: 

                  • Vietnamese agencies, organizations and individuals; 

                  • Foreign agencies, organizations and individuals in Vietnam; 

                  • Vietnamese agencies, organizations and individuals that operate in foreign countries; 

                  • Foreign agencies, organizations and individuals directly participating in or related to personal data processing activities in Vietnam. 

                Based on how they handle and process data, regulated entities are categorized under Decree 13/2023/NĐ-CP into the following groups:  

                1.  Controller of personal data  an organization or individual that decides the purpose and means of processing personal data. 
                2.  Personal Data Processor  an organization or individual that performs data processing on behalf of the Data Controller, through a contract or agreement with the Data Controller. 
                3.  Personal Data Controller-cum-Processor  an organization or individual that simultaneously decides the purposes, means and directly processes personal data. 
                4.  A third party  an organization or individual other than Data Subject, Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor authorized to process personal data. 

                Data Subject: the individual reflected by the personal data (Vietnamese citizen or Foreign citizen). 

                Legal basis: Article 2 Decree 13/2023/NĐ-CP 


                  Decree 13 generally requires organizations to obtain the individual’s prior consent to process personal data and adhere to the principles set out in Article 3, namely process data: 

                      1. lawfully;  

                        1. transparently; 

                          1. for purpose(s) disclosed;  

                            1. limited purpose and scope; 

                              1. using appropriate and updated data; and  

                                1. confidentially; whilst  

                                  1. ensuring data is stored for the appropriate retention period, and  

                                    1. be accountable. 

                                  Note: Decree 13 expressly prohibits purchase of any data that is likely intended to address the sale of data lists in the past. However, Article 22 provides that the establishment of software systems and technical measures, or the organization of the collection, transfer, purchase and sale of personal data without the consent of the data subject are personal data violations.  

                                  Accordingly, it can be interpreted that the trading of personal data is not entirely prohibited but will be permitted with the consent of the data subject. 

                                  Legal basis: Article 3 Decree 13/2023/NĐ-CP 

                                      1. RIGHTS OF DATA SUBJECTS: 

                                        1. Rights of data subjects: 

                                      Decree 13 sets out 11 rights of the Data Subjects, including: 

                                      the right to be informed;  the right to consent; the right to access; the right to withdraw consent;  the right to delete data;   the right to restrict data processing;  the right to data provision; the right to object to data processing;  the right to complain and denounce and/or initiate lawsuits; the right to claim compensation for damages; and the right to self-protection. 

                                      Among aforementioned rights, enterprises should pay special attention to right No. 6 and No. 8, as compliance in these regards would be subject to a restriction of 72-hours. Particularly as follows: 

                                          • Restrict data processing: restriction of data processing is carried out within 72 hours after the request of the data subject, with all personal data that the data subject requests to restrict, unless otherwise provided by law. 

                                          • Object to data processing: the Personal Data Controller, Personal Data Controller-cum-Processor shall fulfill the request of the data subject within 72 hours after receiving the request, unless otherwise provided for by law. 

                                        Legal basis: Article 9 Decree 13/2023/NĐ-CP 

                                            1. Consent of the data subject: 

                                          Consent of the data subject: 

                                              • Appropriate format and form of consent: Must be clearly and specifically expressed in writing, by voice, by ticking consent boxes, by sending syntax consent via text message, by selecting consent technical settings or through another action that demonstrates this. In addition, consent must be expressed in a format that can be printed, reproduced in writing, including in electronic or verifiable formats. 

                                              • Voluntary consent and knowledge of the data subject: Consent must also be given voluntarily based on the data subject’s clear understanding of the processing activities, including (i) processing destination; (ii) the type of personal data to be processed; (iii) the subjects to whom personal data is processed; and (iv) rights and obligations of data subjects. 

                                              • For the same purpose: In the case of data processing for multiple purposes, consent can be for one or more of the stated purposes. Partial or conditional consent is at the discretion of the data subject. 

                                              • Silence or non-response is not considered consent. 

                                                • Validity: Consent is valid until the data subject decides otherwise (withdrawal of consent) or when requested in writing by a competent authority. 

                                              Legal Basis: Article 11 Decree 13/2023/NĐ-CP 

                                              With a few notable exceptions, processing personal data for any purpose—including cross-promotional marketing and advertising—requires the consent of the data subject. Every time the organization modifies the way they handle data; a new consent is needed. 

                                              Processing without consent is limited to the following circumstances: 

                                                  • to protect the life and health of the data subject or others; 

                                                  • disclosure in accordance with the law; 

                                                  • by State agencies, such as (i) in the event of a state of emergency or when there is a risk of threatening national security and national defense; to prevent against riots and terrorism, to prevent against crimes and violations of the law; or (ii) to serve their activities, as prescribed by the law 

                                                  • security surveillance with prior notification to the data subject to serve the data handler’s legitimate purpose; 

                                                    • to fulfil the contractual obligations (except to further its marketing and advertising business) of the data subject in accordance with the law. 

                                                  Legal Basis: Article 17 Decree 13/2023/NĐ-CP 

                                                      1. TRANSFERRING PERSONAL DATA OUTSIDE VIETNAM 

                                                    Transferring Data outside Vietnam includes: 

                                                    (1) transferring data from inside to outside Vietnam, or  

                                                    (2) processing data of Vietnamese individuals by electronic automatic system located outside Vietnam.  

                                                    The entities which are transferring data are organizations, enterprises, individuals whilst the entities in circumstance include the Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor (Transferor).  

                                                    Kindly note that:  

                                                    (a) the Transferor is required to obtain the approval, consensus of Personal Data Subject prior to carrying out the transfer of personal data outside Vietnam, and 

                                                    (b) the purpose of the data transfer must be agreed by the Personal Data Subject as well. 

                                                    Legal Basic: Article 24, 25 Decree 13/2023/NĐ-CP 

                                                        1. SOME NECESSARY ACTIVITIES THAT BUSINESSES CAN TAKE TO COMPLY WITH DECREE 13  

                                                      ACTION ITEM  COMPLIANCE ACTION 
                                                      Identify role in processing personal data AND Identify types of personal data processed  Assign department in charge for every processing activity to the relevant business units. Review the data processing and recording techniques e.g., whether it is transactional, real time, batch, or multi-processing Identify and classify into the appropriate group: (Please refer to section III) Data Controller  Data Processor  Data Controller cum Processor  Third parties 
                                                      Setting up a data classification and management system for various categories of personal data, and develop or revise internal data management structures and operational regulations. Identify and classify into the appropriate group: (Please refer to section II) Personal data Basic personal data  Sensitive personal data  
                                                      Identify lawful basis for personal data processing  The entity processing the data has the responsibility of demonstrating that the processing is legal. Principles for protection of personal data: (Please refer to section IV) Examine whether the current procedures, rules, instructions, and system logs can prove compliance. The following should be covered by internal rules and policies: guidelines for processing personal data; authorization for staff to process data; guidelines for handling breaches of personal data; and remediation techniques. A mechanism is put in place to ensure consent is capable of being printed or reproduced in writing, which can be in electronic format. Determine if the data subject will be informed if processing is dependent on other circumstances. Processing without consent is limited to the following circumstances: (Please refer to section 4.2) 
                                                      Implement mechanism for individuals to withdraw consent  Evaluate and update current mechanisms to guarantee this right; train employees responsible for handling data subject requests and raise personal data protection awareness. Where consent is used as a legal basis for processing personal data, to have a mechanism for individuals to withdraw their consent, which should allow for printing or re- production as needed. Where consent is withdrawn, the organization will need to notify the individual of the possible consequence or damage that occurred as a result of the consent withdrawal. 
                                                      Personal data processing notification requirements  Either review and update existing or develop new privacy policies to provide to the individuals as soon as possible. The privacy notice is required to the individuals prior to processing their personal data and will need to include inter alia the type, purpose, and method of processing; identity of the data processor or third party involved; the risks of processing, the timing of the processing. 
                                                      Implement system to handle data subject requests AND Appoint Data protection officer  A system through which the data subjects can exercise their rights and the appropriate personnel can receive, evaluate, authenticate, and respond to these requests. (Please refer to section 4.1) 
                                                      Appoint a data protection officer or designate a department with this compliance task. Grace period for 2 years is only applicable for the case upon the establishment of micro-enterprises, small enterprises, medium-sized enterprises, startup companies which are not directly engaged in providing personal data processing services. Save for this, organizations are required to appoint a data protection officer. 
                                                      Data security and data breach notification/ reporting  Within 72 hours of the occurrence of a breach of personal data protection or another breach specified in the Decree, the Personal Data Controller and the Personal Data Controller and Processor may obligated to notify the Ministry of Public Security for notification of violations (including measures to be taken to minimize harm) according to the form promulgated together with the Decree.  (Please refer to section 4.1) Review contracts with Data Processors to check if it contains duties and obligations in relation to data protection and security and clarify how liability will be allocated between the parties. 
                                                      Impact assessment reports to authorities for personal data processing and transfer outside Vietnam  Review existing, or develop, personal information protection impact and risk assessment template in the format prescribed by Decree 13. The reports will need to be stored and be made available for inspection and have a mechanism to ensure that these reports are produced and submitted within 60 days of commencement of processing activities or changes to the same.  Both Data Controllers and Data Processors must conduct a personal information impact assessment for all their processing activities, including processing basic and sensitive personal data on its own or by contracting a data processor or providing information to third parties or transferring personal data overseas and submit within 60 days of commencing the relevant processing activityLegal Basic: Article 24, 25 Decree 13/2023/NĐ-CP 
                                                      Investigations and audits  Have mechanism and personnel tasked to handle any investigation and audit requests from the authorities. 

                                                          1. LEGAL BASIS 

                                                            • Law on Cybersecurity No. 24/2018/QH14  

                                                              • Decree 13/2023/ND-CP  

                                                                1. PCA’S NOTE 

                                                              This recommendation aims to allow the Clients in Vietnam to better grasp the complexity of the new regulations relating Personal Data Protection. 

                                                              The Decree may present difficulties for data controllers and processors who must assess the entire system and process to comply with the requirements, including technical choices to allow users to access, view, update, and erase their stored data. 

                                                              To achieve compliance with the new Decree, businesses in Vietnam must prepare a compliance plan and assess their existing practices as soon as feasible. Special attention should be placed on compliance with data storage and processing outside of Vietnam, as well as guaranteeing the system’s ability to erase or correct personal data as and when data subjects require enterprises to do so. 

                                                              Contact PCA Company Services today. We will help you info@pcacompanyservices.com

                                                              Yours truly, 

                                                              PREPARED by Miss Tạ Ngọc Khánh Vy, Team Leader, Legal & Compliance, PCA CS 

                                                              SUPERVISED by Miss Ngô Thị Ngọc, Managing Partner, Legal & Compliance, PCA CS 

                                                              CHECKED on by Mr. LÊ N. Bao, Group CEO, PCA Group 

                                                              No Comments

                                                              Sorry, the comment form is closed at this time.