These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
Vietnam
Decree No. 13/2023/ND-CP
Comprehensive guide to Vietnam's personal data protection regulations under Decree No. 13/2023/ND-CP, effective July 1, 2023.
Key Provisions
Article 1: Governing Scope and Applicable Subjects
Defines what this Decree covers and to whom it applies, including Vietnamese bodies, foreign bodies operating in Vietnam, and any overseas entities processing Vietnamese personal data.
Article 2: Interpretation of Terms
Gives precise definitions for key terms such as "Personal data," "Sensitive personal data," "Data subject," "Personal Data Controller," "Personal Data Processor," and "Cross-border transfer of personal data."
Article 3: Principles of Personal Data Protection
Sets out seven core principles: lawfulness, transparency, purpose limitation, data minimisation, accuracy, security, and storage limitation. Controllers must also be able to demonstrate compliance.
Article 4: Handling Violations
Provides for disciplinary, administrative or criminal penalties against those who breach the Decree's provisions, depending on severity.
Article 5: State Management over Personal Data Protection
Establishes the Government's unified role in policy-making, guidance, inspection, education and international cooperation on personal data protection.
Section 1 (Art 9–10): Rights and Obligations of Data Subjects
Section 2 (Art 11–23): Data Processing Rules
- Consent (Art 11–12): explicit, informed, purpose-specific; withdrawal within defined procedure.
- Notification (Art 13): must tell data subjects purpose, data types, methods, recipients, risks, timeframe.
- Provision, Correction (Art 14–15): 72-hour timelines for access, correction.
- Storage, Deletion, Destruction (Art 16): when data no longer needed or upon withdrawal/objection, with some legal exceptions; deletion within 72 hours.
- Non-consent processing (Art 17–20): permitted in emergencies, to meet legal obligations, in the public interest and for law enforcement; also covers rules on children's data.
- Marketing (Art 21): needs consent and transparency.
- Unauthorized Acts (Art 22): prohibits collection, transfer or sale of personal data without consent.
- Breach Notification (Art 23): must notify the Ministry of Public Security within 72 hours of any incident, describing its scope, impact and mitigation.
Section 3 (Art 24–25): Impact Assessment & Cross-Border Transfer
- Impact Assessment (Art 24): Controllers and Processors must keep a detailed dossier from the start of processing, submit it to MPS within 60 days, and update it when processing changes.
- Cross-Border Transfer (Art 25): allowed only after dossier and MPS approval; notify MPS after transfer; MPS can inspect or suspend transfers if national security or compliance issues arise.
Section 4 (Art 26–31): Measures & Conditions
- Protection Measures (Art 26): organisational and technical safeguards from the start and throughout.
- Basic Data (Art 27), Sensitive Data (Art 28): extra steps for sensitive data, appointment of data protection officer.
- Specialized Agency (Art 29): the Department of Cybersecurity & Hi-Tech Crime Prevention is the regulator and runs the Personal Data Protection Portal.
- Conditions (Art 30): mandates trained staff and adequate resources.
- Funding (Art 31): State budget, service fees, international aid.
Chapter III (Art 32–42): Responsibilities
- Ministries & Agencies (Art 32–37): responsibilities shared between MPS, MIC, MOD, MOST and provincial PCs, covering policy, guidance, inspection and budget.
- Controllers (Art 38): implement measures, log systems, notify breaches, pick compliant processors, uphold data subject rights, liaise with MPS.
- Processors (Art 39): process only under contract, follow instructions, protect data, delete/return data post-processing, assist investigations.
- Controller+Processor (Art 40) & Third Parties (Art 41): comply fully.
- Others (Art 42): protect own data, report violations, cooperate.
Chapter IV (Art 43–44): Implementation
- Effectiveness (Art 43): Decree effective 1 July 2023; SMEs have a two-year grace period for appointing data protection officers.
- Implementation (Art 44): MPS to guide and inspect; all heads of agencies and local PCs are responsible for implementation.
Compliance Checklist
Article 11: Consent
For Controllers:
Obtain explicit, written or verifiable consent for each data-processing purpose. Keep records of consent mechanisms.
For Processors:
Only process data for purposes and with consent frameworks defined by Controllers. Assist in managing and recording consents.
Article 16: Storage, Deletion & Destruction
For Controllers:
- Define and enforce retention schedules
- Delete or irreversibly destroy data within 72 hours of valid deletion request or purpose completion.
For Processors:
Ensure secure deletion or return of data upon Controller's instruction or contract end.
Article 17: Non-consent Processing
For Controllers:
Document the legal basis for processing without consent (emergency, public interest, legal obligation); keep evidence to demonstrate necessity.
For Processors:
Process only as instructed; flag any conflicts between the Controller's instructions and the Decree.
Article 23: Breach Notification
For Controllers:
- Establish an incident response plan; report any breach to the Ministry of Public Security (MPS) within 72 hours, with a full incident dossier
- Inform data subjects.
For Processors:
Notify Controller immediately upon detection, provide all required details (nature, scope, impact, mitigation) to enable timely reporting.
Article 25: Cross-Border Transfer
For Controllers:
- Maintain cross-border transfer dossier
- Submit to MPS within 60 days
- Notify MPS post-transfer
- Monitor recipient compliance.
For Processors:
Transfer personal data only to approved jurisdictions and adhere to the contractual and technical safeguards.
Article 26: Protection Measures
For Controllers:
Implement and regularly review organisational (policies, training) and technical (encryption, access control) safeguards from day one.
For Processors:
- Follow Controller's security policies
- Maintain logs, report vulnerabilities or incidents promptly
- Undergo audits if required.
Article 38: Controller Responsibilities
For Controllers:
- Appoint and register data-protection staff
- Keep processing logs
- Vet and contract processors
- Uphold data-subject rights
- Liaise with MPS.
For Processors:
N/A
Article 39: Processor Duties
For Controllers:
N/A
For Processors:
Sign data-processing agreement; only process data under contract; implement measures; delete/return data after processing; assist audits.
Need Help with Vietnam PDPL Compliance?
Our expert team can guide you through Vietnam's data protection requirements and ensure your organization meets all compliance obligations.
Checklist to implementation
Need a fact-specific view?
Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.