An Overview of Vietnam’s Decree No. 13/2023/ND on the Protection of Personal Data (Decree)

I. Introduction

Vietnam's long-awaited, first-ever comprehensive data privacy law, Decree No. 13/2023/ND on the Protection of Personal Data (Decree), was finally enacted on April 17, 2023. The Decree won't have a transition period and will take effect on July 1, 2023. Prior to this, ​​on February 7, 2023, Resolution No. 13/NQ-CP was issued, following Resolution No. 27/NQ-CP, passed in March 2022.

The Decree applies to all Vietnamese and foreign companies operating offices in Vietnam or carrying out data processing activities in Vietnam.

Under the Decree, individuals have the right to access, correct, and delete their personal data, and organizations must comply with these requests. The law also mandates that organizations implement the appropriate security measures to secure individuals’ personal data and notify the authorities of any data breaches.

Violations of Vietnam's data privacy law might lead to disciplinary measures and administrative sanctions to potential criminal charges, which will be determined by the severity of the violation. To avoid potential legal and financial repercussions, it is crucial for businesses operating in Vietnam to make sure their data processing operations are in line with Vietnam’s data protection law.

II. Who Needs to Comply with Vietnam’s Decree No. 13/2023/ND

A. Material and Territorial Scope

The Decree applies to both Vietnamese and foreign organizations, agencies, and individuals. It applies to any Vietnamese agency, organization, or individual based in Vietnam or operating abroad and involved in the processing of personal data. The Decree also covers any foreign agency, organization, or individual handling personal data within Vietnam. The Decree provisions demonstrate the extra-territorial scope of Vietnam's personal data protection law.

III. Definitions of Key Terms

A. Personal Data

Personal data is information in the form of symbols, letters, numbers, images, sounds, or an electronic medium that is associated with a particular person or helps to identify a particular person/body. As per the Decree, personal data includes both basic personal data and sensitive personal data.

B. Basic Personal Data

Basic personal data includes an individual’s:

• full name, middle name, birth name, and any other name (if any);
• date of birth; day, month, year dead or missing;
• gender;
• place of birth, place of birth registration, place of permanent or temporary residence, hometown, contact address;
• nationality;
• image of the individual;
• phone number, identity card number, personal identification number, passport number, driver's license number, license plate number, personal tax identification number, social insurance number, insurance card number medical;
• marital status;
• family relationship information (such as their parents and/or children);
• information about the individual's digital account; and
• personal data reflecting activities and history of activities in cyberspace.

C. Sensitive Personal Data

Sensitive personal data is any personal data that, when violated, will directly affect an individual’s legitimate rights and interests, including their:

• political views, religious views;
• health status, medical records, excluding blood information;
• racial or ethnic origin information;
• inherited or acquired genetic characteristics information;
• physical attributes and biological characteristics;
• sex life, sexual orientation information;
• data on crimes and offenses collected and stored by law enforcement agencies;
• customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including:
  • customer identification information as prescribed by law laws,
  • information about accounts,
  • information about deposits,
  • information about deposited assets,
  • information about transactions,
  • information about organizations and individuals as guarantors at credit institutions,
  • bank branches,
  • payment intermediary service providers,
• location data of an individual identified through location services.

D. Consent

The data subject's consent is a clear, voluntary, affirmative expression of the data subject's permission to process personal data.

E. Controller

Personal data controller (‘data controller’) means an organization or individual that decides the purposes and means of processing personal data.

F. Processor

A personal data processor (‘data processor’) refers to an organization or individual that performs data processing on behalf of the controller through a contract or agreement with the controller.

G. Third-Party

A third party is an organization or individual other than a data subject, data controller, or data processor who is allowed to process personal data.

IV. Obligations for Organizations Under Vietnam’s Decree No. 13/2023/ND

A. Lawful Basis Requirements

The Decree mandates that personal data be processed in accordance with the processing principles. These principles are as follows:

1. Lawfulness, fairness and transparency: Personal data must be processed in accordance with law, and the data subject should be made aware of his/her personal data processing-related activities unless otherwise stated by the law;
2. Purpose Limitation: Personal data should only be processed for the purposes that have been registered and initially declared by the relevant parties, such as the data controller, data processor, and any third party;
3. Data Minimization: Personal data collected must be appropriate and limited within the scope and purpose of its initial collection;
4. Accuracy: Personal data must be kept updated and supplemented in accordance with processing purposes;
5. Integrity, confidentiality, and security: Protective and security measures should be implemented during the processing of personal data to protect against violations and as well as to prevent and mitigate losses, destruction, or damage resulting from incidents, including the use of appropriate technical measures;
6. Storage Limitation: Personal data is only stored for a period suitable for the purpose of data processing unless otherwise provided for by law;
7. Accountability: The data controller and processor are responsible for ensuring compliance with the data processing principles.

Additionally, the Decree goes one step forward. It introduces the principle of ‘prohibition sale of personal data’, which stipulates that personal data may not be purchased or sold in any manner. In particular, the establishment of software systems or implementation of technical measures, as well as the collection, transfer, purchase, or sale of personal data without the explicit consent of the data subject, is illegal under the law.

B. Consent Requirements

The Decree outlines a number of requirements related to obtaining consent from the data subject, which include the following provisions: Firstly, the data subject's consent applies to all activities involved in the personal data processing process unless otherwise specified by law. Additionally, the data subject's consent is only considered valid if they have knowingly and voluntarily provided the following information:

1. The type of personal data to be processed;
2. Purpose of processing personal data;
3. Organizations and individuals are allowed to process personal data;
4. Rights and obligations of data subjects.

The consent of the data subject applies to all activities involved in the processing of personal data, unless otherwise specified by law and is only considered valid if he/she knowingly and voluntarily provides the required information.

The data subject must express his/her consent in writing, by voice, or by ticking a consent box, using the appropriate text message syntax, selecting the appropriate technical settings, or taking other action to clarify the consent. When there are multiple purposes for processing the data, the data controller and processor must list all of them so that the data subject can decide whether they consent to one or more of them.

The Decree further stipulates that the data subject's consent must be in a form that can be printed, copied in writing, electronically, or verified. It must be noted that the data subject's silence or lack of response does not constitute consent, and partial or conditional consent may be given, and that the data subject's consent is valid until the data subject decides otherwise.

Whenever sensitive personal data is processed, the data subject must be informed about it. Finally, the data controller and data processor are each responsible for proving the data subject's consent in case of a dispute.

C. Data Controller and Data Processor Requirements

Data controllers have several key responsibilities under the Decree. Organizations acting as personal data controllers are obligated to implement organizational and technical measures and appropriate safety and security measures to demonstrate that data processing has complied with the law. Such measures must also be reviewed and updated periodically.

Data controllers are responsible to the data subject for damages caused by the processing of personal data and, therefore, must ensure that data subjects' rights are fulfilled. They must also diligently choose and appoint a data processor that is in line with specific mandates and has necessary security measures in place. Data controllers are also required to maintain a system log of how personal data is processed and issue a notice of violations of regulations.

On the other hand, data processors can only receive and process personal data after having a contract or agreement on data processing with the data controller. Moreover, data processors should also implement technical and organizational measures to ensure the security and integrity of the personal data, as the data processor can also be held liable to the data subject for any harm brought on by the processing. After data processing is completed, data processors are required to delete all personal information and provide it back to the data controller.

Cooperation with the Ministry

Both data controllers and data processors are responsible for cooperating with the Ministry of Public Security and other appropriate state agencies, and sharing information to help with investigations and processing cases where the legislation governing personal data protection has been violated.

D. Children’s Personal Data Processing Requirements

Processing of children's personal data should always be carried out in accordance with the principle of protecting children's rights and in the best interests of the child. When processing children’s personal data, consent must be obtained from both the child as well as the parent/guardian, and the child must be at least 7 years old. Therefore, before processing the personal data of children, the data controller, data processor, data controller and processor, and the third party must confirm the age of the children.

In the following situations, data controllers and data processors stop processing children's personal data, delete it permanently, or destroy it if:

• processing data for improper purposes or fulfilling the purpose of processing personal data with the consent of the data subject;
• the parent or legal guardian of the child withdraws consent for the processing of the child's personal data; and
• at the request of a competent authority when there are sufficient grounds to demonstrate that processing personal data affects children's legitimate rights and interests.

E. Security Requirements

The Decree obligates personal data protection measures to be implemented from the beginning to the end of processing. These measures include management and technical measures taken by individuals or organizations involved in the processing of personal data. Competent state management agencies should also take measures in accordance with relevant laws and this Decree to protect personal data. Additionally, competent state agencies can take investigation and procedural measures to ensure personal data is protected.

F. Data Breach Requirements

If an organization detects a breach of any of the Decree’s provisions, it must notify the Ministry of Public Security, Department of Cybersecurity, and High-Tech Crime Prevention within 72 hours after the violation occurs. A justification shall accompany any late notification. The following must be included in the notification:

• a description of the nature of the breach, including its time, place, nature, parties involved, and types and volume of personal data affected;
• the contact details of a data protection officer;
• the possible consequences of the breach; and
• any remedial measures that are being taken. Such a notification may be made in phases.

G. Data Protection Impact Assessment

Data controllers and data processors should prepare and retain a record of impact assessment of their personal data processing from the time it begins to process personal data. This impact assessment report should include details and contact details of the data controller and data processor along with the details (names and contact information) of their respective data protection officers. The report must also outline the purposes of the data processing, the types of data being processed, recipients of the data (including those outside of Vietnam), and any transfers of personal data abroad.

Additionally, the report should highlight the retention periods, and security measures and evaluate any risks or harms of the processing and any mitigation methods for those risks or harms. These assessments’ reports must be made available to the Ministry of Public Security, Department of Cybersecurity and High-Tech Crime Prevention (regulator) for examination and evaluation, and an original must be sent within 60 days of the day the data processing was finished, using Form No. 4 of the Decree’s Appendix. The regulator must also be informed of any modifications using Form No. 05 from the Decree's appendix.

H.  Third-Party Processing Requirements

Any third parties involved in the processing activities should ensure to have suitable security measures in place to protect the personal data. Third-Party may edit the personal data of the data subject after obtaining the written consent of the data controller and data processor and after fully making sure that the consent of the data subject had been obtained. When processing the personal data of children, third parties must verify the age of the children before processing the children's personal data.

I.  Cross-Border Data Transfer Requirements

To transfer personal data of Vietnamese citizens abroad, the following information needs to be provided:

1. Name and contact information of the sender and receiver of the personal data;
2. Name and contact information of the person in charge of the data transfer;
3. Reasons why the personal data of Vietnamese citizens is being transferred abroad;
4. What type of personal data is being transferred abroad;
5. How the personal data protection regulations are being followed and what measures are taken to protect the data;
6. An assessment of how transferring personal data could impact the individuals and what measures are being taken to minimize any harm;
7. The agreement of the person whose personal data is being transferred, along with information on how they can file a complaint if needed; and
8. Proof that both parties transferring and receiving the personal data have agreed to comply with regulations regarding the protection of personal data.

The documents related to the impact assessment of transferring personal data abroad must be available for inspection by the Ministry of Public Security. The original copy should be given to the regulator within 60 days from the date of processing personal data.

The Ministry of Public Security has powers to stop the transfers of personal data outside of Vietnam where:

1. It's found that the personal data is being used for activities that go against the interests and safety of Vietnam;
2. The party sending the data is not following the rules for managing and protecting personal data that Vietnam agreed to in international agreements; and
3. There is a situation where personal data of Vietnamese citizens is lost or shared without permission.

J. Special Provisions

People and companies who sell marketing services or advertise products can only use personal information collected from customers for those purposes if the customer agrees. To use a customer's personal information for marketing services or advertising, the customer must agree and know how their information will be used, such as what products will be introduced and how often. Companies and people who sell marketing services or advertise products must show that they follow the provisions of this Decree when they use customers' personal information for marketing and advertising.

In accordance with the Decree, Vietnam shall establish a framework for international cooperation to help ensure the effective application of personal data protection laws. It shall participate in the exchange of legal information and potential investigation assistance with other authorities as well as mutual legal assistance in the protection of personal data of other countries.

V. Data Subject Rights

Under Article 9 of the Decree, data subjects have eleven rights, including::

1. Right to Know

Data subjects have the right to know about their personal data processing.

2. Right to Consent

Data subjects are free to consent or object to processing their personal data.

3. Right to Access

Data subjects have the right to access, view, and request correction of their personal data.

4. Right to Withdraw Consent

Data subjects have the right to revoke consent.

5. Right to Delete Data

Data subjects have the right to request the deletion of his/her personal data.

6. Right to Restrict Data Processing

Data subjects can request to limit the processing of their personal data. The restriction must be carried out within 72 hours after the data subject's request, with all personal data that the data subject requests to restrict.

7. Right to Provide Data

Data subjects can request a data controller to provide them with their personal data being processed.

8. Right to Object to Data Processing

Data subjects can prevent or limit the disclosure of personal data or the use of personal data for advertising and marketing purposes. The request must be fulfilled within 72 hours after receiving the request.

9. Right to Complain, Denounce and Initiate Lawsuits

Data subjects have the right to complain, denounce or initiate a lawsuit in accordance with the law.

10. Right to Claim Damages

Data subjects have the right to claim damages in accordance with the law when there is a violation of his/her personal data protection regulations unless otherwise agreed by the parties or otherwise provided for by law.

11. Right to Self-Defense

In accordance with the provisions of the Civil Code, other applicable laws, and this Decree, data subjects have the right to protect themselves, or they may request that competent agencies and organizations implement civil rights protection measures in accordance with the provisions of the Civil Code, other applicable laws, and this Decree, as outlined in Article 11 of the Civil Code.

VI. Regulatory Authority

The Ministry of Public Security's Department of Cybersecurity and High-Tech Crime Prevention and Control is the organization responsible for enforcing the Decree and is the Regulatory Authority. It works with the Ministry of Public Security to carry out state data protection management.

VII. Penalties for Non-compliance

If an organization violates the Decree, it may be subject to disciplinary action, administrative sanctions, or criminal penalties based on regulations to be issued under the Decree.

VIII. How Can an Organization Operationalize Vietnam’s Decree No. 13/2023/ND

Organizations can operationalize Vietnam’s Decree No. 13/2023/ND by following these steps:

• Identifying the personal information that the organization collects, uses, stores, and shares;
• Identify the role in the processing activity, i.e., is the organization acting as data controller, data processor or a third party;
• Identify the lawful basis of processing;
• Implement mechanisms to effectively respond to data subject requests in exercising their rights;
• Conducting a data protection impact assessment to identify the types of personal data processed, the purposes of the processing, and the potential privacy impacts;
• Implement appropriate safeguards to protect personal data's confidentiality, integrity, and availability;
• Develop a privacy program that includes policies, procedures, and controls to manage and protect personal information;
• Provide clear and concise privacy notices to individuals;
• Train employees on its privacy program, privacy policies, and procedures; and
• Have a response plan in place to respond to data breaches.

IX. How Can Securiti Help

Securiti’s Data Command Center framework enables organizations to comply with Vietnam’s Decree No. 13/2023/ND by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.