Vietnam’s Personal Data Protection 2024: What to be aware of? 

According to the Vietnam E-commerce Association (VECOM), as of early 2024, there were 78.44 million internet users in Vietnam with 72.7 million social media users (equivalent to 73.3% of the total population and 165.5 million mobile connections (equivalent to 169.8% of the total population) in Vietnam1. These statistics highlight Vietnam’s rapid growth in internet and mobile connectivity, underscoring the critical importance of personal data protection. 

Previously, regulations on personal data protection were not specifically codified in a standalone law document, aspects of this issue can only be found dispersed across various laws, including the Civil Code 2015, the Law on Information Technology No. 67/2006/QH11, the Law on Cyber Information Security No. 86/2015/QH13, and the Law on Electronic Transactions No. 20/2023/QH15. These regulations lacked a unified approach to defining and safeguarding personal data. 

Recognizing its importance, on 17 April 2023, the Vietnamese Government issued Decree No. 13/2023/ND-CP (“Decree 13”) on Personal Data Protection, marking a significant step in establishing a legal framework for protecting personal data in Vietnam. Decree 13 took effect on 1 July 2023 and is part of the ongoing effort to promote and safeguard citizens’ privacy rights, paving the way for the eventual creation of the Law on Personal Data Protection (“Law”). 

Implementation of Decree 13 

Briefly, Decree 13, consisting of 4 Chapters with 44 Articles, applies to all Vietnamese and foreign agencies, organizations, and individuals involved in personal data processing activities in Vietnam and abroad. The main contents of Decree 13 include: defining and classifying personal data, outlining the rights of data subjects, establishing principles in processing personal data, and specifying the responsibilities of individuals and organizations handling personal data.  

After a year of being officially effective, Decree 13 has significantly impacted the responsibilities of relevant agencies, organizations, and individuals. Following the issuance of Decree 13, relevant state agencies and local authorities established and announced plans to implement Decree 13. These agencies have conducted campaigns to disseminate and propagate the decree to the public and businesses. They are also in the process of implementing the necessary steps to establish more detailed regulations for reviewing, identifying, and applying appropriate personal data protection measures, as well as investigating and addressing regulatory violations. Moreover, to support the development of the Law, central and local agencies have compiled and reported a summary of Decree 13’s implementation within their jurisdictions, highlighting existing limitations and recommendations. 

To ensure compliance with Decree 13, the enterprises have taken several crucial steps such as: reviewing and updating their contracts and agreements to align with data protection requirements, including obtaining consent and notifying data subjects about the handling of sensitive information; appointing dedicated personnel for managing sensitive data and informed the Cybersecurity Authority accordingly; reviewing their procedures for situations where customers withdraw consent or request data deletion, etc. However, enterprises struggled with preparing impact assessment reports, liaising with data processors and third parties to gather relevant documents, and lacked specific guidance on how to report from authorities. They also faced issues with insufficient resources and time to review all internal policies, and limited internal training capacity due to expertise and budget constraints2

Law on Personal Data Protection  

Given the limitations in implementing Decree 13 and the practical issues of personal data breaches, it is essential to promptly supplement and formalize the regulations of personal data protection into law to ensure stability, comprehensiveness, and direct regulation of personal data protection issues. It is clear that the swift enactment of the Law is both crucial and urgent.    

The Ministry of Public Security of Vietnam (MPS) is the leading authority in developing the Law. The MPS finalized a draft of the Dossier proposing the development of the Law (“Draft Dossier”) on 29 February 2024 and updated it on the MPS’s electronic information portal to collect opinions and suggestions from agencies, organizations, and individuals within 30 days, including a Draft of Report on the Assessment of the current state of social relations; and a Draft of Report on the Assessment of policy impacts3.

The MPS proposed four policies in its Draft Dossier, which include:  

(i) Standardizing legal regulations on terms related to personal data and personal

(ii) Clearly defining the rights and obligations of data subjects;

(iii) Enhancing regulations on personal data protection during data processing;  

(iv) Finalizing regulations to ensure the conditions and measures for safeguarding personal data. 

By 19 July 2024, during the Government Standing Committee’s conference on digital transformation, Prime Minister Pham Minh Chinh reiterated the urgent completion of the proposal for the Law to the MPS and relevant authorities. 

Conclusion 

Vietnam is taking significant steps towards enhancing personal data protection. These regulatory developments not only strengthen the legal framework for safeguarding citizens’ privacy rights but also align Vietnam with global data protection standards. As the digital landscape continues to evolve, the ongoing efforts to refine and expand the country’s data protection regime will be crucial in addressing the complexities of data privacy, fostering public trust, and ensuring responsible data management across all sectors. 

In D’Andrea & Partners Legal Counsel we have authored innovative publications exploring Vietnam, produced in order to provide foreign investors and businesses with more practical guidance on how to do business in Vietnam, as it requires a specific context of the economic and legal framework of the country, including tailor made consultancy for Personal Data Protection in Vietnam. 

The above content is provided for informational purposes only. The provision of this article does not create an attorney-client relationship between D’Andrea & Partners and the reader and does not constitute legal advice. Legal advice must be tailored to the specific circumstances of each case, and the contents of this article are not a substitute for legal counsel. 

Riccardo Verzella Riccardo Verzella

Riccardo Verzella

Senior Associate
Riccardo Verzella, a highly qualified Italian lawyer, has been based in Shanghai, China since January 2020.
Carlo Fabrizi Carlo Fabrizi

Carlo Fabrizi

Legal Advisor
Carlo Fabrizi, a representative of D’Andrea & Partners Legal Counsel, handles Foreign Direct Investment projects in Vietnam and South China

Contact us for a
first consultation

CONTACT US FOR A FREE CONSULTATION

This field is for validation purposes and should be left unchanged.