April 18, 2023
On April 17, 2023, the Vietnamese government issued Decree No. 13/2023/ND on the Protection of Personal Data (“PDPD”), following extensive public consultations and multiple rounds of review since the first release of its draft version in February 2021. This is a long-awaited legal instrument which is designed to be the very first comprehensive regulation on the protection of personal data in Vietnam. The PDPD is set to take effect on July 1, 2023, without any transitional period. All Vietnamese and foreign organizations and individuals located in Vietnam and/or directly participating in or related to personal data processing activities in Vietnam must comply with the PDPD.
As expected, the PDPD sets out significantly new requirements on the processing of personal data. The most critical provisions include:
Eight principles for the processing of personal data: (i) lawfulness, (ii) transparency, (iii) purpose limitation, (iv) data minimization, (v) accuracy, (vi) integrity, confidentiality, and security, (iv) storage limitation, and (viii) accountability (Article 3).
Critical new definitions and concepts, notably including personal data (Article 2.1); basic personal data (Article 2.3); sensitive data (Article 2.4); data subject (Article 2.6); data controller (Article 2.9); data processor (Article 2.10); parties controlling and processing personal data (Article 2.11); third parties (Article 2.12); and cross-border transfer of personal data (Article 2.14).
Eleven data subject rights, including the right to know; right to consent; right to access; right to withdraw consent; right to delete data; right to restrict data processing; right to request the provision of data; right to object to data processing; right to complain, denounce and initiate lawsuits; right to claim compensation for damage; and right to self-defense (Article 9).
Specific responsibilities of data controllers (Article 38), data processors (Article 39) and third parties (Article 41).
Specific requirements in the exercise of data subject rights (Articles 14-16).
Rules on data subjects’ consent, including the requirements on