
Apolo Editorial Team
Apolo Lawyers Editorial Desk
Data Privacy Law in Vietnam: PDPD Compliance Guide
Introduction
Vietnam's Personal Data Protection Decree (PDPD, Decree 13/2023/ND-CP), effective July 1, 2023, established the country's first comprehensive data privacy framework. For businesses operating in or targeting Vietnam, compliance is now mandatory.
Scope and Applicability
Who must comply?
- All organizations processing personal data of individuals in Vietnam
- Both Vietnamese and foreign entities
- Applies regardless of where processing occurs
What is personal data?
Basic personal data: Name, date of birth, gender, address, phone number, email, nationality, ID number, images.
Sensitive personal data: Political opinions, religious beliefs, health data, financial data, sexual orientation, biometric data, genetic data, criminal records, location data.
Key Obligations
1. Consent
- Must obtain explicit consent before processing personal data
- Consent must be informed, specific, and freely given
- For sensitive data: consent must be separate and explicit
- Must be able to demonstrate consent was obtained
2. Data Processing Agreement
Required for all data processing activities. Must include:
- Purpose of processing
- Types of data processed
- Duration of processing
- Security measures
- Rights of data subjects
3. Data Protection Impact Assessment
Required when:
- Processing sensitive personal data
- Processing data of children
- Cross-border data transfers
- Using new technologies for processing
- Processing data for automated decision-making
4. Data Breach Notification
- Notify the Ministry of Public Security within 72 hours
- Notify affected data subjects without undue delay
- Document all breaches regardless of notification obligation
Data Subject Rights
Individuals have the right to:
- Be informed about data collection and processing
- Consent to or refuse data processing
- Access their personal data
- Rectify inaccurate data
- Delete their data
- Restrict processing
- Object to processing
- Data portability: receive data in a structured format
- Lodge complaints with authorities
- Claim damages for violations
Cross-Border Data Transfer
Requirements
Transfer of personal data outside Vietnam requires:
- Consent of the data subject
- Data Protection Impact Assessment
- Notification to the Ministry of Public Security
- The transferring organization remains responsible for data protection
- Written agreement with the receiving party
Data Localization
- No general data localization requirement
- Specific sectors (banking, telecom) may have localization rules
- Government data must be stored in Vietnam
Penalties
- Administrative fines: up to 100 million VND per violation
- Criminal liability: possible for severe violations
- Civil liability: damages claims from affected individuals
- Operational: suspension of data processing activities
Compliance Roadmap
Immediate steps
- Audit current data practices: What data do you collect, why, and where is it stored?
- Update privacy policies: Vietnamese and English versions
- Implement consent mechanisms: Clear, specific, documented
- Appoint a data protection officer: Recommended for organizations processing large volumes
Ongoing compliance
- Regular data protection impact assessments
- Employee training on data handling
- Vendor due diligence for data processors
- Incident response plan for data breaches
- Annual compliance review
Conclusion
Vietnam's PDPD represents a significant step toward international data privacy standards. Early compliance not only avoids penalties but builds trust with Vietnamese consumers and business partners.
Contact Attorney Vo Thien Hien at Apolo Lawyers for data privacy compliance advisory.
Authored by the Apolo Lawyers editorial team — senior associates and content specialists — with legal content reviewed by Managing Partner Vo Thien Hien before publication.