Vietnam Personal Data Protection Decree No.13/2023

Vietnam’s Personal Data Protection Decree is a comprehensive data privacy law, applying to every entity directly participating in or related to personal data processing activities in Vietnam.

Are you covered under Vietnam’s Decree?

This Decree applies to:

  • Vietnamese agencies, organizations and individuals;
  • Foreign agencies, organizations and individuals located within the jurisdiction of Vietnam;
  • Vietnamese agencies, organizations and individuals operating outside the jurisdiction of Vietnam; and
  • Foreign agencies, organizations and individuals directly participating in or related to personal data processing activities within Vietnam.

Key obligations of Vietnam’s Decree:

Prohibition on the purchase and sale of personal data

It is illegal for entities to establish and implement software systems, technical measures or organize activities to collect, transfer, purchase and/or sell personal data without first obtaining consent from data subjects. Furthermore, personal data must not be bought or sold by any means, unless permitted by law.

Purpose limitation

Personal data shall only be processed for the purposes that have been registered and declared by the personal data controller, the personal data processor, or both, and/or a third party.

Conditions to processing children’s data

Children’s data may be processed only where consent has been obtained from the child (who must be 7 years or older) and from the parent/guardian of the child.

Entities shall immediately cease processing and/or delete children’s data when: the purpose of processing is not covered by valid consent, the purpose of processing has been completed, the data is being processed for an improper purpose, the parents/guardians of the child withdraw their consent to processing, and when requested by competent authorities where there is evidence to prove that the processing affects the child’s legitimate rights and interests.

Access to information

Personal data controllers and processors must provide data subjects with a copy of their personal data within 72 hours of receiving the request. Personal data controllers and processors shall ensure that access requests are submitted in the Vietnamese language and that each request is supplemented with the following documentation from the data subject:

  • Contact information (e.g. full name, place of residence, address, ID card number or passport number, fax number, phone number, and email address);
  • The specific type of personal data requested (e.g. specifying a specific document name or record being sought);
  • The form of access; and
  • Reasons and purposes for requesting access.


  • Are there exceptions where I do not need to comply with an access request?

    Yes. There are exceptions where compliance with access requests is not permitted, including where:

    • Such request will cause harm to national defense, security, social order and safety;
    • Such request may affect the safety, physical or mental health of the data subject and/or other individuals; and
    • The data subject has not provided their consent to processing, and does not authorize any third party to receive their data.
  • What are the legal bases for processing personal data?

    The Decree provides six legal bases, including:

    • Where processing is based on consent obtained from the data subject;
    • In emergencies where data must be processed to protect the life and health of the data subject;
    • Where personal data is made publicly available, in accordance with the law;
    • Where a competent state authority processes data for purposes of national security;
    • Where processing is necessary for the performance of a contract; and
    • Where processing is intended to serve operations of state agencies.

    The Decree does not establish a condition where data can be processed based on a legitimate interest.

  • How do I ensure compliance with the Decree when processing sensitive personal data?

    All entities must establish a dedicated department within their organization and appoint an officer responsible for monitoring the protection of sensitive personal data.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
