Cong Thanh Bui (James)
Lan Nguyen (Megan)
As digitalization advances, the need for comprehensive personal data protection has become a priority for legal systems worldwide. Jurisdictions such as the European Union (EU) and Vietnam have set similar standards for protecting personal data, alongside some specific differences.
The European Union (EU) sets one of the highest standards globally through its General Data Protection Regulation (GDPR), which governs the processing of personal data within the EU and beyond. In Vietnam, Decree No 13/2023/ND-CP (Decree 13) outlines the nation’s approach to safeguarding personal data. While both the GDPR and Vietnam’s Decree share common principles, such as ensuring data subject rights and securing personal information, there are key differences in their application, scope, and enforcement.
1. Key similarities
1.1. Consent-based data processing
Under Articles 6 and 7 of the EU’s GDPR, processing of personal data must be based on lawful grounds, with consent being a key basis. Indeed, obtaining consent from individuals before processing personal data is mandatory; consent must be specific, informed, freely given, and revocable.
Vietnam’s Decree 13 aligns closely with the GDPR in requiring informed and explicit consent. Indeed, consent is required for the collection and processing of personal data, with data subjects given the right to revoke it at any time (Article 11).
1.2. Rights of data subjects
The GDPR provides several rights for data subjects such as:
- The right of access (Article 15 GDPR): data subjects have the right to access their data and know how it is being processed;
- The right to rectification (Article 16 GDPR): data subjects can request correction of inaccurate data;
- The right to erasure or right to be forgotten (Article 17 GDPR): data subjects can request the deletion of their personal data;
- The right to data portability (Article 20 GDPR): data subjects can request the transfer of their data between different services.
Vietnam’s Decree 13 also grants data subjects similar rights to:
- Access their personal data (Article 13);
- Request corrections to inaccuracies (Article 15);
- Withdraw consent for processing (Article 15);
- Request deletion of their personal data if it is no longer needed for the original purposes (Article 16).
1.3. Data security obligations
A personal data breach refers to any security incident resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
Under Article 33 of the EU’s GDPR, data controllers must notify supervisory authorities of any data breach within 72 hours. Indeed, the organization must promptly inform the relevant supervisory authority. If the breach poses a high risk to individuals’ rights and freedoms and the risk has not been addressed, the affected individuals must also be notified without undue delay.
Vietnam’s Decree 13 is similar to the GDPR: organizations must report breaches to the Ministry of Public Security (MPS) and notify affected individuals (Article 23).

2. Key differences
2.1. Personal data classification
In the EU conception, personal data is, by its nature, particularly sensitive in relation to fundamental rights and freedoms and merits specific protection, as the context of its processing could create significant risks to those rights and freedoms. There is no clear classification of personal data.
In the Vietnamese conception, by contrast, personal data is classified into common personal information and sensitive personal information.
2.2. Scope of application
The GDPR is a comprehensive and far-reaching regulation that applies to entities that process the personal data of EU citizens, regardless of their physical location (Article 3 GDPR). This means companies outside the EU, including Vietnam, must comply if they handle data from EU citizens.
In contrast, Vietnam’s Decree focuses on businesses operating within the country, emphasizing cybersecurity and data localization for national security purposes, a narrower focus than the GDPR.
2.3. Data localization
The GDPR allows cross-border data transfers to non-EU countries, provided that adequate protection is in place (Article 45 GDPR).
By contrast, Vietnam’s Decree requires businesses to store certain personal data locally, particularly data of Vietnamese citizens, for a minimum of 24 months. When transferring personal data abroad, an overseas personal data transfer impact assessment file must be established and submitted to the Department of Cyber Security and High-Tech Crime Prevention, Ministry of Public Security.
2.4. Enforcement and penalties
The GDPR imposes strict penalties for non-compliance, with fines of up to 20 million euros or 4% of global annual turnover (Article 83 GDPR).
Vietnam’s Decree 13 focuses more on state interest and national security, which can sometimes limit the protection of individual privacy. However, in the near future, draft regulations on penalties for violations of personal data protection regulations will come into force.
2.5. Supervisory authorities
The EU’s GDPR establishes independent Data Protection Authorities (DPAs) in each member state, supervised by the European Data Protection Board (EDPB) (Articles 51 to 59 GDPR). These authorities are empowered to investigate breaches and impose sanctions.
Vietnam, on the other hand, does not have an independent data protection authority. The MPS oversees data protection issues, particularly through a cybersecurity lens.

3. Conclusion
Thus, while both Vietnam and the EU recognize the importance of personal data protection, the GDPR provides a more comprehensive and rights-focused framework, with broad territorial scope and stringent enforcement. Vietnam’s Decree 13, while offering basic protection, is still limited in scope and prioritizes state security. Companies operating in both regions must navigate these differences to ensure compliance, particularly when handling cross-border data transfers or operating in sectors where national security concerns are paramount.
At PLF Law Firm
Personal Data Protection laws in Vietnam and the EU share common principles, such as consent-based data processing, data subject rights, and obligations to report data breaches. However, they differ in areas like data classification, application scope, data localization, enforcement, and supervisory mechanisms. While Vietnam’s Decree 13 emphasizes protecting Vietnamese citizens’ data and prioritizes state security with a narrower scope, the EU’s GDPR offers a more comprehensive, globally oriented framework. Businesses, especially those engaged in FDI, must navigate these differences to comply with data collection and processing requirements in both jurisdictions.
Article completion date: December 27th, 2024.
Mr. Cong Thanh Bui, Managing Partner – Director
The article is based on laws applicable at the time noted as above and may no longer be appropriate at the time the reader approaches this article as the applicable laws and the specific cases that the reader may wish to apply may have changed. Therefore, the article is for referencing only.
