On April 17th, 2023, the Government issued Decree No. 13/2023/ND-CP on the Protection of Personal Data (”PDPD”). Since its implementation on July 1st, 2023, the Decree provides for a more comprehensive and protective framework to regulate personal data processing of both, organizations and individuals.

1. What is meant by personal data and processing of such data?

Personal data includes all types of information in the form of symbols, letters, numbers, images, sounds, or the like on an associated electronic medium that relate to an individual and which makes it possible to identify and distinguish them, directly or indirectly, from a group of people. It can be identity characteristics, whether physical, social, or economic but also information that could be considered as common such as a name, date of birth, photo, or e-mail address.

Some of that information can be highly sensitive, including revealing political opinions, racial and ethnic origins, or religious beliefs.

Personal data protection means activities to prevent, detect, and handle violations related to personal data under the Law. The processing of such data refers to one or more activities such as the collection, recording, analysis, confirmation, storage, correction, disclosure, combination, sharing, recovery, sorting, consultation, dissemination, deletion, or destruction of information, or other related activities.

In recent years, new computer tools, such as social media or cloud computing, and more recently Artificial Intelligence (AI) have made even more frequent the processing of personal data. It is now part of our day-to-day life, as we can see with cookies, those small text files present whenever you are entering a website and requiring you to accept the collection of your data. As they are permanent, we tend to accept the use of cookies and give our consent automatically. However, through this feature, a lot of data are collected, including the users’ navigation data and centers of interest.

2. Why is the protection and regulation of personal data essential?

The protection of personal data stands as a safeguard for ensuring that individuals’ rights and freedoms are not violated. It helps reduce the risks for wrongful use of personal data, such as identity theft or manipulation through such data.

As personal data are used by companies for targeted marketing strategies, ensuring their protection is key for fair commerce.

Regulation on personal data processing is essential. Hence, the promulgation of the Decree on Personal Data Protection is much welcome new legal instrument.

3. What are the key contributions of the Decree?

3.1 Setting principles and rights

The Decree establishes key principles and rights for effective protection of personal data. These include accuracy, relevance, and limited processing of collected data, lawful collection, and a certain level of security.

3.2 Rights of individuals

The Decree outlines rights similar to the EU’s GDPR for individuals, including the right to access their personal data, the right to object to data processing, the right to consent and withdraw consent, and the right to request data deletion.

3.3 Rules for specific cases

The Decree introduces rules and requirements for processing data related to specific individuals, such as missing or deceased persons and children. Data controllers, who are organizations or individuals involved in data processing, are held liable for protecting personal data.

3.4 Protective measures 

Data controllers are required to implement protective measures for personal data, such as data protection impact assessments, to assess the level of risk in data processing projects. They may also need to appoint a data protection officer in cases involving sensitive personal data.

3.5 Consent for data collection

In general, the Decree states that personal data should be collected with the consent of the individual concerned. However, there are exceptions where data processing can occur without consent, such as when it’s necessary to protect a person’s life and health or during a state of emergency.

3.6 Cross-border data transfer

The Decree imposes requirements on data controllers when transferring personal data across borders. This is expected to have a significant impact on business operations in Vietnam, as companies will need to align with these requirements and develop compliance strategies.

Overall, the Decree aims to establish a comprehensive framework for protecting personal data in Vietnam, defining rights, responsibilities, and procedures for data handling and protection.

The article is based on laws applicable at the time noted as above and may no longer be appropriate at the time the reader approaches this article as the applicable laws and the specific cases that the reader may wish to apply may have changed. Therefore, the article is for referencing only.