The long-awaited Decree on Personal Data Protection (“PDPD”) has finally been issued as Decree No. 13/2023/ND-CP last night.

Mirroring the EU’s General Data Protection Regulation in different aspects, the PDPD introduces various new requirements to any organizations/individuals engaging in and/ or related to personal data processing activities in Vietnam.

Notable provisions under the PDPD include:

  • Extra-territorial scope of application – the PDPD will apply to both local and offshore entities directly engaging in and/or related to personal data processing activities in Vietnam.
  • Extended categories of regulated subjects – as hinted under the draft Cybersecurity Administrative Sanctions Decree, the PDPD recognizes the concepts of “data controller” and “data processor”. It also introduces the concept of “data controlling and processing entity”
  • Broad definition of personal data and data processing – similar to the public draft version of the PDPD, the final issued version classifies personal data into two groups of “basic personal data” and “sensitive personal data”. In which, the list of sensitive personal data is very broad and non-exhaustive.
  • New requirements for a valid consent, sensitive personal data processing, and cross-border data transfer. No specific data localization requirement was introduced.
  • Obligation to apply different managerial and technical measures to protect personal data, including personal data protection impact assessment; and
  • Strict time limit to comply with a data subject’s request.

The PDPD will come into effect on 01 July 2023. A grace period of 2 years, however, only applies to small-and-medium sized enterprises.

Author

Manh-Hung Tran is the practice group leader of the Intellectual Property (IP) and Technology Practice Groups of Vietnam offices. For years, he has been constantly ranked as a leading IP lawyer by numerous researchers such as Chambers Global and Chambers Asia. He regularly writes articles concerning pressing legal issues in both English and Vietnamese, and his works have been published regularly in various reputable publications. He has assisted the government in reviewing and revising the IP Law, the IP provisions under the country’s criminal code, the draft e-Transaction Law, and the first draft Personal Data Protection Decree, etc. While Hung's practices run the full gamut of IP work, he also specializes in the Telecommunications, Media, and Technology (TMT) practice, advising multinational corporations on data privacy, monetization, product reviews, AdTech, regulatory and user rights, cybersecurity, e-commerce, offshore social media, digital services, data breach and incidents, and other emerging technologies. He has been assisting international film studios and streaming clients with various film and TV series productions in Vietnam.