Legal Update: Vietnam accelerates the completion of its legal framework for personal data protection to drive economic and social development

Vietnam is actively working to finalize the legal framework for personal data protection to enhance the capacity of domestic organizations and individuals to protect personal data at international and regional levels. This effort aims to promote the lawful use of personal data for economic and social development. Currently, the draft Law on Personal Data Protection is being reviewed and receiving feedback from relevant agencies, organizations, and individuals before being submitted to the National Assembly for comments in September 2025 and approval at the end of the year. 

The draft Personal Data Protection Law, developed with public consultation by the Ministry of Public Security, is expected to take effect on January 1, 2026, marking a significant step forward in completing the legal framework for personal data protection in Vietnam.

In this context, the Ministry of Justice recently held a meeting to review the draft law with some key points as follows:

Key Issues Identified by the Ministry of Public Security: 

• Excessive Data Collection: Many organizations collect more personal data than necessary for their business needs, lacking a legal basis for such collection. 

• Data Processing Transparency: Organizations often fail to clarify how personal data is processed, for what purposes, to whom it is transferred, and its overall impact. 

• Lack of Consent: Many activities involving personal data collection and processing occur without obtaining consent from data subjects. Reaching out to data subjects for consent later often results in refusal since they are unaware of how their data was initially obtained. 

Rights and Legal Protections: 

• The basic rights of citizens concerning personal data are not well guaranteed, and citizens lack knowledge about how to protect their data, file complaints, or seek compensation for legal violations affecting their rights. 

• The primary cause is the lack of legal recognition of citizens' rights over their personal data, limited awareness among data subjects, and an incomplete mechanism for enforcing these rights. 

Necessity for the Law on Personal Data Protection: 

• Improving Legal Framework: The law is necessary to complete the legal framework for personal data protection, providing a legal basis for protecting personal data. 

• Enhancing Protection Capabilities: The law aims to elevate the capacity of organizations and individuals in Vietnam to protect personal data to international and regional standards. 

• Legal Use of Personal Data: It promotes the lawful use of personal data to support economic and social development. 

4. Specific Issues in Financial, Banking, and Credit Activities: 

• Specialized Terms: The draft law uses many financial and banking terms that require review and adjustment to ensure accuracy. 

• Coverage of Personal Information: Current provisions focus mainly on credit information but should also cover various types of customer information held by financial institutions. 

• Certification for Data Processing Services: The draft assigns the government to detail procedures for issuing certificates for personal data processing services. There is a call to avoid additional licensing requirements or streamline the process in consultation with authorities. 

Financial Impact and Implementation Costs: 

• The draft highlights the need for government investment to implement the law, including costs for document printing, media contracts, equipment procurement, and building a data protection workforce. However, there is a need for a more detailed financial impact assessment and resource allocation plan. 

To support these assessments and analyses, the Government of Vietnam issued Decree 13/2023/ND-CP on personal data protection on April 17, 2023. This decree aims to align Vietnam's data protection practices with international standards, such as the EU's General Data Protection Regulation (GDPR). 

Decree 13/2023/ND-CP

Currently, Decree 13/2023/ND-CP is in effect, and organizations and individuals involved in processing personal data must strictly comply. Below are some important points to note: 

1. Scope and Applicability: 

• Vietnamese Agencies, Organizations, and Individuals: The decree applies to all Vietnamese entities and individuals. 

• Foreign Entities: It also applies to foreign organizations and individuals operating in Vietnam or processing personal data of Vietnamese citizens. 

2. Definitions: 

• Personal Data: Any information that can identify a natural person, expressed in forms such as symbols, text, digits, images, or sounds in an electronic environment. 

• Basic Personal Data: Includes name, date of birth, address, gender, nationality, contact details, personal identification numbers, and other similar information. 

• Sensitive Personal Data: Information that, when infringed upon, directly affects an individual's legitimate rights and interests, such as political views, religious beliefs, health status, and biometric data. 

3. Rights of Individuals: 

• Access: Individuals have the right to access their personal data held by organizations. 

• Correction: Individuals can request corrections to inaccurate personal data. 

• Deletion: Individuals can request the deletion of their personal data under certain conditions. 

4. Obligations of Data Controllers: 

• Consent: Data controllers must obtain explicit consent from data subjects before processing their personal data. 

• Security Measures: Organizations must implement appropriate technical and organizational measures to ensure data security. 

• Transparency: Data controllers must provide clear information about data processing activities, including the purpose and legal basis for processing. 

5. Data Protection Authority: 

• The decree establishes a data protection authority responsible for overseeing personal data protection in Vietnam. This authority will handle complaints, conduct investigations, and enforce compliance with the decree. 

6. Reporting Obligations: 

• Risk Assessment Reports: Businesses managing sensitive personal data must perform risk assessments and submit impact assessment reports before transferring or processing core data. 

• Data Breach Notifications: Organizations must report any personal data breaches to the Ministry of Public Security within 72 hours of discovery. 

• Annual Data Protection Reports: Companies may submit annual reports detailing their data protection practices, compliance measures, and any incidents that occurred during the year. 

Conclusion: 

The development of the Law on Personal Data Protection aims to perfect the legal system on personal data protection in Vietnam, create a legal framework for personal data protection, and improve the capacity to protect personal data for domestic organizations and individuals to reach international and regional levels. However, before the Law is passed by the National Assembly, organizations, individuals, and businesses involved in the processing of personal data need to strictly comply with the provisions of Decree 13/2023/ND-CP. Violations can result in: 

• Disciplinary action 

• Administrative sanctions 

• Criminal proceedings 

At ATLAS, we provide comprehensive information related to compliance with Decree 13/2023/ND-CP on personal data protection, including supporting businesses in training on compliance with personal data processing, consulting on necessary procedures, drafting impact assessment dossiers, supporting the preparation and submission of annual reports to competent state agencies. 

ALTAS LAW is committed to supporting investors and businesses during this volatile period. If you need more detailed information or support in complying with Vietnamese law, please contact ALTAS at contact@altas.vn.  

Written by: Altas Managing Partner & Senior Legal Assistant Pham Uyen Thy 

Date: 10.02.2025