Vietnam publishes long-awaited Personal Data Protection Decree

The Government of Vietnam publishes the PDPD two years after it was first introduced

Robb Hiscock
Senior Content Marketing Specialist, CIPP/E, CIPM
April 19, 2023


On April 17, 2023, the Government of Vietnam published its Personal Data Protection Decree (PDPD). The first draft of the PDPD was issued back in 2021 and has since been through a public consultation resulting in the final text that will enter into effect on July 1, 2023. 

Despite the short window before the PDPD enters into effect, there is no transitional period, meaning that organizations covered by the PDPD will have little over two months to develop a privacy program that complies with the law's new requirements. Like many modern privacy laws, the PDPD contains requirements for privacy notices, privacy risk assessments, and data subject rights, and it sets out the conditions for valid consent and the circumstances in which consent can be withdrawn. Keep reading for an overview of Vietnam's PDPD and some of its key requirements.


What are the key compliance areas of the PDPD?


Scope of application

Before looking at the compliance requirements of the PDPD you should first assess whether the PDPD will apply to your business. The law’s scope of application includes: 

  • Vietnamese agencies, organizations, and individuals

  • Foreign agencies, organizations, and individuals in Vietnam

  • Vietnamese agencies, organizations, and individuals operating abroad

  • Foreign agencies, organizations, and individuals processing personal data in Vietnam


If your business falls under one of the above definitions, then there are several new requirements that you will need to comply with ahead of the July 1 entry into effect. Start-ups, micro-enterprises, and small and medium enterprises (SMEs) have the right to choose to be exempt from the PDPD’s regulations for the first two years of operation from the date of registration unless they are directly involved in personal data processing activities.


Personal data and sensitive personal data

Similarly, it is important to understand what the PDPD means by "personal data" and "sensitive personal data". Personal data includes:

  • Name of the data subject, including full name, middle name, birth name, or any other name

  • Date of birth, death, or date an individual might have become missing

  • Gender

  • Place of birth and birth registration

  • Place of permanent or temporary residence including hometown and contact address

  • Nationality

  • Image

  • Phone number, national identification number, or medical insurance card number

  • Marital status

  • Family relationship details including parents and children

  • Digital account details and online activities


The PDPD defines sensitive personal data as personal data that, when violated, will directly affect an individual's legitimate rights and interests. This includes information relating to:

  • Political and religious views

  • Health status and medical records (excluding blood type) 

  • Racial or ethnic origin

  • Genetic characteristics, physical attributes, and biological characteristics

  • Sex life and sexual orientation

  • Criminal records held by law enforcement agencies

  • Customer information of credit institutions

  • Location data


Privacy notices

Covered organizations will be required to present a privacy notice to data subjects before processing personal data. The PDPD specifies the information that must be included in the privacy notice, which includes:

  • Purposes of the processing activity

  • Types of personal data that will be collected for the purposes of processing

  • Information on the third parties that will be involved in the activity

  • Unexpected consequences and damage that are likely to occur

  • Time frames of the data processing activity


PDPD privacy notices should be formatted in a manner that data subjects can print or reproduce in writing. There are certain circumstances where a privacy notice is not required including where personal data is being processed by a state agency for purposes in accordance with the law.


Risk assessments

Data controllers have a requirement to conduct a data protection impact assessment before starting a processing activity. Additionally, controllers are required to keep records of these impact assessments, which should be accessible for auditing purposes and sent to the Ministry of Public Security within 60 days from the date of processing of personal data.

Impact assessments must include details relating to:

  • The purpose of processing personal data

  • The types of personal data to be processed

  • The third parties receiving personal data

  • The transfer of personal data internationally 

  • Processing timeframes 

  • Estimated time to delete or destroy personal data

  • The data protection measures applied 

  • The assessment of the benefits of the processing activity

  • The consequences or unwanted damage that is likely to occur

  • The measures to reduce or eliminate such risk or harm 


Data subject rights

The PDPD provides a broad range of rights to data subjects, many of which are common under modern privacy laws. 

PDPD data subject rights include:

  • Right to know - Data subjects have the right to know about processing activities that involve their personal data

  • Right to consent - Data subjects have the right to give and withdraw consent for the processing of their personal data, except in the case where consent is not needed under Article 17 

  • Right to access - Data subjects have the right to access their personal data in order to view it, correct it, or request its correction

  • Right to withdraw consent - The data subject is entitled to withdraw their consent

  • Right to deletion - The data subject can request to have their personal data deleted

  • Right to restrict data processing - Data subjects can limit the processing of their personal data; the restriction must be carried out within 72 hours of the request being made

  • Right to object to data processing - The data subject has the right to object to the processing or disclosure of personal data for advertising and marketing purposes. Requests should be fulfilled within 72 hours

  • Right to complain, denounce and initiate lawsuits - Data subjects have the right to complain, denounce or initiate a lawsuit in accordance with the law

  • Right to claim damages - Data subjects have the right to claim damages in accordance with the law when there is a violation of the PDPD involving their personal data

  • Right to self-defense - Data subjects have the right to protect themselves according to the provisions of the Civil Code


Valid consent

Valid consent of the data subject is required for all processing activities under the PDPD. There are several exceptions where processing personal data is permitted without consent such as in the vital interests of the data subject, where processing is necessary for compliance with the law, or to fulfill a contractual obligation. 

Consent can only be considered valid when the data subject voluntarily and clearly knows the following:

  • The type of personal data being processed (or type of sensitive personal data, where applicable)

  • The purposes of processing 

  • The third parties that will process personal data

  • Their rights under the PDPD


Consent must be clear and specific and given through affirmative action such as in writing, by voice, or by ticking a consent box, among other things. Silence or inactivity is not considered as valid consent under PDPD and data subjects may give partial or conditional consent. 


Other notable provisions

The PDPD also includes a range of other responsibilities for data controllers, data processors, and third parties. These include conditions for cross-border transfer of personal data such as transfer impact assessments and post-transfer notifications. The PDPD also includes rules for processing personal data obtained through audio and video recording activities in public places and the processing of children’s personal data. 

Other requirements include protecting personal data in the context of marketing services and advertising products. The measures required to protect sensitive personal data include assigning a data protection officer.


How can businesses prepare?

As with most modern privacy laws, the best place to start when preparing your privacy program is to conduct a data discovery exercise to understand what data you have and where it is stored. Classifying and mapping this personal data against the provisions of new laws will help you to visualize data flows, identify third parties, and ensure requirements are met in compliance with the law such as data transfer requirements.  

In the case of the PDPD, you should ensure that you understand which types of information fall under the definitions of personal data and sensitive personal data, and that you either hold valid consent or have implemented methods for collecting it, in preparation for the PDPD's entry into effect.

Privacy notices will be one of the most outwardly visible areas of compliance with the PDPD. Ensuring your web properties are displaying the correct notice that fulfills the criteria set out by the PDPD will be essential for transparency and accountability with the law. 

The PDPD introduces a broad range of data subject rights, so you should ensure that you have the correct methods for the intake of these requests and that you are set up and ready to fulfill them. Linking your subject rights fulfillment process with your data map will help you to ensure that all instances of personal data relating to the data subject can be easily found and matched against the different types of request.

To prepare for the PDPD's impact assessment requirements, you should begin to develop a risk assessment template that takes into account all of the required information and assessment criteria. You can build your assessment from scratch or use a pre-built template that satisfies the risk assessment requirements of several laws. Additionally, the PDPD requires you to perform a transfer impact assessment when transferring data outside of Vietnam. Therefore, it is vital to have a robust process in place for completing risk assessments and a solid understanding of your personal data processing activities.

Speak to an expert today to learn more about how the OneTrust Privacy & Data Governance Cloud can help you get ready for the Vietnam PDPD ahead of July 1.
