
Preparing for Decree 13/2023/NĐ-CP: Protecting Personal Data and Ensuring Compliance for Your Business in Vietnam

After an extended deliberation period in which multiple draft decrees circulated for public comment, Decree 13/2023/NĐ-CP on Personal Data Protection has finally been promulgated (“Decree 13”). Decree 13 is set to take effect from July 1st, 2023. Decree 13 focuses on the rights of data subjects, responsibilities of data controllers, processors, and third parties, and the obligations of government agencies in relation to personal data protection.

Key components of Decree 13

  1. Clear definitions of personal data and sensitive personal data, setting the groundwork for the principles of lawful and transparent processing activities, and requirements for protection of personal data;
  2. Definitive recognition of and elaboration on data subjects’ rights, such as access, rectification, deletion, restriction, objection to data processing, and most critically, a right to bring a cause of action and seek damages for misuse of data;
  3. Guidelines on data transfers abroad, including the requirement for preparing impact assessments;
  4. Obligations for data controllers and processors to implement appropriate personal data protection measures, encompassing management, technical, and legal aspects;
  5. Appointment of a data protection officer (“DPO”) or creation of a data protection department;
  6. Specific content for notifications to be provided to data subjects prior to processing data and affirmative consent requirements; and
  7. Requirements that data controllers and processors create and maintain impact assessments and the required contents of those impact assessments.

Upon the implementation of Decree 13, businesses in Vietnam will face increased compliance requirements and potential penalties for non-compliance. Organizations will need to create data protection policies, practices, and procedures, or review and update their existing ones, to ensure alignment with Decree 13.

Considerations for Businesses

The new Decree 13 applies to all organizations operating in Vietnam that collect, process, or store personal data, including both domestic and foreign entities. Businesses operating in Vietnam should consider:

  1. Evaluating their current data processing activities to understand the implications of Decree 13 on their operations, and updating their data protection policies and procedures as necessary to align with Decree 13’s requirements.
  2. Taking an inventory of the personal data they are presently storing and considering how that data was collected, what measures are being used to protect it, and what it is presently being used for.
  3. Looking into implementing necessary technical and organizational measures to handle and protect personal data, including the appointment of a DPO.
  4. Providing training for employees on the new data protection requirements, their responsibilities under Decree 13, and best practices for handling personal data in the workplace. 

This comprehensive regulation will take effect on July 1st, 2023. For SMEs and startups, there is a possible 2-year deferment period from the date they were incorporated in which they may elect not to appoint a DPO. However, all organizations should prepare for compliance with the remaining aspects of Decree 13, be accountable for their data processing activities, and safeguard the privacy of individuals in Vietnam.
