On April 17, 2023, the Government of Vietnam
issued Decree No. 13/2023/ND-CP on Personal Data Protection, which took
effect on July 1, 2023 (Decree No. 13/2023/ND-CP on Personal Data Protection,
Apr. 17, 2023). The Decree establishes Vietnam’s first comprehensive and
unified legal framework governing the collection, processing, storage, and
cross-border transfer of personal data, applicable to relevant agencies,
organizations, and individuals. The Decree introduces a two-tier classification of personal data, which
includes basic personal data and sensitive personal data. It also establishes
principles for data processing, including lawfulness, purpose limitation, data
minimization, accuracy, storage limitation, security and confidentiality, and
transparency. Additionally, the Decree imposes corresponding compliance
obligations on data controllers and processors. Key requirements include
obtaining explicit consent from data subjects, with limited exceptions;
ensuring transparency in data processing activities; conducting data protection
impact assessments for sensitive data; and adopting technical and
organizational safeguards against data breaches. the Decree stipulates impact assessment
and cross-border data transfers. It requires the Personal Data Controllers and
Personal Data Processors to compile impact assessment
dossiers and subject such transfers to post-transfer supervision by the Ministry
of Public Security. The provisions on data breach response and legal liability
are noticeable. The Decree mandates notice of data breaches and
correction for violations, subjecting offenders to disciplinary,
administrative, civil, or criminal liability.
Vietnam has enacted the Law on Personal
Data Protection No. 91/2025/QH15, which took effect on January 1, 2025 (Law on
Personal Data Protection, No. 91/2025/QH15, January 1, 2025). The Law creates the initial
statutory level framework governing the collection, processing, storage, and
cross-border transfer of personal data in Vietnam. The Law codifies data
protection principles, expands data subject rights, and clarifies lawful bases
for processing beyond the approach set out in Decree No. 13/2023/ND-CP. Furthermore, it delineates the responsibilities of data
controllers, processors, and third parties, institutionalizes mandatory data
protection impact assessments, and strengthens the legal architecture governing
cross-border data transfers and breach notification. A comparison with
Vietnam’s legal framework for personal data protection prior to the adoption of
the 2025 Law reveals that the earlier framework was scattered across various
sector-specific laws and regulations. This dispersion led to fragmented
enforcement and created legal uncertainty. To sum up, the 2025 Law represents
a significant advancement in Vietnam’s personal data protection regime toward a
more coherent, principle-based, and internationally aligned data governance framework.
The adoption of Decree No. 13/2023/ND-CP and the
2025 Law on Personal Data Protection represents a decisive institutional shift
in Vietnam’s data governance and carries important implications for harmonizing
regional norms under ASEAN, especially the ASEAN Framework on Personal Data
Protection (2016). First, these instruments transform Vietnam’s previously
fragmented, sector-based privacy rules into a unified regime broadly aligned
with the ASEAN core principles, such as consent, notification, and purpose;
accuracy of personal data; security safeguards; access and correction; transfer
to another country or territory; retention; and accountability. Second, the
introduction of a regulated cross-border data transfer regime, impact
assessment requirements, and breach notification duties supports ASEAN’s
objectives of facilitating the flow of data among the ASEAN member states while
preserving national regulatory autonomy. Simultaneously, relatively stringent
transfer controls reflect a cautious, sovereignty-sensitive approach to harmonization
characteristic of the “ASEAN Way”. Overall, both Decree No. 13 and the 2025 Law exemplify
the Vietnam’s emergence as an increasingly rule-aligned jurisdiction within
ASEAN’s evolving digital governance framework, contributing to incremental regional coherence
while maintaining careful domestic oversight of data flows.
(Decree No. 13/2023/ND-CP on Personal Data
Protection, Apr. 17, 2023.)
Authors: Bui Thi Ngoc Lan
and Hoang Thanh Phuong, Lecturers at Hanoi Law University
Topic: Personal Data Protection
Jurisdiction: Vietnam
Date: March
20, 2026