Tiếng ViệtAs of today, Decree No. 13/2023/ND-CP remains the sole detailed regulation on personal data protection in Vietnam. Recently, the Ministry of Public Security released the Draft Decree detailing certain provisions of the Law on Personal Data Protection for public consultation.
📌 With the Law taking effect on 01 January 2026, this is a crucial moment for enterprises to review their compliance frameworks and prepare for a new era of data protection.
The Draft not only clarifies existing provisions but also introduces entirely new obligations that directly impact business operations. Some of the key highlights include:
1️⃣ Expanded Definitions
💠Basic personal data: Defined by characteristics instead of listing categories.
💠Sensitive personal data: Expanded to include impact on organizations, requiring stricter controls, with new categories such as biometric/genetic data, religious views, electronic identity, telecom activity history, and behavioral tracking.
2️⃣ Response Timeline for Data Subject Requests
💠Mandatory response within 2 working days, with completion ranging 7–15 working days, subject to type of request. Extensions allowed up to 10 working days with notice.
3️⃣ Broader Forms of Consent
💠Valid consent can be expressed via writing, voice, SMS, email, digital platforms, or other verifiable means.
4️⃣ Data Transfer Regulations
💠Written agreements required, specifying purpose, scope, retention, and responsibilities.
💠Sensitive data transfer must be encrypted and anonymized.
💠Explicit rules for fee-based transfers, intra-organizational sharing, and data marketplace transactions.
5️⃣ Annual Compliance Assessments for Financial Institutions
💠Banks and credit institutions must conduct yearly reviews, maintain audit logs, and notify breaches within 72 hours.
6️⃣ Safeguards in Big Data Processing
💠Encryption, anonymization, strong access controls, and real-time monitoring required.
7️⃣ Data Protection Officers (DPOs) Standards
💠Must hold a university degree, have at least 3 years of relevant experience, certified training, and no prior data/cybersecurity convictions.
📑 The full text of the Draft Decree is now available on the Ministry of Public Security’s portal for public consultation within 60 days. Agencies, organizations, and individuals are encouraged to review and provide detailed feedback.
💡 Implications:
Vietnam is moving closer to international data protection standards, while placing greater compliance obligations on enterprises. Companies should act now to audit processes, strengthen internal policies, and ensure readiness before the Law comes into force.
👉 Don’t forget to follow THE LAM LAW LLC – Your legal need, Our Mission for continuous updates and in-depth legal insights on personal data protection and compliance.
Link PDF: Draft Decree Guiding the Law on Personal Data Protection
THE LAM LAW LLC
🏢Indochina Park Tower, # 4 Nguyen Dinh Chieu Str, Tan Dinh Ward, Ho Chi Minh City.
📞Tel: +84 (0)28 710 58 222 – 6288 3798 – Hotline: +84 (0) 97 309 77 77
✉ Email: info@thelamlawllc.com
Related Posts
Legal Update – When is property acquired before marriage considered common asset?
Does being the sole name on a Land Use Right Certificate before official marriage automatically
Feb
Legal Update – Precedent No. 78/2025/AL
“EQUITY” OR “BUSINESS FUNDING” – NAVIGATING THE LEGAL SUBSTANCE As we embrace the Year of
Feb
Happy Lunar New Year 2026
🌸🧧 Dear Customers and Partners, Spring has arrived, bringing with it bright new beginnings and
Feb
Year End Party 2025
✨ CLOSING A MEMORABLE YEAR – OPENING A NEW JOURNEY 📅 On February 7, 2026,
Feb
Lunar New Year Holiday Notice – Binh Ngo 2026
Dear Valued Clients and Partners, 💖 On the occasion of the Lunar New Year –
Feb
Legal Update – Vietnam Corporate Governance Code 2026
📌 The Viet Nam Corporate Governance Code – 2026 Edition has officially been released, serving
Feb