Draft Decree Guiding the Law on Personal Data Protection

As of today, Decree No. 13/2023/ND-CP remains the sole detailed regulation on personal data protection in Vietnam. Recently, the Ministry of Public Security released the Draft Decree detailing certain provisions of the Law on Personal Data Protection for public consultation.

📌 With the Law taking effect on 01 January 2026, this is a crucial moment for enterprises to review their compliance frameworks and prepare for a new era of data protection.

The Draft not only clarifies existing provisions but also introduces entirely new obligations that directly impact business operations. Some of the key highlights include:

1️⃣ Expanded Definitions
💠Basic personal data: Defined by characteristics instead of listing categories.
💠Sensitive personal data: Expanded to include impact on organizations, requiring stricter controls, with new categories such as biometric/genetic data, religious views, electronic identity, telecom activity history, and behavioral tracking.

2️⃣ Response Timeline for Data Subject Requests
💠Mandatory response within 2 working days, with completion ranging from 7 to 15 working days, depending on the type of request. Extensions are allowed up to 10 working days with notice.

3️⃣ Broader Forms of Consent
💠Valid consent can be expressed via writing, voice, SMS, email, digital platforms, or other verifiable means.

4️⃣ Data Transfer Regulations
💠Written agreements required, specifying purpose, scope, retention, and responsibilities.
💠Sensitive data transfer must be encrypted and anonymized.
💠Explicit rules for fee-based transfers, intra-organizational sharing, and data marketplace transactions.

5️⃣ Annual Compliance Assessments for Financial Institutions
💠Banks and credit institutions must conduct yearly reviews, maintain audit logs, and notify breaches within 72 hours.

6️⃣ Safeguards in Big Data Processing
💠Encryption, anonymization, strong access controls, and real-time monitoring required.

7️⃣ Data Protection Officers (DPOs) Standards
💠Must hold a university degree, have at least 3 years of relevant experience and certified training, and have no prior data/cybersecurity convictions.

📑 The full text of the Draft Decree is now available on the Ministry of Public Security’s portal for public consultation within 60 days. Agencies, organizations, and individuals are encouraged to review and provide detailed feedback.

💡 Implications:
Vietnam is moving closer to international data protection standards, while placing greater compliance obligations on enterprises. Companies should act now to audit processes, strengthen internal policies, and ensure readiness before the Law comes into force.

👉 Don’t forget to follow THE LAM LAW LLC – Your legal need, Our Mission for continuous updates and in-depth legal insights on personal data protection and compliance.

Link PDF: Draft Decree Guiding the Law on Personal Data Protection

 

THE LAM LAW LLC
🏢Indochina Park Tower, # 4 Nguyen Dinh Chieu Str, Tan Dinh Ward, Ho Chi Minh City.
📞Tel: +84 (0)28 710 58 222 – 6288 3798 – Hotline: +84 (0) 97 309 77 77
Email: info@thelamlawllc.com
