Tiếng ViệtAs of today, Decree No. 13/2023/ND-CP remains the sole detailed regulation on personal data protection in Vietnam. Recently, the Ministry of Public Security released the Draft Decree detailing certain provisions of the Law on Personal Data Protection for public consultation.
📌 With the Law taking effect on 01 January 2026, this is a crucial moment for enterprises to review their compliance frameworks and prepare for a new era of data protection.
The Draft not only clarifies existing provisions but also introduces entirely new obligations that directly impact business operations. Some of the key highlights include:
1️⃣ Expanded Definitions
💠Basic personal data: Defined by characteristics instead of listing categories.
💠Sensitive personal data: Expanded to include impact on organizations, requiring stricter controls, with new categories such as biometric/genetic data, religious views, electronic identity, telecom activity history, and behavioral tracking.
2️⃣ Response Timeline for Data Subject Requests
💠Mandatory response within 2 working days, with completion ranging 7–15 working days, subject to type of request. Extensions allowed up to 10 working days with notice.
3️⃣ Broader Forms of Consent
💠Valid consent can be expressed via writing, voice, SMS, email, digital platforms, or other verifiable means.
4️⃣ Data Transfer Regulations
💠Written agreements required, specifying purpose, scope, retention, and responsibilities.
💠Sensitive data transfer must be encrypted and anonymized.
💠Explicit rules for fee-based transfers, intra-organizational sharing, and data marketplace transactions.
5️⃣ Annual Compliance Assessments for Financial Institutions
💠Banks and credit institutions must conduct yearly reviews, maintain audit logs, and notify breaches within 72 hours.
6️⃣ Safeguards in Big Data Processing
💠Encryption, anonymization, strong access controls, and real-time monitoring required.
7️⃣ Data Protection Officers (DPOs) Standards
💠Must hold a university degree, have at least 3 years of relevant experience, certified training, and no prior data/cybersecurity convictions.
📑 The full text of the Draft Decree is now available on the Ministry of Public Security’s portal for public consultation within 60 days. Agencies, organizations, and individuals are encouraged to review and provide detailed feedback.
💡 Implications:
Vietnam is moving closer to international data protection standards, while placing greater compliance obligations on enterprises. Companies should act now to audit processes, strengthen internal policies, and ensure readiness before the Law comes into force.
👉 Don’t forget to follow THE LAM LAW LLC – Your legal need, Our Mission for continuous updates and in-depth legal insights on personal data protection and compliance.
Link PDF: Draft Decree Guiding the Law on Personal Data Protection
THE LAM LAW LLC
🏢Indochina Park Tower, # 4 Nguyen Dinh Chieu Str, Tan Dinh Ward, Ho Chi Minh City.
📞Tel: +84 (0)28 710 58 222 – 6288 3798 – Hotline: +84 (0) 97 309 77 77
✉ Email: info@thelamlawllc.com
Related Posts
Year End Party 2025
✨ CLOSING A MEMORABLE YEAR – OPENING A NEW JOURNEY 📅 On February 7, 2026,
Feb
Lunar New Year Holiday Notice – Binh Ngo 2026
Dear Valued Clients and Partners, 💖 On the occasion of the Lunar New Year –
Feb
Legal Update – Vietnam Corporate Governance Code 2026
📌 The Viet Nam Corporate Governance Code – 2026 Edition has officially been released, serving
Feb
Legal Update-Tax Incentives – A Strong Signal for Startups and SMEs
⚖️ Decree No. 20/2026/NĐ-CP introduces a comprehensive package of tax incentives, including: ▪️ Corporate Income
Jan
Arbitration Agreements in Multi-Party Credit Disputes – The Court’s Approach
❓ Does the existence of an arbitration clause automatically exclude court jurisdiction? In a recent
Jan
Conference Recap – Congratulations on the Election to TRACENT Executive Board (2026–2030)
🎉Congratulations on the Election to TRACENT – HCMC COMMERCIAL ARBITRATION CENTER Executive Board (2026–2030) 🎉
Jan