Vietnam follows a global approach of securing personal data protection and implements this in its regulatory framework. The guidelines are a work in progress, but general compliance principles are clarified and shall be followed.

The new decree on Personal Data Protection (“PDPD”) has come into effect since July 1, 2023, introducing various new requirements for organizations and individuals (both domestic and offshore entities) involved in personal data processing activities in the country. The new decree represents a significant step towards strengthening data privacy rights and enforcement in Vietnam.

Notable points under the PDPD include:

• New definitions: the PDPD provides the broad definitions of “basic personal data”, “sensitive personal data”. It also introduces the concept of “data controller”, “data processor”, “data controlling cum processing entity”. This establishes clearer roles and responsibilities.
• Data protection principles: these principles include lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality and accountability. The companies must process personal data in line with these standards.
• Data subject consent: the PDPD strengthens consent requirements, access rights and protections for data subjects. Their explicit consents must be obtained for data processing activities, cross border transfer, and any data collection or sale. Data subjects can give partial or conditional consent. Silence or non-response is not considered as consent. Data subjects have the right to access and review their data. If the consent is withdrawn, the relevant data must be deleted within 72 hours. These provisions aim to empower Vietnamese citizens with more control over their personal data.
• Damage claims: data subjects can claim damages if their PDPD rights are infringed. Additionally, collecting, transferring or selling personal data without consent is now illegal. This strengthens enforcement and protections for data subjects against unauthorized data use.
• Impact assessment dossier: within 60 days of the date of data processing, organisations are required to prepare a personal data protection impact assessment as per the form outlined in the PDPD. The Ministry of Public Security - Department of Cybersecurity and High-Tech Crime Prevention and Control is tasked with evaluating these impact assessments. If changes occur in the personal data being handled, the company must amend and update their assessments accordingly. The companies are also required to update their impact assessment in case of changes by sending an update to the Ministry of Public Security. The Ministry of Public Security has the right to inspect the the data protection in Vietnam.  
• Data protection officer (DPO): The company is required to appoint the DPO who is in charge of the data privacy related matters. Information of the DPO must be notified to the authority and included in the impact assessment dossier.
• Cross-border data transfer: similarly, if the company has any act for cross-border data transfer, it is required to do another impact assessment in this regard. Any changes shall be sent an update to the Ministry of Public Security. The Ministry of Public Security has the right to inspect the transfer of data abroad and may prohibit further transfers in case of noncompliance with PDPD.
• Sanctions: Non-compliance with the PDPD may result in moneytary penalty (i.e., the amount is not finalzied), suspension of certain activities (i.e., suspension of data transfer abroad); criminal sanctions for certain acts infringing the right to privacy.

From the above, we recommend companies across all sectors in Vietnam to the take necessary actions and to review data practices and policies to ensure full PDPD compliance and to avoid any kind of financial or regulatory penalty.