Law: Decree No. 13/2023/ND-CP on the Protection of Personal Data (only available in Vietnamese here) (PDPD)

Regulator: The primary regulatory authorities are the Ministry of Public Security (MPS) and the Ministry of Information and Communication (MIC).

Summary: Decree No. 13/2023/ND-CP on the Protection of Personal Data (only available in Vietnamese here) (PDPD) is the first comprehensive data protection law in Vietnam, and entered into effect on July 1, 2023. In particular, the PDPD establishes data protection principles, data subject rights, as well as data controller and data processor obligations, among other things. More specifically, the PDPD introduces restrictions on cross border data transfers and obligations for data processing including the purchase and sale of personal information, as well as marketing and advertising. The Ministry of Public Security (MPS) is the responsible supervisory authority under the PDPD, although the Ministry of Information and Communication (MIC) is also responsible for digital matters and those related to personal data protection.

Although outlines requirements related to cross-border data transfers, Decree 53/2022/ND-CP Detailing Some Articles of Network Security Law (only available in Vietnamese here), also outlines data localization requirements for service providers.

The PDPD is accompanied by other legislation which provide personal data protections including the Law on Cyber Information Security No. 86/2015/QH13 (LCIS), the Law on Cybersecurity No. 24/2018/QH14 (the Cybersecurity Law) (only available to download in Vietnamese here), and Law No. 59/2010QH12 of 17 November 2010 on Protection of Consumers' Rights. In addition, Decree No. 53/2022/ND-CP Detailing Some Articles of Network Security Law (only available in Vietnamese here) outlines data localisation requirements in Vietnam. Furthermore, Vietnam is party to several international data transfer agreements, including the APEC Privacy Framework and the ASEAN Framework on Personal Data Protection.