Personal Data Protection Decree

26 March 2024 1 min read

At a glance

  • The government’s Decree 13/2023/ND-CP (Decree 13) dated 17 April 2023 on personal data protection, came into effect on 1 July 2023.
  • Decree 13 sets out personal data protection obligations and responsibilities for domestic and foreign organisations as well as individuals.
  • Decree 13 also applies to employers who are involved in activities which involve processing their employees’ personal data.

We would like to express gratitude to VNA Legal for their contribution on this publication.

Decree 13 came into effect on 1 July 2023. It sets out personal data protection obligations and responsibilities for domestic and foreign organisations as well as individuals that are involved in activities which involve the processing of personal data in Vietnam (processing personal data is defined under Decree 13 to include one or more activities affecting personal data, such as collecting, recording, analysing, confirming, storing editing, publicising, combining, accessing, retrieving, revoking, encrypting, decoding, copying, sharing, transmitting, supplying, transferring, deleting, and destruction of personal data or other related actions).

Decree 13 also applies to employers who are involved in activities which require them to process their employees’ personal data. It imposes various obligations on employers to protect the personal data of their employees (including obligations on notification of processing personal data to the employees, obtaining the employees’ consent, notification of personal data breaches, and impact assessment reports to authorities for processing personal data and cross border transfer of personal data, etc).

More to explore

Data Protection Authority issues recruitment Code of Conduct

Data Protection Authority issues recruitment Code of Conduct

The Data Protection Authority has published a Code of Conduct that Workforce Supply Agencies must comply with during their recruitment processes.

The Italian Data Protection Authority limits the retention of employee email metadata

The Italian Data Protection Authority limits the retention of employee email metadata

The Privacy Commissioner has imposed a significant change in employee email metadata retention policies.

CPPA releases draft rules for automated decision-making technology

CPPA releases draft rules for automated decision-making technology

On 27 November 2023, the California Privacy Protection Agency released its initial rulemaking draft for automated decision-making technology (ADMT). The release of these draft...

Enforcement against the use of biometrics in the workplace

Enforcement against the use of biometrics in the workplace

The ICO has issued an enforcement notice which provides valuable insights into its approach to the use of biometrics in the workplace, and the lawfulness of employeemonitoring. 

Dismissal of a company data protection officer: Requirements under current case law

Dismissal of a company data protection officer: Requirements under current case law

According to recent case law, the dismissal of a company data protection officer requires good cause for termination within the meaning of Section 626 para. 1 German Civil Code....

Key employer obligations under India’s new data protection regime

Key employer obligations under India’s new data protection regime

The Digital Personal Data Protection Act ( DPDP Act ) was enacted on 11 August 2023. It sets out the framework for consent-based processing of data and non-consent based processing.