The Decree takes effect from July 1, 2023.
This Decree applies to Vietnamese agencies, organizations and individuals, and foreign agencies, individuals and organizations in Vietnam, directly participating in or related to personal data processing activities in Vietnam.
Under the Decree, personal data is understood as information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment that is associated with a specific person or helps to identify a specific person.
Personal data includes basic personal data and sensitive personal data. Basic personal data includes full name, date of birth, gender, place of birth, nationality, personal photo, phone number, ID card number, account number, personal identification number, license plate number, tax code, etc.
Sensitive personal data is data related to the privacy of an individual that, when violated, will directly affect the legitimate rights and interests of that person. Examples include: political views and religious views; health status and privacy recorded in medical records, excluding information about blood type; information related to racial origin or ethnic origin; information about inherited or acquired genetic characteristics of an individual; information about physical attributes and biological characteristics of an individual; information about the sexual life and sexual orientation of an individual; data on crimes and criminal acts collected and stored by law enforcement agencies; customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including customer identification information as prescribed by law, account information, deposit information, deposited assets information, transaction information, and information on organizations and individuals who are guarantors at credit institutions, bank branches, and payment intermediary service providers; data on an individual's location determined through positioning services; and other personal data prescribed by law as specific and requiring necessary security measures.
Personal data will be processed in accordance with the law. Data subjects are informed about activities related to the processing of their personal data. Personal data will only be stored for a period of time appropriate to the purpose of data processing. Agencies, organizations and individuals who violate personal data protection regulations, depending on the severity, may be subject to disciplinary action, administrative sanctions or criminal prosecution in accordance with the law.
The Government has also specified a number of prohibited acts in the Decree on Personal Data Protection. These acts include processing personal data in violation of the law and processing personal data to create information and data aimed at opposing the Socialist Republic of Vietnam.
In addition, the act of processing personal data to create information and data that affects national security, social order and safety, and the legitimate rights and interests of other organizations and individuals is also strictly prohibited.
It is noteworthy that, according to the Decree, personal data may be processed only after the data subject has been notified and has given consent. The data subject is also required to request the data controller to provide him/her with or to correct or delete his/her personal data.
In an emergency, to protect the life or health of the data subject or other people, and in emergencies concerning security, national defense, epidemics, disasters, etc., the data controller and competent State agencies may process personal data without the consent of the data subject.
Competent agencies and organizations are also allowed to record audio, video and process personal data collected from these activities in public places for the purpose of protecting national security, social order and safety, and the legitimate rights and interests of organizations and individuals without the consent of the data subject.
With regard to children's personal data, the processing of such data requires the consent of the child if the child is 7 years of age or older and the consent of the parent or guardian, except in some special cases.
For marketing and advertising activities, organizations and individuals may only use personal data of customers collected through their business activities with the consent of the data subject. Processing of personal data of customers for marketing and product introduction must have the consent of the customer, on the basis of knowing clearly the content, method and frequency of product introduction.
The Decree also clearly stipulates that organizations and individuals involved in data processing must apply protective measures to prevent illegal data collection from their systems and services. Setting up software, technical measures or organizing the collection, transfer, purchase and sale of personal data without the consent of the data subject is a violation of the law.
The Decree also clearly stipulates the rights and obligations of data subjects, along with the responsibilities of agencies, subjects and individuals in protecting personal data.
Measures to protect personal data
The Decree clearly states that personal data protection measures are applied from the beginning and throughout the process of processing personal data.
Measures to protect personal data include: Management measures implemented by organizations and individuals involved in processing personal data; Technical measures implemented by organizations and individuals involved in processing personal data; Measures implemented by competent state management agencies in accordance with the provisions of this Decree and relevant laws; Investigation and prosecution measures implemented by competent state agencies; Other measures as prescribed by law.
Protecting basic personal data means applying the above personal data protection measures; developing and promulgating regulations on personal data protection that clearly state the tasks to be performed according to the provisions of this Decree; encouraging the application of personal data protection standards appropriate to the fields, professions, and activities related to personal data processing; and checking the network security of the systems, means and equipment serving personal data processing before processing, and irreversibly deleting or destroying devices containing personal data.
Protecting sensitive personal data means applying the above protection measures and the basic personal data protection measures; designating a department with the function of protecting personal data, designating personnel in charge of protecting personal data, and exchanging information about the department and individuals in charge of protecting personal data with the Personal Data Protection Authority (where the Personal Data Controller, Personal Data Controller and Processor, Data Processor, or Third Party is an individual, the information of that individual shall be exchanged); and notifying the data subject that the sensitive personal data of the data subject is being processed, except in some prescribed cases.
Personal Data Protection Authority
The Decree clearly states that the agency responsible for protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention and Control of the Ministry of Public Security, which is responsible for assisting the Ministry of Public Security in performing State management of personal data protection.
The National Portal on Personal Data Protection provides information on the Party's guidelines and policies and the State's laws on personal data protection; disseminates and popularizes policies and laws on personal data protection; updates information on the status of personal data protection; receives information, records, and data on personal data protection activities via cyberspace; and provides information on the results of personal data protection assessments of relevant agencies, organizations, and individuals.
In addition, the National Portal on Personal Data Protection receives notifications of violations of regulations on personal data protection; warns and coordinates warnings about risks and acts of personal data infringement in accordance with the law; handles violations of personal data protection in accordance with the law; and performs other activities in accordance with the law on personal data protection.
Conditions for ensuring personal data protection activities
The Decree clearly states that conditions for ensuring personal data protection activities include:
The personal data protection force, which includes: the personal data protection force arranged at the personal data protection agency; departments and personnel with the function of protecting personal data assigned in agencies, organizations and enterprises to ensure the implementation of regulations on personal data protection; and organizations and individuals mobilized to participate in personal data protection. The Ministry of Public Security develops specific programs and plans to develop human resources for personal data protection.
Agencies, organizations and individuals are responsible for disseminating knowledge and skills, raising awareness of personal data protection for agencies, organizations and individuals.
Ensure facilities and operating conditions for the Agency specializing in personal data protection.
Wisdom