The Vietnamese Constitution 2013 affirms that individual privacy is inviolable. Personal data is an issue closely related to human rights, civil rights, safety, network security, information security, data security, information technology and the fourth industrial revolution, e-government, digital economy, and information technology. In the article below, Viet An Law will present regulations on personal data protection policy under the current Vietnamese law.
Legal basis
Law on Cyber Information Security 2015;
Decree 13/2023/ND–CP on protecting personal data.
What is personal data?
According to the provisions of Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment, which associated with a particular person or helping to identify a particular person.
Classification of personal data
According to Article 2 of Decree 13/2023/ND–CP personal data includes basic personal data and sensitive personal data.
Basic personal data
Sensitive personal data: Sensitive personal data is personal data associated with an individual’s privacy rights that, when violated, will directly affect the individual’s legitimate rights and interests.
Regulations on personal data protection policy
According to the provisions of the Law on Cyber Information Security, the principles of personal data protection are as follows:
Individuals protect their personal information and comply with the law on providing personal information;
Agencies, organizations and individuals handling personal information are responsible for ensuring network information security for the information they process;
Organizations and individuals handling personal information must develop and publicly announce measures to handle and protect the personal information of their organizations and individuals;
The protection of personal information is carried out by the provisions of the Law on Cyber Information Security and other relevant regulations;
Processing of personal information to ensure national defense, national security, social order, and safety or for non-commercial purposes is carried out following other relevant laws.
Thus, the personal data protection policy is a protection measure prescribed under Decree 13/2023/ND-CP drafted and issued by individuals and organizations to apply internally to the collection of personal data, processes, and stores of personal information of users, employees, as well as customers and partners.
Law on Cyber Information Security stipulates that organizations and individuals handling personal information must apply appropriate management and technical measures to protect the personal information they collect and store; Comply with standards and technical regulations on ensuring network information security and have the following responsibilities:
Collect personal information after obtaining the consent of the personal information subject about the scope and purpose of collecting and using that information;
Only use collected personal information for purposes other than the original purpose after obtaining the consent of the personal information subject;
Do not provide, share, or distribute personal information that you have collected, accessed, or controlled to third parties, except with the consent of the subject of that personal information or at the request of the competent state agency.
Measures to protect personal data
Protect personal data
According to Article 26 of Decree 13/2023/ND–CP, personal data protection measures are applied right from the beginning and throughout the personal data processing process. Personal data protection measures include:
Management measures implemented by organizations and individuals involved in processing personal data;
Technical measures implemented by organizations and individuals involved in processing personal data;
Measures implemented by competent state management agencies according to the provisions of this Decree and relevant laws;
Investigation and litigation measures are carried out by competent state agencies;
Other measures as prescribed by law.
Basic personal data protection
In addition to the measures specified above, according to Article 27 of this Decree, the following protection measures can be applied:
Develop and promulgate regulations on personal data protection, clearly stating what needs to be done according to the provisions of the Law;
Encourage the application of personal data protection standards appropriate to the field, industry, and activities related to personal data processing.
Check network security for systems and means and equipment serving personal data processing before processing, irreversibly deleting, or destroying devices containing personal data.
Protect sensitive personal data
In addition to applying the measures above, Article 28 of this Decree stipulates measures including:
Designate a department with the function of protecting personal data, designate personnel in charge of protecting personal data, and exchange information about departments and individuals in charge of protecting personal data with the responsible agency. protect personal data. In case the Personal Data Controller, Personal Data Controller and Processor, Data Processor, and Third Party are individual, the information of the performing individual shall be exchanged.
Notify the data subject that the data subject’s sensitive personal data is processed, except for the cases specified in Clause 4, Article 13, Article 17, and Article 18.
Agency in charge of personal data protection and National Information Portal on personal data protection
According to Decree 13/2023/ND-CP regulating specialized agencies for personal data protection and national information portals on personal data as follows:
The agency in charge of protecting personal data is the Department of Cyber Security and High-Tech Crime Prevention – Ministry of Public Security, which is responsible for helping the Ministry of Public Security carry out state management of personal data protection.
National information portal on personal data protection.
Personal data protection policy drafting service of Viet An Law
Consulting and support osn personal data protection policies;
Drafting personal data protection policy upon requests of clients;
Consulting on handling regulations when violating personal data protection policies.
Clients who have questions or legal needs related to regulations on personal data protection policy, please contact Viet An Law Firm for the best advice and support!
During divorce proceedings, the issue of child support is always considered a crucial matter to ensure the rights and interests of minor children. However, after a court judgment or decision…
On June 12, 2025, the Government issued Decree 151/2025/ND-CP regulating the decentralization of authority for local governments at two levels, empowering and decentralizing in the field of land. Accordingly, Commune…
Currently, violations of fire prevention and fighting regulations are becoming increasingly common with many complex behaviors, causing numerous unfortunate consequences and damages. To enhance deterrence and prevent fire safety violations,…
In the context of the increasingly strong development of import and export activities, especially in border areas, which play an important role as a gateway for trade between Vietnam and…
In the era of digital transformation, Blockchain technology is being widely applied globally, and Vietnam is no exception. However, along with this rapid development comes a series of legal challenges…
