Chapter I
GENERAL PROVISIONS
Article 1. Scope and regulated entities
1. This Decree provides for personal data protection and responsibilities of relevant agencies, organizations and individuals for protection of personal data.
2. This Decree applies to:
a) Vietnamese agencies, organizations and individuals;
b) Foreign authorities, entities and individuals in Vietnam;
c) Vietnamese agencies, organizations and individuals that operate in foreign countries;
d) Foreign agencies, organizations and individuals that directly process or are involved in processing personal data in Vietnam.
Article 2. Definition of terms
For the purpose of this Decree, the following terms shall be construed as follows:
1. “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. The personal data includes general personal data and sensitive personal data.
2. “Information used for identification of an individual" refers to information that results from an individual's activities and may identify an individual when it is combined with other stored information and data.
3. General personal data includes:
a) Last name, middle name and first name, other names (if any);
b) Date of birth; date of death or going missing;
c) Gender;
d) Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;
dd) Nationality;
e) Personal image;
e) Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;
h) Marital status;
i) Information about the individual’s family relationship (parents, children);
k) Digital account information; personal data that reflects activities and activity history in cyberspace;
l) Information associated with an individual or used to identify an individual other than that specified in Clause 4 of this Article.
4. “Sensitive personal data” refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual's legal rights and interests, including:
a) Political and religious opinions;
b) Health condition and personal information stated in health record, excluding information on blood group;
c) Information about racial or ethnic origin;
d) Information about genetic data related to an individual's inherited or acquired genetic characteristics;
dd) Information about an individual’s own biometric or biological characteristics;
e) Information about an individual’s sex life or sexual orientation.
g) Data on crimes and criminal activities collected and stored by law enforcement agencies;
h) Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;
i) Personal location identified via location services;
k) Other specific personal data as prescribed by law that requires special protection.
5. “Personal data protection” refers to an act of preventing, detecting and handling violations related to personal data in accordance with the law.
6. “Data subject” refers to an individual to whom the data relates.
7. “Personal data processing” refers to one or multiple activities that impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.
8. “Consent” of a data subject refers to an act that the data subject permits the processing of his/her personal data in a clear, voluntary and affirmative manner.
9. “Personal Data Controller” refers to an organization or individual that decides purposes and means of processing personal data.
10. “Personal Data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.
11. “Personal Data Controller-cum-Processor” refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.
12. “Third Party” refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, and Personal Data Controller-cum-Processor that is permitted to process personal data.
13. "Automated processing of personal data” refers to a form of personal data processing performed by electronic devices with a view to assessing, analyzing and predicting an individual’s activities, including habits, preference, reliability, behavior, location, trends, capability and other circumstances.
14. “Outbound transfer of personal data” refers to an act of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of a Vietnamese citizen. To be specific:
a) An organization, enterprise or individual transfers personal data of a Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the data subject;
b) The personal data of a Vietnamese citizen is processed by automatic systems outside the territory of the Socialist Republic of Vietnam of the Personal Data Controller, Personal Data Controller-cum-Processor, Personal Data Processor for the purposes agreed upon by the data subject.
Article 3. Rules for protection of personal data
1. The personal data shall be processed as prescribed by law.
2. The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided for by law.
3. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor and the Third Party.
4. The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law.
5. The personal data shall be updated and added for the processing purposes.
6. The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations against regulations on protection of personal data and prevention of loss, destruction or damage caused by incidents and use of technical measures.
7. The personal data shall be stored within a period of time that is appropriate for the processing purposes, unless otherwise provided for by law.
8. The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the rules for data processing specified in Clauses 1 through 7 of this Article and prove their compliance.
Article 4. Handling violations against regulations on protection of personal data
Agencies, organizations and individuals that commit violations against regulations on protection of personal data, depending on the severity of their violations, may be disciplined, or face administrative penalties or criminal prosecution according to regulations.
Article 5. State management of personal data protection
The Government shall ensure uniform state management of personal data protection.
Contents of state management include:
1. Requesting competent authorities to promulgate or promulgate within its jurisdiction legal documents, and directing and organizing the implementation of legal documents on protection of personal data.
2. Formulating and organizing the implementation of strategies, policies, schemes, projects, programs and plans for protection of personal data.
3. Providing guidance on measures, procedures and standards of protection of personal data for agencies, organizations and individuals in accordance with law.
4. Disseminating and educating the law on protection of personal data; communicating and disseminating skills and knowledge about protection of personal data.
5. Developing and providing training and refresher training for officials, public employees and persons assigned to protect personal data.
6. Inspecting the observance of law on protection of personal data; handling complaints, denunciations and violations against regulations on protection of personal data as prescribed by law.
7. Compiling statistics, and giving information and reports on protection of personal data and the observance of law on personal data protection to competent authorities.
8. Encouraging international cooperation in protection of personal data.
Article 6. Application of Decree on protection of personal data, relevant laws and international treaties
The personal data protection shall comply with regulations of international treaties to which the Socialist Republic of Vietnam is a signatory, relevant laws and this Decree.
Article 7. International cooperation in protection of personal data.
1. Developing mechanisms for international cooperation in order to facilitate the effective enforcement of laws on protection of personal data.
2. Engaging in judicial assistance in protecting personal data by other countries, including notification, complaints, assistance in investigating and exchanging information, and appropriate measures for protecting personal data.
3. Organizing conferences and seminars, conducting scientific research and promoting international cooperation in enforcement of the law on protection of personal data.
4. Organizing bilateral and multilateral meetings to exchange experience in drafting legislation and having the practice of protection of personal data.
5. Transferring technology serving protection of personal data.
Article 8. Prohibited acts
1. Processing personal data in contravention of regulations of law on protection of personal data.
2. Processing personal data in order to provide information and data against regulations of the Socialist Republic of Vietnam
3. Processing personal data in order to provide information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.
4. Obstructing protection of personal data by competent authorities.
5. Taking advantage of protection of personal data to commit violations of law.
Tìm kiếm
Nghị định 13/2023/NĐ-CP (Bản Word)
Nghị định 13/2023/NĐ-CP (Bản Pdf)
