Việt Nam · PDPD 2023

Vietnam Decree 13/2023, Personal Data Protection Law

Decree 13/2023/ND-CP took effect July 1, 2023, Vietnam's first comprehensive personal data protection regulation. Learn who it applies to, obligations, and how SaaS/HealthTech/Fintech companies should prepare.

Effective
01/07/2023
Regulator
Ministry of Public Security
Scope
National + cross-border
Global analog
GDPR-inspired

What is PDPD?

PDPD (Personal Data Protection Decree), officially Decree 13/2023/ND-CP, is Vietnam's first comprehensive personal data protection legislation. Issued on April 17, 2023 and effective from July 1, 2023, it consolidates previously scattered personal data provisions across various laws.

Who must comply with PDPD?

The Decree applies broadly to:

  • Vietnamese organizations and individuals processing personal data
  • Foreign organizations operating in Vietnam
  • Foreign organizations offering services to users in Vietnam (including SaaS, apps)

In practice, if your business has users in Vietnam, regardless of where you're headquartered, PDPD may apply.

Personal data under PDPD

PDPD classifies data into two categories:

Type Examples Special requirements
Basic personal data Name, DOB, phone, address, email Consent, purpose notification
Sensitive personal data Health, biometric, financial data, political views, religion, children's data Explicit consent + registration with MPS + mandatory DPIA

Key business obligations

1

Consent

Must obtain clear, voluntary, revocable consent before collecting data. Bundled consent is no longer valid.

2

Purpose notification

Must clearly disclose: data types, processing purposes, retention period, third parties receiving data.

3

Data subject rights

Users have rights to access, rectify, delete data, withdraw consent, and object to processing. Businesses must have processes to handle these requests.

4

DPIA, Impact Assessment

Mandatory for sensitive data and large-scale processing. Must be stored and provided to authorities upon request.

5

Sensitive data registration

Organizations processing sensitive data must register with the Cybersecurity Department (A05), Ministry of Public Security.

6

Cross-border data transfers

Transferring data abroad requires the recipient country to have equivalent protection, or appropriate data transfer agreements (similar to GDPR SCCs).

PDPD vs GDPR, Quick Comparison

Aspect PDPD (Việt Nam) GDPR (EU)
Geographic scope Vietnamese users' data EU users' data
DPO requirement Not required (but recommended) Mandatory in certain cases
Sensitive data registration Mandatory with MPS No equivalent
Breach notification 72 hours to MPS 72 hours to DPA
Supervisory authority Cục A05, Bộ Công An DPA (mỗi quốc gia EU)
Data subject rights Similar to GDPR (access, erasure, objection) 8 full rights

PDPD and international compliance frameworks

If your business is implementing any of the frameworks below, you're simultaneously building technical and organizational controls that overlap significantly with PDPD obligations, because most data security requirements share common ground.

Note on control overlap: Implementing ISO 27001 or GDPR builds technical and organizational controls — access control, incident response, DPIA, breach notification — that overlap significantly with PDPD obligations. This is natural alignment between frameworks, not a pTrackly-specific feature.

PDPD Preparation Checklist for SaaS/HealthTech/Fintech

Inventory all personal data being collected and processed
Classify: basic vs sensitive personal data
Update Privacy Policy and Cookie Policy
Build clear, granular consent mechanism (no bundled consent)
Prepare DPIA for sensitive data or large-scale processing
Register with Ministry of Public Security for sensitive data processing
Build Data Subject Request (DSR) handling process
Review supplier contracts (Data Processing Agreements)
Build data breach detection and notification process (72h)
Review data transfers with overseas entities, need appropriate DTA
Train staff on PDPD requirements

Frequently Asked Questions

Who does Decree 13/2023 apply to?

Any organization or individual processing personal data of Vietnamese nationals, including Vietnamese companies, foreign companies operating in Vietnam, and foreign companies providing services to users in Vietnam.

How does PDPD differ from GDPR?

Similarities: consent, data subject rights, 72-hour breach notification. Key differences: PDPD requires sensitive data registration with MPS (GDPR has no equivalent), and DPO is not mandatory. If already GDPR-compliant, additional PDPD compliance costs are significantly lower.

Do B2B SaaS companies need to comply with PDPD?

Yes, if the data processed contains personal data of Vietnamese nationals (including employee data of enterprise customers). In practice, most B2B SaaS companies become 'Data Processors' under PDPD.

What are the penalties for PDPD violations?

Decree 13/2023 and related penalty regulations specify fines based on severity of violation. In serious cases (willful violations, significant harm), criminal penalties under the Penal Code may apply. Authorities can also suspend data processing operations.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo