What is PDPD?
PDPD (Personal Data Protection Decree), officially Decree 13/2023/ND-CP, is Vietnam's first comprehensive personal data protection legislation. Issued on April 17, 2023 and effective from July 1, 2023, it consolidates previously scattered personal data provisions across various laws.
Who must comply with PDPD?
The Decree applies broadly to:
- Vietnamese organizations and individuals processing personal data
- Foreign organizations operating in Vietnam
- Foreign organizations offering services to users in Vietnam (including SaaS, apps)
In practice, if your business has users in Vietnam, regardless of where you're headquartered, PDPD may apply.
Personal data under PDPD
PDPD classifies data into two categories:
| Type | Examples | Special requirements |
|---|---|---|
| Basic personal data | Name, DOB, phone, address, email | Consent, purpose notification |
| Sensitive personal data | Health, biometric, financial data, political views, religion, children's data | Explicit consent + registration with MPS + mandatory DPIA |
Key business obligations
Consent
Must obtain clear, voluntary, revocable consent before collecting data. Bundled consent is no longer valid.
Purpose notification
Must clearly disclose: data types, processing purposes, retention period, third parties receiving data.
Data subject rights
Users have rights to access, rectify, delete data, withdraw consent, and object to processing. Businesses must have processes to handle these requests.
DPIA, Impact Assessment
Mandatory for sensitive data and large-scale processing. Must be stored and provided to authorities upon request.
Sensitive data registration
Organizations processing sensitive data must register with the Cybersecurity Department (A05), Ministry of Public Security.
Cross-border data transfers
Transferring data abroad requires the recipient country to have equivalent protection, or appropriate data transfer agreements (similar to GDPR SCCs).
PDPD vs GDPR, Quick Comparison
| Aspect | PDPD (Việt Nam) | GDPR (EU) |
|---|---|---|
| Geographic scope | Vietnamese users' data | EU users' data |
| DPO requirement | Not required (but recommended) | Mandatory in certain cases |
| Sensitive data registration | Mandatory with MPS | No equivalent |
| Breach notification | 72 hours to MPS | 72 hours to DPA |
| Supervisory authority | Cục A05, Bộ Công An | DPA (mỗi quốc gia EU) |
| Data subject rights | Similar to GDPR (access, erasure, objection) | 8 full rights |
PDPD and international compliance frameworks
If your business is implementing any of the frameworks below, you're simultaneously building technical and organizational controls that overlap significantly with PDPD obligations, because most data security requirements share common ground.
Annex A controls on access control, incident management, encryption, vendor management → map directly to PDPD's technical and organizational obligations.
SOC 2's Privacy TSC covers consent, data subject rights, breach notification, retention, maps nearly 1:1 with PDPD obligations.
HIPAA Technical Safeguards (access control, audit log, encryption) and Privacy Rule → health data protections satisfy both HIPAA and PDPD sensitive data rules.
PDPD is inspired by GDPR. Consent, DPIA, data subject rights, DPA contracts, 72h breach notification, if already GDPR-compliant, additional PDPD effort is minimal.
Card data and financial information are sensitive data under PDPD. PCI-DSS controls on encryption, access, audit logs → meet PDPD's technical requirements for financial data.
ISO 42001 requires transparency and fairness in AI, maps to PDPD obligations on automated processing and data subject right to object.
PDPD Preparation Checklist for SaaS/HealthTech/Fintech
Frequently Asked Questions
Who does Decree 13/2023 apply to?
Any organization or individual processing personal data of Vietnamese nationals, including Vietnamese companies, foreign companies operating in Vietnam, and foreign companies providing services to users in Vietnam.
How does PDPD differ from GDPR?
Similarities: consent, data subject rights, 72-hour breach notification. Key differences: PDPD requires sensitive data registration with MPS (GDPR has no equivalent), and DPO is not mandatory. If already GDPR-compliant, additional PDPD compliance costs are significantly lower.
Do B2B SaaS companies need to comply with PDPD?
Yes, if the data processed contains personal data of Vietnamese nationals (including employee data of enterprise customers). In practice, most B2B SaaS companies become 'Data Processors' under PDPD.
What are the penalties for PDPD violations?
Decree 13/2023 and related penalty regulations specify fines based on severity of violation. In serious cases (willful violations, significant harm), criminal penalties under the Penal Code may apply. Authorities can also suspend data processing operations.