FROM DECREE 13/2023/ND-CP TO THE PERSONAL DATA PROTECTION LAW 2025 – THE INSTITUTIONALIZATION OF PRIVACY RIGHTS IN VIETNAM

I. CONTEXT AND MOTIVATION FOR THE PROMULGATION OF THE PERSONAL DATA PROTECTION LAW

Amidst the accelerating pace of globalization and digital transformation, personal data has become an essential and sensitive asset. Vietnam, with its rapidly expanding digital economy, faces an urgent need to establish a robust legal framework to safeguard personal data and ensure privacy rights—recognized as constitutional rights.

After nearly one year of implementing Decree 13/2023/ND-CP, practical application has revealed the necessity of elevating legal provisions to the legislative level to enhance enforceability, legal certainty, and regulatory oversight. The Personal Data Protection Law 2025 was thus introduced with the following objectives:

• Codify privacy rights as stipulated in the 2013 Constitution;

• Align with international commitments and trade agreements (e.g., CPTPP, EVFTA);

• Strike a balance between digital economic growth and the protection of individual rights.

II. COMPREHENSIVE COMPARISON BETWEEN THE 2025 LAW AND DECREE 13/2023/ND-CP

1. Scope of Regulation and Data Sovereignty

The 2025 Law expands the scope of application in terms of both subject matter and territorial reach:

• It covers Vietnamese-origin individuals with unclear citizenship who possess valid identification documents issued in Vietnam;

• It governs extraterritorial data processing activities that impact Vietnamese individuals.

This shift demonstrates a move from administrative management to the protection of data subjects' rights, affirming national data sovereignty and aligning with global frameworks such as the GDPR.

2. Legal Definitions and Data Classification

• The Law introduces updated definitions such as anonymization, re-identification, biometric data, genetic data, and personal financial data;

• It distinguishes clearly between basic and sensitive personal data based on the degree of potential harm in case of breach;

• It specifies data processing activities and the responsibilities of relevant stakeholders.

3. Data Processing Principles

The Law establishes a mandatory set of core principles:

• Lawful, specific, and clear purposes for data processing;

• Data minimization and avoidance of excessive collection;

• Security, safety, and transparency;

• Alignment with individual and national interests.

These principles provide the foundation for building effective supervision mechanisms and systematic enforcement.

4. Data Subject Rights: From Passive to Proactive

Compared to Decree 13, the 2025 Law enhances the rights of data subjects significantly:

• Rights to access, correct, delete, restrict processing, and transfer data;

• Right to object to processing, especially for advertising or profiling purposes;

• Clear mechanisms for litigation and damage compensation;

• Explicit regulations on data inheritance and post-mortem data handling.

5. Consent and Data Collection Mechanisms

• Consent must be explicit, verifiable, and stored appropriately;

• Silence or implied actions cannot be construed as consent;

• Data subjects can revoke or modify consent or limit it to specific purposes;

• Data controllers must demonstrate proof of consent and its scope.

III. OPERATIONAL MECHANISMS FOR DATA PROCESSING

1. Timeframes and Administrative Forms

• The Law stipulates that requests for access or correction must be addressed within 72 hours;

• Administrative procedures and templates are standardized to reduce procedural burden and enhance transparency.

2. Deletion, Destruction, Anonymization, and Retention

• The Law defines in detail what constitutes deletion and destruction in the digital context;

• Mandatory anonymization of data with no further processing purposes;

• Prohibition of re-identification without legal justification;

• Conditional retention permitted for national defense, security, and crime prevention purposes.

3. Cross-border Data Transfer

• Mandatory Data Protection Impact Assessment (DPIA) for cross-border transfers;

• Submission of reports to the competent authority within 60 days from the start of the transfer;

• Certain exemptions granted to state agencies or transfers of one's own personal data.

IV. INTERNATIONAL COOPERATION AND ENFORCEMENT

1. Principles and Mechanisms of International Cooperation

• Based on equality, sovereignty, and protection of individual rights;

• Areas of cooperation include technical support, information exchange, human resource training, research, and technology transfer.

2. Sanctions and Preventive Measures

• High fines: up to 10 times the illicit gain or 5% of the violator’s annual revenue;

• Suspension of processing or cross-border transfers if national security risks are detected;

• Applicable penalties for foreign individuals or organizations processing Vietnamese citizens' data without compliance.

V. CONCLUSION AND RECOMMENDATIONS

The Personal Data Protection Law 2025 marks a significant milestone in Vietnam’s legislative evolution from administrative policy to a robust legal framework for privacy rights. It elevates regulatory authority from Decree 13/2023/ND-CP to the statutory level, reflecting the government’s strong commitment to safeguarding personal rights in the digital age.

To ensure effective implementation, the following actions are recommended:

• Prompt issuance of detailed implementation guidelines;

• Establishment of an independent or dedicated data protection authority;

• Development of supporting technology for monitoring and enforcement;

• Legal communication campaigns to raise awareness and strengthen compliance capacity among businesses and the public.

The success of the Personal Data Protection Law will not be measured solely by the number of penalties imposed but by the cultivation of a culture of data and privacy respect—an essential standard for sustainable development in Vietnam’s digital society.