Personal Data Protection in Vietnam: Regulations and Practice
In the current era of information explosion and digital connectivity, personal data has become a critical strategic asset, contributing to economic and social development, as well as national security. However, the collection, processing, and protection of this data face significant challenges, particularly the risks of infringement and misuse. This article will systematize the current legal regulations in Vietnam on personal data protection, analyze the practical situation, and propose solutions for improvement.
1. Legal Basis
- Decree 13/2023/ND-CP on Personal Data Protection;
- The Penal Code 2015 (amended and supplemented in 2017);
- The Civil Code 2015;
- Decree 15/2020/ND-CP, amended and supplemented by Decree 14/2022/ND-CP.
2. Core Legal Concepts
2.1. Personal Data and Its Classification
According to Clause 1, Article 2 of Decree 13/2023/ND-CP, personal data is information in the form of symbols, text, numbers, images, sounds, or similar forms in an electronic environment associated with a specific individual or helping to identify a specific individual. Personal data is classified into two main groups:
- Basic Personal Data: This is a common group of identification data, often used in daily transactions. According to Clause 3, Article 2 of Decree 13/2023/ND-CP, basic personal data includes the following 11 groups:
  - Full name, middle name, and birth name, other names (if any);
  - Date of birth; date of death or disappearance;
  - Gender;
  - Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current residence, hometown, contact address;
  - Nationality;
  - Personal images;
  - Phone number, ID card number, personal identification number, passport number, driver's license number, vehicle license plate number, personal tax identification number, social insurance number, health insurance card number;
  - Marital status;
  - Information about family relationships (parents, children);
  - Information about an individual's digital accounts; personal data reflecting activities and history of activities in cyberspace;
  - Other information associated with a specific individual or helping to identify a specific individual that does not fall under sensitive personal data.
- Sensitive Personal Data: This is personal data associated with an individual's privacy, which, if infringed upon, will directly affect the individual's legitimate rights and interests. According to Clause 4, Article 2 of Decree 13/2023/ND-CP, this data includes:
  - Political and religious views;
  - Health status and private life recorded in medical records (excluding blood type information);
  - Information related to racial or ethnic origin;
  - Information about genetic characteristics;
  - Information about an individual's unique physical attributes and biological characteristics;
  - Information about sex life and sexual orientation;
  - Data on crimes and criminal acts collected and stored by law enforcement agencies;
  - Customer information of credit institutions, foreign bank branches, intermediary payment service providers, and other authorized organizations;
  - Data on an individual's location determined through location services;
  - Other personal data specified by law as specific and requiring necessary security measures.
2.2. Protection and Processing of Personal Data
Personal data protection is the activity of preventing, detecting, stopping, and handling violations related to personal data in accordance with the law (Clause 5, Article 2 of Decree 13/2023/ND-CP).
Processing of personal data refers to one or more actions affecting personal data, including: collecting, recording, analyzing, confirming, storing, modifying, publicizing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.
2.3. Data Subject: Rights and Obligations
A data subject is the individual to whom the personal data relates.
- Rights of the Data Subject:
  - The right to be informed, the right to consent, the right to access, the right to withdraw consent, the right to delete data, the right to restrict data processing, the right to obtain data, the right to object to data processing, the right to complain, denounce, and file a lawsuit, the right to claim compensation for damages, and the right to self-protection.
- Obligations of the Data Subject:
  - To protect their own personal data and request other relevant organizations and individuals to protect it;
  - To respect and protect the personal data of others;
  - To provide complete and accurate personal data when consenting to its processing;
  - To participate in propagating and disseminating skills for personal data protection;
  - To comply with legal regulations and participate in preventing and combating violations.
3. Principles of Personal Data Protection
Pursuant to Article 3 of Decree 13/2023/ND-CP, the processing of personal data must adhere to the following principles:
- Principle of legality;
- Principle of transparency;
- Principle of clear purpose;
- Principle of relevance and limitation;
- Principle of accuracy;
- Principle of confidentiality;
- Principle of storage duration;
- Principle of accountability.
4. Sanctions for Violations
According to Article 4 of Decree 13/2023/ND-CP, agencies, organizations, and individuals that violate regulations on personal data protection may be subject to disciplinary action, administrative sanctions, or criminal prosecution, depending on the severity of the violation.
- Criminal Sanctions: The Penal Code 2015 (amended and supplemented in 2017) provides for several related offenses, such as:
  - Article 159: The crime of infringing upon the secrecy or safety of correspondence, telephone calls, telegrams, or other forms of private information exchange of others.
  - Article 288: The crime of illegally providing or using information on computer networks or telecommunications networks. However, these offenses do not directly regulate the act of trading personal data, and enforcement has faced difficulties in practice.
- Civil Sanctions: The Civil Code 2015 affirms that the right to protection of personal information is protected by law. When infringed upon, individuals have the right to request protective measures under Article 11, including:
  - Forcing the termination of the infringing act;
  - Forcing a public apology and correction;
  - Forcing the performance of an obligation;
  - Forcing compensation for damages.
- Administrative Sanctions: Decree 15/2020/ND-CP (as amended by Decree 14/2022/ND-CP) stipulates monetary fines for violations. Additionally, remedial measures may be applied, such as:
  - Forcing the recall and deletion of personal information;
  - Forcing a public apology and correction;
  - Suspending or revoking licenses or professional practice certificates.
5. Practical Application and Challenges
5.1. The Practical Situation
In reality, many serious violations of personal data have been recorded:
- Syndicates trading personal information (ID card numbers, addresses, phone numbers) to offer insurance, investments, and loans.
- Leakage of user data on e-commerce platforms, leading to advertising calls and scams.
- Millions of customers' banking and financial data being openly sold on forums.
5.2. Difficulties and Limitations
The current sanctions for violations are still inadequate and not deterrent enough:
- Criminal Sanctions: There is no direct offense that regulates the large-scale trading of personal data.
- Administrative Sanctions: Fines are relatively low and not commensurate with the consequences, and regulations are scattered across various legal documents.
6. Proposed Solutions for Improvement
- Completing the Legal Framework: The Law on Personal Data Protection 2025 was passed on June 26, 2025, and will take effect on January 1, 2026. Having a separate law will create a solid and unified legal foundation.
- Amending the Penal Code: It is necessary to add offenses that directly address the illegal trading and collection of personal data, especially for organized, large-scale activities.
- Increasing Administrative Fines: Raise the level of fines to enhance deterrence, particularly in sensitive sectors such as finance, banking, and e-commerce.
- Strengthening Inspection and Auditing: Conduct regular inspections of data processing activities by large organizations.
- Applying Technology: Encourage the use of technological measures such as encryption and multi-factor authentication to protect data.
7. Conclusion
Amidst the wave of digital technology, personal data is increasingly becoming a valuable asset but also faces many risks of infringement. Decree 13/2023/ND-CP marks a significant step forward, helping to raise awareness and responsibility among relevant parties. However, to ensure effective implementation, it is necessary to continue improving the legal system, strengthening sanctions for violations, and promoting education on privacy rights. Protecting personal data is not only the responsibility of the state but also of every individual in the digital age.
The information contained in this article is general and intended only to provide information on legal regulations. DB Legal will not be responsible for any use or application of this information for any business purpose. For in-depth advice on specific cases, please contact us.