Decree 13/2023: Vietnam's First Data Protection Framework

Vietnam enacted Decree No. 13/2023/ND-CP on Personal Data Protection on 17 April 2023, with the rules taking effect from 1 July 2023. The Decree contains 44 articles covering data classification, consent, cross-border transfers, breach notification, and enforcement. It applies to any individual or organisation - Vietnamese or foreign - that processes personal data of people in Vietnam.

For website owners outside Vietnam, the territorial reach matters. If your site collects data from Vietnamese visitors through cookies, contact forms, or analytics tools, Decree 13 may apply to you.

A full Personal Data Protection Law (Law No. 91/2025/QH15) was passed in 2025 and takes effect on 1 January 2026, elevating these rules from decree level to statutory law. The new law builds on Decree 13 while introducing stricter penalties and broader obligations.

How Vietnam Classifies Personal Data

Decree 13 splits personal data into two categories: basic and sensitive. Basic personal data includes names, dates of birth, contact details, nationality, and similar identifiers.

Sensitive personal data covers political and religious views, health conditions, biometric data, genetic information, financial records, sexual orientation, and membership of political parties or social organisations. Data about children under 16 is also classified as sensitive by default.

This distinction affects consent requirements. Processing sensitive data triggers additional obligations, including a mandatory Data Protection Impact Assessment (DPIA) that must be filed with the Ministry of Public Security.

Consent Requirements Under Decree 13

Consent is the primary lawful basis for processing personal data under Vietnamese law. Unlike the GDPR, which offers six legal bases for processing, Decree 13 centres almost entirely on consent.

The consent must be explicit, informed, and documented. Silence or a lack of response does not constitute valid consent. Each distinct processing purpose requires its own separate consent - bundled consents covering unrelated services are not valid. This means a single cookie banner tick-box covering analytics, marketing, and functional purposes would not satisfy Decree 13.

Withdrawal of consent must be as straightforward as giving it. Data subjects can revoke consent at any time, and organisations must stop processing within 72 hours of receiving a withdrawal request under Decree 13.

The 2026 PDP Law keeps this consent-centric approach but adds a limited exemption: processing without consent is now permitted to protect the legitimate rights of the data controller or another party. That said, this exemption is narrower than the legitimate interest basis available under GDPR.

What Cookies Mean Under Vietnamese Data Protection

Decree 13 does not mention cookies by name. The rules apply whenever data collected through cookies can be linked to an identifiable person. A PHPSESSID storing an authenticated session, a _ga cookie tracking browsing behaviour, or a _fbp pixel identifier all fall within scope if they relate to a Vietnamese visitor.

Granular, purpose-specific consent is required. A compliant cookie banner for Vietnamese visitors should allow separate choices for each processing purpose rather than a single accept-all approach.

Websites using Google Analytics 4 or Meta Pixel should ensure these scripts fire only after valid consent has been given. Script-blocking techniques or a consent management platform that supports conditional loading will help meet this requirement.

Cross-Border Data Transfers

Decree 13 imposes specific conditions on transferring personal data out of Vietnam. If your servers sit outside the country and you process data from Vietnamese visitors, these rules apply directly to you.

The data subject must consent specifically to the cross-border transfer. This consent must include a clear explanation of the complaint mechanism available if something goes wrong. A generic privacy policy mention is not enough - the consent needs to address the transfer itself.

Organisations must also prepare a Transfer Impact Assessment Dossier and submit it to the Ministry of Public Security's online portal within 60 days of the first transfer. The dossier must document the purpose, data categories, recipient safeguards, and risk mitigation measures.

Requirement | Decree 13 (2023) | PDP Law (2026)
Consent model | Explicit, purpose-specific | Explicit, purpose-specific (with limited legitimate interest exemption)
Breach notification | 72 hours from occurrence | 72 hours from detection
Data Protection Officer | Required in limited cases | Required for all data processors
Cross-border transfer filing | Within 60 days of first transfer | Within 60 days (with expanded halt powers for regulators)
Penalties (max fine) | Up to VND 100 million (approx. USD 4,000) | Up to 5% of annual revenue for serious violations
Vulnerable group protections | Children under 16 | Children, plus persons with limited civil capacity

Data Localisation: Who Must Store Data in Vietnam

Vietnam's data localisation rules have drawn attention from global businesses, though the scope is narrower than often reported. The data localisation requirement applies to foreign providers of ten specified service types, including telecommunications, e-commerce, online payment, social networking, and data storage services.

If your website falls into one of these categories and you serve Vietnamese users, you must store a copy of the personal data in Vietnam and retain it for at least 24 months. A standard blog, corporate website, or SaaS platform not offering one of the ten listed services is unlikely to trigger this obligation, though the broad wording of some categories creates uncertainty.

The 2026 PDP Law gives regulators explicit authority to suspend or halt cross-border transfers where data is used in ways that threaten national security or where serious data protection violations occur.

Breach Notification Obligations

Decree 13 requires data controllers to notify the Ministry of Public Security within 72 hours of a personal data breach. The notification must describe the breach, the categories of data affected, and the measures taken to mitigate harm.

The 2026 PDP Law changes the clock: the 72-hour window now starts from the moment the breach is detected, not from when it occurred. This aligns more closely with the GDPR's 72-hour breach notification rule, which also counts from awareness.

Enforcement and Penalties

Under Decree 13, enforcement has been limited. The Ministry of Public Security oversees compliance, but a dedicated sanctions decree was still being drafted through 2024. Fines under existing administrative penalty frameworks have been modest by international standards.

The 2026 PDP Law changes this significantly. Cross-border transfer violations can attract fines of up to VND 3 billion (approximately USD 115,000) or 5% of the violator's total revenue from the previous financial year. Selling or purchasing personal data illegally carries a minimum fine of VND 3 billion, with the maximum set at ten times the illegal gain.

These penalty levels signal Vietnam's intent to enforce data protection rules more aggressively. While not yet at GDPR levels, the revenue-based penalty model mirrors the approach taken by European regulators.

How Vietnam Compares to Other Asia-Pacific Privacy Laws

Vietnam's framework sits alongside a growing number of Asia-Pacific data protection regimes. Thailand's PDPA, South Korea's PIPA, Singapore's PDPA, Japan's APPI, and China's PIPL each take slightly different approaches to consent, data transfers, and enforcement.

Vietnam's heavy reliance on consent as the primary processing basis and its data localisation requirements for certain service providers make it distinctive. The cross-border transfer filing obligation - requiring proactive submission to the Ministry of Public Security - is more burdensome than the mechanisms used in most other APAC jurisdictions.

Practical Steps for Website Compliance

If your website attracts Vietnamese visitors, start with a cookie audit to identify which cookies and trackers collect data that could fall within Decree 13's scope. Any cookie that tracks behaviour, stores identifiers, or enables profiling is likely covered.

Configure your consent banner to present Vietnamese visitors with granular, purpose-specific consent options. The banner should explain each category of data collection and allow separate acceptance or rejection. Pre-ticked boxes or implied consent through continued browsing do not satisfy the Decree's requirements.

For cross-border transfers, document the data flows from your website to servers outside Vietnam. Prepare the required Transfer Impact Assessment Dossier if you process significant amounts of Vietnamese personal data. Keep records of consent, including timestamps and the specific purposes consented to, as evidence of compliance.
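The conditional loading of analytics and marketing tags described earlier and the timestamped, purpose-specific consent records mentioned here can be handled by one small module. The following is an added example written for this article, not code from Kukie.io or from any consent platform; the purpose names, the 72-hour withdrawal deadline and the "silence is not consent" rule come from the Decree as summarised above, while the class name, record format and the placeholder script URLs are assumptions of the example.

```javascript
// Added example (not from the article): purpose-specific consent ledger that
// gates third-party tags and records each decision with a timestamp.
const PURPOSES = ['functional', 'analytics', 'marketing'];
const WITHDRAWAL_WINDOW_MS = 72 * 60 * 60 * 1000; // stop processing within 72 hours

class ConsentLedger {
  constructor() { this.entries = []; } // append-only: serves as evidence of consent

  // Record one decision for one purpose. A bundled "accept all" entry cannot be
  // expressed here on purpose: each purpose needs its own separate consent.
  record(purpose, granted, at = Date.now()) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const entry = { purpose, granted: Boolean(granted), at: new Date(at).toISOString() };
    this.entries.push(entry);
    return entry;
  }

  // Withdrawal is recorded like consent and carries the deadline by which
  // processing for that purpose must have stopped (72 hours from the request).
  withdraw(purpose, at = Date.now()) {
    const entry = this.record(purpose, false, at);
    entry.stopBy = new Date(Date.parse(entry.at) + WITHDRAWAL_WINDOW_MS).toISOString();
    return entry;
  }

  // Latest decision wins. No record at all means NO consent: silence, a
  // pre-ticked box or continued browsing never count as agreement.
  hasConsent(purpose) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      if (this.entries[i].purpose === purpose) return this.entries[i].granted;
    }
    return false;
  }
}

// Each tag is tied to the single purpose it serves. URLs are placeholders;
// in practice these would be the GA4 and Meta Pixel loader scripts.
const TAGS = [
  { purpose: 'analytics', src: 'https://example.invalid/ga4.js' },
  { purpose: 'marketing', src: 'https://example.invalid/pixel.js' },
];

// Conditional loading: only tags whose purpose currently has consent are passed
// to `inject` (in a browser, a function that appends a <script> element).
// Returns the list of script URLs that were permitted.
function loadPermittedTags(ledger, inject = () => {}) {
  const permitted = TAGS.filter(t => ledger.hasConsent(t.purpose)).map(t => t.src);
  permitted.forEach(inject);
  return permitted;
}
```

Persisting the ledger entries (first-party cookie or server side) gives the timestamped, per-purpose record the Decree expects as proof of consent.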

Frequently Asked Questions

Does Vietnam's data protection law apply to websites outside Vietnam?

Yes. Decree 13/2023 applies to any individual or organisation, domestic or foreign, that processes personal data of people in Vietnam. If your website collects data from Vietnamese visitors, you may fall within scope.

Do I need cookie consent for Vietnamese website visitors?

If cookies on your site collect data that can identify a specific person - such as analytics identifiers, advertising pixels, or session tokens - you need explicit, purpose-specific consent from Vietnamese visitors before processing that data.

What is the penalty for violating Vietnam's data protection rules?

Under the 2026 PDP Law, fines can reach VND 3 billion (approximately USD 115,000) or 5% of annual revenue for cross-border transfer violations. Illegal sale of personal data carries fines up to ten times the illegal gain.

Does Vietnam require data to be stored locally?

Data localisation applies to foreign providers of ten specified service types, including e-commerce, social networking, and online payment. Standard websites outside these categories are generally not required to store data in Vietnam.

How does Vietnam's Decree 13 differ from the GDPR?

Decree 13 relies almost entirely on consent as the lawful basis for processing, whereas the GDPR provides six legal bases. Vietnam also requires proactive filing of cross-border transfer assessments with the Ministry of Public Security, which has no direct GDPR equivalent.

What changes when Vietnam's PDP Law takes effect in January 2026?

The PDP Law introduces mandatory Data Protection Officers for all data processors, higher penalties including revenue-based fines, expanded protections for vulnerable groups, and a limited legitimate interest exemption for processing without consent.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
