On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP on protection of personal data (hereinafter referred to as "Decree No. 13/2023/ND-CP"). Decree No. 13/2023/ND-CP consists of 44 articles and 4 chapters, which specify measures and conditions to ensure the protection of personal data.
Decree No. 13/2023/ND-CP highlights the following issues:
(i) Definition of personal data: Decree No. 13/2023/ND-CP defines personal data as electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. It is divided into two main types, namely general personal data and sensitive personal data;
(ii) Principles of personal data protection: Decree No. 13/2023/ND-CP sets out some fundamental principles for personal data protection, including: the personal data shall be processed as prescribed by law; the data subject shall be entitled to receive information related to the processing of his/her personal data; the personal data shall be processed for the purposes that have been registered; the collected personal data shall be appropriate for the scope and purposes of processing; the purchase or sale of personal data shall be prohibited in any form; the personal data shall be updated and added, and shall be protected and secured throughout the processing; the personal data shall be stored within a period of time that is appropriate for the processing purposes. Data controllers are responsible for complying with these principles and must demonstrate their compliance with them.
(iii) Personal data protection measures: Measures for protecting personal data shall be adopted from the beginning of and throughout the processing of personal data. These measures include (1) management measures adopted by an organization or individual related to the processing of personal data; (2) technical measures adopted by an organization or individual related to the processing of personal data; (3) measures adopted by a competent authority according to regulations in this Decree and relevant law; (4) investigation and procedure measures adopted by a competent authority; (5) other measures as prescribed by law.
(iv) The competent authority for personal data protection: the personal data protection authority is the Department of Cybersecurity and Hi-tech Crime Prevention under the Ministry of Public Security, which assists the Ministry of Public Security in performing state management of personal data protection.
(v) Data subject's rights: Decree No. 13/2023/ND-CP specifies 11 rights of data subjects, including the right to (1) be informed, (2) give consent, (3) access personal data, (4) withdraw consent, (5) delete personal data, (6) obtain restriction on processing, (7) obtain personal data, (8) object to processing, (9) file complaints, denunciations and lawsuits, (10) claim damages and (11) self-protection.
Decree No. 13/2023/ND-CP takes effect from July 01, 2023.