Apolat Legal

The protection of personal data is an essential requirement in the context of digitalization and the increasing risk of violations against the rights and legitimate interests of data subjects. Personal data protection measures must go beyond preventive actions and include an effective and timely mechanism for detecting and handling violations. To establish a responsive framework and ensure accountability among relevant parties in the event of a breach, Article 23 of Decree No. 13/2023/ND-CP on Personal Data Protection provides detailed provisions regarding the notification of violations. This legal provision not only enhances the effectiveness of legal enforcement but also establishes a robust oversight mechanism, contributing to the safeguarding of individuals’ and organizations’ rights against personal data risks. This article briefly introduces key legal matters regarding the obligation to notify violations, including the identification of responsible entities, the required contents of a notification, and the process of receiving and addressing such notifications. 

1. Entities responsible for Notification 

Pursuant to Article 23 of Decree No. 13/2023/ND-CP, two main groups of entities are obligated to notify violations of personal data protection regulations:

(1) Data Controllers, Data Processors, and Data Controllers cum Processors; 
(2) Other organizations and individuals. 

1.1 Data Controllers, Data Processors, and Data Controllers cum Processors

  • A Data Processor must notify the Data Controller as soon as possible upon detecting a violation of personal data protection regulations. Accordingly, the Data Processor is not responsible for directly notifying the competent regulatory authority but is instead required to immediately notify the Data Controller or the Data Controller cum Processor when a violation is identified. This limitation reflects the fundamental role of the Data Processor, which operates solely under contractual terms and instructions from the Data Controller without independent decision-making authority over the processed data;
  • Upon receiving notification from a Data Processor, or upon independently detecting a violation, the Data Controller and Data Controller cum Processor must fulfill the obligation to notify the competent regulatory authority of the violation. In addition to submitting a notification, these entities must:
    • Prepare an official record documenting the occurrence of the personal data protection violation;
    • Cooperate with the Ministry of Public Security (Cybersecurity and High-Tech Crime Prevention Department) to address the violation. 

1.2 Other Organizations and Individuals 

Article 23 of Decree No. 13/2023/ND-CP extends the obligation to report personal data protection violations beyond organizations directly involved in data processing and control to other organizations and individuals who detect such violations. This provision establishes a multi-stakeholder oversight mechanism, enhancing transparency and strengthening the protection of data subjects’ rights. Accordingly, organizations and individuals are responsible for reporting a personal data protection violation upon discovering any of the following:

  • Acts violating legal provisions on personal data; 
  • Processing of personal data for improper purposes, contrary to the original agreement between the data subject and the Data Controller or Data Controller cum Processor, or in violation of legal regulations; 
  • Failure to ensure or properly implement the rights of data subjects;
  • Other cases as prescribed by law. 

2. Contents of a Violation Notification 

A personal data protection violation notification must include the following: 

  • Description of the nature of the violation, including the time, location, nature of the act, involved organizations or individuals, types of personal data affected, and the scope of the data involved;
  • Contact details of the designated data protection officer or the organization/individual responsible for handling the violation;
  • Assessment of potential consequences and damages arising from the personal data protection violation; 
  • Description of remedial measures taken to address and mitigate the effects of the violation. 

If it is not feasible to provide a comprehensive notification immediately, the notification may be submitted in phases, ensuring that critical information is reported as soon as it becomes available. 

3. Competent Authority Receiving the Notification 

Notifications of personal data protection violations are received, processed, and addressed by the Cybersecurity and High-Tech Crime Prevention Department of the Ministry of Public Security. If the notification is submitted by a Data Controller or a Data Controller cum Processor, it must be sent to the Cybersecurity and High-Tech Crime Prevention Department within 72 hours of detecting the violation, following the format specified in Form No. 03 in the Annex to Decree No. 13/2023/ND-CP. In cases where notification is submitted after the 72-hour period, the responsible entity must provide a justification for the delay.  

4. Notification Procedure 

According to the guidance published on the Public Service Portal of the Ministry of Public Security, the procedure for reporting a personal data protection violation is as follows: 

  • Step 1: The notifying organization or individual shall access the National Personal Data Protection Information Portal (as announced by the Ministry of Public Security) or download Form No. 03 (Form 3a for organizations, Form 3b for individuals) issued with Decree No. 13/2023/ND-CP upon detecting a violation. 
  • Step 2: The notifying organization or individual shall provide the required information as instructed on the National Personal Data Protection Information Portal or complete Form No. 03 as prescribed.
  • Step 3: The completed notification shall be submitted electronically through the National Personal Data Protection Information Portal (as announced by the Ministry of Public Security) or physically to the Cybersecurity and High-Tech Crime Prevention Department, Ministry of Public Security. 
  • Step 4: The Cybersecurity and High-Tech Crime Prevention Department, Ministry of Public Security, shall acknowledge receipt of the notification and provide feedback regarding its processing. 

5. Processing Timeline 

The Cybersecurity and High-Tech Crime Prevention Department, Ministry of Public Security, shall process the notification within ten (10) business days from the date it acknowledges receipt of the personal data protection violation notification. 

Conclusion 

The notification mechanism for personal data protection violations, as prescribed in Decree No. 13/2023/ND-CP, establishes a clear legal framework to ensure accountability and enhance the effectiveness of personal data protection measures. By identifying specific entities responsible for notification, detailing the required contents of a notification, and defining the reporting and processing procedures, this regulation creates a robust oversight mechanism, mitigating risks and strengthening safeguards for data subjects. However, for this framework to be effectively implemented in practice, close coordination among Data Controllers, regulatory authorities, and other stakeholders is essential to ensure transparency, timely response, and strict compliance with personal data protection regulations.
