In our series “Personal Data Protection & Compliance with Decree 13/2023/NĐ-CP,” we’ve explored the key provisions of Decree 13 and the anticipated forms of sanctions in the Draft Personal Data Protection Law (PDPL) and the Draft Administrative Sanctions Decree (CASD). To provide a clear and comprehensive overview of the escalating severity of upcoming penalties, we’ve compiled the comparison table below.
This table highlights not only the violation behaviors as defined by the current Decree 13 but also underscores the significant differences and the increased severity of the proposed sanctions. This is essential information for every organization and business to assess risks and prepare a compliance plan effectively.
Table 1: Comprehensive Comparison of Personal Data Violation Behaviors & Sanctions
| Violation Behavior (as per Decree 13/2023/NĐ-CP) | Relevant Article in Decree 13 | Proposed Sanctions/Penalties under Draft PDPL and Draft CASD |
| --- | --- | --- |
| Violating personal data protection principles | Article 3 | Warning, fines from tens to hundreds of millions VND; compulsory remedial action; suspension of data processing activities; up to 5% of total preceding year’s revenue if serious or repeated violation |
| Infringing personal data subject rights | Article 9 | Fines, suspension of activities; compulsory execution of data subject rights; up to 5% of total revenue if significant damage caused |
| Violating regulations on data subject consent | Article 11 | Fines from 50-200 million VND; compulsory recall, deletion of illegally collected data; up to 5% of total revenue if serious violation |
| Violating regulations on consent withdrawal | Article 12 | Fines, compulsory cessation of data processing after consent withdrawal; up to 5% of total revenue if processing continues illegally |
| Violating obligation to send personal data processing notification | Article 13 | Fines, request for supplementary information, suspension of data processing if not rectified |
| Violating regulations on providing personal data | Article 14 | Fines, compulsory recall of illegally provided data; up to 5% of total revenue if serious violation |
| Violating regulations on personal data adjustment | Article 15 | Fines, compulsory execution of data adjustment based on lawful request |
| Violating regulations on personal data storage, deletion, destruction | Article 16 | Fines, compulsory deletion/destruction of data as regulated; up to 5% of total revenue if serious violation |
| Violating regulations on processing personal data collected from public audio/video recordings | Article 18 | Fines, suspension of activities; compulsory deletion of illegally collected data |
| Violating personal data protection regulations in marketing, advertising | Article 21 | Fines, suspension of marketing activities; up to 5% of total revenue if repeated or serious violation |
| Violating regulations on illegal collection, transfer, trading of personal data | Article 22 | Very heavy fines, potentially up to 5% of total revenue; confiscation of illegal profits; suspension of activities; criminal prosecution if serious |
| Violating regulations on personal data breach notification | Article 23 | Fines, compulsory timely notification; suspension of activities if not rectified |
| Violating regulations on personal data processing impact assessment | Article 24 | Fines, compulsory preparation of impact assessment dossier; suspension of activities if not performed |
| Violating regulations on cross-border personal data transfer | Article 25 | Fines, suspension of transfer; compulsory data recall; up to 5% of total revenue if serious violation |
| Violating personal data protection measures | Article 26 | Fines, compulsory application of protection measures; suspension of activities if not rectified |
Conclusion: Comprehensive Preparation to Avert Severe Risks
This comparison table clearly demonstrates that the anticipated sanctions under the Draft PDPL and Draft CASD are significantly more severe than those under the currently referenced regulations. In particular, the potential fine of up to 5% of total revenue could cause immense financial damage, threatening the very existence of any business.
Even seemingly minor acts, such as failing to conduct a Data Protection Impact Assessment (DPIA) as per Article 24 or neglecting to comply with data protection measures under Article 26, can lead to very heavy penalties, including the suspension of operations. This is not merely a legal warning; it’s a powerful reminder of the importance of building a comprehensive data governance and protection system.
Compliance is no longer optional; it’s a mandatory requirement and a critical factor for business survival. Businesses need to act immediately to review and re-evaluate their data processing procedures, ensuring they are fully implementing appropriate security measures and legal compliance to avoid severe risks when the new regulations officially come into effect.
Disclaimer: The comparison table and information in this article are based on the current Draft Laws and Decrees and may be subject to change once the official legal documents are issued. This publication is intended for general informational purposes only. It should not be construed as professional legal advice for any specific case, organization, or individual.