Compliance Implementation: Key Obligations of Data Processors under Decree 13/2023/NĐ-CP

In our previous two posts, we explored the seven core principles of personal data processing and the 11 rights of data subjects under Decree 13/2023/NĐ-CP. Now, we turn to another equally critical dimension: the detailed obligations imposed on “Personal Data Processors”, typically organizations that process data under contract with “Personal Data Controllers” or “Personal Data Controllers and Processors.”

Understanding and fulfilling these obligations is essential not only for avoiding legal penalties but also for establishing a solid foundation of cybersecurity and customer trust.


I. Compliance Implementation: Key Obligations of Data Processors (Articles 11–26)

Decree 13 outlines extensive obligations for Data Processors, whose responsibilities—often under contract with Data Controllers—are detailed across Articles 11 to 26 and cover a wide range of operational and governance aspects.


  1. Consent Management (Articles 11 & 12)

Consent forms the foundation of most data processing activities. It must be informed, specific, and freely given, with data subjects made aware of the data type, purpose, processing entities, and their rights/obligations.
Valid consent can be provided via written forms, voice, tick boxes, SMS syntax, technical settings, or any action that clearly indicates consent, and must be reproducible or printable. Silence or non-response does not constitute consent.
Partial or conditional consent is allowed. For sensitive data, explicit notice must be provided.

Data subjects can withdraw consent at any time. On withdrawal, the processor must immediately stop processing and notify all relevant parties, and it must also inform the data subject of the consequences of withdrawal.

  • Implication: Businesses must implement verifiable systems for collecting, managing, and withdrawing consent—especially for sensitive data.


  2. Notification and Transparency (Article 13)

Processors must notify data subjects once before processing begins. The notice must include purpose, data types, processing methods, involved parties, potential risks/damages, and processing timeline.
Exceptions apply if the subject already knows and agrees, or if a state authority processes the data for official purposes.

  • Implication: Ensure privacy policies and data collection notices are clear, comprehensive, and accessible.


  3. Data Access, Correction, Retention, and Deletion (Articles 14–16)

Processors must provide personal data within 72 hours of a request (unless legally exempt), and must correct it within 72 hours, or, where correction is not possible, notify the data subject within the same 72-hour period.
They must store data appropriately and delete it upon request, withdrawal of consent, or when no longer needed—within 72 hours.
Irrecoverable deletion is mandatory once processing ends or the entity ceases operations.

  • Implication: Strong technical systems must be in place for secure retrieval, modification, and irreversible deletion of personal data within tight timeframes.


  4. Processing without Consent (Articles 17–18)

Consent is not required in emergency cases (life/health, with evidence), public disclosure by law, national security/order, contract fulfillment, or official government duties.
Data from public audio/video recordings can be processed for national security, public order, or lawful interests—though often with notification.

  • Implication: Clearly understand exceptions and be prepared to justify lawful processing without consent.


  5. Sensitive Data and Vulnerable Groups (Articles 19–20)

Sensitive personal data includes political/religious views, health and private life, race/ethnicity, genetics/biometrics, sex life, criminal records, finances, and location.
Processing children’s data (age 7+) requires dual consent from both the child and a guardian, plus age verification.
Processing must stop and data be deleted if consent is withdrawn or children’s rights are infringed.
For missing or deceased individuals, consent is required from spouses, adult children, or parents.

  • Implication: Businesses handling sensitive or children’s data must use enhanced safeguards including dual consent mechanisms and strict relationship/age verification.


  6. Data in Marketing and Advertising (Article 21)

Organizations may only use personal data for marketing with explicit, informed consent regarding the content, methods, format, and frequency.
The burden of proof lies with the organization.

  • Implication: Ensure marketing activities based on personal data are backed by provable consent.


  7. Prevention of Illegal Data Collection and Transfers (Article 22)

Processors must prevent unauthorized data collection from their systems.
It is strictly prohibited to set up systems or conduct activities that collect, transfer, buy, or sell personal data without consent.

  • Implication: Selling or transferring personal data without proper consent is forbidden—data monetization strategies must be reviewed for compliance and transparency.


  8. Breach Notification (Article 23)

Processors must notify the Data Controller as soon as possible after detecting a data breach.
The Controller must inform the Ministry of Public Security (MPS – Department of Cybersecurity and High-Tech Crime Prevention) within 72 hours.
The notice must include breach nature, data protection officer contact info, consequences, and mitigation steps.

  • Implication: Businesses must develop and test robust cybersecurity incident response plans, including timely breach notifications.


  9. Data Protection Impact Assessment (DPIA) (Article 24)

Processors must create and maintain a DPIA dossier when executing contracts with Data Controllers.
It must detail: processor info, processing activities, data types, processing duration, overseas transfers, safeguards, potential consequences, and mitigation.
The DPIA must be submitted to MPS within 60 days of beginning processing and updated upon any change.

  • Implication: DPIA is mandatory—businesses must proactively assess and document risks and impacts, especially for large-scale or sensitive data processing.


  10. Cross-Border Data Transfers (Article 25)

Transferring Vietnamese citizens’ personal data abroad requires a Cross-Border Data Transfer Impact Assessment (DTIA) and specific compliance procedures.
The dossier must include sender/receiver info, purpose post-transfer, data type, compliance measures, risk assessment, subject consent, and binding agreements.
It must be submitted to MPS within 60 days. Annual audits and enforcement by MPS are possible.

  • Implication: Strict requirements for international data transfers demand strong internal processes, ongoing monitoring, and readiness for audits or government intervention.


  11. Mandatory Safeguards (Article 26)

Safeguards must apply from the start and throughout the entire data lifecycle.
These include administrative measures (e.g., internal rules, appointing DPOs, training) and technical measures (e.g., encryption, firewalls, antivirus, regular backups, access control, and anomaly monitoring).

  • Implication: Data protection is an organizational responsibility—not just IT’s. A holistic, integrated approach to data security is required.


II. Implications for Cybersecurity and Business Operations

The obligations in Articles 11–26 of Decree 13/2023/NĐ-CP have deep impacts on how businesses manage operations and cybersecurity:

  • Comprehensive Data Governance: Businesses need not only technical tools but also clear policies, internal procedures, defined responsibilities, and continuous staff training.
  • Increased Investment in Cybersecurity: Data protection requirements and breach notification rules necessitate investment in advanced technologies like encryption, firewalls, intrusion detection, and backup systems.
  • Proactive Risk Management: Mandatory DPIAs and DTIAs encourage businesses to identify, assess, and mitigate risks before they escalate.
  • Transparency and Accountability: Companies must demonstrate compliance through detailed documentation, audit trails, and regular reporting to authorities.
  • Challenges for Global Operations: Stringent cross-border data transfer rules may disrupt global data flows, requiring legal and technical adjustments.


III. Conclusion: Building a Secure Digital Future in Vietnam

Decree 13/2023/NĐ-CP marks a significant step forward in Vietnam’s commitment to personal data protection. It establishes a strong legal framework, empowers individuals, and sets out clear and comprehensive responsibilities for organizations.

For businesses, compliance is not just a legal formality—it is a strategic necessity, demanding proactive measures, continuous adaptation, and deep understanding of Vietnamese legal nuances.

By implementing these regulations, Vietnam aims to foster a safer, more trustworthy digital environment, where individual privacy and responsible innovation go hand in hand.

Disclaimer: This publication is intended for general informational purposes only. It should not be construed as professional legal advice for any specific case, organization, or individual.