
Lessons from Recent Corporate Inspections and the Data Protection Impact Assessment (DPIA) Process
Since Decree 13/2023/ND-CP on Personal Data Protection (PDPD) came into full effect on July 1, 2023, the “grace period” for enterprises has officially ended. Entering 2025, the Department of Cybersecurity and Hi-tech Crime Prevention (A05 – Ministry of Public Security) has intensified inspections across banking, insurance, e-commerce, and recruitment sectors.
Data privacy is no longer just an IT security issue; it has become a critical legal compliance requirement. Below is an analysis of common violations found during recent inspections and a guide to the mandatory DPIA process.
1. The “Wake-up Call”: Key Findings from Recent Inspections
Based on recent enforcement actions, regulatory bodies are focusing on three primary areas where businesses frequently fail:
A. The “Blanket Consent” Violation
Many enterprises continue to use broad, pre-ticked consent boxes or bury the consent clause within a lengthy “Terms & Conditions” document.
- The Violation: Decree 13 requires consent to be voluntary, specific, and explicit. Silence or non-response does not constitute consent.
- Lesson: Businesses must separate the “Privacy Consent Form” from the general contract. Consent must be granular (e.g., separate checkboxes for “Marketing,” “Sharing with 3rd parties,” and “Cross-border transfer”).
B. Unauthorized Data Trading (Secondary Processing)
This is the most severely penalized violation. It occurs when a company collects data for Purpose A (e.g., delivering goods) but sells or shares it with a Partner for Purpose B (e.g., insurance telesales) without the Data Subject’s explicit knowledge.
- Lesson: Review all Data Sharing Agreements (DSA) with partners. Buying/selling data without the clear consent of the data owner is a criminal offense under the new regulations.
C. Failure to Appoint a DPO
Enterprises often forget the administrative requirement to designate a Data Protection Officer (DPO) or a Data Protection Department and notify A05.
- Lesson: This is low-hanging fruit for inspectors. Ensure the DPO’s contact information is publicly available on the company website.
2. The DPIA Dossier: The Core Compliance Obligation
Data Protection Impact Assessment (DPIA) is the “heart” of Decree 13 (Article 24). It is a mandatory dossier that the Data Controller (or Controller-cum-Processor) must establish and submit to A05.
Who must perform a DPIA?
- Data Controllers (The entity deciding the purpose/means of processing).
- Data Processors (The entity processing data on behalf of the Controller).
The 60-Day Rule
The dossier must be established and submitted to the Ministry of Public Security (Department A05) within 60 days from the date of commencing personal data processing activities.
Components of a Valid DPIA Dossier (Form 04):
- Contact Information: Details of the Controller and the DPO.
- Purpose & Scope: Clearly defining what data is collected, for what purpose, and the retention period.
- Data Flow Mapping: A description of how data moves from collection to storage, usage, transfer, and deletion.
- Risk Assessment: Identifying potential risks to the Data Subject (e.g., leaks, unauthorized access).
- Mitigation Measures: Technical and organizational measures (e.g., encryption, access control, NDAs with staff) to minimize risks.
3. Cross-Border Data Transfer Assessment (TIA)
For FDI enterprises or companies using overseas cloud servers (for example, AWS, Google Cloud, or Microsoft Azure regions located in Singapore or the US), this is a critical parallel obligation.
Under Article 25, before transferring data out of Vietnam, the transferor must prepare a Transfer Impact Assessment (TIA) dossier.
- Key Requirement: The transferor must ensure that the recipient country has data protection standards equivalent to or higher than Vietnam’s, or there must be a binding contract ensuring data safety.
- Submission: Similar to DPIA, the TIA dossier must be submitted to A05.
4. Strategic Recommendations: The Compliance Roadmap
To prepare for potential audits in 2025, Legal and Compliance teams should execute the following steps:
- Data Mapping (The Foundation): You cannot protect what you do not know. Conduct an internal audit to inventory all personal data flows (HR data, Customer data, Vendor data).
- Consent UX/UI Revision: Redesign website cookies, mobile app pop-ups, and physical application forms to ensure “Opt-in” mechanisms are compliant.
- Submit the DPIA & TIA: If the company has not yet submitted these dossiers to A05, do so immediately. The Ministry of Public Security is building a national database of compliant entities; absence from this list increases audit risk.
- Vendor Management: Amend contracts with third-party vendors (Processors) to include strict indemnification clauses regarding data breaches.
CONCLUSION
Compliance with Decree 13 is no longer a theoretical exercise. With the inspection machinery now active, the DPIA Dossier serves as the primary “shield” for enterprises. It proves to the authorities that the company has taken proactive, systematic measures to protect personal data, thereby mitigating liabilities in the event of a breach.
📞 CONTACT LEGAL CONSULTANT:
TLA Law is a leading law firm with a team of highly experienced lawyers specializing in criminal, civil, corporate, marriage and family law, and more. We are committed to providing comprehensive legal support and answering all your legal questions. If you have any further questions, please do not hesitate to contact us.
1. Lawyer Vu Thi Phuong Thanh, Ha Noi Bar Association
Email: vtpthanh@tlalaw.vn
2. Lawyer Tran My Le, Ha Noi Bar Association
Email: tmle@tlalaw.vn
Nguyen Hien Mai