Cross-border data transfer – for a seamless flow of data

November 7, 2023

Decree 13/2023/ND-CP on the Protection of Personal Data (“Decree”) has finally been issued with many completely new regulations designed to protect personal data and control the “flow” of personal data, as well as set obligations that every business must comply with. In particular, an issue that businesses are especially concerned about is the regulation on controlling the transfer of personal data across borders. Here is an overview of the regulations that businesses are required to comply with from July 1, 2023:

What is personal data, personal data processing?

Personal data is information that is tied to a particular person or helps to identify a particular person. Some examples of personal data include full name, date of birth, nationality, phone number, photo, place of residence, etc. Personal data includes basic and sensitive data. Processing of personal data is defined as one or more activities affecting personal data which may include: collection, recording, analysis, confirmation, storage, correction, disclosure, association, access, retrieval, encryption, decryption, copy, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions.

What is cross-border data transfer?

The Decree stipulates that the transfer of personal data abroad is the use of cyberspace, equipment, electronic means, or other forms of transferring personal data of Vietnamese citizens (not applicable to personal data of foreigners) to a location outside the territory of Vietnam or use a location outside the territory of Vietnam to process personal data of Vietnamese citizens, including:

1. Organizations, enterprises, and individuals transferring personal data of Vietnamese citizens to overseas organizations, enterprises and management departments for processing in accordance with the purposes agreed upon by the data subject;

(Example: Company A in Vietnam collects data about the user’s name, phone number, email, address and send this information via the internet to company B in a foreign country for company B to process the data and send back the statistics for company A to use)

2. Processing personal data of Vietnamese citizens by automatic systems located outside the territory of the Socialist Republic of Vietnam of the Data Controller, the Data Controller-cum-Processor, the Data Processor in accordance with the purposes agreed to by the data subject.

(Example: Company A – not based in Vietnam, operates a website on the internet that collects data of Vietnamese citizens directly through the website and processes the data using a server located abroad)

Is there any procedure for transferring personal data abroad?


All individuals and organizations, when transferring personal data abroad, must carry out the following procedures:

  1. Prepare a cross-border personal data transfer impact assessment dossier (Data Transfer Dossier) and submit it to the Department of Cybersecurity and High-Tech Crime Prevention (A05);
  2. Carry out the transfer of personal data abroad;
  3. Supplement the Data Transfer Dossier at the request of A05 if the dossier is incomplete;
  4. After transferring the data, send a written notice to A05 about the data transfer and contact details of the organization or individual in charge;
  5. Update and supplement the Data Transfer Dossier when there is a change in the contents of the dossier sent to A05.

What does the Data Transfer Dossier include?

The Data Transfer Dossier includes the following contents:

  1. Information and contact details of the Party transferring the data and the Party receiving personal data of Vietnamese citizens;
  2. Full name and contact details of the organization or individual in charge in the Party transferring the data related to the transfer and receipt of personal data of Vietnamese citizens;
  3. Describe and explain the objectives of the processing activities of Vietnamese citizens’ personal data after being transferred abroad;
  4. Describe and clarify the types of personal data being transferred abroad;
  5. Describe and clearly show compliance with regulations on personal data protection in this Decree, detailing the personal data protection measures applied;
  6. Assess the impact of the processing of personal data, potential consequences, unwanted damage, and measures to reduce or eliminate such risk or harm;
  7. The consent of the data subject as prescribed in Article 11 of this Decree on the basis of clearly knowing the feedback and complaint mechanism when problems or requests arise;
  8. Have a document showing the binding responsibilities between organizations and individuals transferring and receiving personal data of Vietnamese citizens for the processing of personal data.

Do state agencies conduct checks on the implementation of regulations on data transfer abroad?


Based on the specific situation, the Ministry of Public Security will decide to check the transfer of personal data abroad once a year. However, extraordinary inspections can be performed in case of detecting violations of the provisions of the law on the protection of personal data, or the disclosure or loss of Vietnamese citizens’ personal data.

What are the risks of not complying with regulations on cross-border data transfer?

The first risk when not complying with the above regulations on cross-border data transfer is that the party transferring data abroad will have to stop transferring data abroad, disrupting business operations.

The Decree also stipulates that depending on the level of violation, enterprises can be sanctioned at different levels from administrative to criminal. It is expected that the Vietnamese Government will soon issue detailed regulations on specific sanctions for each violation. In the spirit of the previous drafts, administrative sanctions can be very strict and greatly affect the finances of the business.[1]

PrivacyCompliance provides solutions related to ensuring compliance with personal data, assessing the impacts of personal data processing, drafting impact assessment dossiers, cross-border data transfer dossiers.



#Decree13 #personaldata #crossborder #dossier #privacy #impactassessment

[1]According to previous drafts, the highest fine can be up to 5% of the annual revenue of the violating enterprise/organization.

Do foreign enterprises have to store their data in Vietnam?

In this day and age, data in general is increasingly becoming more and more valuable. Most service-based companies live off data collected from their clients, prime examples of this type of companies include social media networks such as Facebook or search engines such as Google where user data is being used for commercial purposes on […]

Learn more

Privacy Compliance

The decree on personal data protection has been officially issued

On April 17, 2023, the Decree on Personal Data Protection has been issued as Decree No. 13/2023/ND-CP (hereinafter referred as “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, which is anticipated to have substantial impacts on not only […]

Learn more

Privacy Compliance

Managing spam messages and calls in Vietnam

Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people still get those undesirable messages and calls? […]

Learn more