Data protection impact assessment – statutory obligation for enterprises

November 8, 2023

The introduction of Decree No. 13/2023/ND-CP on Protection of Personal data (“the Decree”) has substantially altered the responsibilities of enterprises and organizations related to personal data protection, including the obligation to assess the impact of personal data processing.

Here are some important contents on the data protection impact assessment (DPIA) that every company needs to contemplate for serious implementation from July 1, 2023.

What is personal data? What is personal data processing?

“Personal data” (PD) refers to information associated with an individual or information that can be used to identify an individual; such as names, gender, personal identification number, political opinions, personal location and so on.

“Personal data processing” refers to one or multiple activities that have an impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, tracing, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.

What is data protection impact assessment (DPIA)?

DPIA is a process of identifying possible risks from the processing of personal data, assessing the impact of such activities as well as the consequences and estimated damage if the risks occur; concurrently providing appropriate measures to protect PD and to avoid or reduce/eliminate the identified risks.

Is data protection impact assessment mandatory?


DPIA is a compulsory obligation imposed by the Decree on the PD controller[1] and the PD Controller-cum-Processor[2] (hereinafter referred to as the Controller); as well as the PD processor[3] when executing a contract with the Controller.

With regard to the scope of PD and PD processing activities specified in the Decree, it can be affirmed that most enterprises and organizations in Vietnam would have to carry out DPIA.

When must an enterprise conduct a data protection impact assessment?

From the time of beginning of the processing of PD, enterprises, organizations and individuals must draft and store their dossiers on assessment of impact of personal data processing throughout the process. The Decree does not regulate the time limit of the dossier storage, however, with the requirement that the dossier on assessment of impact of personal data processing shall be always available in order to serve the inspection and assessment by the Ministry of Public Security”, it is conceivable that the DPIA dossiers are required to be stored indefinitely.

How can enterprises assess the impact of personal data processing?

The assessment must be presented in the form of a dossier according to Form No. 04 in the Appendix of the Decree.

The DPIA dossier must be established in writing and is legally valid to ensure the validity of the assessing process. Legitimately valid documents could be understood as being issued by the legal representative of the enterprise or organization.

What is included in the dossier on assessment of impact of PD processing?

For the Controller, the required contents include:

(i) Contact information and details of the Controller and the employee assigned to protect PD;

(ii) Processing purposes;

(iii) Types of personal data to be processed;

(iv) Data-receiving organization or individual;

(v) Cases of oversea transfer of personal data;

(vi) Duration of processing of personal data; estimated time of deletion or destruction of personal data (if any);

(vii) Description of measures for protecting personal data;

(viii) Assessment of the impact of personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.

For the PD Processor, the contents of the DPIA dossier are comparable to the aforementioned dossier of the Controller, except for the information about data recipient and processing purposes (which are decided by the Controller); however, the description of the processing of personal data under the contract with the Controller is additionally required.

Do enterprises have to submit their DPIA dossiers to the state agency?


Enterprises shall send 01 authentic copy of the DPIA dossier to the Ministry of Public Security (the Department of Cyber security and Hi-tech Crime Prevention) within 60 days from the date of processing of PD. The state agency shall make assessment of the submitted dossier and, in case the dossier is not complete and accurate according to regulations, the enterprise would be requested to supplement and/or complete the dossier.

When do enterprises have to update and amend their DPIA dossiers?

When there is any change to the contents submitted, the enterprises shall report the amended contents to the Ministry of Public Security (Department of Cyber security and Hi-tech Crime Prevention) according to Form No. 05 in the Appendix of the Decree.

Are there any risks if enterprises fail to comply with the regulations on DPIA?

The Decree stipulates that agencies, organizations and individuals that commit violations against regulations on the protection of personal data, depending on the severity of their violations, may be disciplined, or face administrative penalties or criminal prosecution. Currently, although there are no specific penalties for the breach of DPIA regulations, with reference to previous drafts, the expected sanction could be severe, having a direct and significant impact on the business results of the enterprise.

Therefore, starting to prepare and compile the DPIA dossier is an urgent task that most enterprises need to complete before July 1, 2023 in order to avoid possible legal risks./.

If you need further support, please contact us for further assistance!


PrivacyCompliance provides solutions to ensure personal data compliance, assess the impact of personal data processing (DPIA), build impact assessment records, cross-border transfer of personal data.



#data #PIA #DPIA #personal data #Decree13 #compliance #privacylaw #dataprotection #Vietnam

[1] “Personal Data Controller” refers to an organization or individual that decides the purposes and means of processing personal data.

[2] “Personal Data Controller-cum-Processor” refers to an organization or individual that jointly decides the purposes and means, and directly processes personal data.

[3] “Personal Data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.

Do foreign enterprises have to store their data in Vietnam?

In this day and age, data in general is increasingly becoming more and more valuable. Most service-based companies live off data collected from their clients, prime examples of this type of companies include social media networks such as Facebook or search engines such as Google where user data is being used for commercial purposes on […]

Learn more

Privacy Compliance

The decree on personal data protection has been officially issued

On April 17, 2023, the Decree on Personal Data Protection has been issued as Decree No. 13/2023/ND-CP (hereinafter referred as “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, which is anticipated to have substantial impacts on not only […]

Learn more

Privacy Compliance

Managing spam messages and calls in Vietnam

Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people still get those undesirable messages and calls? […]

Learn more