Sensitive personal data in Vietnam

November 7, 2023

Personal data requires particular protection in this digital age. In particular, sensitive personal data is even more vulnerable, easy-attacked and easy-abused; creating negative effects on data subjects and the whole society. Therefore, it is necessary to build a legal system to protect personal data in general and sensitive data in particular.

Definition of sensitive personal data
Before 2023, Vietnamese law did not have a specific and unified definition of both “personal data” and “sensitive personal data”. Accordingly, in 68 legal documents totally, which related to personal data protection in Vietnam, there are more than 10 similar terms referring to personal data, such as “personal information”, “private information”, “information on private life, personal secrets and family secrets”, “personal information in the network environment”,…[1] Meanwhile, there is no document that regulates sensitive personal data, including the definition and application of laws for this type of data.

In fact, along with the development of technology, personal data utilized is not only basic types such as name, age, address, phone number, and so on but also biometric data (fingerprint or eyeballs, for example) or political and religious views, etc. The aforementioned data can be exploited for illicit purposes if it is leaked or posted on the Internet and collected by cybercriminals.

Realizing the importance of protecting personal data in general and sensitive personal data in particular, many countries have issued legal regulations to ensure data safety. According to statistics, more than 80 countries have their own legal documents regulating this issue[2]. Some examples can be mentioned such as the General Data Protection Regulation (GDPR) of the European Union (EU) or China’s Personal Information Protection Law (PIPL), etc.

Updated with the global practice, Vietnam has also issued Decree No. 13/2023/ND-CP on personal data protection (hereinafter referred as Decree). About sensitive personal data, this is the first time Vietnam has clearly recognized and officially defined this type of data. Specifically, sensitive personal data is one of two types of personal data, along with the basic one[3]; such data is associated with an individual’s privacy that, when being infringed upon, shall cause a direct effect on the legitimate rights and interests of such individual.

Article 2.4 of the Decree also lists types of personal data that are considered sensitive, including:
(i) Political and religious views;
(ii) Information on health condition and private life that is documented in medical records, excluding information on blood type;
(iii) Information relating to racial origin and ethnic origin;
(iv) Information on inherited or acquired genetic characteristics of such individual;
(v) Information on distinctive physical attributes and biological characteristics of such individual;
(vi) Information on sex life and sexual orientation of such individual;
(vii) Data about crimes and criminal acts that are obtained and kept by law enforcement agencies;
(viii) Customer information held by credit institutions, foreign bank branches, intermediary payment service providers and other authorized organizations, including: customer identification information as stipulated by law, information on accounts, information on deposits, and so on;
(ix) Personal location data that are identified through positioning services;
(x) Other personal data that is regarded by law as specific and requires necessary security measures.

Considering Article 9 of GDPR on special categories data which has a similar nature to sensitive personal data, in comparison to the Decree, it can be seen clearly that the two regulations are quite parallel, except for some little differences:
Firstly, the regulation of GDPR includes information about trade union membership. This disparity stems from the distinct characteristics of European society in terms of trade union activities, resulting in the determination of trade union membership as special personal data in order to ensure equality between union members and other employees.Secondly, data on (i) crimes and criminal acts; (ii) personal location; (iii) Bank account and related information; (iv) other personal data that are stipulated by law is considered as sensitive personal data according to the regulation of the Decree.

In general, sensitive personal data stipulated in the Decree has a wide covered scope, even wider than the scope of GDPR, including most information of an individual’s living activities. For each data group, the types of information regulated are also considerably diverse. For example (within the scope of GDPR), according to an adjudication of the Court of Justice of the European Union (CJEU), name of an individual’s spouse is considered as special data (similar to sensitive personal data in Vietnam) because it can help to determine his/her sexual orientation (is one of special categories data)[4].

Regulations relating to sensitive personal data
Sensitive personal data is specially protected by the provisions of Decree No. 13/2023/ND-CP. Accordingly, the Decree set a few of obligations on the Controller and the Processor if they directly participate in or being involved in the sensitive personal data processing.

Firstly, among requirements for a valid consent of data subjects (voluntary and transparent), the law requires the data subjects to be fully and and specifically informed that the data to be processed is sensitive personal data before giving consent[5]. It is also a measure to protect personal data pursuant to Article 28.3 of the Decree. However, this action is not mandatory for the Controller processing sensitive personal data in the following cases: (i) The data subjects have acknowledged and given consent to all of the contents relating to the processing before authorising organisations/companies to collect his/her personal data; (ii) The personal data is subject to the processing by a competent state agency for the operation of the state agency in accordance with the law; (iii) The personal data is subject to the processing without requiring the consent of the data subject according to Article 17 of the Decree; (iv) Personal data processing obtained from audio and video recording in public locations by the competent authority.

Secondly, the Controller/Processor need to fully apply statutory measures to protect sensitive personal data, including: (i) management measures; (ii) technical measures; (iii) to develop and promulgate the regulations on personal data protection which are suitable for their own organizations; (iv) to apply standards for personal data protection appropriate to the fields, industries and activities in relation to the personal data processing, such as ISO 27001; ISO 27017, for instance; (v) To check the systems, facilities and equipment serving the personal data processing for network security before the processing, permanent deletion or destruction of devices containing personal data.

Thirdly, designate a department functioned with personal data protection, to appoint personnel in charge of personal data protection. It is the compulsory obligation for organizations which process sensitive personal data (however, with the wide scope aforementioned, most businesses and organizations would need to implement this activity). Accordingly, from the commencement of data processing, the Controller/Processor needs to designate the data protection officer and communicate the information on such department and individual in charge of personal data protection with the Specialized Agency for the Personal Data Protection.

The aforementioned responsibilities are mandatory for the Controllers/ Processors who handle sensitive personal data. Currently, although there are no specific penalties for the breach of these regulations, with reference to previous drafts of the Decree, the expected sanctions could be severe, having a direct and significant impact on the business results of the enterprise.

Therefore, fulfil these statutory obligations is an urgent task that most enterprises need to complete from July 1, 2023 in order to avoid possible legal risks./.


PrivacyCompliance provides solutions related to ensuring compliance with personal data, assessing the impacts of personal data processing, and DPO service.



#data #personaldata #sensitivepersonaldata #Decree13 #compliance #privacylaw #dataprotection #Vietnam
[3] Personal data means any information that is expressed in the form of symbol, text, digit, image, sound or in similar forms in electronic environment that is associated with a particular natural person or helps identify a particular natural person.
[4];  &
[5] Article 11.8 Decree No. 13/2023/ND-CP.

Do foreign enterprises have to store their data in Vietnam?

In this day and age, data in general is increasingly becoming more and more valuable. Most service-based companies live off data collected from their clients, prime examples of this type of companies include social media networks such as Facebook or search engines such as Google where user data is being used for commercial purposes on […]

Learn more

Privacy Compliance

The decree on personal data protection has been officially issued

On April 17, 2023, the Decree on Personal Data Protection has been issued as Decree No. 13/2023/ND-CP (hereinafter referred as “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, which is anticipated to have substantial impacts on not only […]

Learn more

Privacy Compliance

Managing spam messages and calls in Vietnam

Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people still get those undesirable messages and calls? […]

Learn more