Vietnam PDPL (Decree 13)

Vietnam

20 domains

32 controls

Vietnam Personal Data Protection Decree 13/2023/ND-CP + incoming PDPL 2026.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (20)

Assurance

1 controls

Controls in the Assurance domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-32	Audit and continuous monitoring	Article 28 requires periodic internal review of personal data processing. A05 may conduct inspections and request eviden...

Automated processing

1 controls

Controls in the Automated processing domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-20	Automated decision-making and profiling	Article 22 requires data subjects be informed of automated decision-making with legal or significant effects, granted ri...

Consent

2 controls

Controls in the Consent domain of Vietnam PDPL (Decree 13) — 2 controls
Code	Title	Description
VN-PDPL-03	Explicit unambiguous consent	Article 11 requires consent be explicit, freely given, unambiguous, in clear and understandable form, and provable. Sile...
VN-PDPL-04	Consent of minors and special categories	Article 20 requires parental/guardian consent for processing data of minors under 7. Children 7-15 require both child an...

Cross-border transfer

2 controls

Controls in the Cross-border transfer domain of Vietnam PDPL (Decree 13) — 2 controls
Code	Title	Description
VN-PDPL-14	Cross-border transfer impact assessment (TIA)	Article 25 mandates a cross-border transfer impact assessment before transferring Vietnamese personal data abroad. TIA m...
VN-PDPL-29	Localisation and storage considerations	Decree 53/2022/ND-CP (Cybersecurity Law implementing decree) introduces data localisation for certain foreign service pr...

DPIA

1 controls

Controls in the DPIA domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-13	Data Protection Impact Assessment (DPIA)	Article 24 mandates DPIA before processing personal data. DPIA must be filed with A05 within 60 days of start of process...

Data classification

1 controls

Controls in the Data classification domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-01	Personal data categorization (basic vs sensitive)	Controllers must classify personal data as basic (Article 2.3) or sensitive (Article 2.4, ten categories including polit...

Data subject rights

8 controls

Controls in the Data subject rights domain of Vietnam PDPL (Decree 13) — 8 controls
Code	Title	Description
VN-PDPL-05	Right to know	Article 9.1 grants data subjects the right to be informed about processing of their personal data, including purposes, r...
VN-PDPL-06	Right of access	Article 9.2 grants right to access processed personal data. Controller must respond within 72 hours of valid request unl...
VN-PDPL-07	Right to correction	Article 9.3 grants right to correct inaccurate personal data. Controller must correct or explain refusal within 72 hours...
VN-PDPL-08	Right to deletion	Article 9.4 and Article 16 grant right to delete personal data when consent is withdrawn, processing is no longer necess...
VN-PDPL-09	Right to restrict processing	Article 9.5 grants right to restrict processing within 72 hours of request. Common where accuracy disputed or processing...
VN-PDPL-10	Right to object	Article 9.6 grants right to object to processing including direct marketing and profiling. Objection must be honoured un...
VN-PDPL-11	Right to data portability	Article 9.7 grants right to receive personal data in a structured, commonly used machine-readable format and transmit to...
VN-PDPL-12	Right to complain and seek redress	Article 9.8 grants right to file complaints with the Ministry of Public Security and seek damages through civil action.

Enforcement

1 controls

Controls in the Enforcement domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-27	Penalties under Decree 15 and amendments	Administrative fines apply under Decree 15/2020/ND-CP (as amended) for breaches of Decree 13. Penalties can include fine...

Governance

3 controls

Controls in the Governance domain of Vietnam PDPL (Decree 13) — 3 controls
Code	Title	Description
VN-PDPL-18	Data protection function and DPO	Article 28 requires controllers and processors handling sensitive personal data or large-scale processing to designate a...
VN-PDPL-24	Record of processing activities (ROPA)	Decree 13 implicitly requires maintenance of processing records to support DPIA, TIA, DSAR, and A05 inquiries. Records m...
VN-PDPL-25	Training and awareness	Article 28.2 requires controllers to train staff handling personal data. Training must cover Decree 13 obligations, brea...

Incident response

2 controls

Controls in the Incident response domain of Vietnam PDPL (Decree 13) — 2 controls
Code	Title	Description
VN-PDPL-16	Breach notification 72 hours	Article 23 requires notification to A05 within 72 hours of becoming aware of a personal data breach. Notification must i...
VN-PDPL-17	Data subject notification of breach	Article 23.4 requires notification of affected data subjects without undue delay when breach is likely to result in high...

Lawful basis

1 controls

Controls in the Lawful basis domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-02	Lawful processing principles	Article 3 requires processing be lawful, transparent, purpose-limited, minimised, accurate, secure, and time-bound. All...

Marketing

1 controls

Controls in the Marketing domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-19	Direct marketing controls	Article 21 requires explicit consent for direct marketing, identification of sender, easy opt-out mechanism, and respect...

Operational

1 controls

Controls in the Operational domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-31	Language and Vietnamese-language compliance	All consent, notices, DSAR responses, and regulator filings must be in Vietnamese. Bilingual versions are acceptable pro...

Regulator engagement

1 controls

Controls in the Regulator engagement domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-15	A05 notification and filing	Multiple obligations require notification to the Department of Cybersecurity and High-Tech Crime Prevention (A05) under...

Regulatory change

1 controls

Controls in the Regulatory change domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-28	PDPL 2026 transition planning	The Personal Data Protection Law (PDPL) was approved by the National Assembly in 2025 and takes effect in 2026. It eleva...

Retention

1 controls

Controls in the Retention domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-21	Retention and deletion	Article 16 requires personal data be retained only as long as necessary for the stated purpose. After purpose ends, data...

Sectoral

1 controls

Controls in the Sectoral domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-30	Sectoral overlays (banking, health, telecom)	Decree 13 applies in addition to sectoral rules including SBV regulations on banking secrecy, Ministry of Health rules o...

Security

1 controls

Controls in the Security domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-23	Security measures	Article 26 requires technical and organisational measures appropriate to risk including access control, encryption, logg...

Special categories

1 controls

Controls in the Special categories domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-26	Children's data and protection	Articles 17 and 20 provide special protections for children's personal data including parental consent for under-7s, dua...

Vendor management

1 controls

Controls in the Vendor management domain of Vietnam PDPL (Decree 13) — 1 controls
Code	Title	Description
VN-PDPL-22	Processor obligations and contracts	Article 27 requires written processor agreements specifying scope, duration, purpose, types of data, controller instruct...

Frequently Asked Questions

What is Vietnam PDPL (Decree 13)?

Vietnam PDPL (Decree 13) is a compliance framework from Vietnam with 20 domains and 32 controls. Vietnam Personal Data Protection Decree 13/2023/ND-CP + incoming PDPL 2026. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Vietnam PDPL (Decree 13) have?

Vietnam PDPL (Decree 13) has 32 controls organised across 20 domains. The largest domains are Data subject rights (8 controls), Governance (3 controls), Consent (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Vietnam PDPL (Decree 13) map to?

Vietnam PDPL (Decree 13) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Vietnam PDPL (Decree 13) compliance?

Start your Vietnam PDPL (Decree 13) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Vietnam PDPL (Decree 13) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required