
Decree 13/2023/ND-CP was Vietnam's first dedicated personal data protection regulation, issued by the Government of Vietnam on May 17, 2023, and administered by the Ministry of Public Security (MPS). It established initial obligations for personal data controllers, processors, and third-party processors operating in Vietnam, including requirements for processing registrations with MPS, consent management, cross-border transfer notifications, and breach reporting. Decree 13 is now superseded. Law 91/2025/QH15 (the PDPL) replaced it as Vietnam's primary personal data protection framework, with Decree 356/2025/ND-CP replacing the administrative procedure structures that Decree 13 had introduced.
Decree 13 operated as a standalone regulation issued under Government authority rather than as an implementing decree beneath a dedicated personal data protection statute. This legislative positioning meant that its obligations were not as comprehensive as those introduced by the PDPL, and its administrative procedures were less formally structured. Organizations subject to Decree 13 were required to register their personal data processing activities with MPS, provide consent notices in prescribed formats, notify MPS of cross-border transfers, and maintain basic breach notification processes. The enforcement mechanism under Decree 13 was primarily administrative penalty, with MPS having authority to inspect and penalize non-compliant organizations.
The supersession of Decree 13 by Law 91 and Decree 356 was a material regulatory transition. The new framework introduced significantly more prescriptive obligations – mandatory DPIA dossier filing, structured impact assessments, official Mau so and Phu luc forms, and detailed procedural timelines – that represent a higher operational bar than Decree 13 required. Organizations that were compliant with Decree 13 are not automatically compliant with the PDPL/Decree 356 regime, and the transition from one to the other requires deliberate gap analysis to identify obligations that are new, expanded, or restructured under the successor framework.

The Vietnam Personal Data Protection Law (Law 91/2025/QH15) is the successor framework that replaced Decree 13. For the current compliance obligations that apply to organizations operating in Vietnam today, see the Vietnam PDPL (Law 91/2025/QH15) compliance page. For the current implementing procedures, see the Decree 356 PDPL Implementation page.
Decree 13 matters to compliance practitioners because it defined the regulatory baseline during the period from mid-2023 through the transition to Law 91. Organizations that processed personal data during that period created compliance records – processing registrations, consent records, cross-border transfer notifications, breach notification filings – under Decree 13's requirements. Those records reflect the regulatory framework in force at the time they were created. Understanding Decree 13's requirements is necessary to evaluate whether those historical records are complete, correctly structured, and sufficient to satisfy a regulator examining that compliance period.
The transition from Decree 13 to the PDPL also introduced definitional changes. The PDPL introduced the concept of "sensitive personal data" with heightened obligations that did not exist under Decree 13. The DPIA filing requirement is new under the PDPL. The Phu luc data structures are new. An organization conducting a transition gap analysis must understand what Decree 13 required in order to correctly identify what has changed and what legacy records need to be supplemented, updated, or retained as historical evidence of good-faith compliance during the Decree 13 period.

| Obligation | Requirement Under Decree 13 | Status Under PDPL/Decree 356 |
|---|---|---|
| Processing registration | Organizations must register personal data processing activities with MPS | Replaced by DPIA dossier filing (Mau so 02a/02b) under Decree 356 |
| Consent notice | Consent must be obtained with prescribed information provided to data subjects | Continued under PDPL with enhanced documentation requirements (Phu luc V) |
| Cross-border transfer notification | Organizations must notify MPS of cross-border transfers before they occur | Replaced by Cross-Border Transfer Impact Assessment filing (Mau so 01a/01b + Mau so 09) under Decree 356 |
| Breach notification | Organizations must notify MPS of data breaches within prescribed timeframes | Continued under PDPL with official Mau so 08 form requirement and 72-hour window |
| Data processing agreement | Agreements required between controllers and processors | Continued under PDPL with Phu luc VII data structure requirements |
| Third-party processor registration | Third-party data processors must register with MPS | Superseded by service processing certificate procedures (Mau so 04-07) under Decree 356 |
| Annual compliance review | Organizations conducting high-volume processing must conduct periodic reviews | Continued under PDPL with Phu luc VIII annual compliance report structure |

| Concept | Decree 13 Treatment | PDPL Treatment | Compliance Implication |
|---|---|---|---|
| Sensitive personal data | Limited category definition | Expanded category with heightened obligations (explicit consent, separate processing records, DPO involvement) | Organizations must review all processing activities involving categories newly classified as sensitive under the PDPL |
| Data subject rights | Basic access and correction rights | Comprehensive rights regime (access, correction, deletion, portability, objection, restriction) | Rights request fulfillment workflows require expansion beyond Decree 13-era processes |
| DPIA requirement | Not required under Decree 13 | Mandatory for prescribed triggers under PDPL and Decree 356 | Organizations must assess which of their current processing activities require a DPIA and prepare filings |
| DPO designation | Not mandated | Required for organizations meeting threshold criteria | DPO designation and documentation is a new obligation for qualifying organizations |

| Record Type | Typical Retention Basis | Operational Action |
|---|---|---|
| Processing registration records | Retain for the duration of the compliance period covered plus applicable statute of limitations | Maintain in accessible format with original form structure |
| Consent records and notices | Retain for the life of the consent plus applicable limitation period | Map to current consent records where continuity exists; flag legacy consent for renewal assessment |
| Cross-border transfer notifications | Retain for the compliance period plus limitation period | Maintain as evidence of pre-PDPL compliance; prepare gap analysis against Decree 356 transfer filing requirements |
| Breach notification records | Retain per MPS guidance and internal incident retention policy | Cross-reference with current Mau so 08 records to ensure incident history is complete |

ComplianceOne supports Decree 13 legacy compliance through two operational capabilities: historical evidence retrieval and transition gap analysis workflows.
For historical evidence retrieval, the platform's Audit Trail module maintains tamper-evident, hash-chained records of all compliance actions with timestamps and contributor identity. Evidence packs can be generated for specified historical periods – including compliance periods that fall within the Decree 13 era – allowing organizations to respond to MPS inspection requests or internal audit inquiries covering historical periods. Evidence packs are generated with configurable redaction profiles for different audiences (internal, auditor, regulator) and can be scoped to specific frameworks, form types, or time ranges.
For transition gap analysis, the Program Governance module supports framework comparison workflows that document the obligations under the legacy instrument, the obligations under the successor instrument, the gap between them, and the remediation actions required to close the gap. This structured documentation provides a defensible record of the organization's transition process – evidence that the organization understood the transition and actively managed it, rather than simply switching from Decree 13 records to PDPL records with no documented assessment. The gap analysis record is itself an evidence artifact that can be produced during an inspection covering the transition period.
For Decree 13-era consent records that require assessment against PDPL Phu luc V requirements, the Consent Governance module supports legacy consent import and gap tagging, enabling organizations to identify which existing consent records satisfy the PDPL's enhanced documentation requirements and which require renewal outreach to data subjects.
Provides Mau so 01a, 01b, 02a, 02b, 03a, and 03b templates with both Decree 356 template IDs and DLCN-HC procedure codes.
Manages the DPIA dossier preparation and filing lifecycle aligned to the Mau so 02a/02b A05 procedure sequence.
Manages MPS supplement request loops for breach notification filings (Mau so 08, which follows Decree 356 but not a Decision 778 procedure).
Captures the complete MPS interaction history for each Decision 778 procedure: submission, supplement, response, and determination.
Organizations managing Decree 13 legacy obligations should confirm:

Regulators can examine compliance for any period when an organization was subject to regulation. If an inspection covers processing activities that occurred during the Decree 13 era, the regulator will apply the framework in force at that time – Decree 13 – to assess whether the organization was compliant during that period. Non-compliance with Decree 13 during the period it was in force remains an enforcement risk regardless of whether the organization is now compliant under the PDPL. This is why historical evidence retention is operationally important even after supersession.
The DPIA filing obligation is the most structurally significant new obligation under the PDPL/Decree 356 that did not exist under Decree 13. Organizations that had not conducted any form of data processing impact assessment under Decree 13 need to assess all current processing activities against DPIA triggers under the PDPL and prepare filings for those that qualify. The second most common gap is the enhanced sensitive personal data category – the PDPL expanded the definition, meaning processing activities that were not subject to heightened obligations under Decree 13 may now qualify as sensitive personal data processing requiring additional controls.
Retention periods depend on the type of record and the applicable statute of limitations for administrative penalties under Vietnamese law. As a general principle, records should be retained for at least as long as the applicable inspection statute of limitations, plus a buffer. Organizations should consult their legal advisors to determine the specific retention period applicable to each record type. ComplianceOne supports configurable retention schedules that can be set per framework era and record type.
It depends on whether the consent was obtained in a manner consistent with PDPL requirements. The PDPL introduced enhanced documentation requirements for consent (Phu luc V structure), expanded categories of sensitive personal data requiring explicit consent, and more detailed disclosure requirements at the point of consent collection. Decree 13-era consent records that do not satisfy these enhanced requirements may need to be supplemented or replaced with renewed consent. ComplianceOne's Consent Governance module supports legacy consent assessment and renewal workflow management.
