Enhancing the Responsibilities of Data Controllers in Vietnam: Insights from the European General Data Protection Regulation

Abstract

  This article explores the evolving landscape of data protection law in Vietnam, focusing specifically on the responsibilities of data controllers under Vietnam's new Personal Data Protection Decree (Decree No. 13/2023/ND-CP - hereinafter referred to as Decree 13) and compares it with the European Union's General Data Protection Regulation (GDPR). The main objective is to assess how the provisions regarding data controllers’ responsibilities under Decree 13 align with international data protection standards, identifying its progress and challenges. The analysis uncovers both convergence and divergence points between the related provisions under Decree 13 and the GDPR, particularly in terms of clarity, scope, and enforcement mechanisms. A significant challenge identified is the ambiguity in Decree 13’s provisions on data controllers’ responsibilities and the absence of several essential elements, which could undermine the effectiveness of Vietnam's data protection framework. To address these issues, the article offers strategic recommendations for legislative improvements and practical adjustments for data controllers in Vietnam. In conclusion, while navigating the path to a comprehensive data protection framework poses challenges for Vietnam, this journey offers an opportunity to align with regional and global developments in data protection laws. By learning from the GDPR and adapting to its specific features, Vietnam can develop a robust, effective, and trustworthy data protection environment, safeguarding its citizens' privacy rights and facilitating a favorable international business climate.