Governance · VN · 8 min read
Vietnam's Decree 13 and the Cybersecurity Law: what AI programmes must design for.
Personal data, cross-border transfer, data subject rights, and the operational posture for AI programmes operating in or from Vietnam.
Vietnam's data regime is not a copy of GDPR. The cross-border rules, consent posture and Cybersecurity Law overlap create a distinct operational pattern for AI programmes.
Decree 13/2023 is the primary personal data protection instrument in Vietnam. It sets consent, data subject rights, cross-border transfer and breach notification obligations that AI programmes must design against from the start — not retrofit after launch.
For AI specifically, three things matter most. (1) Cross-border transfer of personal data — including the data that flows through a model provider — requires an assessment and, in many cases, a contractual mechanism. (2) Consent must be specific; a generic ‘we use your data to improve our services’ is insufficient when the data trains or queries a model. (3) Data subject rights — including access, correction and deletion — must be technically achievable inside the AI workflow.
The Cybersecurity Law adds an overlapping layer for certain sectors and data types. Where AI touches systems or data covered by the Cybersecurity Law, additional localisation and incident-handling requirements can apply.
Operationally, this means: model and provider choices must be evaluated on Vietnam-residency posture, not just accuracy and cost; consent records must be granular and machine-readable; and the deletion path must reach the model layer — not just the application database.
We run a Vietnam-specific readiness review as part of the Governance engagement — and where a build is in scope, we engineer the data path and the consent record to satisfy Decree 13 from day one.
Want to dig deeper?
Book a 30-minute briefing — we'll walk you through how the topic above lands on a real engagement.
