Regulations · 13 min read · 30 March 2026

Vietnam's Personal Data Protection Decree: What HealthTech Must Do

Vietnam's PDPD came into force in 2023. This guide covers what data you can collect, consent requirements, cross-border transfer rules, and how it affects product design.


Overview: What the PDPD Is

Vietnam's Personal Data Protection Decree (Nghị định 13/2023/ND-CP, 'PDPD') came into full effect on 1 July 2023. It is Vietnam's first comprehensive personal data protection framework and bears significant similarities to the EU's GDPR, though with some important local differences.

For HealthTech companies, the PDPD is highly relevant because it explicitly categorises health data as 'sensitive personal data' with heightened protection requirements. Any product that collects, processes, stores, or transmits patient health information must comply — regardless of whether you are a Vietnamese entity or a foreign company operating in the Vietnamese market.

What Data Is Covered

The PDPD distinguishes between basic personal data (name, date of birth, contact information) and sensitive personal data. Health and medical data is explicitly listed as sensitive, and processing it carries stricter requirements: the data subject must be told that the data being processed is sensitive, consent must be explicit, an impact assessment dossier must be prepared, and stronger security measures apply.

This includes: diagnostic records, prescriptions, treatment history, medical images, biometric data, and any health indicators collected via wearables or apps. It also covers data inferred from behaviour that reveals health conditions. If your product analyses heart rate or activity patterns to infer health status, that data is likely sensitive under the PDPD.

Consent Requirements

Consent under the PDPD must be explicit, specific, and freely given, and silence or failure to respond does not count as consent. It must be captured in a form that can be printed, copied, or otherwise verified, including electronic form. Patients must be informed of: what data is collected, the purpose, who will access it, how long it will be retained, and their rights to access, correct, delete it, or withdraw consent.

Blanket consent buried in Terms of Service does not meet the standard. If your product collects health data, the consent flow must be specific to that data and its purpose. Consent for primary care is separate from consent for research analytics — you cannot use one to cover the other.

Cross-Border Data Transfer

The PDPD restricts cross-border transfer of Vietnamese personal data. To send personal data outside Vietnam, you must obtain explicit consent from the data subject that specifically mentions cross-border transfer, and file a cross-border transfer impact assessment dossier with the Ministry of Public Security (MPS) within 60 days of the transfer starting.

For HealthTech companies with infrastructure outside Vietnam (AWS, GCP, Azure regions outside the country), this is a significant compliance requirement. Vietnam does not yet have a formal adequacy decision mechanism like the EU, so each transfer activity needs its own consent and its own dossier. The practical approach for most companies: use Vietnam-based data residency for personal data processing, and use international infrastructure only for non-personal analytics and model training data. Note that "non-personal" means properly anonymised: pseudonymised records, or metrics from which a health condition can still be inferred about an individual, remain personal data and fall back under the transfer rules.

Impact on Product Design

Build consent management into your product architecture from the start. This means a consent record per patient per purpose, with the timestamp and method of consent and any later withdrawal, stored in a way that can be produced during an audit.

Implement data minimisation: collect only the data necessary for the stated purpose. AI models trained on aggregated or anonymised data have lower compliance risk than those requiring individual patient records in production.

Data retention limits apply. Health data cannot be retained indefinitely. Define and implement retention periods, and build the ability to delete patient data on request into your backend. Vietnamese hospitals will ask about data deletion capability during procurement evaluation.
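The following is an added example written for this article, not code from the original page or from any named product. It shows one way to build the consent and retention machinery described above: an append-only ledger with one consent event per patient per purpose (timestamp, capture method, whether cross-border transfer was named), a purpose-scoped check that never lets consent for one purpose cover another, a retention sweep, and deletion on request that removes health records while keeping the consent history as audit evidence. The purpose names, consent methods, and retention periods are placeholders chosen for illustration, not figures from the decree.

```python
"""Purpose-scoped consent ledger with retention and erasure for health data.

Added illustration; the record layout, purpose names, consent methods and
retention periods are assumptions, not figures from the PDPD.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention per purpose (placeholders, not legal advice).
RETENTION = {
    "primary_care": timedelta(days=10 * 365),
    "research_analytics": timedelta(days=2 * 365),
}


@dataclass
class ConsentRecord:
    patient_id: str
    purpose: str                 # e.g. "primary_care", "research_analytics"
    method: str                  # how consent was captured, e.g. "signed_form"
    granted_at: datetime
    cross_border: bool = False   # consent text explicitly named transfer outside Vietnam
    withdrawn_at: Optional[datetime] = None


@dataclass
class HealthRecord:
    record_id: str
    patient_id: str
    purpose: str
    collected_at: datetime


class ConsentLedger:
    """Append-only: withdrawal is a new event on the record, never a row delete,
    so the full history can be produced during an audit."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, patient_id: str, purpose: str, method: str,
              cross_border: bool = False, at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(patient_id, purpose, method,
                            at or datetime.now(timezone.utc), cross_border)
        self._records.append(rec)
        return rec

    def withdraw(self, patient_id: str, purpose: Optional[str] = None,
                 at: Optional[datetime] = None) -> int:
        """Withdraw one purpose, or every open purpose when purpose is None."""
        at = at or datetime.now(timezone.utc)
        n = 0
        for r in self._records:
            if (r.patient_id == patient_id and r.withdrawn_at is None
                    and (purpose is None or r.purpose == purpose)):
                r.withdrawn_at = at
                n += 1
        return n

    def may_process(self, patient_id: str, purpose: str,
                    cross_border: bool = False, at: Optional[datetime] = None) -> bool:
        """True only if consent for exactly this purpose was in force at `at`.
        Cross-border use additionally needs a consent that named the transfer."""
        at = at or datetime.now(timezone.utc)
        live = [r for r in self._records
                if r.patient_id == patient_id and r.purpose == purpose
                and r.granted_at <= at
                and (r.withdrawn_at is None or r.withdrawn_at > at)]
        if not live:
            return False
        return any(r.cross_border for r in live) if cross_border else True

    def history(self, patient_id: str) -> list[ConsentRecord]:
        """Everything ever recorded for a patient, for audit export."""
        return [r for r in self._records if r.patient_id == patient_id]


def records_past_retention(records: list[HealthRecord], now: datetime) -> list[str]:
    """IDs of records held longer than their purpose's retention period.
    A purpose with no defined retention is flagged too (fail closed)."""
    out = []
    for rec in records:
        limit = RETENTION.get(rec.purpose)
        if limit is None or rec.collected_at + limit <= now:
            out.append(rec.record_id)
    return out


def erase_patient(records: list[HealthRecord], ledger: ConsentLedger,
                  patient_id: str, at: Optional[datetime] = None) -> int:
    """Deletion on request: drop the patient's health records in place and close
    every open consent. Consent events stay in the ledger as evidence of what
    was permitted and when. Returns the number of health records deleted."""
    at = at or datetime.now(timezone.utc)
    before = len(records)
    records[:] = [r for r in records if r.patient_id != patient_id]
    ledger.withdraw(patient_id, None, at)
    return before - len(records)
```

Two design points worth noting. `may_process` takes the time of the processing as a parameter, so a historical action can be checked against the consent that was in force then, which is what an auditor will ask for; and `erase_patient` deliberately leaves the ledger intact, because the consent events are the proof that earlier processing was lawful, while the health records themselves are what the deletion right applies to.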

Compliance Checklist for HealthTech Companies

- File a personal data processing impact assessment dossier with the Ministry of Public Security within 60 days of starting to process personal data, and update it when the processing changes.
- Designate a department and named personnel responsible for protecting sensitive personal data (the PDPD's counterpart to a Data Protection Officer) and notify the MPS of the designation.
- Assess the impact of any new processing of sensitive health data before it starts and add it to the dossier.
- Document your lawful basis for each category of data processing.
- Maintain records of all data transfers, especially cross-border, together with the matching consent and transfer dossier.
- Train staff on PDPD obligations and incident response procedures; personal data breaches must be reported to the MPS within 72 hours of occurrence.

Non-compliance carries significant risk: administrative fines, criminal liability for responsible individuals, and — critically for a B2B HealthTech company — loss of hospital contracts. Vietnamese public hospitals increasingly require PDPD compliance attestation in procurement tenders.

Tags: Data Privacy, PDPD, Compliance, Legal