Digital transformation is accelerating across Vietnamese enterprises, especially in sectors that process large volumes of documents and records such as banking, finance, insurance, education, and public administration. As a result, personal data has become a core asset—and also the most targeted element in cyberattacks. The increasing adoption of Business Process Outsourcing (BPO) services—such as document digitization, data entry, and file processing—brings significant operational benefits but also raises concerns about data leakage or misuse.
To address these risks, the Government of Vietnam issued Decree No. 13/2023/ND-CP on Personal Data Protection, effective from July 1, 2023. This is the first legal framework that clearly defines the responsibilities of organizations in collecting, storing, processing, and sharing personal data—including cases where BPO services are engaged.

What Is Decree 13/2023?
Decree 13/2023/ND-CP establishes Vietnam’s first dedicated legal framework governing the protection of personal data. The regulation applies to all individuals and organizations that process the personal data of Vietnamese citizens, including businesses, institutions, digital platforms, and BPO providers.
The decree classifies personal data into two groups:
- Basic personal data: Full name, phone number, email address, residential address, etc.
- Sensitive personal data: National ID/citizen ID, bank accounts, health information, financial status, geolocation data, etc.
In digital document projects, these data types commonly appear in customer records, contracts, payroll files, financial verification documents, and more—making data protection requirements stricter than ever.
Key Requirements of Decree 13/2023 for Businesses
1. Data Collection: Consent Required
- Organizations must inform data subjects of the purpose of data collection and the retention period.
- Data cannot be used for any other purpose without explicit consent in writing or electronic form.
2. Data Processing & Storage: Right Purpose – Right Scope
- Data must only be processed within the scope agreed upon by the data subject.
- Transferring data to third parties (including BPO providers) is prohibited unless permission is granted.
3. Accountability Requirements
- Businesses must appoint a Data Protection Officer (DPO) or a dedicated personal data protection unit.
- Documentation proving lawful data processing must be maintained.
4. Incident Reporting
- In case of a data breach, organizations must notify the authorities within 72 hours.
This means that even when outsourcing, the business remains the party with the highest legal responsibility.

Implications for Businesses When Outsourcing BPO Services
Outsourcing BPO services inherently involves sharing personal data with a third party. This exposes the business to additional risks if the service provider lacks adequate security capabilities.
Under Decree 13/2023, the business becomes the data controller, while the BPO provider acts as the data processor.
If the processor causes a data breach, the business still faces penalties.
Minimum Requirements When Selecting a BPO Provider
- Strong NDA agreements and detailed data processing contracts
- ISO/IEC 27001 certification for information security management
- Strict access control following Zero Trust principles
- Comprehensive system monitoring and audit logs for data access history
Risks When Choosing Low-Cost, Non-Compliant Providers
- Employees using personal devices to copy or extract data
- Lack of access control—“anyone can view everything”
- Data stored on foreign cloud systems, causing legal and jurisdictional risks
BPO.MP – A BPO Partner Fully Compliant With Decree 13/2023 in Vietnam
BPO.MP implements enterprise-grade security measures, including:
- ISO/IEC 27001 – International standard for information security
- NDA agreements with businesses and all staff involved in data processing
- Zero Device Model: no phones, no USBs, no personal devices
- 100% audit log tracking of all data processing activities
- Dedicated private servers, not shared with any external organization
- AI & Automation applied to minimize manual handling, reducing risks of data exposure
Decree 13/2023 elevates the standard for personal data protection in Vietnam. While this presents challenges, it also offers an opportunity for businesses to enhance security frameworks, professionalize data management, and strengthen customer trust—especially when partnering with BPO providers that meet high compliance standards.
BPO.MP COMPANY LIMITED
– Da Nang: No. 252, 30/4 St., Hoa Cuong Ward, Da Nang city
– Hanoi: 10th floor, SUDICO building, Me Tri St., Tu Liem Ward, Hanoi
– Ho Chi Minh City: 36-38A Tran Van Du St., Tan Binh Ward, Ho Chi Minh City
– Hotline: 0931 939 453
– Email: info@mpbpo.com.vn