Data Protection Notice (Vietnam PDPL 2023)
This page is the formal Personal Data Protection notice required by Vietnam's Decree 13/2023/ND-CP for Vietnamese-resident travellers. The full Privacy Policy applies to everyone; this page summarises the VN-specific bits.
What this data protection notice (vietnam pdpl 2023) says in plain English
- ✓We're registered with the Ministry of Public Security data-protection registry as data controller [MPS_REG_NUMBER].
- ✓For cross-border transfers of VN-resident data, we use SCCs + maintain a Vietnamese-language record of processing.
- ✓VN PDPL rights mirror GDPR but with separate legal basis numbering (Art 9 consent · Art 11 contract).
- ✓DPO contact for VN residents: dpo@asiatravellinksdmc.com · also Vietnamese-language line at [VN_DPO_PHONE].
- ✓For complaints, file with the Ministry of Public Security (Cục An ninh mạng A05).
1.Legal framework
Vietnam s Personal Data Protection Law (Luật Bảo vệ Dữ liệu Cá nhân) implemented by Decree 13/2023/ND-CP, effective 1 July 2023. ATL is a "data controller" (Bên Kiểm soát Dữ liệu Cá nhân) under Art 2.9.
2.Processing notice register
ATL maintains an internal Processing Notice register in Vietnamese (per Decree 13 Art 38) accessible to Ministry of Public Security (MPS) auditors. Summary:
- Purposes: quote response · trip delivery · post-trip survey · marketing (consent-based)
- Categories: contact · trip preferences · travel documents · payment metadata (no card numbers)
- Recipients: hotel partners · tour guides · payment processors · government visa authorities
- Retention: 36 months quote · 7 years booking (tax)
- Cross-border: US (Google, Meta, Cloudflare) · EU (Wise) — SCC-protected
3.Legal basis under Decree 13
- Art 9 consent — marketing emails + WhatsApp opt-in
- Art 11.1 contract — quote response + trip delivery
- Art 11.2 legal obligation — tax retention + visa filing
- Art 11.4 legitimate interest — security log retention + spam-filter analytics
4.Cross-border transfer
Per Decree 13 Art 35, we registered the cross-border transfer impact assessment with MPS under registration [MPS_REG_NUMBER]. Recipients: Google US (Analytics), Meta US (WhatsApp Cloud), Cloudflare US (DDoS), Wise UK/EU/AU/SG. All bound by SCCs.
5.Sensitive data
We don t intentionally collect "sensitive personal data" as defined by Decree 13 Art 2.4 (political opinions, health beyond dietary/accessibility, biometrics). The exception: if your trip insurance broker requires medical disclosure (rare), we collect it as a one-time use, encrypted, deleted within 7 days of trip end.
6.Rights
All GDPR rights apply (see Privacy Policy §8). VN-specific:
- Withdraw consent in writing — Vietnamese-language template available on request
- File a complaint with Cục An ninh mạng và phòng, chống tội phạm sử dụng công nghệ cao (A05) —
[A05_ADDRESS]
7.Data protection officer
The ATL DMC Privacy Team — reachable at dpo@asiatravellinksdmc.com or [VN_DPO_PHONE] (Vietnamese-language, Mon-Fri 9-18:00 +07:00).
8.Breach notification
Per Decree 13 Art 23, we notify MPS A05 within 72 hours of confirming a personal data breach affecting Vietnamese residents, and notify affected residents within the same window via email or SMS.
Questions about this policy?
Privacy queries get a 7-day reply guarantee. For complex GDPR/PDPL data-subject-access requests, expect 30 days fulfilment with progress updates along the way.