What is Personal Data Protection?
Personal data protection refers to the policies and practices designed to safeguard individuals' personal information from unauthorized access, use, disclosure, or destruction.
In Vietnam, personal data protection regulation encompasses measures to ensure that personal data is collected, processed, stored, and transferred securely and transparently. The significance of personal data protection lies in its ability to prevent data breaches, protect privacy, and maintain the integrity and confidentiality of personal information.
The primary objectives of Vietnam's Personal Data Protection Law are to:
- Ensure that individuals have control over their personal data and how it is used.
- Implement measures to protect against unauthorized access and data leaks.
- Urge organizations to be transparent about their data processing activities.
- Hold organizations accountable for their data protection practices and ensure compliance with legal requirements.
- Align Vietnam's data protection regulations with global standards to facilitate international business and cooperation.
Governing texts
Effective from January 1, 2026, the PDPL consolidates and strengthens regulations across sectors, introducing clearer and more enforceable provisions while maintaining principles of lawfulness, transparency, purpose limitation, and data minimization.
| Category | PDPD (Decree No. 13/2023/ND-CP) | Personal Data Protection Law (PDPL) |
| --- | --- | --- |
| Effective Date | July 1, 2023 | January 1, 2026 |
| Legal Status | Sub-law (government decree) | Full law enacted by the National Assembly |
| Scope of Application | Broad, including foreign entities processing Vietnamese data | Clarified: applies to foreign entities only if directly processing data of Vietnamese citizens or persons of Vietnamese origin residing in Vietnam |
| Administrative Fines | General fines, not clearly quantified | Up to VND 3 billion or 10× revenue for data trading; 5% of annual revenue for cross-border violations |
| Cross-Border Data Transfer | Required DTIA, but lacked clarity | DTIA required within 60 days; exemptions for authorities, cloud storage, and personal transfers |
| DPIA Requirements | Mandatory for controllers/processors | Same requirement; must be updated every 6 months or upon major changes |
| Sector-Specific Regulations | General principles | Detailed rules for recruitment, banking, advertising, AI, blockchain, cloud, etc. |
| Data Protection Workforce | No specific structure | Requires DPOs or certified service providers; qualifications to be defined by the government |
| Transitional Provisions | Not specified | Exemptions for startups (5 years), microenterprises, household businesses, unless handling sensitive or large-scale data |
| Status of PDPD | Active | Expected to be replaced by a new decree implementing PDPL |
Law on Cybersecurity
The Law on Cybersecurity (No. 24/2018/QH14), enacted on June 12, 2018, regulates activities in cyberspace that impact national security and social order. This law is critical for ensuring that digital activities do not compromise the security and privacy of personal data. It provides guidelines for securing information systems and responding to cyber threats, thereby protecting users' personal data from unauthorized access and breaches.
Law on Electronic Transactions
The Law on Electronic Transactions (No. 20/2023/QH15), adopted on June 22, 2023, and effective from July 1, 2024, governs electronic transactions in both the public and private sectors. It prohibits the use, provision, or disclosure of personal data accessed during electronic transactions without the individual's consent. This law ensures that electronic transactions are conducted securely and with respect for personal privacy.
Law on Information Technology
The Law on Information Technology (No. 67/2006/QH11), effective since June 29, 2006, governs the application and development of information technology. It outlines the rights and obligations of entities involved in IT activities and regulates the collection, processing, use, storage, and provision of personal data in the network environment. This law is fundamental to the protection of personal data in digital and online contexts.
Law on Telecommunications
The Law on Telecommunications (No. 24/2023/QH15), adopted on November 24, 2023, and effective from July 1, 2024, regulates telecommunications activities and the rights and obligations of those in the telecommunications industry. It specifically requires telecommunications enterprises to protect user information and not to disclose it without consent or a valid request from competent authorities.
Law on Credit Institutions
The Law on Credit Institutions (No. 32/2024/QH15), effective from July 1, 2024, governs the establishment and operations of credit institutions in Vietnam. It mandates that credit institutions keep user account information, assets, and transactions confidential unless consent is given or a valid request from a competent authority is received. This law is vital for protecting financial data and ensuring trust in the banking sector.
Law on Protection of Consumers' Rights
The Law on Protection of Consumers' Rights (No. 19/2023/QH15), effective from July 1, 2024, outlines various consumer rights and the obligations of organizations to protect consumer information. It emphasizes the importance of safeguarding consumer data against unauthorized use and disclosure, thereby enhancing consumer trust in the market.
Law on Publication
The Law on Publication (No. 19/2012/QH13), effective since November 10, 2012, regulates the rights and obligations of individuals and organizations in the publishing industry. It prohibits the unauthorized disclosure of national secrets, personal secrets, and other sensitive information, thereby ensuring the protection of personal data within the publishing sector.
Press Law
The Press Law (No. 103/2016/QH13), effective since April 5, 2016, governs the press and outlines citizens' rights to freedom of the press and speech in the media. It also defines the responsibilities of media organizations and prohibits the unauthorized access and disclosure of personal secrets and other protected information. This law plays a crucial role in maintaining the integrity and privacy of personal data in media activities.
Scope of application
Vietnam’s Personal Data Protection Law (PDPL) classifies personal data into two main categories, which determine the applicable management and protection requirements:
- Basic personal data: Information such as a person’s full name, date of birth, gender, address, contact information, identification numbers, and other data that can be used to identify an individual.
- Sensitive personal data: Data including biometric identifiers, health and genetic information, financial and credit records, location data, political or religious beliefs, social relationships, and information relating to children.
Under the law, data subjects are individuals whose identities can be directly or indirectly identified through personal data. Once data has been fully de-identified, it is no longer treated as personal data for regulatory purposes.
Consent remains a central legal basis for data processing. The PDPL requires:
- Clear and specific consent for each separate processing purpose;
- A prohibition on implied consent, including the use of pre-selected boxes, silence, or inaction; and
- Written or electronically authenticated consent for the processing of sensitive personal data.
Data Protection Authority
Main Regulator: Ministry of Public Security (MPS)
The Ministry of Public Security (MPS) serves as the chief regulatory body for data protection in Vietnam. The Department of Cybersecurity and Prevention of Cybercrimes is designated to enforce and implement data protection regulations.
Responsibilities
The Cybersecurity Department holds extensive authority and responsibilities in data protection, including:
- Aiding the government in overseeing personal data protection activities and offering essential guidance to ensure the proper implementation of data protection measures that comply with existing regulations.
- Preventing and addressing violations of personal data protection laws to protect individual rights.
- Proposing, promoting, and supporting the creation or improvement of personal data protection standards.
- Developing, managing, and operating the National Portal on Personal Data Protection, which serves as a centralized platform for data protection information and resources.
- Assessing the effectiveness of data protection activities carried out by various entities, agencies, and individuals, ensuring that standards are met and maintained.
- Processing submissions of portfolios, forms, and other information related to personal data protection, as stipulated by the Personal Data Protection Decree (PDPD).
- Adopting innovative measures and conducting research to enhance personal data protection. This includes fostering international cooperation to align Vietnam's data protection standards with global best practices.
- Conducting inspections and handling complaints, denunciations, and violations related to personal data protection, ensuring that entities and individuals comply with the laws and regulations in place.
Legal bases for data processing
Consent
One of the primary legal bases for processing personal data in Vietnam is obtaining the consent of the data subject. Consent must be given voluntarily and with full awareness of several key elements:
- The type of personal data to be processed.
- The purposes of the data processing.
- The entities authorized to process the data.
- The rights and obligations of the data subjects.
- Whether the data includes sensitive personal information.
According to clause 3 of Article 4 of the Personal Data Protection Law 2025, the consent shall be displayed in a clear and specific manner, in a format that can be printed or copied in writing, including electronic forms or verifiable formats.
Contract
Data processing can also be based on the need to fulfill a contract with the data subject. This means that personal data can be processed if it is necessary to perform the contractual obligations that the data subject has with an entity or individual, in accordance with the law.
Legal obligations
Another legal basis for data processing is the requirement to comply with legal obligations. This involves processing personal data as mandated by laws and regulations, ensuring that the data controller adheres to statutory duties.
Interests of the Data Subject
In emergency situations, the processing of personal data may be justified to protect the vital interests of the data subject or other individuals. This includes immediate actions necessary to safeguard lives and health, emphasizing the urgency and necessity of such processing.
Public interest
Data processing can be carried out in the public interest, particularly in emergencies related to national defense, security, public safety, natural disasters, or disease outbreaks. This also extends to combating criminal activities such as terrorism, riots, or other legal violations.
In these cases, the processing is aimed at addressing significant risks or threats to public order and safety, even if a state of emergency has not been officially declared.
Other instances
In addition to the aforementioned bases, personal data may be processed to support activities of authorities as stipulated in specific sectoral laws. This includes instances where the data processing serves governmental functions or public administration tasks as defined by legal provisions in various sectors.
Key definitions
Data controller
A data controller is an entity or individual that decides the purposes and methods for processing personal data. Essentially, the data controller has the primary responsibility for determining how and why personal data is processed. This role involves making decisions about data collection, storage, and usage, ensuring that these processes align with legal and regulatory requirements.
Data processor
A data processor is an entity or individual that processes personal data on behalf of the data controller, based on a contractual or agreed arrangement. The data processor follows the instructions given by the data controller and handles data processing tasks such as collecting, recording, and storing data. Although the data processor manages the actual processing activities, the data controller retains overall responsibility for ensuring compliance with data protection laws.
Personal data
Personal data refers to any information that can identify a particular individual, either on its own or when combined with other data. This information can come in various forms, including symbols, letters, numbers, graphics, and audio. Personal data is categorized into basic personal data and sensitive personal data.
Basic personal data
Basic personal data includes a wide range of information such as:
- Name and nickname;
- Date of birth, date of death, or date of disappearance;
- Gender;
- Birthplace, permanent address, temporary address, current address, and contact address;
- Nationalities;
- Personal photographs;
- Phone numbers, identification numbers, passport numbers, license plates, driver's licenses, tax numbers, social security numbers, and medical insurance numbers;
- Marital status and family information (e.g., parents, children);
- Information related to digital accounts and internet activity history; and
- Any other data that, alone or in combination with other information, can identify an individual but is not classified as sensitive personal data.
Sensitive personal data
Sensitive personal data includes information considered more private and requires a higher level of protection, such as:
- Political opinions and religious views;
- Medical conditions and private medical record information, excluding blood types;
- Ethnicity;
- Genetic information;
- Biometric data and physical characteristics;
- Sexual orientation;
- Criminal records held by law enforcement agencies;
- Customer information held by financial institutions and intermediary payment service providers, including Know Your Customer (KYC) information, account details, assets, transactions, and guarantor information;
- Real-time location data obtained through location services; and
- Any other personal data deemed unique and requiring special security measures by law.
The law also defines data processing broadly to encompass nearly any action undertaken that involves the use of personal data, from collection and storage to analysis and deletion.
Controller and processor obligations
Data processing notification
In Vietnam, data subjects must be informed before their personal data is processed. This notification must be verifiable and can be in writing, digital format, or any other printable format. The notification should include:
- The purposes of the data processing activities.
- The type of personal data being processed.
- The methods used for processing.
- Information about the parties involved in the processing activities.
- Potential unwanted consequences.
- The start and end time of the processing activities.
However, if the data subject has already given consent or if the data is being processed by a competent authority for a lawful purpose, notification is not required.
Data transfers
The Personal Data Protection Decree (PDPD) distinguishes between basic personal data and sensitive personal data, with different compliance requirements applying to each category. Sensitive personal data is defined as information closely linked to an individual’s privacy and capable of materially affecting their lawful rights and interests if misused or compromised.
Domestic data transfers
Permitted domestic transfers of personal data include:
- Transfers made with the data subject’s consent;
- Internal sharing between departments within the same organization for the approved processing purpose;
- Transfers required for corporate restructuring activities, such as mergers, demergers, reorganizations, ownership changes, or business takeovers;
- Transfers between data controllers and data processors, or onward transfers to third-party processors under lawful arrangements;
- Transfers made at the request of competent state authorities; and
- Other circumstances expressly permitted by law.
Cross-border data transfers
Under the Personal Data Protection Law, a cross-border data transfer includes any of the following scenarios:
- Personal data stored in Vietnam is transferred to data storage systems located outside Vietnam;
- Organizations or individuals in Vietnam transfer personal data to overseas entities or individuals; or
- Organizations or individuals in Vietnam or abroad use platforms located outside Vietnam to process personal data that was collected in Vietnam.
To lawfully transfer personal data outside Vietnam, organizations must comply with several procedural requirements, including:
- Preparing a cross-border transfer impact assessment dossier and submitting one original copy to the competent data protection authority within 60 days of the first overseas transfer (subject to limited exceptions);
- Conducting the impact assessment once for the entity’s operations and updating it as required by law; and
- Being subject to periodic inspections by the competent authority, typically up to once per year, as well as ad hoc inspections in the event of suspected violations or data incidents.
Data processing records
Data controllers are required to maintain a system log of all data processing activities. This record-keeping ensures accountability and transparency in how personal data is handled.
Data Protection Impact Assessment
Both data controllers and processors must conduct a Data Protection Impact Assessment (DPIA) and submit it to the Cybersecurity Department. The DPIA should include:
- Contact details of the data controller or processor.
- Information about the data protection officer (if applicable).
- The purpose and type of personal data being processed.
- Details of data receivers, including those offshore.
- Duration and protection measures of the processing activities.
- Potential consequences and mitigation strategies.
This assessment must be submitted within 60 days after initiating the processing activities.
Data Protection Officer appointment
Organizations involved in processing sensitive personal data must appoint a data protection officer (DPO) and a department responsible for personal data protection. The details of the DPO must be reported to the Cybersecurity Department.
Data breach notification
Data processors must notify data controllers immediately upon discovering a data breach. Data controllers, in turn, must inform the Cybersecurity Department within 72 hours of the breach. The notification should detail:
- The nature and scope of the breach.
- Contact information of the person responsible for data protection.
- Consequences and damages caused by the breach.
- Measures taken to mitigate the breach's impact.
Data retention
Documents containing personal information must be retained according to relevant laws, such as the Law on Accounting and the Law on Enterprises, which specify the retention periods for accounting and corporate documents.
Children's data protection
The Law on Children prohibits the disclosure of personal data of children under 16 without parental or guardian consent. For children aged seven or older, both the child and the parent or guardian must consent to data processing.
Cybersecurity Law also mandates service providers to protect children from harmful information online and to cooperate with authorities in removing such content.
Special categories of personal data
When processing sensitive personal data, organizations must implement additional protection measures as outlined in Articles 26 and 27 of the PDPD. Data subjects must be informed that their data is sensitive and must be notified of the processing activities unless exceptions apply.
Controller and processor contracts
The PDPD requires that data controllers and processors enter into agreements or contracts for the processing of personal data. While there are no specific requirements for these contracts, they must outline the responsibilities and obligations of each party involved in data processing.
Data subject rights
Data subjects should exercise these rights judiciously, understanding their implications and the broader context of data use in our increasingly connected world.
For businesses and organizations handling personal data, these rights present both challenges and opportunities. While compliance may require significant adjustments to data handling practices, it also offers a chance to build trust with customers and stakeholders.
| PDPD on Data Subjects’ Rights | Details | How to comply |
| --- | --- | --- |
| Right to be informed | Be informed of their personal data processing. | Clearly communicate how their data is collected, processed, and used, including data types, purposes, and involved parties. |
| Right to consent | Give consent to the processing of their personal data. | Maintain clear documentation of consent to demonstrate compliance. |
| Right to access | Access their personal data to view, rectify, or request rectification. | Prepare to provide access promptly upon request. |
| Right to withdraw consent | Withdraw previous consent to personal data processing. | Ensure systems facilitate easy withdrawal of consent. |
| Right to data deletion | Delete or request a deletion of their personal data. | Establish efficient procedures for a quick and secure processing of deletion requests. |
| Right to restrict processing | Obtain restrictions on the processing of their personal data, to be implemented within 72 hours. | Ensure systems can accommodate and apply restrictions within 72 hours. |
| Right to obtain personal data | Request the Data Controller or Data Controller-cum-Processor to provide their personal data. | Set up secure and efficient protocols for providing data upon request. |
| Right to object | | Implement clear procedures for managing and responding to objections appropriately and promptly. |
| Right to file complaints, denunciations, and lawsuits | File complaints, denunciations, and lawsuits in case of rights infringement. | Maintain open communication channels to resolve concerns and reduce legal risks. |
| Right to claim damages | Claim damages when regulations on personal data protection are violated. | Follow diligent data protection practices and document compliance efforts. |
| Right to self-protection | Take measures to protect their own data, including requesting help from competent agencies. | Ensure privacy protection practices support individuals' rights to safeguard their personal data. |
Penalties for non-compliance
Administrative penalties
Non-compliance with Vietnam's data protection laws can result in significant administrative penalties, as outlined in Decree 15/2020/ND-CP and its amendment Decree 14/2022/ND-CP. Fines vary based on the nature and severity of the violation:
| Violation category | Fine range (VND) | Approx. fine range (USD) | Description |
| --- | --- | --- | --- |
| Minor violations | 2 million - 5 million | $80 - $200 | Retaining personal information beyond the legally required period or agreed terms. |
| Moderate violations | 5 million - 10 million | $200 - $400 | |
| Significant violations | 10 million - 20 million | $400 - $800 | |
| Severe violations | 40 million - 60 million | $1,600 - $2,400 | |
| Critical violations | 30 million - 50 million | $1,200 - $2,000 | |
| Criminal penalties | 5 million - 50 million | $200 - $2,000 | |
| Compensation for damages | N/A | N/A | Individuals suffering damages due to data protection violations are entitled to seek compensation from the infringing party under Article 13 of the Civil Code. Claimants must initiate legal action and prove actual damages incurred. |
Sanctions and Enforcement under the Personal Data Protection Law (PDPL)
The PDPL (effective January 1, 2026) introduces a tiered penalty framework under Article 8, replacing the general provisions of Decree No. 13/2023/ND-CP.
While the law itself does not specify detailed enforcement mechanisms, it sets strict caps and principles for future government decrees to elaborate on. Key highlights include:
| Violation Type | Maximum Fine |
| --- | --- |
| Cross-border data transfer violations | 5% of the violator’s previous year’s revenue or VND 3 billion (approx. USD 115,000), whichever is higher |
| Illegal personal data trading | 10× the illicit gains or VND 3 billion, whichever is higher |
| Other violations | VND 3 billion (USD 115,384) |
For individuals, the maximum fine is 50 percent of the amount applicable to legal entities. If illicit gains cannot be quantified, the fallback fine is VND 3 billion (USD 115,384).
The PDPL confirms that criminal penalties may apply for certain violations. However, current criminal provisions are limited to acts such as:
- Unauthorized use or publication of personal data on information systems,
- Illegal collection or trading of banking and financial data.
Examples of enforcement decisions
Currently, specific enforcement decisions are not publicly available. However, the regulatory framework and established penalties indicate a robust approach to enforcing data protection laws in Vietnam, emphasizing accountability and compliance among organizations handling personal data.