Vietnam Personal Data Protection Law: Latest Developments and Insights

Posted by Written by Giulia Interesse Reading Time: 9 minutes
Available language

On June 26, 2025, Vietnam Personal Data Protection Law (Law No. 91/2025/QH15) was officially enacted, establishing the country’s first comprehensive legal framework dedicated solely to the protection of personal data. The new law will take effect on January 1, 2026, granting organizations a one-year transitional period to adapt their operations to comply with the updated legal requirements.

On February 29, 2024, the Vietnam Ministry of Public Security (MPS) announced the development of the Law on Personal Data Protection (“PDP Law”). This initiative, marked by the publication of a dossier on the government’s official website, aims to enhance data privacy measures within the country.

FIND BUSINESS SUPPORT
Seamlessly Manage Your Operations across Multiple Countries in Asia

On June 26, 2025, the Vietnamese National Assembly officially passed the PDP Law, establishing the country’s first comprehensive legal framework solely dedicated to the protection of personal data. This legislation replaces Decree No. 13/2023/ND-CP, which had served as the interim legal basis for regulating data privacy since its issuance. The new law will take effect on July 1, 2026, granting organizations a one-year transitional period to adapt their operations to comply with the updated legal requirements.

The PDP Law aims to strengthen data privacy and governance in Vietnam, aligning with global standards while supporting the government’s broader goals for digital transformation. It applies to both domestic and international entities that process personal data in Vietnam or of Vietnamese individuals, regardless of where the processing physically occurs. The Ministry of Public Security (MPS) remains the primary authority responsible for enforcement and regulatory oversight.

This article explores Vietnam’s PDP Law scope, key definitions, rights of data subjects, compliance obligations, and next steps for businesses.

Overview of Vietnam’s Personal Data Protection Law

Key definitions and scope

Vietnam’s new PDP Law retains and expands upon the definitions first introduced in Decree 13, including:

  • Basic personal data: Information such as full name, date of birth, gender, address, contact details, identification numbers, and other personally identifiable information; and
  • Sensitive personal data: Includes biometric data, health and genetic information, financial and credit records, location data, beliefs (political, religious), social relationships, and data related to children.

The PDP Law applies to:

  • Vietnamese individuals and organizations that process personal data within the country; and
  • Foreign entities that collect, use, or process personal data of Vietnamese individuals, even if processing occurs outside of Vietnam.

A significant update is the introduction of mandatory registration of certain data processing activities with the MPS. This includes the processing of sensitive personal data and any cross-border data transfers. Registration must be completed before the processing activity begins.

Rights of data subjects

The PDP Law broadens and solidifies data subject rights, expanding upon the foundations laid by Decree 13 and aligning more closely with international standards such as the GDPR. These rights include:

  • Right to be informed: Individuals must be clearly informed about how, why, and by whom their data is being collected and processed.
  • Right to provide and withdraw consent: Consent must be explicit, specific, and freely given. Individuals must be provided with easy-to-use mechanisms to withdraw consent at any time.
  • Right to access and rectify: Individuals may access their personal data and request corrections to inaccurate or outdated information.
  • Right to erasure: Under defined circumstances, individuals may request the deletion of their personal data.
  • Right to restrict or object to processing: Individuals can request limitations on how their data is used or object to specific forms of processing.
  • Right to file complaints and seek legal remedies: Individuals have the right to file complaints with the MPS or pursue legal action if they believe their data rights have been violated.

Consent requirements

Consent remains a cornerstone of lawful data processing under the new legislation. The PDP Law requires:

  • Explicit consent for each distinct processing purpose;
  • No use of pre-ticked boxes, silence, or inactivity as valid forms of consent; and
  • Written or digitally authenticated consent for processing sensitive personal data.

Consent exemptions are limited and apply primarily to cases involving national security, public health, legal obligations, or state interest.

Data protection impact assessments (DPIAs)

The PDP Law introduces a clear requirement for organizations to conduct data protection impact assessments (DPIAs) in the following scenarios:

  • When processing sensitive personal data.
  • When transferring personal data across borders.
  • When using personal data for high-risk activities, including profiling, automated decision-making, AI, or facial recognition.

DPIAs must include the type and purpose of data processing, risks and mitigation measures, and plans for data retention. These assessments must be submitted to the MPS and updated when there are material changes to processing activities.

Cross-border data transfers

The PDP Law tightens requirements for cross-border data transfers. Key conditions include:

FIND BUSINESS SUPPORT
Identify Business Risks with Entity Health Checks and Partner Review Services
  • Completion and submission of a DPIA for the transfer.
  • Assurance that the receiving country provides an “adequate level of protection,” as determined by the MPS.
  • Existence of legally binding instruments or agreements that safeguard personal data.
  • The MPS has the authority to suspend or prohibit transfers that pose threats to national interests or fail to comply with legal requirements.

These measures reflect Vietnam’s prioritization of data sovereignty and cybersecurity.

See also: Vietnam National Assembly Approves Law on Data

Organizational responsibilities and the role of the Data Protection Officer

Organizations that process sensitive data or conduct large-scale data operations must:

  • Appoint a Data Protection Officer (DPO) or establish a data protection team;
  • Maintain an internal record of processing activities; and
  • Develop internal rules for data protection and incident response plans.

Startups and small businesses may opt out of DPO and DPIA requirements for five years from the law’s effective date. On the other hand, microenterprises and household businesses are exempt from these obligations altogether.

The DPO is responsible for ensuring regulatory compliance, advising internal stakeholders, and acting as the liaison with the MPS.

Data breaches and enforcement

Organizations must act promptly in the event of a personal data breach:

  • Notify the MPS within 72 hours of discovering the breach; and
  • Implement immediate corrective actions to mitigate harm.

Non-compliance may result in:

  • Administrative fines of up to 10 times the revenue gained from unlawful personal data trading;
  • Fines of up to 5 percent of the previous year’s revenue for violations related to cross-border data transfers;
  • Fines of up to VND 3 billion (US$777,6) or other violations;
  • Suspension or termination of data processing activities; or even

Criminal liability for serious or intentional violations.

Objectives of the PDP Law announcement

The announcement of Vietnam’s PDP Law underscores significant developments in Vietnam’s efforts towards enhancing personal data protection.  The dossier released by the government in February 2025 comprises a comprehensive report assessing current social dynamics related to personal data protection and an impact assessment of proposed policies within the Vietnam PDP Law.

Despite the focus on social-political considerations, the report and impact assessment also delve into key legislative issues. These include:

  • Defining personal data;
  • Outlining data subject rights; and
  • Establishing measures for data protection.

Following the release of the dossier for public consultation, the MPS plans to gather feedback through various channels, including workshops and conferences. These initiatives aim to foster broader engagement and insight from stakeholders.

The introduction of the PDP Law holds the promise of resolving conflicts between existing regulations, such as the Vietnam Personal Data Protection Decree (Decree No. 13/2023/ND-CPhereinafter “PDPD”), and other laws concerning personal data protection. This alignment of legal frameworks is expected to contribute to a more cohesive and effective data protection environment.

Vietnam’s broader legal framework on personal data protection

In Vietnam, individuals enjoy constitutional rights to privacy and the protection of personal secrets. Before July 2023, regulations governing personal data protection could be found in different laws. These included the Civil Code of 2015 and the Law on Cyber Information Security No. 86/2015/QH13. Additionally, sector-specific laws also played a role in shaping the legal landscape surrounding personal data protection.

FIND BUSINESS SUPPORT
Build Your Asia Business with Turnkey Market Entry and Cross-Regional Support

The introduction of the PDPD in April 2023 represents a significant milestone in Vietnam’s data protection journey, consolidating and strengthening regulations previously dispersed across multiple laws. Effective on July 1, 2023, the PDPD mandates stringent requirements for businesses and organizations operating in Vietnam.

The PDPD introduces several key concepts and principles. It mandates adherence to fundamental data protection principles such as lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, and accountability.

Furthermore, the PDPD emphasizes the importance of data subject notification, consent, and rights. Data subjects must be informed about the collection and usage of their personal data, and their consent must be obtained explicitly. The regulation prohibits the collection, transfer, or sale of personal data without the data subject’s consent, and data subjects have the right to access and review their personal data.

What are the current key compliance requirements on Vietnam’s personal data protection?

Besides the recent officialization of the PDP Law, the PDPD still stands as one of the most fundamental instruments governing the protection of personal data in Vietnam.

Notably, the PDPD outlines key compliance obligations for organizations and individuals involved in processing personal data in Vietnam. Compliance with PDPD is of key importance for organizations operating in Vietnam that handle personal data. Failure to adhere to the regulations outlined in the PDPD will result in legal repercussions, including administrative fines or prosecution under the Penal Code for serious violations. Moreover, compliance ensures the protection of individuals’ privacy rights and fosters trust in data handling practices, contributing to a safer and more secure digital environment.

The following sections highlight key compliance requirements for organizations and entities handling personal data in Vietnam under the PDPD.

Roles in processing personal data

The PDPD introduced clear distinctions between the various roles involved in the processing of data, assigning specific responsibilities to each:

  • Data Controller: Assumes a pivotal role, being either an organization or an individual vested with the authority to determine the purpose and methodology of processing personal data. Their responsibilities encompass compliance with data protection requirements, including obtaining prior consent from data subjects for all processing activities and promptly notifying the MPS of any personal data breaches.
  • Data Processor: Refers to an entity or individual tasked with processing personal data on behalf of the Data Controller through a contractual agreement. Their duties include notifying the Data Controller of any breaches and processing personal data in accordance with the terms agreed upon in the contract.
  • Data controlling and processing party: Serves as a hybrid role combining elements of both Data Controller and Data Processor responsibilities.
  • Third party: Encompasses individuals or entities, distinct from the data subject, Data Controller, Data Processor, or Data Controlling and Processing Party, permitted to process personal data under specific conditions. They are obliged to archive personal data appropriately and adopt measures to protect the data as mandated by law. Businesses must accurately discern their roles in data processing to delineate their corresponding responsibilities effectively.

Data subject’s consent

The PDPD stipulates that obtaining prior consent from individuals is mandatory for all data processing activities, except for specific exemptions. Valid consent from a data subject requires it to be given freely and with full understanding of the type of personal data, the purpose of data processing, the entities involved in processing, as well as the rights and responsibilities of the data subject.

Express consent can take various forms, including written agreements, verbal confirmation, ticking consent boxes, or any other actions indicating consent. It’s important to note that silence or lack of response from the data subject does not constitute consent. In the event of a dispute, the responsibility of proving the data subject’s consent rests with the Data Controller and Data Controlling and Processing Party.

Assessment of the impact on personal data processing

Every Data Controller and Data Controlling and Processing Party must generate and uphold Impact Assessment Dossiers right from the initiation of personal data processing. These dossiers, which are forwarded to the MPS (A05 department) for assessment, should encompass comprehensive details like the objectives and categories of data processed, recipients (inclusive of foreign entities), instances of cross-border transfers, duration of data retention, measures for data protection, and an evaluation of potential ramifications along with strategies for mitigation.

Data Processors might also be obligated to comply with these regulations if stipulated in agreements with Data Controllers.

Cross-border data transfer requirements

Cross-border data transfer requirements under the PDPD allow for the transfer of personal data of Vietnamese citizens to foreign countries under specific conditions. Entities responsible for such transfers, including Data Controllers, Data Controlling and Processing Parties, Data Processors, and Third Parties, are obliged to compile a detailed dossier outlining the impact assessment of the transfer.

FIND BUSINESS SUPPORT
Scale Your Operations with AI Cloud Accounting, ERP, and Office Automation

This document must include information on the types of personal data transferred, the intended purposes of processing, and the responsibilities binding the transferor and the recipient. The dossier must be readily accessible for review by the MPS and submitted within a 60-day window from the commencement of data processing. If deemed insufficient, MPS may request further completion of the dossier. Furthermore, following the successful transfer of data, the transferor must provide written notification and contact information to MPS.

MPS retains the authority to suspend any cross-border transfer that fails to comply with these stipulations or poses risks to the interests, national security of Vietnam, or the personal data of Vietnamese citizens.

Notification requirement for personal data breach

In the event of a personal data breach, the PDPD mandates immediate notification. The Data Processor notifies the Data Controller, who, along with the Data Controlling and Processing Party, must inform the MPS within 72 hours.

Failure to do so promptly requires providing reasons for the delay. While comprehensive penalties aren’t yet in place, breaches may incur fines from VND 10 million to VND 70 million, or prosecution under the Penal Code for serious violations.

Transitional provisions and compliance roadmap

Although Vietnam’s PDP Law takes effect on January 1, 2026, businesses should begin preparing now. Recommended steps include:

  • Conduct internal audits to identify data processing risks and gaps;
  • Update consent mechanisms, privacy notices, and contractual agreements;
  • Establish or update internal data protection policies and training;
  • Appoint a DPO or designate a responsible individual/team, if required; and
  • Prepare DPIAs and ensure registration with the MPS where required.

Startups and small businesses have a five-year transitional exemption from key obligations.
Microenterprises and household businesses are permanently exempt from DPIA and DPO requirements.

Further guidance, including detailed compliance forms and procedural rules, is expected to be issued by the MPS through decrees and circulars in the lead-up to the law’s effective date.

Outlook

Predictions about Vietnam’s data economy in 2024 suggest a significant transformation in the country’s economic landscape, particularly in sectors such as e-commerce, fintech, healthcare technology, and smart production. As businesses increasingly rely on data-based solutions, the growth of these sectors is projected to contribute significantly to the overall output of the economy. Cross-border agreements and initiatives focused on knowledge exchange are anticipated to facilitate technology transfer and expand market access opportunities, further fueling the growth of Vietnam’s data economy.

This heightened reliance on data underscores the critical importance of robust legal frameworks to ensure the privacy and security of individuals’ information.

Vietnam’s PDP Law represents a critical advancement in the country’s digital regulatory environment. By aligning with global norms while preserving national oversight priorities, the law introduces a comprehensive regime that balances individual privacy with public and state interests.

With the countdown to implementation underway, both domestic and foreign organizations that process Vietnamese personal data must prioritize compliance planning. Proactive adaptation will not only reduce regulatory risks but also enhance consumer trust and operational resilience in Vietnam’s fast-evolving digital economy.

(This article was originally published on April 8, 2024. It was last updated on July 15, 2025.)

About Us

Vietnam Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Hanoi, Ho Chi Minh City, and Da Nang in Vietnam. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.

For a complimentary subscription to Vietnam Briefing’s content products, please click here. For support with establishing a business in Vietnam or for assistance in analyzing and entering markets, please contact the firm at vietnam@dezshira.com or visit us at www.dezshira.com