Vietnam Personal Data Protection Law: Key Rules and Insights

By Safna August 7, 2025

Slated to take effect on 1 January 2026, the Vietnam PDPL will govern every stage of the data life cycle, from collection through cross-border transfer. The law applies not only to Vietnamese organisations but also to any foreign entity processing the data of Vietnamese residents. Here is a quick snapshot of the latest on the Vietnam Personal Data Protection law.

What is the Vietnam Personal Data Protection Law (Vietnam PDP Law)?

The Vietnamese National Assembly passed its latest data protection law, 91/2025/QH15, in June 2025. The law is expected to unify the data privacy regulations currently dispersed across different laws, including the Civil Code of 2015 and Decree No. 13/2023/ND-CP.

Quick summary of the Vietnam PDP principles

  • Collect and use personal data only for clear, lawful, stated purposes
  • Keep information accurate and store it only for as long as the purpose requires
  • Implement the right organisational, technical and human controls to protect data
  • Do not buy or sell personal data (subject to exceptions)
  • Comply with the cross-border transfer rules

It grants data privacy rights to users and also lays down provisions for protecting children’s personal data.

Who does the Vietnam Personal Data Protection Law (PDPL) apply to?

Vietnam’s data protection law applies to the following entities:

  • Vietnamese agencies, organisations and individuals;
  • Foreign agencies, organisations and individuals in Vietnam;
  • Foreign agencies, organisations, and individuals directly involved in or related to the processing of personal data of:
    • Vietnamese citizens, and
    • People of Vietnamese origin living in Vietnam whose nationality has not been determined and who have been issued ID cards.

Exemptions/derogations to the Vietnamese PDP law

Small enterprises and start-ups get a five-year grace period from the law’s effective date before they must comply with some provisions, such as Article 21 (impact assessment of personal data processing) and Article 22 (updating the assessment dossier).

However, this exemption does not apply if these entities:

  • Provide personal data processing services,
  • Directly handle sensitive data, or
  • Process large volumes of data subjects’ information.

Business households and micro-enterprises are also broadly exempt from these requirements, unless they too engage in sensitive or large-scale personal data processing.

The Government might later detail the criteria and scope of these exemptions, ensuring clarity on how and to whom the exemptions apply. This tiered approach aims to reduce compliance burdens for smaller entities while maintaining safeguards where data risks are higher.

Important definitions under the Vietnam Personal Data Protection Law

Let’s look at how the Vietnamese privacy law defines different terms. Many of these terms are similar to those found in data privacy laws worldwide, particularly the GDPR.

  • Personal data: Any information that identifies or helps identify a specific person. De-identified data does not fall under the definition of personal data.
  • Sensitive personal data: Personal data associated with an individual’s privacy which, when violated, will directly affect the rights and legitimate interests of agencies, organisations, and individuals.
  • Data subject: The person to whom the personal data belongs.
  • Data controller: An entity (agency, organisation or individual) that decides the purpose and means of processing personal data.
  • Data processor: An entity that processes personal data on behalf of the data controller, or of the controller and processor, under a contract.
  • Controller and processor of personal data: An agency, organisation or individual that decides the purpose and means of processing and also directly processes the personal data.
  • Third party: An organisation or individual other than the data subject, data controller, controller and processor, or data processor that is involved in processing personal data.

What is consent under the Vietnam PDPL?

Consent is the permission given by a data subject for processing their personal data. It is valid only when the data subject is fully informed and freely agrees.

For the consent to be valid, organisations must meet every requirement below:

  • Voluntary agreement: This means no pressure or bundling of hidden purposes.
  • Prior disclosure of key facts:
    • Type of personal data to be processed
    • Purpose of each processing activity
    • Identity of the data controller or controller-processor
    • Rights and obligations of the individual
  • Purpose-specific approval: Obtain separate consent for every distinct purpose (granular consent).
  • Verifiable form: Consent must be recorded in a clear, printable or otherwise provable format, including electronic records.
  • Silence is not acceptance: If the individual stays inactive or does not respond, there is no consent.

What are the obligations of businesses under the Vietnam PDP law?

#1 Purpose limitation

The law requires businesses to collect and process personal data strictly within the stated scope and for specific, clear purposes, retaining it only as long as necessary and keeping it accurate and up to date.

Operating outside the stated purpose or holding data indefinitely might constitute a breach.

#2 Data minimisation

Limit the collection of personal data to what is necessary for the specific purpose. Further use or disclosure, including sharing with ad networks, financial institutions, or affiliates, needs fresh consent or another legal basis.

#3 Storage and protection of personal data

Organisations must store personal data securely, in a manner appropriate to their operational needs. All activities involving the data, such as access, retrieval, or authentication, must strictly adhere to legal requirements and any agreements between the parties.

#4 Data security

Implement sufficient technical, institutional, and human measures and solutions to protect the personal data collected by your organisation.

#5 Data subject requests

Organisations must provide appropriate means for data subjects to exercise their rights, and must respond to and fulfil requests within the prescribed time limit (yet to be decided).

#6 Consent requirements

Organisations should only collect personal data with the consent of the user, except when the law otherwise allows.

When can businesses process personal data without user consent under the Vietnam PDPL?

Consent is not required in specific urgent scenarios, such as:

  • Protecting vital interests, life, health, or dignity.
  • Managing national emergencies or security threats.
  • Supporting state agency operations.
  • Enforcing legal agreements.
  • Other legally specified situations.

Organisations operating under these circumstances must establish rigorous monitoring mechanisms, clear processing guidelines, periodic compliance audits, and efficient feedback systems.

#7 Cross-border transfer of personal data

Cross-border data transfers require an impact assessment dossier to be submitted to the competent agency within 60 days of the initial transfer date.

Exemptions include transfers by state agencies, employee data storage on cloud services, or personal transfers by data subjects themselves.

Agencies may conduct regular or surprise inspections to ensure compliance, and authorities can suspend transfers threatening national interests.

#8 Impact assessments for personal data processing

Organisations must conduct impact assessments on personal data processing activities. They should also submit these assessments within 60 days of initiating processing activities.

You must update these assessments immediately upon significant operational changes or every six months. Competent state agencies are exempt from this requirement.

#9 Breach notifications

You must promptly report data protection violations within 72 hours upon discovery, particularly when risks involve national security, public safety, or personal harm.

Additionally, organisations must maintain a formal record of violations and coordinate effectively to manage and mitigate impacts.

You must also implement measures to prevent future violations and support authorities during investigations.

#10 Withdrawal of consent

Personal data subjects have the right to withdraw consent or request restrictions on the processing of their personal data if there are doubts about the purpose, scope, or accuracy of the data being processed.

Organisations must promptly receive and act upon these requests within legally specified timeframes.

#11 Deletion and destruction of personal data

Businesses must erase, destroy, or irreversibly de-identify personal data when the purpose is fulfilled, storage duration has expired, or the data subject asks for deletion, unless a lawful exemption applies.

Deletion or destruction must use secure methods that prevent unauthorised access and restoration. Also, promptly notify users if you cannot delete their data for legitimate reasons.

Moreover, closely monitor and secure the process of de-identifying personal data. Once you de-identify data, do not re-identify it unless the law explicitly allows such reversal.

#12 Disclosure of personal data

Businesses may disclose personal data only for a clearly stated purpose and without harming the data subject.

Permitted grounds include the data subject’s consent, compliance with the law, and the fulfilment of contractual obligations, among others.

Businesses publicly sharing personal data must accurately reflect the original data and strictly control its dissemination to prevent unauthorised use, alteration, or destruction.

#13 Transfer of personal data

The law permits personal data transfers under certain conditions, including:

  • Subject consent.
  • Internal processing within the same organisation.
  • Organisational restructuring, mergers, or administrative changes.
  • Transfers mandated by competent authorities.
  • Other legal provisions.

Such transfers, whether compensated or not, are not considered buying or selling personal data.

#14 Appoint or outsource data-protection personnel

Every organisation has to designate qualified in-house staff or contract a specialist provider to oversee compliance (Article 33). Micro-businesses and most start-ups get a five-year grace period (Article 38).

Role-based obligations for controllers, processors and combined controller-processors

Data controllers must:

  • Clearly define responsibilities, rights, and obligations in agreements related to personal data processing.
  • Determine purposes and methods for data processing in compliance with legal principles.
  • Implement and update protective technical and management measures.
  • Promptly report violations.
  • Select appropriate data processors.
  • Safeguard data subjects’ rights.
  • Prevent unauthorised data collection.
  • Cooperate with authorities on investigations and enforcement actions.

Processors must:

  • Only process data upon formal agreements with controllers.
  • Adhere strictly to agreed terms and protective measures.
  • Assume responsibility for any damages caused by processing.
  • Prevent unauthorised data collection.
  • Cooperate with authorities to address violations.

Entities acting as both data controllers and processors must fully comply with all responsibilities outlined above for each role.

What are the rights of personal data subjects under the Vietnam PDP law?

Personal data subjects have the right to:

  • Be informed about how their personal data is being processed.
  • Agree, disagree, or withdraw consent to personal data processing.
  • Access, edit, or request corrections to their personal data.
  • Request the provision, deletion, or restriction of their personal data processing, or object to its processing.
  • File complaints, report violations, initiate lawsuits, or seek compensation.
  • Request that relevant authorities or entities take measures to protect their personal data.

Fines and penalties under the Vietnam PDP law

Organisations that violate Vietnam’s personal data protection law may face administrative sanctions or criminal prosecution depending on the severity and consequences of the violation. If damage is caused, they may also be required to pay compensation.

  • For buying or selling personal data, fines can be up to 10 times the revenue earned from the violation.
  • For cross-border data transfer violations, organisations can be fined up to 5% of their revenue from the previous year.
  • For all other personal data protection violations, the maximum fine is VND 3 billion for organisations.

The government will provide further guidance on calculating revenue related to violations and implementing these sanctions.

Data protection requirements for specific data processing activities (Articles 24-32)

The Vietnam PDP law also specifies the data protection requirements for specific areas of personal data processing.

Protection of personal data for children and vulnerable individuals

  • Legal representatives must act on behalf of minors and persons with limited capacity.
  • Consent is required from both the child (age 7+) and the representative for disclosing sensitive information.
  • Data processing must stop if consent is withdrawn or if authorities find risks to their rights.

Data protection in employment

  • Only job-relevant data may be collected with the candidate’s consent.
  • Data must be deleted if the candidate is not hired (unless agreed otherwise).
  • Employers must destroy data after contract termination, unless laws or agreements state otherwise.
  • Tech used for employee monitoring must be lawful, transparent, and not misused.

Health and insurance data protection

  • Consent is mandatory for processing health-related or insurance data (except in legal exemptions).
  • No sharing with third parties unless the subject consents or as allowed by law.
  • Apps in these sectors must fully comply with data protection laws.
  • Reinsurance contracts must disclose data sharing.

Data protection in finance, banking, and credit

  • Sensitive data must be protected per financial laws.
  • No credit scoring without the individual’s consent.
  • Notify individuals of any data breaches.
  • Ensure data security, confidentiality, and recovery measures are in place.

Personal data in advertising

  • Data must be collected and used only with consent and for clearly explained purposes.
  • Individuals must be able to opt out of ads and refuse data sharing.
  • No sub-leasing or unauthorised delegation of advertising data.
  • Behavioural and targeted advertising must provide control to users and specify data handling.

Social networks and communication services

  • Clearly inform users what personal data is collected.
  • No forced collection of ID images or videos for verification.
  • Provide a do-not-track option.
  • Provide opt-outs for cookies and tracking.
  • No spying on communications without consent.
  • Publish transparent privacy policies and allow users to control their data.

Data protection in emerging technologies

  • Process data lawfully and ethically in AI, big data, blockchain, metaverse, and cloud computing.
  • Implement strong security, access control, and classification by risk level.
  • Tech systems must not harm rights or national interests.

Location and biometric data

  • Location tracking needs consent or a legal order.
  • Mobile platforms must inform users and allow them to opt out of tracking.
  • Physically secure biometric data and restrict access.
  • Notify individuals if misuse causes harm.

Data from public recordings

  • Consent is not needed for public event recordings that serve public interest or law enforcement.
  • Individuals should be notified if they’re being recorded, unless legally exempt.
  • Collected data must only be used for its original purpose and deleted after its usefulness ends.
  • Entities recording in public must ensure compliance with data protection laws.

How to comply with the Vietnam PDPL? (Checklist)

To comply with the Vietnam PDPL, businesses must follow these key steps:

  • Get explicit, granular, informed, and verifiable consent from data subjects before processing their personal data.
  • Adhere to data principles such as purpose limitation, data minimisation, and accuracy.
  • Establish technical, organisational, and human controls to securely store and protect personal data.
  • Provide appropriate measures for individuals to exercise their rights.
  • Be aware of and comply with additional data protection requirements for specific activities like advertising, employment, and processing children’s data.
  • Conduct and submit a cross-border transfer impact assessment dossier to the agency.
  • Appoint qualified in-house staff or outsource a specialist to oversee compliance.
  • Perform impact assessments on all personal data processing activities and submit them within 60 days of initiation.
  • Promptly report any data protection violations to the authorities within 72 hours of discovery.

FAQ on Vietnam Personal Data Protection Law

What is the data protection law in Vietnam?

Vietnam’s main data protection law currently in force is the Personal Data Protection Decree (Decree 13/2023), which the new Personal Data Protection Law (91/2025/QH15) will supersede when it takes effect on 1 January 2026. It applies to any organisation that collects or processes personal data related to individuals in Vietnam, including foreign companies.

The law works alongside other laws like the Cybersecurity Law, Consumer Rights Protection Law, and the Civil Code to form the country’s broader data privacy framework.

Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.
