Highlights of Law on Personal Data Protection

On 26 June 2025, the National Assembly passed Law on Personal Data Protection (“PDPL”). The PDPL will take effect on 1 January 2026.

The most important issue that has not been resolved from the current personal data protection regulations is that the new Law does not distinguish and exclude obligations of personal data controllers and processors for the purposes of normal communication, personal transactions or household transactions. Neither does the PDPL distinguish the scale of data processing to determine the corresponding obligations for these subjects. The PDPL has a number of notable new or amended provisions compared to Decree on Personal Data Protection No. 13/2023/ND-CP dated 17 April 2023 (“PDPD”), including:

1. Clarifying the concept of Personal Data

The PDPL (a) clarifies that personal data includes both digital data and information in other forms that identify or help identify a specific person; (b) limits the connotation of personal data by affirming that after de-identification, the data will no longer be personal data; (c) maintains the classification of personal data into two categories, in which basic personal data is data that is commonly used frequently, while sensitive personal data is closely related to the privacy of individuals, and when violated, will directly affect their legitimate rights and interests. A Decree providing guidelines for implementation of the PDPL will provide two categories for classification and specific guidance on these two groups of personal data.

2. Streamlining the Rights and Obligations of Data Subjects

The PDPL removes and consolidates the 11 rights of data subjects into 6 rights, helping to clarify the scope of rights and align with international practices. At the same time, the new Law also removes an obligation currently imposed on data subjects (participating in the dissemination of personal data protection skills) that is considered inappropriate.

3. Stricter control over cross-border transfers of personal data

The PDPL:

(a) In addition to the two cases of cross-border transfer of personal data already regulated, namely (i) agencies, organizations and individuals in Vietnam transferring personal data to organizations and individuals abroad, and (ii) agencies, organizations and individuals in Vietnam or abroad using platforms outside Vietnam to process personal data collected in Vietnam, adds a third case: transferring personal data currently stored in Vietnam to a data storage system located outside Vietnam.

However, because the scope of personal data transfer so defined is very broad and unrestricted, this provision makes it difficult for entities to share information. For example, anyone who sends an email to a foreign customer or uses a mailbox with a server located abroad, whether or not the email carries a signature or other information containing personal data, may be classified under case (i) above and must prepare a dossier assessing the impact of the outbound transfer of personal data. This affects all entities, touches what are considered the daily business activities of any enterprise, and creates inconvenience in practice.

(b) redefines the time limit within which organizations and individuals transferring personal data abroad must prepare a dossier assessing the impact of the cross-border transfer of personal data and send 1 original copy of this dossier to the agency in charge of personal data protection: the deadline is now 60 days from the first day of cross-border transfer of personal data, instead of from the date of processing personal data, in order to facilitate compliance by enterprises and to be in line with reality.

4. Additional prohibited act

The PDPL adds a group of acts, namely the appropriation, intentional disclosure and loss of personal data, to the six current groups of prohibited acts related to personal data.

5. Strictly sanctioning violations

To contribute to overcoming the current serious violations of the laws on data protection in Vietnam, including cases of leakage of or trading in personal information, the PDPL for the first time stipulates strict penalties for violations, including: (a) The maximum fine for administrative violations involving the buying and selling of personal data is 10 times the amount of revenue obtained from the violation; (b) The maximum fine for administrative violations by organizations that violate regulations on cross-border transfer of personal data is 5% of the organization’s revenue in the previous year; and (c) In case there is no revenue in the previous year, or the fine calculated based on revenue is lower than the maximum fine for other administrative violations in the field of personal data protection, which is VND 3 billion, the maximum level of VND 3 billion will be applied.

6. Providing guidelines for personal data protection in some specific areas

(a) To compensate for the shortcomings of the previous legal regulations and raise awareness of enterprises, the PDPL for the first time specifically stipulates the responsibility of agencies, organizations and individuals to protect personal data in recruiting, managing and using employees, including:

(i) In recruiting employees: Only information for recruitment purposes in accordance with the provisions of laws may be requested; information provided may only be used for recruitment purposes and other purposes as agreed in accordance with the provisions of laws; Information provided must be processed in accordance with the provisions of laws and must be agreed upon by the applicant; Information provided by the applicant must be deleted or destroyed in case of non-recruitment, unless otherwise agreed with the applicant;

(ii) In the management and use of employees: The processing of employee personal data collected by technological and technical measures must meet the following requirements: Only technological and technical measures in accordance with the provisions of law may be applied and the data subjects’ rights and interests must be ensured, on the basis that the employee clearly knows the measures; and the personal data collected by technological and technical measures must not be processed or used in violation of the provisions of laws. Employees’ personal data must only be stored for the period as stipulated by law or as agreed; and must be deleted or destroyed upon termination of the contract, unless otherwise provided by the agreement or laws.

(b) The PDPL also regulates the provision of health insurance information, which has long been left open, according to which agencies, organizations and individuals operating in the health sector will not provide personal data to third parties that are organizations providing health care, health insurance or life insurance services, except in the cases where there is a written request from the data subject or it is permitted by the PDPL. If an enterprise conducts reinsurance, reinsurance cession and transfer of personal data to partners, this must be clearly stated in the contract with the client.

(c) According to the PDPL, organizations and individuals operating in the fields of finance, banking and credit information activities have the following new responsibilities: (i) Not to use credit information of data subjects to score, rank credit, evaluate credit information or assess the creditworthiness of data subjects without their consent; (ii) To collect only the personal data necessary for credit information activities, from sources in accordance with the provisions of the PDPL and other relevant laws; and (iii) To notify data subjects in case of disclosure or loss of information on bank accounts, finance, credit and credit information.

(d) The PDPL also stipulates more clearly: (i) The processing of customers’ personal data for marketing services and advertising product introduction must have the customer’s consent, on the basis that the customer clearly knows the content, method, form and frequency of product introduction; (ii) Organizations and individuals doing business in marketing services and advertising product introduction are responsible for proving that the use of personal data of the customers to whom products are introduced is in accordance with regulations; and (iii) Organizations and individuals using personal data for behavioural, targeted or personalized advertising may only collect personal data through monitoring websites, electronic portals and applications with the data subject’s consent, and must establish a mechanism allowing the data subject to refuse data sharing, determine the storage period, and delete and destroy the data when it is no longer needed.

(e) According to the PDPL, organizations and individuals providing social networking services and online communication services are responsible for: (i) Not requiring the provision of images or videos containing full or partial identity documents as a factor in account authentication; (ii) Providing options allowing users to refuse the collection and sharing of data files (called “cookies”); (iii) Providing a “do not track” option, or only tracking service usage activities with the consent of the user; (iv) Not eavesdropping on, wiretapping or recording calls and not reading text messages without the consent of the personal information subject, unless otherwise provided by law; (v) Making the privacy policy publicly available, clearly explaining how personal data is collected, used and shared; etc.

(f) The PDPL also, for the first time, stipulates the protection of personal data in the processing of big data, artificial intelligence (AI), blockchain, the virtual universe and cloud computing, in order to develop industry 4.0 and promote digital transformation in Vietnam; accordingly: (i) Personal data in this environment must be processed for the right purpose and limited to the necessary scope; (ii) Systems and services must integrate appropriate personal data security measures, use appropriate authentication and identification methods, and delegate access rights for processing personal data; and (iii) In particular, the processing of personal information using AI must be classified according to its level of risk so that appropriate personal data protection measures can be applied.

(g) The PDPL provides for a number of enhanced protection measures for certain types of sensitive personal data, including:

(i) For personal location data: Location tracking via radio frequency identification cards and other technologies shall not be applied, except where consent has been obtained from the data subject, where a competent authority so requests as provided by law, or where otherwise provided by law; organizations and individuals providing mobile application platforms must notify users of the use of personal location data, take measures to prevent the collection of personal location data by irrelevant organizations and individuals, and provide users with options regarding the tracking of their personal location.

(ii) For biometric data: Agencies, organizations and individuals collecting and processing biometric data must have physical security measures for their biometric data storage and transmission devices, restrict access rights, have a monitoring system to prevent and detect violations involving this type of personal data, and comply with relevant laws and international standards; where the processing of biometric data causes damage to the data subject, the organization or individual collecting and processing such data must notify the concerned data subjects in accordance with Government regulations.

7. Imposing conditions on forces and services for personal data protection

The PDPL requires: (a) All agencies and organizations that process personal data, not only those that process sensitive personal data as under the former regulations, to be responsible for designating departments and personnel with sufficient capacity to protect personal data, or for hiring organizations and individuals to provide personal data protection services; and (b) Departments and personnel responsible for protecting personal data in agencies and organizations, as well as organizations and individuals providing personal data protection services or personal data processing services, to meet the conditions and perform the tasks prescribed by the Government. These provisions therefore create a burden of compliance obligations, since all agencies and organizations process personal data, at least the personal data of their employees; the Decree currently being drafted needs to be completed and issued by the Government soon to provide detailed guidelines for implementation of the PDPL, and in particular to determine the obligations of each group of enterprises according to the purpose, data subjects and scale of data processing.

8. Certain cases to be exempted from compliance obligations

The PDPL stipulates that if an agency, organization or individual conducts an assessment of the impact of personal data processing, an assessment of the impact of cross-border transfer of personal data (hereinafter referred to as “impact assessments”) in accordance with the provisions of this Law, it is not required to conduct an assessment of the risk of personal data processing and an assessment of the impact of cross-border transfer of personal data in accordance with the provisions of the laws on data.

In order to reduce the burden of compliance obligations, the PDPL also allows business households and micro-enterprises not to comply and small enterprises and start-ups to choose whether or not to comply with the provisions on impact assessments and designate a qualified department or personnel to protect personal data or hire an organization or individual to provide personal data protection services within 5 years as from the effective date of this Law; except for small enterprises, start-ups, business households, and micro-enterprises that provide data processing services, directly process sensitive personal data, or process personal data of a large number of data subjects.

9. Transitional guidance

The PDPL clearly states: (a) The ongoing processing of personal data that has been agreed upon by the data subject or agreed upon in accordance with the provisions of the PDPD before the effective date of the PDPL shall continue to be carried out without having to obtain another consent or re-agreement; and (b) The impact assessment dossiers as stipulated in the PDPD that have been received by the agency specializing in personal data protection before the effective date of the PDPL shall continue to be used and without having to prepare other impact assessment dossiers under the PDPL; the updating of the above-prepared dossiers after the effective date of the PDPL shall be carried out in accordance with the provisions of the PDPL.
