The National Assembly of Vietnam has enacted the long-awaited Personal Data Protection Law (abbr "PDPL") on 26 June 2025. This law represents a significant milestone in finalising the legal framework for safeguarding the privacy and personal data in Vietnam. The PDPL is set to take effect on 1 January 2026, with the Government expected to issue guidance pertaining to certain articles of the law. During the interim period preceding the PDPL's coming into force, businesses must continue to adhere to the rules set forth in the Decree No. 13/2023/ND-CP ("PDPD").
The key highlights of the PDPL are:
- Data Protection Roles: Outsourcing is permitted, but providers must meet government-specified qualifications.
- Cross-border Data Transfer Impact Assessment (DTIA): New exemptions have been introduced, including an exemption for employers storing employee data on cloud storage.
- Sector-Specific Rules: Additional requirements apply to healthcare, insurance, finance/banking, social media, big data, AI, and cloud computing industries.
- Continuity: Consents and impact assessments conducted under PDPD remain valid.
- Penalties: For cross-border transfer violations, penalties can be up to 5% of the previous year's revenue. Other violations may incur fines of up to VND 3 billion.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
