Vietnam has officially passed Law No. 91/2025/QH15 on Personal Data Protection ('PDPL'), marking a shift from decree-level rules to a comprehensive legislative framework. The PDPL, effective from 1 January 2026, raises the stakes for compliance, especially for foreign businesses operating in Vietnam and/or processing personal data of Vietnamese individuals.
We set out below a breakdown of the key changes, compliance risks, and what businesses must do to prepare.
I. Key changes
1. New Prohibitions and Tough Sanctions (Articles 7 and 8)
The PDPL introduces several prohibitions with consequences for those handling personal data in Vietnam:
- Using another person's personal data—or allowing others to use one's own personal data—to commit unlawful acts.
- Buying or selling personal data, unless otherwise expressly permitted by law.
- Seizing, intentionally disclosing, or destroying personal data.
According to the Standing Committee of the National Assembly, a complete ban on trading personal data is necessary to combat the widespread sale of personal data online and prevent insider abuse. The Committee asserts that personal data is tied to privacy and personal identity and is not a commodity.
To enforce prohibitions, the PDPL introduces aggressive penalty schemes:
- Cross-border personal data transfer violations: Fines from VND 3 billion (approx. US$115,000) up to 5% of the total revenue of the previous financial year.
- Illegal sale or purchase of personal data: Minimum fine of VND 3 billion, rising to up to 10 times the illegal gain.
- Other violations: Fines of up to VND 3 billion.
These penalties signal that data protection is now a serious compliance obligation and no longer a mere policy aspiration.
2. Sector-Specific Rules for High-Risk Industries (Articles 25–32)
Unlike Decree 13/2023/ND-CP ('Decree 13'), the PDPL adds detailed provisions for data processing across sensitive industries and emerging technologies:
- Recruitment and Employment (Art. 25): Only data relevant to recruitment can be collected. Candidate consent is required for processing. Candidate data must be deleted if the person isn't hired—unless mutually agreed otherwise.
- Healthcare and Insurance (Art. 26): Consent is mandatory for health data processing (limited exceptions apply). Reinsurers must include data transfer terms in customer contracts if they transfer customer personal data to partners.
- Banking and Finance (Art. 27): Credit information cannot be used for scoring without consent.
- Social Media (Art. 29): Platforms must offer 'opt-out of tracking' features. Eavesdropping, call recording, and reading messages are all banned where there hasn't been express mutual agreement.
- Big Data, AI, Cloud, Blockchain (Art. 30): Systems must comply with the law, align with ethical standards and have built-in security controls, among other requirements.
- Biometric Data (Art. 31): Physical security and access restrictions are mandatory. Tracking and monitoring must be auditable.
3. Consent (Article 9)
Consent must be voluntary, specific, fully informed, and given separately for each purpose. The PDPL additionally forbids businesses from imposing any condition that requires consent to purposes beyond those agreed upon. Bundled or broad consents tied to unrelated services could therefore expose businesses to enforcement risk.
4. Mandatory Impact Assessments (Articles 20–21)
Businesses must submit to Vietnam's data protection authority:
- A Data Processing Impact Assessment ('DPIA'): One-time submission within 60 days of the start of processing.
- A Cross-border Transfer Impact Assessment ('CTIA') (in cases of cross-border transfer): Also within 60 days of the first transfer. However, the PDPL exempts certain activities from the CTIA, such as:
- Transfers by state agencies;
- Cloud storage of employee data;
- Data subjects transferring their own personal data.
If impact assessments are filed under this law, no further risk assessments are required under other laws on data. This harmonisation ensures that duplication is avoided but puts pressure on businesses to get the filings right the first time.
5. Conditional Exemptions for Small Enterprises and Start-ups (Article 38)
For five years after the law takes effect, small businesses and start-ups may:
- Skip DPIA filings; and
- Postpone appointing a Data Protection Officer (DPO).
But this exemption only applies if they do not:
- Process sensitive data or large volumes of personal data; or
- Provide data processing services.
While the Government will provide further guidance on these exemptions, businesses should assess carefully whether they qualify and revisit that assessment regularly as operations evolve.
6. Transition Rules Offer Limited Relief (Article 39)
Ongoing data processing under Decree 13 can continue without re-obtaining consent. Impact assessments already submitted under the Decree remain valid. However, any updates made to those assessments after 1 January 2026 must comply with the PDPL. Businesses should treat this as a short runway to upgrade their compliance framework.
II. A Tougher Enforcement Climate and Compliance Roadmap
The new law was enacted amid rising concern over widespread data breaches and stepped-up government enforcement. In the first half of 2025 alone, authorities uncovered 56 illegal data trading operations involving over 110 million records.[1] Notably, in May 2025, the government ordered telecom operators to block Telegram after it refused to share user data for criminal investigations.[2] These events show the government's resolve. Failure to comply can mean more than fines; it could lead to blocked access to the Vietnamese market.
While the PDPL does not trigger significant immediate compliance obligations for businesses already compliant with Decree 13, those that have not yet completed their compliance actions should closely monitor the forthcoming implementing guidance and initiate the steps below:
Phase 1: Preparation
- Data Mapping: Identify all personal data types; classify as general or sensitive. Map how it flows in and out of the organisation.
- Gap Analysis: Compare current practices with PDPL requirements. Identify what must change.
- Personnel and Technical Preparation: Appoint a DPO. Allocate budget and tech support.
Phase 2: Implementation and Continuous Review
- Update Policies: Redraft consent forms and privacy policies to reflect the new requirements.
- Prepare and Submit Impact Assessments: Collect evidence to develop the assessment(s). Set up processes to meet the 60-day filing deadline.
- Engage External Counsel to develop a robust, forward-looking compliance strategy tailored to your business operations.
In short, Vietnam's PDPL brings legal certainty to data protection, but it also requires swift and sustained action from businesses. Commercial entities that take a minimal approach to compliance may face increased regulatory risk. In contrast, those that integrate data protection into their governance and operations will be better aligned with Vietnam's evolving digital economy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.