Legal Alert | July 2025 | Personal Data Protection Law

The new PDPL was passed by the National Assembly on 26 June 2025 and will become effective on 1 January 2026. This constitutes the first-ever comprehensive law in Vietnam's legal system governing personal data protection (PDP) and marks a breakthrough in Vietnam's data protection history.

Key highlights in the PDPL include: 

  • Subjects of application 
  • Definition and categorization of personal data 
  • Legal effectiveness of PDPL in comparison with other regulations 
  • Sanctions for violations 
  • Processing of personal data without the consent of the personal data subject 
  • Data protection officer (DPO) or data protection department (DPD) 
  • Cross-border personal data transfer 
  • Data processing impact assessment (DPIA) 
  • Notification of violations of PDP regulations 
  • Data protection for vulnerable groups 
  • Data protection in employment 
  • Sector-specific regulations 
  • Transitional cases 

1. Subjects of application 

Besides Vietnamese agencies, organizations and individuals, the PDPL has extra-territorial application to certain foreign agencies, organizations and individuals, which are limited to:

  • The ones directly involved in or related to the processing of personal data of Vietnamese citizens; and 
  • The ones directly involved in or related to the processing of personal data of people of Vietnamese origin whose nationality is not yet identified but who are living in Vietnam and have been granted an identity card.

2. Definition and categorization of personal data

While the definition for personal data remains the same, in the sense that it points to information that is “used to identify a particular individual”, the PDPL has expanded “personal data” to not only include digital data but also data in other forms. 

This recent development under the PDPL could be interpreted as broadening the definition of personal data in a way that includes both traditional, paper-based information and information in electronic form.   

Regarding the different types of personal data, while Decree 13 previously provided a detailed list of “basic” and “sensitive” personal data, the PDPL only provides a general description of these categories. Further guiding documents from the Government on the lists of basic and sensitive personal data are expected.

3. Legal effectiveness of PDPL in comparison with other regulations 

  • Application of personal data protection regulations

The rules for applying laws and resolutions of the National Assembly which have specific provisions on personal data protection are as follows: 

  • Such law or resolution is issued before the effective date of PDPL, and the relevant provisions are not contrary to the principles of personal data protection prescribed under PDPL: the provisions of such law or resolution shall apply.
  • Such law or resolution is issued after the effective date of PDPL, and the relevant provisions are different from the provisions of PDPL: they must specify which contents shall be implemented/not implemented in accordance with the provisions of PDPL and which shall be implemented in accordance with such law or resolution instead. 

The personal data processing activities of enterprises may be subject to multiple regulations relating to personal data protection. In such cases, enterprises should apply the aforesaid rules to determine which regulation governs.

  • Resolution for overlapping impact assessment obligations

Article 5.4 of PDPL specifically deals with the overlapping impact assessment obligations in both the Data Law and PDPL. For personal data already covered in the impact assessment for personal data processing or for cross-border personal data transfer (DPIA and CTIA) under the PDPL, an assessment of the risk and cross-border transfer under the Data Law shall be exempted. In other words, the DPIA and CTIA under the PDPL could replace the risk assessment and CTIA under the Data Law in terms of processing of personal data.  

The relationship between Decree 13 and the PDPL has not been addressed. Since most of the contents of Decree 13 have been updated by the PDPL, it should henceforth be read in conjunction with the PDPL.

4. Sanctions for violations 

While Decree 13 only lists out the main types of sanctions an entity may be subject to due to violations, PDPL takes a further step in providing the capped administrative fines for organizations which violate the law, as follows: 

  • For sale and purchase of personal data: 10 times the revenue from the sale or VND 3 billion, whichever is higher.  
  • For cross-border transfer violations: 5% of the violator’s revenue of the preceding year or VND 3 billion, whichever is higher.  
  • Other violations: capped at VND 3 billion.

It remains unclear whether “revenue” refers only to revenue generated within the territory of Vietnam or also includes overseas revenue.

5. Processing of personal data without the consent of the personal data subject 

New cases of exceptions where personal data is allowed to be processed without the data subject’s consent are prescribed under the PDPL.

Regarding the new exception that allows processing personal data to implement “the agreement of the data subject with relevant agencies, organizations, and individuals as prescribed by law,” the wording in the PDPL suggests a broader and more flexible interpretation compared to Decree 13. In particular, any agreement waiving consent between the data subject and the relevant entities can be deemed an exception to the consent rule. By contrast, Decree 13 only allows the exception in cases of implementation of the “data subject's contractual obligations”.

Besides the above, the PDPL also mandates that relevant agencies, organizations and individuals must establish a monitoring mechanism when processing personal data in this case.

6. Data protection officer or data protection department 

Under the PDPL, companies are legally required to either (i) appoint an internal personal data protection department or personnel within their organization; or (ii) hire external organizations and individuals to provide personal data protection services.

Personal data protection personnel must be qualified in accordance with the Government’s regulations.

Small and start-up enterprises, household businesses and micro-enterprises may be exempt from this DPO requirement if certain conditions are satisfied.

7. Cross-border personal data transfer 

The PDPL specifies cases in which entities are exempted from having to conduct the cross-border data transfer impact assessment (CTIA). These notably include the following cases:

  • Agencies and organizations storing personal data of employees of those agencies and organizations on cloud computing services 
  • Personal data subjects transferring their own personal data across borders 

Per the new approach adopted by the PDPL, enterprises are still deemed to have conducted a cross-border transfer of personal data when using cloud services or data servers located overseas to store or process data. However, in this case, the requirement to carry out a CTIA shall be waived for personal data belonging to employees of such entity.

The Government is tasked with prescribing the components of the dossier, conditions, order and procedures for CTIA. 


8. Data processing impact assessment (DPIA)

Notable updates in the PDPL include: 

  • Role of processor: Data processor shall prepare and retain a DPIA dossier conducted on behalf of the data controller. 
  • Relevant exemption from the requirement to conduct a DPIA: Only a narrow window of exception to this requirement is allowed for small and start-up enterprises, household businesses and micro-enterprises if certain conditions are satisfied. 
  • Timeline for conducting DPIA: Conducted once for the entire operation term of the organization and updated every six months or immediately in certain cases. 

The provision legally acknowledges the practical role of processors in managing data flows and technologies. Accordingly, although the data controller is primarily responsible for conducting the DPIA, the data processor must also prepare and retain the DPIA dossier on behalf of the data controller. For a data controller cum processor, the DPIA dossier must cover both the data controller and data processor roles.

9. Notification of violations of PDP regulations

Apart from the data controller and the data controller cum processor, third parties are also obligated to notify violations of personal data protection to the Ministry of Public Security.

Most notably, entities are only required to notify in case the breach may cause harm to national defense, national security, social order, or public safety, or infringe upon the life, health, honor, dignity, or property of the data subject.  

Regarding the timeline for notification, the 72-hour deadline to notify is now counted from the time the violation is detected, instead of from the occurrence of the violation as in Decree 13, which allows companies a reasonable timeframe to confirm breaches before notifying.

10. Data protection for vulnerable groups

The PDPL extends special protections to three groups: (i) children, (ii) individuals who have lost or have limited civil act capacity, and (iii) individuals with cognitive or behavioral control difficulties. Of these, groups (ii) and (iii) were previously absent from Decree 13.

Notably, the processing of children’s personal data for the purpose of disclosing or publishing information about their private life or personal secrets, for children aged 7 and older, must have the consent of both the child and the legal representative. This approach is different from Decree 13, where the consent of both the child and legal representative is required regardless of the purpose of processing. 

11. Data protection in employment

The PDPL mandates that if a candidate is not hired, such person’s data must be deleted or destroyed, unless otherwise agreed.  

For employees, upon contract termination, employee data must be deleted or destroyed, unless otherwise agreed or required by law. 

12. Sector-specific regulations

Processing of personal data in the following fields is subject to enhanced data protection requirements: (i) health and insurance; (ii) financial, banking and credit information; (iii) advertisement; (iv) social media platforms and online communication services; (v) big data, artificial intelligence, blockchain, virtual reality, and cloud computing.

For location data and biometric data: the PDPL requires enhanced security measures for both, a proper notification mechanism for biometric data, and a data collection notice and an opt-out option for location data.

Data collected from public audio/video recording: Aside from the case mentioned in Decree 13, the recording and processing of personal data (audio/video) in public places or during public events can be done without consent in case of conferences, sports events, performances, or other public events, as long as it does not harm the honor, dignity or reputation of data subjects. 

13. Transitional cases

Personal data processing activities conducted with the data subject’s consent or pursuant to an agreement in accordance with Decree 13 prior to the effective date of the PDPL, shall continue without the obligation to obtain renewed consent or to renegotiate such agreements. 

DPIA and CTIA dossiers that were received by the A05 before the effective date of the PDPL pursuant to Decree 13, may continue to be used and do not need to be re-submitted under the PDPL. However, any updates to these dossiers made after the PDPL takes effect must comply with the PDPL.
