Vietnam Newsletter

Unlocking Vietnam’s Data Future: Key Insights on the 2025 Personal Data Protection Law

1. New and key provisions of the Law

Vietnam's new Personal Data Protection Law (PDP Law), passed on June 26, 2025, and set to take effect on January 1, 2026, marks a significant evolution in the country's data privacy landscape. It builds upon the existing Decree 13/2023/ND-CP of the Government on personal data protection (PDPD), introducing several new and enhanced requirements. 

Broader Applicability
The PDP Law applies not only to Vietnamese organizations and individuals but also to foreign entities that process the personal data of Vietnamese citizens, even if they have no physical presence in Vietnam.

Specific sanctions and administrative fines
The Law introduces significant administrative fines, including up to 10 times the illegal gain or VND 3 billion for personal data trading, and up to 5% of annual revenue for unlawful cross-border transfers of personal data.

Serious violations may result in criminal prosecution, and data subjects have the right to claim damages.

More general definition of personal data, basic and sensitive personal data
The PDP Law retains the two-tiered classification of personal data regulated in the PDPD, but unlike the PDPD it does not enumerate specific types of data within these categories in the statutory text. Instead, it delegates to the Government the task of issuing detailed lists of what constitutes basic and sensitive personal data. This approach allows for flexibility and adaptability as new types of data and risks emerge.

The PDP Law expressly provides that if personal data has been de-identified such that it no longer identifies or helps identify any individual, it falls outside the scope of “personal data”, whereas encrypted personal data is still regarded as personal data. This approach is consistent with global data protection frameworks such as the EU’s GDPR, which also excludes truly anonymized (de-identified) data from the definition of personal data.

New lawful basis for processing personal data
While the PDP Law remains a consent-centric regime, it introduces a new exception that allows personal data to be processed without consent in order to protect the “legitimate” or “justifiable” rights or benefits (“quyền hoặc lợi ích chính đáng” in Vietnamese) of the data controller or another party, as necessary, in response to acts that violate such rights or benefits. This is typically interpreted as allowing processing in the context of legal claims, dispute resolution, or defence against unlawful acts (e.g., fraud, infringement, or other violations). Although this new ground reflects a long-standing request from practitioners and companies for the authorities to add “legitimate interests” as a lawful ground for processing personal data without consent, the scope of justifiable rights or benefits under the PDP Law is narrower than the legitimate interests ground under the GDPR.

Cross-border data transfer impact assessment (DTIA)
Unlike the PDPD, which does not provide any exemptions from the DTIA requirement, the PDP Law introduces several specific exemptions, including (among others):

  • storage of employee data on cloud services by the employer; and
  • data subjects themselves transferring their own personal data across the border.


For example, if data subjects directly provide their personal data to service providers—resulting in the data being transferred out of Vietnam because the service provider uses platforms located outside the country—the DTIA requirement does not apply. Although the PDP Law is not entirely explicit, it appears that it treats data subjects as the transferors of their own personal data when they initiate such transfers, thereby exempting these cases from the DTIA requirement. As a result, service providers are effectively relieved from concerns about whether they are subject to the DTIA requirement in these scenarios, addressing the ambiguity that existed under Decree 13.

2. Sector-specific rules

The PDP Law introduces detailed sector-specific requirements for the protection of personal data. These rules supplement the general obligations and are designed to address the unique risks and operational realities of each sector. We highlight below some notable requirements (non-exhaustive):

  • Employment and Human Resources (Recruitment Services and Labor Management): (i) only request and process personal data necessary for recruitment purposes; (ii) use technological monitoring (e.g., surveillance, tracking) only with employees’ clear awareness.
  • Healthcare and Insurance Providers: do not share health data with third-party health or insurance providers unless there is a written request from the data subject or in the cases regulated in Article 19 of the Law (e.g., an emergency). It is unclear whether a prior consent of the data subject to sharing health data with third-party health or insurance providers could serve as a “written request”.
  • Finance, Banking, and Credit Information Services Providers: (i) do not use credit information for scoring or profiling without explicit customer consent; (ii) collect only necessary personal data from lawful sources; and (iii) notify customers in case of leakage or loss of bank account, financial, or credit information.
  • Advertising and Marketing Services Providers: (i) use customers’ personal data for advertising only with explicit, informed consent, with the customers’ clear awareness of the content, method, form, and frequency of product advertisement; (ii) provide clear opt-out mechanisms for customers to refuse marketing information; (iii) do not subcontract or delegate the entire advertising service involving the use of personal data to third parties; (iv) for behavioral or targeted advertising, collect personal data through tracking of electronic portals, websites, and applications only with the consent of data subjects, and provide options to refuse tracking.
  • Social Media and Online Communication Platform Operators: (i) clearly inform users about data collection at the point of account creation or use; (ii) do not require users to provide images or videos of ID documents for account verification; (iii) provide options for users to refuse cookies and tracking (Do Not Track); and (iv) do not eavesdrop on, record, or read messages without user consent.
  • Emerging Technologies (Big Data, AI, Blockchain, Cloud, Metaverse): (i) process personal data only for legitimate, necessary purposes and within the required scope; (ii) integrate appropriate security and access controls, using appropriate authentication methods, into all systems using these technologies.
  • Location and Biometric Data: (i) do not track individuals’ locations via RFID or similar technologies without consent, except as required by law; (ii) mobile app providers must inform users about location data use and provide opt-out options; and (iii) parties that collect and process biometric data must apply physical and logical security measures, restrict access, monitor for breaches, and comply with the law and relevant international standards.


The Vietnamese PDP Law imposes detailed, sector-specific obligations that require tailored compliance strategies. Business entities should proactively review their data processing activities in each relevant sector, update their compliance frameworks, and implement both technical and organizational measures to meet the PDP Law’s requirements.

3. Transitional period for small enterprises and start-ups

Small enterprises and start-ups are granted a five-year grace period from the effective date of the PDP Law (i.e., until January 1, 2031) to comply with the requirements on DPIA dossiers and data protection officers. This transitional period is designed to give smaller and newly established businesses additional time to build the necessary compliance infrastructure and expertise before being subject to the full weight of the Law’s requirements.

However, if a small or start-up business is involved in high-risk data processing activities (e.g., handling sensitive data, providing data processing as a service, or processing large volumes of data), it must comply with the PDP Law’s requirements from the law’s effective date (1 January 2026).