August 27, 2025

Vietnam’s New Personal Data Protection Law: A Closer Look

Vietnam officially enacted Law No. 91/2025/QH15 on Personal Data Protection (“PDPL”) on June 26, 2025, marking a major milestone in the country’s legal landscape. While the PDPL retains many provisions from its predecessor, Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), it adds new concepts, exemptions, and compliance obligations. Notably, it sets out a framework regulation for penalties for violations, including monetary fines of up to 5% of the corporate violator’s annual revenue in the previous year for cross-border data transfer breaches.

With an effective date of January 1, 2026, the PDPL will apply to (i) Vietnamese agencies, organizations, and individuals; (ii) foreign agencies, organizations, and individuals in Vietnam; and (iii) foreign agencies, organizations, and individuals directly involved in or related to the processing of personal data of Vietnamese citizens and persons of Vietnamese origin without a determined nationality, currently residing in Vietnam, who have been granted a personal identification certificate.

Although the PDPL does not explicitly define its relationship with the currently effective PDPD, the government is drafting a new decree to guide the PDPL’s implementation, the first draft of which is expected to be completed by September 2025, with an effective date aligned with that of the PDPL. Once both the PDPL and its implementing decree come into force, the PDPD will presumably cease to have legal effect.

Some key takeaways from the PDPL are presented below.

1. Definitions of “Personal Data,” “Basic Personal Data,” and “Sensitive Personal Data”

The PDPL introduces broad definitions for “personal data,” “basic personal data,” and “sensitive personal data.” It expands the scope of personal data to include both digital and non-digital formats, such as paper-based records. Notably, de-identified personal data is explicitly excluded from the definition of personal data. The PDPL further delegates authority to the government to issue exhaustive lists specifying which types of data qualify as basic and sensitive personal data. These lists are expected to be detailed in the PDPL’s implementing decree.

2. Data Subjects’ Rights and Obligations

The PDPL retains the rights of data subjects as previously outlined in the PDPD, with clarifications of the rights themselves and certain strengthened procedural requirements. In addition to the data subjects’ rights, the PDPL imposes specific obligations on data subjects, including the obligations to:

  • Self-protect their own personal data;
  • Honor and protect others’ personal data;
  • Provide adequate and accurate personal data according to applicable laws and regulations, contracts, or consent given to the processing of their own personal data; and
  • Comply with the personal data protection laws and regulations and participate in the prevention of personal data infringements/violations.

These provisions are designed to prevent misuse of personal data rights and promote a culture of shared responsibility in the digital environment, while reinforcing individuals’ control over their own data.

3. Personal Data Trading and Transfer

The PDPL strictly prohibits the sale and purchase of personal data, except as otherwise prescribed by the law. This prohibition is part of a broader effort to combat the widespread illegal online trading of personal data and prevent insider abuse. Violations of this provision may result in severe penalties, including fines of up to 10 times the revenue gained from the unlawful act of personal data trading.

The PDPL provides clarification, however, that certain types of data transfers do not constitute the “sale and purchase of personal data.” These include:

  • When the data subject has given consent.
  • When data is shared between departments within the same agency or organization for processing in line with the determined purpose.
  • When data is transferred for continued processing due to the division, separation, or merger of agencies, organizations, or administrative units; the reorganization or transformation of ownership of state-owned enterprises; the division, separation, merger, consolidation, or dissolution of entities or organizations; or the establishment of entities or organizations based on the dissolution of other entities or organizations.
  • When the data controllers or data controller-processors transfer data to a data processor or third party (e.g., independent data controllers) for processing as prescribed.
  • Upon request from competent state authorities.
  • In circumstances where personal data can be processed without the data subjects’ consent as prescribed under the PDPL (see item 5 below).

These exceptions are expected to be further detailed in the PDPL’s implementing decree.

4. Maximum Administrative Sanctions for Violations

In addition to the maximum fine for illegal personal data trading, the PDPL sets the maximum administrative fine on an organization for violations related to cross-border personal data transfers at 5% of the violator’s revenue in the preceding fiscal year. In cases where the organization has no revenue in the preceding year, or where the fine calculated based on such revenue is lower than VND 3 billion (approx. USD 114,500), the latter will apply. The maximum administrative fine for other violations in the field of personal data protection is VND 3 billion. The method to calculate revenue arising from violation of personal data protection regulations will be further prescribed by the government under the PDPL’s implementing decree.

5. Consent Requirements

The consent-centric approach and strict consent formality requirements of the PDPD are maintained in the PDPL, which provides additional cases of consent-exemptions. These include, among others, situations where personal data processing is necessary to protect one’s own legitimate rights or interests, or those of others, as necessary against acts that infringe upon such interests (e.g., legal defense), and the fulfillment of contractual obligations not only of the data subjects but also of the service provider.

While the PDPL uses the term “legitimate interest,” its scope is significantly narrower than under the GDPR, and applies only when data processing is required to prevent infringement by third parties.

For situations where consent is exempted, the PDPL introduces a requirement for the data controllers and relevant data processors to implement a monitoring mechanism to protect the data, including but not limited to implementing appropriate data protection measures and regularly assessing possible risks, periodically inspecting and assessing compliance with the law, and receiving and addressing feedback and petitions from relevant parties.

The PDPL includes a transition clause allowing personal data processing activities that have been carried out prior to the effective date of the PDPL with the consent of the data subject or based on an agreement in accordance with the PDPD, to continue, without requiring new consent or a new agreement. This provision offers continuity for businesses already compliant with the PDPD, while signaling the need for updated practices that align with the PDPL’s enhanced standards.

6. Data Processing and Data Transfer Impact Assessment

The requirements for the preparation, submission, and maintenance of a Data Processing Impact Assessment (“DPIA”) and a Data Transfer Impact Assessment (“TIA”) under the PDPD are inherited by the PDPL. The PDPL has assigned the government to provide detailed requirements on the dossier, conditions, order, and procedures for each impact assessment in the PDPL’s implementing decree. However, it is anticipated that these requirements will generally align with those outlined in the PDPD.

To reduce the compliance burden, the PDPL makes it optional for small businesses and startups to comply with the DPIA requirements for five years from the PDPL’s effective date, while household businesses and micro-enterprises are exempt. However, entities that provide personal data processing services, directly process sensitive personal data, or process the personal data of a large number of data subjects are not eligible for this exemption.

The PDPL mandates a six-month update cycle for both the DPIA and the TIA if there are any changes. Immediate updates are required in specific circumstances, such as (i) company restructuring, termination, dissolution, or bankruptcy; (ii) change of organization or individual providing personal data protection services; or (iii) introduction of new business lines/activities or changes to the current business lines/activities involving personal data as declared in the DPIA and TIA.

DPIAs and TIAs received by the Cybersecurity and High-Tech Crime Prevention Department under the Ministry of Public Security (known as the “A05” department) before the PDPL’s effective date (i.e., January 1, 2026) in accordance with the PDPD will remain valid. However, any updates to these dossiers made after the PDPL comes into force must comply with the requirements set out under the PDPL.

7. Notification of Violations

One of the key changes introduced by the PDPL is the revised timeline for notification of detected violations. Organizations are now required to report violations within 72 hours of detection, rather than from the time of occurrence as previously mandated under the PDPD. Moreover, while the PDPD only requires notification to the regulator (specifically, the A05), the PDPL expands this obligation to include notifying affected data subjects in cases involving biometric data incidents or incidents related to financial service providers.

8. Special Personal Data Protection Mechanisms

Some special data protection mechanisms are introduced under the PDPL, as follows:

For specific data subject groups: The PDPL sets out enhanced and more comprehensive safeguards for the personal data of vulnerable groups, such as children and individuals with limited or lost civil act capacity, or those with cognitive or behavioral impairments. For instance, the processing of children’s data generally requires only parental consent. However, if the data pertains to the child’s private life or personal secrets, and the child is age 7 or older, dual consent from both the child and the parent must be obtained.

For specific businesses and operational activities: The PDPL outlines tailored safeguards for personal data processing activities across various sectors and operational activities, including employment (recruitment and employee management); health data and insurance business; financial, banking, and credit information activities; advertising services; social network platforms and online communications services; big data processing, artificial intelligence, blockchain, virtual universe and cloud computing; and audio and video recording in public places and public activities. While some provisions are sector-specific, some can be generally applied to all enterprises; for instance, the requirement for deletion/destruction of information provided by job applicants who are not hired, unless there is a different agreement with the applicant.

For specific types of sensitive personal data: Specific safeguards required for processing location and biometric data are also prescribed under the PDPL.

9. Personal Data Protection Department and Personnel

The PDPL requires organizations to either designate a qualified department and personnel dedicated to personal data protection, or engage external data protection service providers. Such personal data protection departments, personnel, and service providers are components of what the PDPL refers to as the “personal data protection forces.”

While the government has yet to issue detailed regulations on “personal data protection forces,” further guidance on the conditions, responsibilities, and tasks of the designated data protection department and personnel is expected in the PDPL’s implementing decree.

Small and startup enterprises are granted a five-year grace period from the PDPL’s effective date to determine whether to comply, while household businesses and micro-enterprises are exempted from this requirement (save for cases where these entities provide personal data processing services, directly process sensitive personal data, or process the personal data of a large number of data subjects).

Outlook

The promulgation of the PDPL represents a major advancement in Vietnam’s legal landscape, reinforcing the existing data protection framework for better safeguarding the privacy and personal rights of Vietnamese citizens in the digital era, and at the same time promoting the digital economy and international integration in the country. Businesses will need to reevaluate and consolidate their data governance practices and internal controls to ensure prompt and effective PDPL compliance. It is also important for businesses to keep an eye on upcoming regulations and guidance to properly implement the PDPL.