Vietnam’s new Personal Data Protection Law (PDPL) was passed by the National Assembly on June 26, 2025, and will enter into force on January 1, 2026. The PDPL introduces several new concepts, exemptions, and obligations in comparison with the current Decree No. 13/2023/ND-CP on personal data protection (PDPD), while other contents remain essentially the same. The relationship between the PDPD and the PDPL has not been clearly addressed; however, it is expected that the government will issue a new decree providing necessary guidance on certain requirements under the PDPL, and the PDPD will remain in effect until it is replaced by this new decree.
Some key points of the new PDPL include the following:
- Personal data will be further defined by lists of basic personal data and sensitive personal data to be issued by the government.
- The consent-centric approach of the PDPD remains in place, along with additional exemptions for certain data processing activities.
- The requirements for the data processing impact assessment (DPIA) and transfer impact assessment (TIA) remain unchanged. However, there are new exemptions for the TIA, including for the processing and storing in the cloud of employee data, and when the data subject is the person sending its own data outside of Vietnam.
- Consent obtained under the PDPD remains valid under the PDPL. DPIAs and TIAs submitted under the PDPD are valid under the PDPL but may need to be updated to be in line with the requirements of the PDPL.
- Administrative fines depend on the type of violation. The fine for sale and purchase of personal data will be 10 times the revenue from the sale or VND 3 billion (about USD 115,000), whichever is higher. The fine for cross-border transfer violations is 5% of the violator’s revenue of the preceding year or VND 3 billion, whichever is higher. Other violations are capped at VND 3 billion.
- Small enterprises and startups have a five-year grace period from the effective date of the PDPL to comply with regulations on preparing impact assessment dossiers and designating departments and personnel to protect personal data. Business households and micro-enterprises are exempted from these regulations. The exemptions and grace period, however, do not apply in cases where a large amount of personal data is processed, in the provision of data processing services, or in cases where sensitive personal data is directly processed.
Outlook
The new PDPL, set to take effect on January 1, 2026, introduces new regulatory requirements as well as new exemptions compared to the current PDPD. Enterprises will need to proactively assess and implement compliance measures ahead of this effective date.
It is important to note that while the PDPL builds upon the PDPD, many of its provisions will require further clarification and guidance from the government. Therefore, businesses should closely monitor regulatory developments to stay informed and prepared.
As this law is newly issued, this is a preliminary analysis only. We will soon provide a more comprehensive analysis of the PDPL to provide deeper insights and practical guidance.
