Navigating Vietnam’s Personal Data Protection Law: What You Need to Know

Research Team (Tsaaro)

Businesses, digital platforms, and anyone handling personal data in Vietnam should take note: Vietnam’s new personal data protection law is changing how data can be collected, used, and shared.


Introduction: Why Vietnam Needed a Personal Data Protection Law 

Vietnam’s digital economy has expanded rapidly, with personal data now forming the backbone of banking, healthcare, employment systems, advertising, social media platforms, and emerging technologies such as artificial intelligence and cloud computing. Until recently, personal data protection was governed primarily through executive instruments (Decree No. 13/2023/ND-CP). While that decree laid important groundwork, it lacked the authority and permanence of a parliamentary statute. 

This changed with the enactment of the Law on Personal Data Protection (Law No. 91/2025/QH15), adopted by the National Assembly on 26 June 2025. The law came into force on 1 January 2026 and established detailed rules for the protection of personal data. As stated in Article 1, the law regulates personal data, personal data protection, and the rights and obligations of individuals, organisations, and state authorities involved in data processing. Its underlying philosophy, reflected in Article 3, is to protect personal data while balancing national security, public order, and socio-economic development. 

What Counts as Personal Data and Who Must Comply 

The law defines personal data broadly. Under Article 2, personal data includes any information, whether digital or otherwise, that identifies or helps identify a specific individual. This deliberately wide definition ensures that protection extends beyond obvious identifiers to data that may indirectly reveal identity. Once personal data has been properly de-identified so that identification is no longer possible, it no longer falls within the scope of the law. 

Personal data is classified into basic personal data and sensitive personal data. Basic personal data covers commonly used identifying and background information, while sensitive personal data includes information closely linked to privacy and capable of seriously affecting an individual’s lawful rights and interests if infringed. The law leaves the detailed listing of these categories to the Government, allowing flexibility as data practices evolve. 

The statute also clearly distinguishes between the key actors in data processing. Individuals whose data is processed are recognised as personal data subjects. Entities that determine the purpose and means of processing are personal data controllers, while those processing data on behalf of controllers under contractual arrangements are personal data processors. These role definitions in Article 2 are not merely descriptive; they determine where legal responsibility and liability lie. 

As for scope, Article 1 makes clear that the law applies not only to Vietnamese individuals and organisations, but also to foreign entities operating in Vietnam. Importantly, it also applies to foreign organisations and individuals located outside Vietnam if they are involved in processing the personal data of Vietnamese citizens or residents. This gives the law clear extraterritorial reach. 

Core Principles and Rights of Individuals 
  • Personal Data: Under Article 3, personal data must be collected and processed only for specific and lawful purposes, within an appropriate scope. Data must be accurate, updated when necessary, and stored only for a duration suitable for the processing purpose. Organisations are required to implement appropriate technical, organisational, and human safeguards to protect personal data and to actively prevent and address violations.


  • Individual Rights: Article 4 grants personal data subjects the right to be informed about data processing, to give or refuse consent, and to withdraw consent. Individuals may access their personal data, request corrections, demand deletion or restriction of processing, and object to processing in appropriate cases. Where violations occur, data subjects have the right to complain, initiate legal proceedings, and seek compensation for damage suffered. 


  • Corresponding Responsibilities: Under Article 4, individuals are expected to protect their own personal data, respect the data of others, and provide accurate information when required by law or agreement. The exercise of data subject rights must not infringe upon the lawful rights and interests of the State or third parties. Importantly, organisations are legally obliged to facilitate the exercise of these rights and must not obstruct or delay legitimate requests. 

Consent, Lawful Processing, and the Data Lifecycle 

Consent is the primary legal basis for processing personal data under the law. Article 9 establishes that personal data may generally be processed only with the consent of the personal data subject. For consent to be valid, it must be voluntary and informed, with the individual clearly told what data is being processed, for what purpose, and by whom. Consent must be explicit and verifiable, including in electronic form, and must be tied to specific purposes. Silence or non-response does not amount to consent. 

The law also allows data subjects to withdraw consent or request restrictions on processing. Article 10 requires data controllers to act on such requests within the legally prescribed time limits, though processing carried out before withdrawal remains lawful. 

There are limited situations where consent is not required. Article 19 permits non-consensual processing in urgent situations involving threats to life or health, for national security and crime prevention, for lawful state management activities, and for the performance of valid agreements. Even in these cases, organisations must implement safeguards, establish monitoring mechanisms, and assess risks associated with processing. 

The statute regulates the full lifecycle of personal data. Collection must be lawful, inaccurate data must be corrected, and personal data must be deleted or destroyed once the processing purpose has been fulfilled or the lawful storage period has expired, as provided under Article 14. De-identification must prevent re-identification, and the unlawful restoration of deleted or destroyed data is prohibited. The law also expressly bans the buying and selling of personal data, subject only to narrow statutory exceptions. 

Cross-Border Transfers and High-Risk Processing Activities 

Cross-border transfer of personal data is treated as a high-risk activity under the law. Article 20 defines cross-border transfers broadly, covering the transfer of data stored in Vietnam to overseas systems, transfers to foreign entities, and the use of offshore platforms to process data collected in Vietnam. 

As a rule, organisations engaging in such transfers must prepare a cross-border personal data transfer impact assessment and submit it to the competent authority within sixty days of the first transfer. The authority has the power to inspect these transfers and may order suspension where national defence or security interests are threatened. Certain limited transfers, such as those carried out by competent state agencies or involving employee data stored on cloud services, are exempt. 

Separately, Article 21 requires organisations that process personal data on an ongoing basis to conduct personal data processing impact assessments, designed to identify and mitigate risks. These assessments must be updated when material changes occur. 

The law also introduces heightened safeguards for specific sectors and technologies, including children’s data, employment data, health and insurance information, banking and credit data, advertising services, social networking platforms, artificial intelligence systems, biometric data, and location data. These provisions reflect a clear legislative intent to regulate areas where misuse of personal data poses heightened risks. 

Enforcement and Penalties 

Responsibility for state management of personal data protection rests with the Government, with the Ministry of Public Security acting as the primary enforcement authority, except in matters relating to national defence. Organisations are required to designate responsible personnel or engage professional service providers to ensure compliance. 

Article 23 requires that personal data protection violations be reported to the competent authority within seventy-two hours of discovery. Organisations must also document violations and cooperate with authorities in investigation and remediation. 

The penalty regime under Article 8 is intentionally stringent. Illegal trading in personal data may attract fines linked to the revenue generated from the violation. Unlawful cross-border transfers may result in penalties calculated as a percentage of annual revenue. Other violations are subject to substantial administrative fines, with individuals facing proportionate liability. Criminal sanctions and civil compensation remain available where applicable. 

The law comes into force on 1 January 2026, with limited transitional relief for small enterprises and start-ups, subject to important exceptions where sensitive data or large-scale processing is involved. 

Conclusion 

Vietnam’s Personal Data Protection Law is an important statute that helps align the country with global standards of privacy and data governance. By elevating personal data protection from an executive regulation to a full parliamentary statute, the law provides legal certainty, stronger enforcement, and a more coherent framework for both individuals and organisations. It recognises personal data as an asset that must be protected, while also acknowledging its role in economic growth, digital transformation, and public administration.

At its core, the law places individuals firmly at the centre of the data ecosystem. Through clearly articulated rights relating to consent, access, correction, deletion, and objection, the law gives data subjects meaningful control over how their personal data is used. At the same time, it avoids absolutism by permitting limited non-consensual processing for urgent situations, state functions, and national security, provided appropriate safeguards are in place. This balanced approach reflects a practical understanding of how data is used in the real world. 

For organisations, the law introduces clear responsibilities and accountability. Obligations around consent management, lifecycle controls, impact assessments, breach notification, and cross-border transfers signal a shift from informal compliance to structured governance. The introduction of revenue-linked penalties, particularly for unlawful data trading and cross-border violations, underscores the seriousness with which compliance will be enforced. 

Importantly, the law also looks forward. By explicitly addressing emerging technologies such as artificial intelligence, big data, biometric systems, and cloud computing, it ensures that personal data protection remains relevant in an evolving digital environment rather than becoming obsolete at the point of enactment. 

Want to Know More? 

Learn more about India's data protection environment, compliance frameworks, and in-depth analyses of privacy policies at Tsaaro.com.

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
