On June 26, 2025, at the 9th session, the 15th National Assembly of Vietnam officially approved the Law on Personal Data Protection (PDPL), marking an important milestone in building a legal framework for personal data protection in the context of strong digital transformation. The PDPL with 39 articles, effective from January 1, 2026, is divided into 5 chapters, not only meeting the internal needs for the protection of citizens' rights but also in line with international trends in personal data management.
1. Implications of the new legal framework on personal data
In the context of unprecedented technological growth, personal data has become a valuable resource but is also vulnerable to misuse. Data breaches, ranging from leakage of personal information to unauthorized use for commercial purposes, have created an urgent need for a comprehensive legal framework in Vietnam. Before this Law was promulgated, Vietnam had Decree No. 13/2023/ND-CP on personal data protection, but this document is only temporary and lacks comprehensiveness and effective enforcement. The PDPL 2025 was promulgated to overcome these limitations, and at the same time to meet international standards such as the European Union's General Data Protection Regulation (GDPR) and to harmonize with trade agreements to which Vietnam is a party.
The foundation for the development of PDPL is the regulations scattered in many different documents from the Civil Code 2015, the Law on Cyber Security 2018, Decree 13/2023/ND-CP to guiding documents.
2. Main provisions of the PDPL
2.1. Scope of regulation and subjects of application (Article 1)
It is worth noting that the PDPL applies to both domestic and foreign organizations and individuals that process personal data related to Vietnamese citizens, demonstrating the expansion of the scope of regulation in the context of globalization.
The law regulates the processing of personal data, including collection, analysis, encryption, correction, deletion, provision, disclosure, transfer and other related activities. Subjects of application include:
- Vietnamese agencies, organizations and individuals.
- Foreign agencies, organizations and individuals operating in Vietnam or processing personal data of Vietnamese citizens, especially in areas such as e-commerce, online advertising and social networks.
This ensures that international platforms such as Google, Facebook or TikTok, when doing business in Vietnam, must also comply with strict regulations on personal data protection, regardless of whether they are registered with the competent authorities of Vietnam.
2.2. Rights and obligations of personal data subjects (Article 4)
The law gives the personal data subject (the person whom the data reflects) many strong controls, including:
- Right to know. The personal data subject is informed about how his or her data is processed.
- Right to Consent or Decline. The personal data subject may consent, withdraw consent or request restriction of data processing.
- Editing and deletion rights. The data subject has the right to request the correction, provision or deletion of personal data.
- Right to complain. Another important right of personal data subjects is the right to sue, demanding that the infringing party compensate for damages if the data is breached.
- The right to request protection. Personal data subjects have the right to request agencies and organizations to apply data protection measures.
In addition, data subjects are also obliged to protect their own data, respect the data of others, provide accurate information and comply with the law. These rights and obligations must be exercised on the principle of not obstructing the parties involved and not infringing upon the legitimate interests of the State or other individuals.
2.3. Prohibited acts (Article 7)
The PDPL 2025 lists a series of prohibited acts to prevent the misuse of personal data such as: (1) Obstructing data protection activities; (2) Taking advantage of data protection to commit illegal acts; (3) Unauthorized processing, trading, disclosure or appropriation of personal data.
Individuals and organizations that commit these prohibited acts face very strict consequences under the sanctions prescribed by this Law and by relevant guiding documents and laws. The violating party may be subject to the following sanctions:
- Administrative sanctions. The violating party shall be subject to a maximum fine of up to VND 3 billion or 10 times the revenue from the act of buying and selling data. For cross-border data transfer violations, the fine can be up to 5% of the previous year's revenue.
- Criminal sanctions. Violators of prohibited acts in the PDPL may be prosecuted for criminal liability for serious acts.
- Compensation for damages. In addition to the above sanctions, the violating party is also responsible for compensation if it causes damage to the personal data subject.
2.4. Regulations on consent and withdrawal of consent (Articles 9, 10)
The consent of the data subject is a core factor in the processing of personal data. The law requires that consent:
- Be voluntary and clear, accompanied by sufficient information about the type of data, the purpose of the processing and the rights of the subject;
- Be expressed in text or a verifiable electronic format;
- Not be inferred from silence or non-response.
The subject has the right to withdraw consent or request the restriction of data processing, except in some special cases (e.g. at the request of a state agency). These requests must be sent in writing and promptly handled in accordance with law.
Chairman of the Committee on National Defense, Security and External Relations, Senior Lieutenant General Le Tan Toi, presented the Summary Report on Explanation, Feedback, and Revision of the Draft Law on Personal Data Protection. Source: National Assembly
2.5. Deletion, destruction and de-identification of data (Article 14)
Personal data must be deleted or destroyed in the following cases:
- The subject requests and accepts risks and damages that may occur to him.
- Completion of the purpose of processing or expiration of the storage period.
- According to the decision of the state agency or agreement.
Data de-identification is required to be strictly implemented, with monitoring measures to prevent unauthorized access. Deleted data may not be re-identified, except as permitted by law. Personal data that has been de-identified is no longer considered personal data under the provisions of the PDPL.
2.6. Cross-border data transfer (Article 20)
The PDPL strictly regulates the transfer of personal data abroad, and this is considered one of the most important provisions of the Law. Under the PDPL, individuals, agencies and organizations are required to carry out an impact assessment before transferring personal data abroad. In some cases, the specialized agency (Ministry of Public Security) has the right to periodically or irregularly inspect and request to stop data transfer if it detects a risk of affecting national defense and security.
In addition, the Law also stipulates a number of cases that are exempt from assessment, such as data transfer by state agencies or by the subject itself. A noteworthy provision in this exception is that agencies and organizations are not required to carry out a cross-border transfer impact assessment when they store their employees' data on cloud computing services. This regulation addresses a problem that many multinational businesses are very worried about: storing data on today's popular cloud computing platforms such as Microsoft, Google and Amazon.
2.7. Data protection in specific fields and subjects
The PDPL provides specific regulations for a number of particular subjects and fields, reflecting the diversity in personal data protection. Notable fields and subjects that the PDPL addresses include:
First, children and people with limited behavioral capacity
The legal representative exercises the rights of the data subject on behalf of this subject. The disclosure of information about children's private lives and personal secrets requires the consent of children aged 7 years and older. In some necessary cases, the party processing the personal data of these subjects must stop at the request of the legal representative, a child aged 7 or older, or competent authorities.
Second, recruitment and labor management
Employee data may be collected and stored only for the period prescribed by law or agreed between the parties. The employer must delete the data after the termination of the contract, unless otherwise agreed. The use of technological measures to collect and process employees' personal data must be made known.
For labor recruitment, personal data of candidates must be deleted or destroyed in case of non-recruitment, unless otherwise agreed between the parties.
Third, in the field of finance, banking, credit information
Individuals and organizations operating in the fields of finance, banking, and credit information shall not use credit information of personal data subjects for scoring, rating, evaluating credit information, or assessing the creditworthiness of personal data subjects without the consent of those subjects. At the same time, when using personal data, organizations and individuals in these fields must notify the personal data subject when the data is exposed. These are very noteworthy points for a field that uses a great deal of sensitive personal information in its operations.
Fourth, the field of advertising
The most notable point in the field of advertising in the PDPL is the requirement that organizations and individuals providing advertising services are not allowed to sublease or agree for other organizations and individuals to perform all advertising services using personal data on their behalf. This will greatly limit the activities of advertising companies in the coming time, especially for advertising companies that use KOLs to conduct advertising activities for customers to "book" (order) the services of advertising companies.
Fifth, for social media and online media platforms
The PDPL requires social media and online media platforms not to eavesdrop on or record calls, or read text messages, without the consent of the personal data subject. This regulation may be "favored" by many individuals who use social networking sites in Vietnam. However, the coming time will be a test of whether this regulation is implemented effectively in practice, because it is not easy to clearly prove that users are being spied on by these platforms. The complex algorithms of social networks will be a major obstacle to the management activities of the competent authority.
Sixth, for the field of big data, AI, blockchain, cloud
This is a timely regulation with the trend of developing types of technology in Vietnam in the coming time. However, there needs to be detailed guidelines from the government to protect the data of individuals when participating in such a difficult and specialized field.
The PDPL obliges businesses in this field not to use personal data to harm national defense, national security, social order and safety or infringe upon the life, health, honor, dignity and property of others. These are the harms that any country is very concerned about.
Seventh, for location and biometric data
Biometric data is data on a person's distinctive, stable physical attributes and biological characteristics, used to identify that person. This can be said to be the most specific data of a person. Therefore, under the PDPL, this personal data may be collected only with consent or at the request of the competent authority. In the process of collecting, storing and processing, organizations must apply strict data security measures. In addition, regarding location data, individuals and organizations are not allowed to apply location tracking via radio frequency identification cards and other technologies except in some special cases.
Finally, for audio and video recording in public places and public activities
The PDPL allows individuals and organizations to record audio and video in public places and public activities without obtaining permission from the personal data subject but must not harm the honor, dignity and reputation of the personal data subject.
In addition, the Law also stipulates that personal data obtained from audio and video recording activities in public places and public activities may only be stored for the period necessary to serve the purpose of collection, unless otherwise provided for by law. Upon the expiration of the storage period, personal data must be deleted or destroyed.
We believe that, for public spaces, the regulations are open yet leave enough space and basis to protect the rights of personal data subjects. At the same time, this regulation creates favorable conditions for creative and entertainment activities, which are on the rise in Vietnam's development.
Overview of the Drafting Session of the Law on Personal Data Protection. Source: National Assembly
3. Impact of the PDPL
3.1. For individuals who are the owners of personal data
The law gives each citizen more control, helping each individual to proactively protect their information in online transactions, financial services, advertising and social networks. The regulations on consent and the right to withdraw consent ensure that people have a say in how their data is used and processed after it has been used. This may be the biggest difference compared with the period before the PDPL was promulgated, or rather before Decree 13/2023/ND-CP changed the perception of individuals and organizations in Vietnam. In addition, strict sanctions for violations will create a safer environment, minimizing the risk of data leakage or misuse.
3.2. For affected enterprises, organizations and individuals
Businesses, especially those operating in technology, finance, advertising, and social media, will have to invest heavily in security and legal compliance systems. Moreover, regulations on impact assessment and cross-border data transfer can increase operating costs, but at the same time create a level playing field and enhance the reputation of businesses that comply well. For small businesses and start-ups, the 5-year deferral is a significant support, helping to reduce financial pressure in the early stages. In general, organizations, and businesses in particular, will face more "pressure" to protect personal data when doing business in Vietnam in the coming time. But no matter what, this is an irreversible policy in the current context of Vietnam and the world.
3.3. For state management
The law strengthens the role of the Ministry of Public Security in the management of personal data, and promotes international cooperation in data protection and prevention of cross-border violations. State agencies will need to build effective inspection, supervision and sanctioning mechanisms, and improve human and technological capacity to meet the requirements of the new legal framework for personal data protection. The implementation of the PDPL in the early stages may be a significant challenge. But with the initiative and flexibility of the management agency, the Ministry of Public Security hopes that the implementation of these regulations will soon become stable and show effectiveness in practice.
The PDPL 2025 is an important step forward in the journey to build a safe and transparent digital space in Vietnam. With quite progressive regulations on the rights of data subjects, responsibilities of stakeholders and sanctions, the Law not only protects the interests of citizens but also promotes the responsibility of businesses and state agencies in this new activity. In the context of global digital transformation, this is a testament to Vietnam's commitment to protecting privacy and integrating with international standards. The effective implementation of this Law will be the key for Vietnam to build a sustainable and reliable digital economy.
Lawyer Nguyen Van Phuc
HM&P Law Firm