Vietnam: Introduction to Law on personal data protection
We published a newsletter regarding Introduction to Law on personal data protection in Vietnam. To view PDF version, please click the following link.
→Introduction to Law on personal data protection
<Introduction to Law on personal data protection>
19th August, 2025
One Asia Lawyers Vietnam Office
I. Introduction
The Law on Personal Data Protection 2025 (“PDPL”) was introduced on 26 June 2025 and is expected to come into effect on 1 January 2026. The PDPL aims to improve the legal framework for personal data protection and to address shortcomings in the implementation of Decree No. 13/2023/NĐ-CP (“Decree 13”), while ensuring consistency with the laws on human rights, citizens’ rights, and cybersecurity. This is intended to establish a solid and harmonized legal foundation for organizations and individuals to fully comply with their obligations and responsibilities when processing personal data.
Compared to Decree 13, the new law adds further prohibited acts and new provisions on the handling of administrative violations concerning personal data protection. It also adds regulations on personal data protection in certain business-related activities, including the protection of employees’ personal data and certain specialized sectors such as insurance, finance, and advertising.
II. New concepts in PDPL
1. Personal data de-identification
The PDPL introduces a new concept, personal data de-identification[1]. Personal data de-identification is the process of altering or deleting information to create new data that cannot identify, or help to identify, a specific individual. Personal data that has been de-identified is not considered personal data. Under the PDPL[2], it is prohibited to re-identify personal data after it has been de-identified.
2. Definition of Personal Data Processing Impact Assessment
Compared to Decree 13, the PDPL provides a clearer definition of a personal data processing impact assessment: the evaluation of potential risks that may arise during the processing of personal data, in order to implement measures to mitigate those risks and protect the data[3]. Beyond the definition, the PDPL does not set out the procedure for conducting a personal data processing impact assessment; this will be detailed by the Government in a future decree.
3. The transfer of personal data
The PDPL also introduces an additional concept related to personal data processing: the transfer of personal data. A transfer of personal data is not considered a sale or purchase of personal data if one of the following conditions is met[4]:
- The data subject has given consent;
- The transfer takes place within the same organization, between departments, for purposes consistent with the original purpose;
- The transfer takes place during organizational changes (e.g., mergers, splits, ownership transfers, or dissolution);
- The transfer is made by data controllers/processors to data processors or third parties for lawful processing;
- The transfer is made upon request from competent state authorities;
- The transfer falls under a case in which personal data may be processed without the consent of the data subject.
III. Prohibited acts and regulations on sanction for violation of PDPL
Compared to Decree 13, three new prohibited acts have been added:
- Using another person’s personal data or allowing others to use one’s own personal data to carry out unlawful acts[5];
- Buying or selling personal data[6];
- Appropriating, intentionally disclosing, or losing personal data[7].
The PDPL also provides for the handling of administrative violations related to personal data protection; depending on the severity of the act, the violator may be subject to administrative or criminal liability.
The PDPL sets out general provisions on strict administrative penalties for two specific violations: buying and selling personal data, and the unlawful cross-border transfer of personal data.
- For the act of buying and selling personal data, the maximum administrative fine is ten times the revenue generated from the violation[8].
- For the unlawful cross-border transfer of personal data committed by an organization, the fine is set at 5% of the organization’s revenue from the preceding year[9].
- The maximum fine for other violations is VND 3 billion[10].
A future government decree will provide specific regulations on each type of violation as well as the corresponding penalties.
IV. Personal Data Protection in Certain Areas of Interest to FDI Enterprises
1. Personal Data Protection in Labor Management
The PDPL provides more detailed regulations on the protection of personal data in the recruitment, management, and use of labor. Notably, organizations that transfer employees’ personal data across borders to cloud-based electronic services for storage are not required to conduct a cross-border data transfer impact assessment[11].
During the recruitment process, enterprises must comply with the following requirements[12]:
- Only request information necessary for recruitment purposes;
- Ensure that any information provided is processed only with the consent of the applicant;
- Delete or destroy the information provided by the applicant if the candidate is not hired, unless otherwise agreed with the applicant.
In the management and use of employees, enterprises must comply with the PDPL, labor laws, and other relevant legal provisions. Employees’ personal data must be stored for the time limit prescribed by law[13] or as agreed upon, and must be deleted or destroyed upon termination of the employment contract[14].
2. Personal Data Protection in Certain Specialized Sectors
2.1. In the healthcare and insurance sector
In addition to complying with the general provisions on personal data protection, agencies, organizations, and individuals operating in the healthcare sector (such as hospitals and clinics) are not allowed to provide personal data to third parties (for example, insurance companies), except where there is a written request from the data subject or in cases where personal data may be processed without the data subject’s consent under the PDPL[15].
2.2. In the finance and banking sector
In addition to complying with the general provisions on personal data protection[16]: (i) credit information of data subjects must not be used for scoring, credit rating, or credit evaluation without the consent of the data subject; (ii) only necessary information may be collected for credit information activities; and (iii) the data subject must be notified in the event of any data breach or loss.
2.3. In the advertising sector[17]
Advertisers must comply with the following requirements when using personal data in advertising:
- Data use limitation: Advertisers may only use personal data obtained lawfully (by agreement or from their own business activities) and must respect the data subject’s rights.
- Lawful data transfer: Data controllers and processors may only share personal data with advertisers in accordance with legal provisions.
- Customer consent required: Personal data may only be used for advertising with the customer’s clear and informed consent, including details about the content, methods, and frequency of advertisements, and a way to opt out.
- Compliance with laws on advertising and anti-spam: Advertising using personal data must follow the laws on spam messages, emails, and calls, and on advertising in general.
- Right to opt out: Data subjects have the right to request that advertising be stopped, and advertisers must provide mechanisms for this and comply with such requests.
- No outsourcing of the entire service: Advertisers may not outsource the entire advertising service using personal data to third parties.
- Accountability: Advertisers must be able to prove compliance with this Article and other relevant laws.
- Behavioral or targeted advertising: (i) personal data for such advertising may only be collected via tracking (on websites or apps) with consent; (ii) users must be able to refuse data sharing, define the storage duration, and request deletion when the data is no longer needed.
V. Conclusion
In light of the upcoming enforcement of the Personal Data Protection Law (PDPL) on 1 January 2026, enterprises must proactively review and update their data processing practices to ensure compliance with the new legal requirements. This includes aligning internal policies with newly introduced concepts such as data de-identification, impact assessments, and cross-border data transfers; strengthening protections for employee and customer data; and preparing for stricter penalties and sector-specific obligations. Early preparation will be essential to minimize legal risks and demonstrate accountability under the new regulatory framework.
—–
[1] Article 2.11 PDPL
[2] Article 14.6 PDPL
[3] Article 2.12 PDPL
[4] Article 17.2 PDPL
[5] Article 7.5 PDPL
[6] Article 7.6 PDPL
[7] Article 7.7 PDPL
[8] Article 8.3 PDPL
[9] Article 8.4 PDPL
[10] Article 8.6 PDPL
[11] Article 20.6.(b) PDPL
[12] Article 25.1 PDPL
[13] According to Appendix I of Circular 10/2022/TT-BNV, the time limit for storing original employee profiles is 70 years; documents on occupational accidents must be stored permanently in serious cases and for 20 years in non-serious cases.
[14] Article 25.2.(c) PDPL
[15] Article 26.2 PDPL
[16] Article 27.1 PDPL
[17] Article 28 PDPL