I. Current Status of Vietnam’s Personal Data Protection Regulatory Framework

In June 2025, Vietnam officially passed the Personal Data Protection Law (PDPL), marking the establishment of a unified, nationwide legal framework for personal data protection. This law, set to take effect on January 1, 2026, is Vietnam’s most stringent and comprehensive privacy legislation to date, replacing Decree No. 13/2023/NĐ-CP (PDPD) issued in 2023. Vietnam’s personal data protection regime currently operates under a “multi-track” system, with the PDPL as the foundational law, supplemented by the Cybersecurity Law, the 2024 Data Law, and specific sectoral regulations. Notably, the Cybersecurity Law continues to impose binding requirements on cross-border data transfers, data localization, and cybersecurity responsibilities, while the Data Law establishes frameworks for “data ownership” and “national data resources,” complementing the governance of non-personal data.

The PDPL builds on the PDPD framework and introduces the following key provisions:

• Clear Penalties: Fines for buying or selling personal data can reach up to 10 times the illegal proceeds. Violations of cross-border data transfer rules may incur fines of up to 5% of the previous fiscal year’s revenue. Other violations may face fines of up to VND 3 billion (approximately USD 115,030). Penalties for individuals are set at half the amount imposed on organizations.
• Introduction of “Legitimate Rights and Interests”: This serves as a legal basis for data processing but is interpreted more narrowly than the “legitimate interest” concept in the GDPR.
• Exemptions for Small Businesses: Individual business households and micro-enterprises are exempt from certain requirements.

II. Detailed Analysis of Key Provisions

1. Scope and Definitions

The PDPL has a broad scope, applying not only to organizations, agencies, and individuals established in Vietnam but also to foreign entities processing personal data of Vietnamese citizens or long-term residents, regardless of their location. This means that businesses without a presence in Vietnam are subject to the law if they process data of Vietnamese individuals or residents. The law categorizes personal data into “basic data” and “sensitive data,” with the government tasked with defining lists for both. Sensitive data includes health information, biometric data, children’s data, geolocation, political and religious affiliations, and financial account details, with stricter processing thresholds and compliance requirements for these categories.

2. Legal Basis for Processing and Consent Mechanism (Article 9)

The PDPL maintains the requirement for obtaining data subject consent but allows processing without consent in specific cases, such as fulfilling contracts, complying with legal obligations, protecting the data subject’s life or health, performing national tasks, or pursuing “legitimate rights and interests.” The “legitimate rights and interests” provision, akin to GDPR’s Article 6(1)(f) “legitimate interests” basis, is narrowly interpreted in Vietnam, applicable only when consent is unobtainable and the impact on the data subject is minimal, with a higher burden of proof on data controllers.

Regarding consent, the PDPL mandates that it be explicit, specific, and obtained in writing or electronically for each distinct processing purpose. Implied consent, inaction, pre-checked boxes, or failure to read notices do not constitute valid consent.

3. Impact Assessment Mechanisms (Articles 21–22)

The PDPL introduces two key assessment mechanisms for data controllers: the Data Processing Impact Assessment (DPIA) and the Transfer Impact Assessment (TIA).

• DPIA (Article 21): Applies to any collection, storage, analysis, transfer, disclosure, or deletion of personal data. Data controllers and processors must prepare and submit a DPIA to the competent authority within 60 days of initial data processing, updating it every six months or upon significant changes in processing activities. Exemptions apply in specific cases outlined in Article 21(6). The authority may request corrections if the DPIA is incomplete or non-compliant. State agencies are exempt from DPIA requirements. The government will specify the content, conditions, procedures, and formalities for DPIAs.
• TIA (Article 22): Required for cross-border data transfers, unless exemptions apply (e.g., employee data stored in cloud services or data subjects actively transferring their data abroad). TIA reports must include details such as the recipient’s identity, the legal protections in the receiving country, data types, encryption measures, storage duration, and complaint mechanisms. Updates are required every six months or immediately in cases such as organizational restructuring, dissolution, bankruptcy, changes in data protection services, or modifications to registered data-related activities. Updates must be submitted via the National Personal Data Protection Information Platform or directly to the competent authority.

4. Data Subject Rights and Reporting Obligations (Articles 4, 23)

The PDPL grants data subjects nine core rights: access, correction, deletion, consent withdrawal, processing restriction, data portability, objection to processing, filing complaints, and seeking compensation. Data controllers must establish internal mechanisms to receive and promptly address data subject requests. In case of a data breach, controllers must report to the personal data protection authority within 72 hours of discovery. They are also required to maintain data processing logs, record cross-border activities, and establish data lifecycle management policies.

5. Specific Environments and Industry Rules (Articles 24–31)

The PDPL includes tailored provisions for specific industries and data types. For example:

• Children’s Data: Data of children under 7 requires parental consent, while data of children over 7 requires both parental and child consent.
• Health, Financial, and Advertising Data: These require explicit written authorization, with accessible opt-out and do-not-track options.
• Social Media Platforms: Must publish data processing policies and accept user complaints regarding personal data handling.

6. Sanctions and Transitional Arrangements (Articles 8, 39)

• Penalty Framework: Administrative fines for buying or selling personal data can reach 10 times the illegal proceeds or the maximum fine if no proceeds are identified. For cross-border data transfer violations, fines can reach 5% of the previous year’s revenue or the maximum fine if revenue is unavailable. Other violations in personal data protection face fines up to VND 3 billion, with individual fines set at half the organizational amount.
• Transitional Policy: Micro-enterprises and startups may opt out of Articles 21, 22, and 33(2) for five years after the law’s effective date, except for businesses providing personal data processing services, handling sensitive data, or processing large volumes of data.

III. Compliance Recommendations for Enterprises Expanding Abroad

The PDPL has broad applicability and strong enforcement. Enterprises should:

1. Assess Applicability: Determine if they are subject to the PDPL by processing data of Vietnamese data subjects, then classify data to identify sensitive or special categories.
2. Establish Consent Mechanisms: Ensure independent authorization for each processing purpose, with privacy policies clearly outlining processing methods, purposes, recipients, duration, and complaint channels.
3. Implement DPIA and TIA Processes: Complete and submit reports within 60 days of initiating processing or cross-border transfers, updating them regularly as business activities change.
4. Address Data Localization: For industries subject to the Cybersecurity Law (e.g., e-commerce, social media, OTT services, gaming, or payments), establish a local representative office and comply with data localization requirements. Even if exempt from TIA (e.g., employee data in cloud services), maintain supporting documentation.
5. Enhance Data Security: Implement encryption, access controls, physical isolation, audit logs, and anomaly detection for sensitive data. Establish a data breach response mechanism to meet the 72-hour reporting and notification obligation.
6. Manage Contracts: Sign written agreements with service providers, advertisers, or cloud providers, specifying data processing rights, purposes, responsibilities, restrictions on further processing, data destruction, and transfer controls to ensure PDPL compliance and mitigate risks from onward transfers.