Introduction
On 26 June 2025, the National Assembly approved the long-awaited Law on Personal Data Protection (“PDP Law”). The PDP Law, which comes into operation on 1 January 2026, is the first formal law dedicated specifically to personal data protection, elevating the subject beyond a government decree (previously Decree 13/2023/ND-CP on protection of personal data (“PDP Decree”)). Please refer to our April 2023 Legal Update titled “Decree on Personal Data Protection Issued” for further information on the PDP Decree. We had previously issued a Legal Update on the proposal for the development of the PDP Law.
As a general note, the PDP Law maintains many of the same principles for protecting personal data as set out in the PDP Decree. However, a number of provisions remain subject to further Government regulations (e.g. by way of decree), particularly on administrative procedures.
Key Features of the PDP Law
- Scope of Application
Like the PDP Decree, the PDP Law applies to both Vietnamese and foreign organisations, agencies and individuals. However, its application to foreign organisations, agencies and individuals is limited to those who directly engage or are involved in the processing of personal data of Vietnamese citizens and of stateless persons of Vietnamese origin residing in Vietnam who have been issued a personal identification certificate.
- Definition of Personal Data
The PDP Law contains a more general definition of “personal data”, comprising digital data or information in other forms that identifies or helps identify a specific individual. It retains the categories of basic personal data and sensitive personal data from the PDP Decree. However, the PDP Law does not go further to regulate the specific types of data that fall within these categories, deferring them instead to future lists to be prescribed by the Government.
- Rights and Obligations of Data Subjects
The PDP Law maintains much the same rights and obligations of data subjects as set out in the PDP Decree, save that specific timelines for handling data subject requests will be the subject of future Government regulations.
- Consent Requirements
Under the PDP Law, consent remains the primary basis for processing personal data. The law, however, simplifies the consent requirements and allows for further details on these requirements to be issued by the Government.
Similar to the PDP Decree, consent under the PDP Law is only valid if it is given voluntarily and where the data subjects clearly understand (i) the types of personal data being processed and the purposes of processing, (ii) the data controller or data controller-processor, and (iii) their rights and obligations. Consent must be provided for each specific purpose.
The exemptions to the consent requirements are largely drawn from the exemptions set out in the PDP Decree. However, the PDP Law now makes it clearer that there is an exemption for processing personal data for the performance of agreements between the data subject and relevant organisations, agencies, or individuals in accordance with the law.
- Sanctions on Violations
Administrative or criminal penalties, as well as liability for damage, can apply to violations of the PDP Law and other applicable personal data protection regulations. The PDP Law sets forth the following maximum monetary fines for violations (which apply to organisations; fines for individuals are halved):
- For violations involving the trading of personal data, up to 10 times the illicit gain, or the statutory maximum set out in the third bullet point below if there is no illicit gain or if the calculated fine is lower than the statutory maximum.
- For violations related to the cross-border transfer of personal data, up to 5% of the violator’s revenue from the preceding fiscal year, or the statutory maximum in the third bullet point below if there is no revenue or if the calculated fine is lower than the statutory maximum.
- For other violations, VND 3 billion.
The Government will further regulate the method for calculating the illicit gains from violations of personal data protection laws. Furthermore, as is usual legislative practice in Vietnam, the Government is expected to pass a separate decree that will regulate the administrative penalties that apply to each relevant violation of the PDP Law.
- Cross-border Transfers of Personal Data
The PDP Law clarifies cases that constitute cross-border transfers of personal data. In particular, such transfers comprise: (i) the transfer of personal data stored in Vietnam to a data storage system located outside of Vietnam; (ii) the transfer of personal data by agencies, organisations, or individuals in Vietnam to entities abroad; and (iii) the processing of personal data collected in Vietnam by agencies, organisations, or individuals in Vietnam or abroad using platforms located outside of Vietnam.
The PDP Law still requires a data transferor to prepare and retain a cross-border personal data transfer impact assessment (“TIA”), and to submit this TIA to the data protection authority within 60 days from the initial date of the cross-border personal data transfer. However, this requirement does not apply to (i) transfers conducted by state authorities, (ii) storage of employee personal data on cloud platforms by organisations or agencies, (iii) cross-border transfers carried out by the data subjects themselves, and (iv) other cases as may be further specified by the Government.
The TIA is required only once for the full operational duration of the transferor, but it must be updated every six months (if there are any changes) or immediately in specific cases set out in the law. The Government will issue further guidance on transfer cases, exemptions, stoppage, procedural steps, required documentation, and conditions that trigger updates to the TIA.
- Impact Assessment of Personal Data Processing
The PDP Law maintains the same requirement for data controllers or controller-processors to prepare and retain a personal data processing impact assessment (“PDPIA”), and to submit this PDPIA to the data protection authority within 60 days from the commencement of personal data processing.
This requirement does not apply to state agencies. The data processor must prepare and retain the PDPIA carried out on behalf of the data controller. The remaining provisions relating to the PDPIA mirror those applicable to the TIA.
- Impact Assessments Carried out under Other Laws
Organisations and individuals will not be required to conduct risk assessments and cross-border personal data transfer impact assessments under the laws on data if they have already conducted the TIA and PDPIA pursuant to the PDP Law.
- Data Breach Notification
Data controllers, controller-processors, and third parties are required to notify the data protection authority within 72 hours of detecting any violation of personal data protection regulations that may impact national defence, security, public order, or the life, health, honour, dignity, or property of data subjects.
Upon detecting such violations, data processors must promptly inform the data controller or controller-processors.
Data controllers and controller-processors must also prepare a formal record of the violation and cooperate with the data protection authority in handling the violation.
The PDP Law does not regulate the specific breach notification procedures or contents. Instead, this will be subject to further guidance by the Government.
- Protection of Personal Data of Children and Vulnerable Individuals
The legal representative will exercise the rights of data subjects on behalf of children, persons with limited or lost legal capacity, and those with cognitive or behavioural difficulties.
When processing personal data of children aged seven years or older to the extent there is disclosure of their personal life and secrets, the consent of the legal representative and the child will be needed.
- Protection of Personal Data in Recruitment, Management and Use of Employees
The PDP Law introduces specific regulations in the employment sector.
In recruitment, employers must only collect information necessary for the recruitment purpose in accordance with the law, with the candidate’s consent, and must delete such data if the candidate is not hired (unless otherwise agreed).
For employee monitoring in the workplace, the use of technology for this purpose must be lawful, respect the rights and interests of employees, and be transparently communicated. Employers must not process or use any data collected through unlawful methods.
- Specific Sectoral Regulations
The PDP Law now introduces several obligations on the protection of personal data processed in various sectors, including the following:
- financial, banking, and credit information activities;
- healthcare;
- advertising;
- social media and online communication platforms; and
- big data, artificial intelligence, blockchain, virtual reality, and cloud computing.
- Processing of Location and Biometric Data
The PDP Law contains specific rules for processing location and biometric data.
For location data, tracking through radio-frequency identification tags or other technologies is not allowed unless (i) the data subject has consented, (ii) there is a lawful request from a competent authority, or (iii) otherwise prescribed by law. Mobile application providers must notify users of the use of their location data, implement safeguards to prevent unrelated parties from collecting such data, and offer users location tracking options.
For biometric data, entities that collect and process such data must (i) implement physical security measures for devices that store or transmit such data, (ii) limit access rights, (iii) maintain monitoring systems to detect potential breaches, and (iv) comply with applicable laws and international standards.
- Personal Data Protection Services and Personal Data Processing Services
Organisations must designate internal departments and personnel with sufficient capacity in personal data protection, or engage external organisations and personnel providing personal data protection services.
The PDP Law specifies that the Government will provide further guidance on the required qualifications and duties of internal data protection departments and personnel in organisations, of organisations and individuals providing personal data protection services, and of personal data processing services.
- Enforcement and Transitional Regulations
The PDP Law takes effect on 1 January 2026.
For small enterprises and start-ups, however, there is a five-year grace period for compliance with the obligations regarding the PDPIA, the updating of the PDPIA and TIA, and the designation of a dedicated department or personnel with qualified data protection capabilities or of personal data protection service providers. Household businesses and micro-enterprises are exempt from these obligations altogether.
However, subject to further Government guidance, the exemption does not apply if these businesses engage in personal data processing services, directly process sensitive personal data, or process personal data of a large number of data subjects.
Further Information
Please feel free to reach out to our contact partners should you have queries on the above development.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.