21 August 2025

Vietnam’s new Personal Data Protection Law No. 91/2025/QH15 (“PDPL”) was passed by the National Assembly on 26 June 2025 and will enter into force on 1 January 2026. The PDPL consolidates data privacy rules currently dispersed across different instruments, most significantly Decree No. 13/2023/ND-CP (“Decree 13”).

The PDPL significantly revises Vietnam’s framework for the protection of personal data, introducing new compliance obligations, substantial administrative sanctions, and sector-specific requirements.

This article summarises some of the PDPL’s key provisions.

Scope

The PDPL regulates personal data, personal data protection, and the responsibilities of relevant agencies, organisations, and individuals. Both the PDPL and Decree 13 differentiate basic personal data from sensitive personal data. Under the PDPL, however, the exact data types covered by each category are left to be specified by the Government instead of being listed in the law itself, providing greater flexibility.

While both Decree 13 and the PDPL apply broadly to Vietnamese and foreign agencies, organisations, and individuals engaged in personal data processing, the PDPL introduces more explicit extraterritorial reach and broader subject coverage. Decree 13 already extended its reach to foreign entities that process the personal data of Vietnamese citizens within or outside Vietnam, but the PDPL expressly captures those involved in processing data of both Vietnamese citizens and persons of Vietnamese origin whose nationality has not been determined but who reside in Vietnam and have been issued identity certifications.

Data de-identification, encryption, and decryption

The PDPL introduces the new concepts of “de-identification of personal data” and “encryption and decryption of personal data”. Personal data de-identification refers to the process of altering or deleting information so as to produce data that cannot be used to identify, or assist in identifying, a specific individual. Personal data encryption refers to the process by which data is converted into a format that is unreadable without decryption. In this regard, the PDPL provides that while de-identified personal data will no longer be regarded as personal data, encrypted personal data (which remains recoverable by decryption) continues to be categorised as personal data. Organisations should therefore not treat encryption alone as a means of taking data outside the scope of the PDPL.

Consent

The PDPL maintains the consent-centric model utilised in Decree 13 but tightens it by providing that consent for the processing of personal data must be voluntary, informed, and specific to each processing purpose. It explicitly prohibits bundling unrelated services with consent.

The PDPL introduces a new lawful basis for personal data processing without consent, stipulating that this is possible where it is necessary to protect “the life, health, honour, dignity, and legitimate rights and benefits of the personal data subject” or to “respond to emergencies or threats to national security”. These thresholds appear to be considerably higher than the “legitimate interests” threshold under the European Union’s General Data Protection Regulation (GDPR), which permits a broader balancing of organisational needs against data subject rights.

Data processing impact assessments

The requirements for a data processing impact assessment (“DPIA”) set out in the PDPL are largely similar to those set out in Decree 13 with entities required to submit a DPIA to the specialised data protection authority within 60 days of the commencement of personal data processing.

Cross-border transfer impact assessment

An overseas transfer impact assessment (“OTIA”) must be prepared and submitted within 60 days of the initiation of the cross-border transfer. As under Decree 13, the requirement to prepare and submit an OTIA is separate and distinct from the requirement to prepare and submit a DPIA. However, certain exemptions to the OTIA requirement apply, such as where the transfer is initiated by the data subject or where employee data is stored in the cloud.

Permitted data transfers

The PDPL specifies the circumstances in which the transfer of personal data is permitted, including:

  • transfers upon obtaining the data subject’s consent;
  • sharing personal data between departments within the same agency or organisation for processing in line with intended purposes;
  • transfers by personal data controllers or by personal data controllers and processors to personal data processors or third parties for lawful processing;
  • transfers arising from restructuring, such as mergers or reorganisations;
  • transfers made at the request of relevant authorities; and
  • transfers where the law allows for the processing of personal data without the data subject’s consent.

The PDPL expressly provides that transfers of personal data in the above circumstances will not be regarded as the sale and purchase of personal data, regardless of whether the transfers involve payment. There is a degree of ambiguity in these provisions, and it remains unclear whether the list of permitted transfers is intended to allow certain transfers (e.g. those arising from a merger) even where the consent of the data subject has not been obtained. The Vietnamese Government is expected to provide further guidance on these provisions.

Sector specific

The PDPL introduces more detailed rules tailored to sectors perceived to be high-risk. The table below sets out some of these rules.

Employment, Recruitment

  • Only data relevant to recruitment can be collected
  • Candidate consent is required for processing
  • Candidate data must be deleted if the person is not hired, unless mutually agreed otherwise
  • Employees’ personal data must be retained as required by law or agreement
  • Such data must be deleted or destroyed upon contract termination, unless otherwise required by law or agreement

Healthcare, Insurance

  • Consent is mandatory for health data processing (limited exceptions apply)
  • Reinsurers must include data transfer terms in customer contracts if they transfer customer personal data to partners

Banking, Finance

  • Credit information cannot be used for scoring without explicit consent
  • Only personal data necessary for credit information activities may be collected, and only from appropriate sources of information in accordance with the law

Advertising

  • Personal data may only be collected via digital platforms with the data subject’s consent
  • There must be measures allowing data subjects to refuse data sharing, defined retention periods, and deletion of data when it is no longer needed
  • Advertising providers must not delegate or sublease personal data-related services to third parties

Social media

  • Platforms must allow users to opt out of tracking
  • Surreptitious audio or message access is prohibited

AI, Big data, Cloud, Blockchain

  • Systems must have security and ethical controls embedded


Administrative sanctions

The PDPL sets out ceilings on the penalties for breach of its provisions (such ceilings were notably absent in Decree 13), imposing a cap for each of the following types of violation:

  • Illicit trading of personal data attracts a penalty of up to 10 times the illegally obtained revenue;
  • Violations relating to cross-border transfers attract fines of up to 5% of annual revenue; and
  • General violations other than the above are subject to a fine of up to VND3 billion (approximately US$115,000).

Transitional provisions

Activities based on consent and impact assessments lawfully initiated under Decree 13 may continue under the PDPL. Consent already obtained under Decree 13 remains valid and does not need to be re-obtained under the PDPL. DPIAs and OTIAs submitted under Decree 13 also remain valid, although any updates made after 1 January 2026 must comply with the PDPL’s requirements.