On 26 June 2025, the National Assembly of the Socialist Republic of Vietnam formally adopted the country’s inaugural Personal Data Protection Law (“PDPL”) with an overwhelming majority vote of 90.59% in favour, no dissenting votes, and 0.41% abstentions. The PDPL shall officially enter into force on 1 January 2026.
The enactment of the PDPL aligns Vietnam’s legal framework on personal data protection with prevailing international trends, following the path set by the European Union’s General Data Protection Regulation (“GDPR”) and comparable legislation in jurisdictions such as Singapore, Japan, and the Republic of Korea. The passage of this legislation evidences the State’s heightened recognition of the critical importance of safeguarding personal data in the digital age and its commitment to comprehensive data governance.
Key Provisions and Relationship with Decree No. 13/2023/ND-CP
The PDPL introduces a number of significant substantive provisions which, in various respects, enhance and expand upon the existing Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”). Notably, the PDPL provides for clearer and more detailed definitions of personal data, delineates broader rights for data subjects, and imposes differentiated compliance obligations on enterprises, depending on their scale of operations.
While many core principles — including the consent-centric approach — are preserved under the new regime, the PDPL establishes more robust prohibitions and prescribes stricter sanctions for violations. At present, it remains unclear whether the PDPD will be repealed upon the effective date of the PDPL. It is expected, however, that the Government will promulgate a new implementing decree to provide detailed guidance on the PDPL’s provisions. Until such time, the PDPD is likely to remain operative.
Salient Features of the PDPL
Key highlights of the PDPL include the following:
- Prohibited Acts and Penalties:
The PDPL sets out expanded lists of acts prohibited in relation to the processing of personal data. Infringements may give rise to administrative sanctions or, where applicable, criminal liability. Notably:- The sale or purchase of personal data is subject to an administrative fine of up to ten times the unlawful gain derived from the breach.
- Violations concerning cross-border transfers of personal data may attract a fine of up to five percent (5%) of the infringing entity’s total revenue in the preceding fiscal year.
- Other violations are subject to fines of up to VND 3 billion.
- In the case of individual offenders, applicable fines are capped at fifty percent (50%) of the amounts prescribed for organisations.
- Consent and Lawful Bases for Processing:
The PDPL maintains the PDPD’s consent-based model as the principal basis for processing personal data, while introducing additional exemptions to facilitate certain legitimate processing activities. - Obligations for Micro, Small, Medium, and Large Enterprises:
Micro-enterprises and household businesses are wholly exempted from obligations such as preparing Data Protection Impact Assessments (“DPIAs”) and appointing Data Protection Officers (“DPOs”). Small enterprises and startups may, at their discretion, defer compliance with these requirements for up to five years (extended from the previous two-year period under the PDPD).
By contrast, medium and large enterprises are expressly required to designate at least one in-house personal data protection specialist with relevant legal or technical expertise. - Validity of Prior Consents and Assessments:
Consents validly obtained under the PDPD shall remain valid under the PDPL. Similarly, DPIAs and Transfer Impact Assessments (“TIAs”) already prepared and submitted pursuant to the PDPD shall continue to have effect but may require updates to ensure full alignment with the PDPL. - Definitions of Personal Data:
The PDPL provides for more granular classifications of personal data into “basic personal data” and “sensitive personal data”, with further details to be elaborated by subordinate legislation. - Cross-Border Transfers:
The requirements for conducting TIAs for cross-border transfers remain largely unchanged; however, new exemptions have been introduced, for example, for employee data stored in the cloud or where data subjects themselves voluntarily transmit their data abroad.
Outlook and Recommendations
The enactment of the PDPL marks a significant milestone in the development of Vietnam’s legal framework for personal data protection. Enterprises operating in Vietnam are strongly encouraged to undertake a comprehensive review of their data processing practices and to prepare for timely compliance with the new law.
Given that a number of substantive provisions under the PDPL will require further guidance from competent authorities, businesses should monitor upcoming implementing regulations to ensure that all compliance obligations are met in a timely manner.
How We Can Assist
The legal team at Midland & Partners possesses extensive expertise in advising domestic and foreign organisations on Vietnam’s data protection framework. We stand ready to provide practical, tailored support at every stage of your transition to full compliance under the PDPL.
By Phuong Thao – Associate at Midland & Partners
Related Post
-
Law on inheritance of property in accordance with current law
-
Will the Law on Bidding 2023 address the issue of selecting a pilot business for international football betting?
-
The Government Amended List of Prohibited, Restricted and Conditional Business Goods and Services
-
Incentive Policies for the Development of Self-Produced and Self-Consumed Solar Power
-
Tightening Regulations on Anti-Money Laundering
-
Update and change the new citizen identification information of the legal representative