Vietnam's New Personal Data Protection Law: Key Updates for Businesses

The Personal Data Protection Law (PDPL), officially Law No. 91/2025/QH15, was passed by the National Assembly on June 26, 2025, and is set to take effect on January 1, 2026. Building upon Decree No. 13/2023/ND-CP (PDPD), the PDPL introduces a more robust and comprehensive framework designed to enhance individual privacy rights and impose stricter obligations on entities processing personal data. Given the upcoming effective date and the anticipated issuance of further detailed government guidance, proactive assessment and implementation of compliance measures are critical.

Vietnam’s PDPL, effective Jan 1, 2026, brings stricter rules for personal data, consent, cross-border transfers, and heavy fines. Learn how to stay compliant now.


What's New in Personal Data Definitions?

The PDPL largely maintains the core definitions of "personal data" (information linked to or identifying an individual) and its classification into "general" and "sensitive" categories, as established in Decree 13. However, the PDPL introduces important clarifications and new concepts:

  • Refined Extraterritoriality: The PDPL provides greater clarity on its application to foreign organizations not based in Vietnam. It applies when they directly process or are involved in processing personal data of Vietnamese citizens or persons of Vietnamese origin with undetermined nationality residing in Vietnam and issued identification cards. This refines the broader extraterritorial scope of PDPD.

  • Personal Data Processing: This term encompasses a wide range of activities related to personal data. It includes collecting, recording, analyzing, verifying, storing, altering, disclosing, combining, accessing, retrieving, erasing, encrypting, decrypting, copying, sharing, transmitting, providing, and transferring data. This broad definition ensures that virtually any interaction with personal data falls under the purview of the law.

  • De-identification Mechanism: A notable new concept is the detailed regulation of "de-identification" of personal data. This is defined as altering or removing information to create a new dataset that cannot identify a specific individual. This mechanism was not explicitly detailed in PDPD.


Obligations for Businesses to Comply

The PDPL imposes a comprehensive set of new and enhanced obligations on businesses:

  • Stricter Consent Requirements: The consent-centric approach remains, but consent must be freely given, specific, informed, unambiguous, and expressed through a clear affirmative action in a verifiable format (printable or electronic). Silence or non-response does not constitute valid consent. Data controllers must immediately cease processing upon withdrawal of consent.

  • Mandatory Impact Assessments:

    • Data Protection Impact Assessments (DPIA): Required for any high-risk processing. Reports must be prepared and retained within 60 days of commencing processing and updated every six months or upon significant changes.

    • Outbound Transfer Impact Assessments (OTIA/DTIA): Mandatory for cross-border data transfers. Reports must be submitted to the Ministry of Public Security (MPS) within 60 days of the first transfer and updated every six months or upon business changes. There are limited exemptions for OTIAs, such as for cloud services for employee data.

    • "Core" and "Important" Data: The broader "Data Law" (Law No. 60/2024/QH15, effective July 1, 2025) introduces stricter regulations for cross-border transfers of "core data" and "important data," which may require government approval or security assessments.

  • Data Protection Personnel: Controllers and processors must designate qualified individuals or departments (Data Protection Officer/DPO) to oversee data privacy compliance. External individuals or entities can be hired for these services. This is a more stringent requirement than PDPD.

  • Prohibited Acts and Security: The PDPL explicitly prohibits processing data to oppose the State, unlawful use, or buying/selling personal data (with limited exceptions). Businesses must implement adequate technical and organizational safeguards and perform cybersecurity checks.

  • Sector-Specific Regulations: The PDPL introduces detailed obligations tailored to specific sectors, including employment, healthcare, insurance, finance, advertising, social media platforms, online media, big data, AI, blockchain, metaverse, and cloud computing.

  • Significant Administrative Sanctions: The PDPL introduces substantial administrative fines:

    • Unlawful Personal Data Trading: Up to 10 times the revenue gained from the violation, or up to VND 3 billion (approx. US$115,000).

    • Cross-Border Data Transfer Violations: Up to 5% of the previous year's revenue, or up to VND 3 billion.

    • Other Violations: Up to VND 3 billion.

    • Individuals face maximum fines capped at half the amount for legal entities.


Action Plan for Companies

Given the January 1, 2026, effective date, proactive preparation is crucial.

  1. Assess and Map Data (Data Audit): Conduct a comprehensive data audit to map how personal data is collected, processed, stored, shared, and retained. Identify data types, purposes, legal bases, and retention periods. Document all internal and cross-border data transfers and perform a gap analysis against PDPL requirements.

  2. Update Policies and Processes: Revise privacy notices and consent forms for clarity and compliance. Develop or update internal data protection policies and create robust procedures for handling data subject requests. Review and update data processing agreements with third parties.

  3. Implement and Train: Designate a DPO or data protection department. Conduct mandatory DPIAs and OTIAs, establishing a schedule for regular updates. Enhance security measures and perform regular cybersecurity checks. Provide mandatory and ongoing training for all personnel to foster a "privacy-first culture".

  4. Monitor and Review: Establish ongoing compliance monitoring, with regular reviews and audits. Actively monitor for further clarification and guidance from the Vietnamese government, as many provisions await detailed decrees. Integrate privacy-by-design principles into new systems and services.


Suggestions for Multinational Corporations (MNCs)

MNCs with GDPR compliance frameworks will find parallels but must be mindful of distinct local nuances.

  • "GDPR-plus-Local-Nuances" Approach: While both GDPR and PDPL have extraterritorial reach and grant data subject rights, the PDPL's specific focus on Vietnamese citizens/residents, more prescriptive consent requirements (e.g., verifiable format), and stricter DPO mandates (compared to PDPD) necessitate a tailored approach and a closer look to local terms should be taken into account.

  • Cross-Border Transfer Complexity: The PDPL's mandatory OTIAs and the potential for government approval for "core" or "important" data transfers under the broader Data Law add layers of complexity. MNCs must navigate these additional local requirements, which may complicate existing global data transfer frameworks.

  • Data Localization Trend: The PDPL's restrictions on cross-border data transfers, especially for "core" or "important" data, align with a broader trend of data localization laws emerging across Southeast Asia. This implies that MNCs operating in the region will increasingly face a complex patchwork of data transfer regulations, potentially requiring localized data infrastructure.

  • Local Legal Counsel: The nuanced interpretation of Vietnamese law, the need for proactive engagement with authorities (implied by filings), and the potential for severe consequences necessitate specialized external legal expertise to ensure robust and future-proof compliance.


Conclusion

Vietnam's new Personal Data Protection Law marks a significant milestone in the country's regulatory development, reflecting a global trend towards stronger data privacy. While the PDPL introduces a robust and complex set of obligations, it also presents an opportunity for businesses to build deeper trust with their customers and stakeholders. By proactively assessing their data practices, implementing comprehensive compliance measures, and seeking expert legal guidance, companies can not only mitigate significant legal and financial risks but also transform data privacy into a strategic advantage in Vietnam's rapidly evolving digital economy. The time to act is now, to ensure readiness for January 1, 2026, and beyond.


Van Pham LLC