On June 26, 2025, Vietnam adopted Law No. 91/2025/QH15 on personal data protection (“LPDP”). The LPDP incorporates provisions from Decree 13/2023/ND-CP on Personal Data Protection (“Decree 13”), which has served as Vietnam’s primary legal framework for personal data protection since July 1, 2023. If a company is already in compliance with Decree 13, significant changes to its core data governance are not required. A company may, however, have to change its data practices in certain fields, notably marketing and AI. A review of personal data-related activities is essential, as the LPDP introduces a 6-month update cycle for required impact assessments, with higher fines and anticipated heightened inspections where failure to comply is suspected.
De-identification of personal data
The LPDP introduces “de-identified data,” defined as information that has been altered or expunged so that no individual can be identified. Once data meet this threshold, they fall outside the LPDP’s scope. Comparable constructs exist abroad (for example, ‘anonymized data’ under the Singapore Personal Data Protection Act and ‘anonymously processed information’ under the Japan Act on the Protection of Personal Information). However, Vietnam’s approach is notably different in that it omits any intermediate, pseudonymized category that would allow reversible linkage under controlled conditions.
Although “de-identified data” (anonymized data) is exempt from substantive LPDP obligations, Article 14(6) imposes stringent restrictions on the act of de-identification itself: documented procedures, periodic audits, and a prohibition on re-identification. This model mirrors Singapore’s and Japan’s regimes and is more prescriptive than the GDPR, under which anonymization practice is largely left to industry guidance.
The LPDP makes the entity performing de-identification accountable for any risk that arises before processing and implicitly shifts post-processing risk to data controllers who continue to hold or exploit the data. Practical take-aways for companies working with this new concept include:
- Adopt a recognized risk methodology (for example, ISO/IEC 20889 or the NIST De-Identification Framework) to demonstrate a defensible anonymization process.
- Continuously monitor auxiliary datasets and breaches. A single leaked database, such as telecom metadata, can render previously de-identified datasets re-identifiable.
- Institute a review cycle for de-identified data, aligning with mandatory refresh intervals for data processing impact assessment and offshore data transfer impact assessment.
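The second and third take-aways above can be turned into a concrete, repeatable check. The following Python is an added illustration, not text or code from the article or from Russin & Vecchi: it measures the k-anonymity of a de-identified extract over its quasi-identifiers, then re-runs the measurement treating an attribute that has since become linkable (for example, through a leaked third-party database) as an additional quasi-identifier. The record set, the column names (zip, birth_year, sex, plan) and the threshold k_min=3 are all constructed assumptions chosen for illustration; a real review would use the organization's own data and the threshold set under its chosen methodology (ISO/IEC 20889 or the NIST framework).

```python
from collections import Counter

# Constructed sample extract (all values invented). Direct identifiers have been
# removed; the remaining columns are quasi-identifiers. "plan" is assumed NOT to
# have been publicly linkable when the extract was originally de-identified.
RECORDS = [
    {"zip": "700000", "birth_year": 1985, "sex": "F", "plan": "gold"},
    {"zip": "700000", "birth_year": 1985, "sex": "F", "plan": "silver"},
    {"zip": "700000", "birth_year": 1985, "sex": "F", "plan": "gold"},
    {"zip": "100000", "birth_year": 1990, "sex": "M", "plan": "gold"},
    {"zip": "100000", "birth_year": 1990, "sex": "M", "plan": "gold"},
    {"zip": "100000", "birth_year": 1990, "sex": "M", "plan": "silver"},
    {"zip": "550000", "birth_year": 1978, "sex": "M", "plan": "gold"},
    {"zip": "550000", "birth_year": 1978, "sex": "M", "plan": "gold"},
    {"zip": "550000", "birth_year": 1978, "sex": "M", "plan": "gold"},
]

# Quasi-identifiers assumed at the time of the original de-identification.
BASE_QIS = ("zip", "birth_year", "sex")


def equivalence_classes(records, quasi_identifiers):
    """Group records by their combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest equivalence class: every record shares its
    quasi-identifier combination with at least k-1 other records."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def records_below_threshold(records, quasi_identifiers, k_min):
    """Number of records whose quasi-identifier combination occurs fewer than
    k_min times, i.e. the records most exposed to linkage."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sum(n for n in classes.values() if n < k_min)


def periodic_review(records, base_qis, newly_linkable, k_min):
    """Re-run the k-anonymity check for a review cycle, treating attributes that
    have become linkable through auxiliary data as additional quasi-identifiers.
    Returns the k before and after, whether the extract still meets k_min, and
    how many records fall below it."""
    expanded_qis = tuple(base_qis) + tuple(newly_linkable)
    k_before = k_anonymity(records, base_qis)
    k_after = k_anonymity(records, expanded_qis)
    return {
        "k_before": k_before,
        "k_after": k_after,
        "passes": k_after >= k_min,
        "at_risk_records": records_below_threshold(records, expanded_qis, k_min),
    }


if __name__ == "__main__":
    # Example review: "plan" is now assumed to be linkable via leaked auxiliary data.
    print(periodic_review(RECORDS, BASE_QIS, ["plan"], k_min=3))
```

On the constructed data the extract is 3-anonymous over the original quasi-identifiers, but once plan is treated as linkable the smallest class shrinks to a single record and six of the nine records fall below the threshold. That drop, not the passage of time alone, is the signal that the de-identified dataset needs re-processing or withdrawal before the next mandatory refresh of the impact assessments.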
Impact Assessments and Data Protection Officer
The requirement to prepare, submit and maintain a data processing impact assessment (“DPIA”) and an offshore data transfer impact assessment (“DTIA”) remains unchanged in the LPDP. The DPIA and DTIA must be updated every 6 months if there is any change, or immediately upon the occurrence of any of the following circumstances:
- Corporate restructuring or cessation: The agency, organization, or unit is reorganized, ceases operations, is dissolved, or is declared bankrupt;
- Change of service provider: There is any change in the information of the individual or organization that provides personal data-protection services;
- Expansion or amendment of business scope: Introduction or amendment of a business line that concerns the processing of personal data as previously recorded in the DPIA or DTIA.
The LPDP waives the DTIA requirement where the data subject personally transmits his or her own data overseas (for example, a data subject uses services provided by an offshore entity).
Under Decree 13/2023, organizations handling sensitive data merely had to establish a data-protection function and designate responsible personnel, without qualifying standards or an explicit compliance framework. Earlier LPDP drafts introduced demanding requirements and conditions applying to data protection officers and to the provision of data protection or data processing services, but that language has been omitted from the final text. The LPDP simply states that these matters will be addressed in forthcoming secondary instruments, which will detail the qualifications and responsibilities of data-protection officers and departments as well as the conditions for providing data protection or data processing services.
Sector-Specific Personal Data Protection
Section 2 of the LPDP sets out supplemental data-protection requirements that apply to particular sectors or activities. These provisions contain high-level, generic language and must be read in conjunction with related sectoral legislation; further Government guidance is expected. Below is an overview of the rules in the LPDP that are not presently addressed in existing sectoral statutes.
- Human Resources: Personal data collected during recruitment must be erased if the applicant is not hired, unless the applicant has expressly agreed otherwise. Data gathered throughout the employment relationship must be deleted upon termination except where legal retention is required. During employment, an employer may deploy lawful technological or technical monitoring tools, provided that employees are informed of their use.
- Advertisements: Processing customer data for advertising purposes is permissible only with the customer’s consent. Consent is valid only when the customer has been informed of the advertisement’s content, method and frequency and is able to opt out at any time. The same consent and an opt-out mechanism are required when personal data are used for targeted, personalized or behavioral advertising.
- Social networks, online telecommunications: It is unlawful to demand photographs, videos or other images displaying all or part of a data subject’s ID as a form of verification. The collection of personal data through cookies or similar technologies likewise requires the user’s consent. Platforms must publish a privacy policy that clearly explains their data-collection, use and sharing practices; provides mechanisms for users to access, correct or delete their data; enables users to set privacy preferences; and allows them to report security or privacy breaches.
- Big data, artificial intelligence (AI), blockchain, virtual reality and cloud computing: Personal data processed in these environments may be used only for legitimate purposes and only to the extent strictly necessary while protecting the rights and lawful interests of data subjects. Systems employing these technologies must incorporate appropriate data security safeguards, authentication and identification procedures and access-control mechanisms. Where personal data are processed by AI systems, the data must be classified by risk level so that protective measures can be calibrated.
Penalties
The LPDP establishes a comprehensive penalty framework for breaches of personal-data-protection requirements, and it provides for both administrative sanctions and criminal liability. Monetary penalties may be severe: transactions involving the sale or purchase of personal data can attract fines of up to ten times the transaction value, while violations of the rules governing cross-border data transfers are subject to penalties of up to five per cent of the violator’s revenue for the preceding fiscal year.
In light of this exposure, businesses should promptly assess their compliance posture, identify areas of elevated risk, and monitor legislative developments closely, as further guidance and implementing instruments will be issued on the basis of the LPDP. As Vietnam continues to refine its personal data protection regime, staying abreast of evolving obligations will be essential.
Russin & Vecchi, with its market-leading expertise in privacy, data protection, and information-security regulation, stands ready to assist organizations to meet these new compliance challenges and to navigate the changing regulatory landscape.
For further information, please contact:
Le Ton Viet, Russin & Vecchi
LTViet@russinvecchi.com.vn