On 26 June 2025, Vietnam’s National Assembly passed Law No. 91/2025/QH15 on Personal Data Protection (the “PDP Law”), ushering in a unified and rights-centric framework for personal data governance. This legislative move positions Vietnam in closer alignment with global data protection standards such as the EU’s General Data Protection Regulation (GDPR), marking a significant shift for both local and cross-border businesses operating in Vietnam’s digital ecosystem.
The PDP Law is planned to take effect on 1 January 2026 as the primary legal instrument on personal data protection in Vietnam, replacing Decree No. 13/2023/ND-CP (“Decree 13”), which currently regulates this sector.
Key Takeaways
- Major Legislative Shift: PDP Law introduces stronger legal authority, broader scope, clearer definitions, and new rights for data subjects – all signaling higher compliance demands.
- Impact Assessment and Cross-Border Data Transfer: Businesses must prepare for the required impact assessments of personal data processing and offshore data transfers, which are subject to stricter rules and targeted exemptions.
- Actionable Compliance Steps: Organizations, especially those in digital, financial, healthcare, or marketing sectors, should urgently review data flows, update internal policies and consent mechanisms, and prepare systems and staff training to ensure full compliance.
This article provides valuable updates to help businesses better prepare for the upcoming legal shift.
What’s New in the PDP Law
Greater Authority and Wider Application
As a formal statute, the PDP Law holds higher legal authority than Decree 13 and will typically prevail in case of inconsistencies. Regulators, however, have yet to make any comment on the validity of Decree 13 upon enforcement of the PDP Law.
The PDP Law no longer lists “Vietnamese agencies, organizations, individuals operating offshore” as one of its subjects of application, as this subject is already covered by the scope of “Vietnamese agencies, organizations and individuals”. Instead, the PDP Law applies extraterritorially to foreign organizations that process personal data of either “Vietnamese citizens” or “persons of Vietnamese origin residing in Vietnam with state-issued ID”.
The elevation in legislative hierarchy signifies a higher priority of data protection in Vietnam, bringing greater legal certainty for both domestic and foreign businesses. Relevant expanded application scope also emphasizes accountability across cross-border platforms. Global tech firms with Vietnam-based users must now prepare for broader compliance obligations regardless of corporate location.
New Definitions and Terminologies for Flexibility
Under the PDP Law, the definition of “personal data” has been adjusted to align with the concept of “digital data” under the new Data Law. Together with the comprehensive, rather than enumerative, approach taken in the two definitions of “basic personal data” and “sensitive personal data”, this gives a clearer understanding and makes it easier to identify personal data subject to the governance of the PDP Law. Reading these two definitions, we can expect the Government to issue a detailed list of both basic and sensitive personal data, which raises the possibility that Decree 13 will be amended rather than replaced.
Minor revisions have been made to the definitions of “data processor” and “third party”, yet they help significantly in telling the two subjects apart. Accordingly, it is now clearer that “data processor” refers to the party that processes personal data as requested by the “data controller” or “data controller and processor” in accordance with a [data processing] agreement. “Third party” is identified as any party participating in the personal data processing activities under the law, other than the data subject, data controller, data controller cum processor, and data processor.
A new definition of “personal data de-identification” is introduced, excluding de-identified data from the scope of personal data and significantly reducing the burden on businesses in relation to data storage.
Expanded Data Subject Rights – Balancing with Businesses’ Benefit
The PDP Law reaffirms the rights of data subjects as provided in Decree 13. In addition, it gives data subjects the right to request protection measures for their personal data from not only competent authorities but also entities related to the processing of their personal data. The timeline for responding to a data subject’s request has been left for further guidance by the Government, instead of the 72 hours previously provided in Decree 13.
While protecting the rights of data subjects, the PDP Law also ensures the balance of businesses’ benefits. Accordingly, it mandates that, when enforcing their rights, data subjects must comply with the law, must not cause challenges to relevant entities in performing their legal obligations, and must not infringe others’ legitimate interests.
Revenue-Based Penalties and Sanctions
Under the PDP Law, maximum administrative fines may reach:
- Up to 10 times the illicit revenue for personal data trading;
- Up to 5% of annual turnover for cross-border violations; and
- Up to VND3 billion (approx. USD118,000) for other breaches.
Violating individuals incur 50% of the aforementioned fines applicable to organizations.
This introduces proportional deterrence, especially for revenue-generating data misuse. It raises the stakes significantly for platforms and service providers, particularly in advertising, e-commerce, and social media, where monetization models often rely on personal data.
Protection over Vulnerable Subjects and Sector-Specific Provisions
The PDP Law extends its protection over a wider range of vulnerable subjects, including not only children but also persons without civil capacity or with limited civil capacity, and persons with cognitive or behavioral impairments. However, unlike Decree 13, which requires the consent of both children from seven (7) years of age and their parents or legal guardians for the processing of such children’s personal data in general, the PDP Law only mandates such dual consent for processing activities which aim to disclose information on the personal life or secrets of such children from seven (7) years of age.
This leads to an implication that children from seven (7) years old can provide consent by themselves for the processing of their personal data, provided that such processing does not disclose their personal life or secrets, which may cause certain challenges for practical enforcement.
The PDP Law includes dedicated sections on employment, healthcare and insurance, finance and credit, and advertising. These tailored obligations recognize industry-specific risks, putting those sectors with the highest rate of data leakage incidents under legal monitoring. However, sector-specific guidance is critical for practical compliance planning.
Mandatory Impact Assessment and Cross-Border Data Transfer Oversight
Personal Data Processing Impact Assessment – PDPIA
Frankly, the PDP Law reaffirms the regulations on PDPIA under Decree 13 while adding certain points that make it easier for businesses to meet compliance requirements.
It has been clarified that PDPIA can be a one-time obligation during the whole term of business operation. Updates are required every 6 months in case of changes, or upon any significant operational changes.
The PDP Law does not mandate that the PDPIA Dossier must always be available for examination by the Ministry of Public Security. As of the time of this article, details on the dossier components as well as conditions and procedures for the PDPIA under the PDP Law have yet to be announced.
It is also worth noting that it is now a mandatory obligation for agencies and/or organizations to either appoint a department and/or individual(s) qualified for personal data protection or engage providers of personal data protection services (“PDP Department”).
Offshore Personal Data Transfer Impact Assessment – OPDTIA
The PDP Law identifies three cases that are considered offshore transfers of personal data, including:
- Transfer of personal data stored in Vietnam to a storage system located outside of the territory of the Socialist Republic of Vietnam;
- Transfer of personal data by entities (agencies, organizations, and individuals) in Vietnam to entities located offshore; and
- Processing of personal data collected in Vietnam by [onshore or offshore] entities using platforms located outside of the territory of the Socialist Republic of Vietnam.
Accordingly, the concept of offshore personal data transfer under the PDP Law is no longer limited to the personal data of Vietnamese citizens.
While reaffirming the requirement to prepare and submit an OPDTIA Dossier for offshore personal data transfer, the PDP Law also provides exceptions including:
- Offshore personal data transfer conducted by competent authorities;
- Storage of businesses’ employees’ personal data on cloud services;
- Self-transfer of data subjects’ personal data offshore; and
- Other cases regulated by the Government.
What Decree 13-Compliant Businesses Should Do
To lessen the regulatory burden on businesses, the PDP Law provides the following transitional provisions:
- Consents (for data processing) which have been duly obtained under Decree 13 remain valid upon the enforcement of the PDP Law; and
- PDPIA and/or OPDTIA Dossier(s) which have been accepted by the Department of Cybersecurity and Hi-Tech Crime Prevention (A05) under the Ministry of Public Security in accordance with Decree 13 prior to the effective date of the PDP Law are not required to be re-submitted. However, any updates to the said Dossier(s) after 1 January 2026 must be made in accordance with the PDP Law.
In addition, small businesses and start-ups (except for those providing personal data processing services, directly handling sensitive personal data, or processing data at scale) are entitled to a 5-year grace period, within which they can elect whether or not to perform the PDPIA-related and PDP Department appointment obligations. Households and micro businesses (except for those providing personal data processing services, directly handling sensitive personal data, or processing data at scale) are exempt from the said obligations.
What Businesses Should Do to Remain in a Ready Position
It is highly recommended that organizations collecting, storing, or processing personal data of Vietnamese residents, or personal data originating in Vietnam, promptly review their data processing activities, especially those operating in the e-commerce, fintech, telecommunications, healthcare, insurance, or digital marketing sectors.
In particular, here are some key recommended actions:
- Conduct data mapping to identify the data flows;
- Review and update privacy notices, methods for obtaining consent, and relevant forms and/or documents;
- Speed up the preparation and submission of PDPIA and/or OPDTIA Dossier(s) under Decree 13 to minimize the burden of new compliance requirements;
- Organize internal training to raise awareness; and
- Review and enhance data breach detection and response systems.
Conclusion
The PDP Law marks Vietnam’s definitive pivot toward a rights-based, risk-aware, and accountability-driven privacy regime. Even though it has shed light on how businesses, especially TMT players, should shape their future compliance plans, further sector-specific guidance is essential for smooth practical enforcement.
Whether regulatory developments present challenges or opportunities, understanding your business is always the key to navigating them effectively. Here at Indochine Counsel, we stand ready to support our clients through this legislative transition.
For further information, please contact:
Dang The Duc, Partner, Indochine Counsel
duc.dang@indochinecounsel.com