Vietnam’s National Assembly has formally enacted the Law on Personal Data Protection (“PDP Law”)—the country’s first comprehensive framework for personal data regulation. Notably, the Law imposes severe administrative sanctions for certain violations, with fines reaching up to 5% of annual revenue or ten times the illicit gains obtained.
The PDP Law will take effect from 1 January 2026, giving businesses a limited window to prepare for compliance.
This Legal Alert highlights some of the key changes under the PDP Law, areas that remain unclear, and potential impacts on businesses.
What’s New About the PDP Law?
1. Punitive Penalties. The PDP Law introduces a tiered framework for maximum administrative penalties on personal data violations (Art. 8).
– Cross-border transfer violations: Fines up to 5% of the previous year’s revenue or VND 3 billion (approx. USD 115,000), whichever is greater.
– Illegal personal data trading: Fines up to 10 times the illegal gains or VND 3 billion, whichever is higher.
– Other violations: VND 3 billion.
If an individual commits the same violation, their maximum penalty is capped at half that of a business.
2. Cross-Border Data Transfer. Transferring Vietnamese citizens’ data abroad or processing it on foreign platforms requires a Data Transfer Impact Assessment (“DTIA”). The DTIA must be filed with the data protection regulator within 60 days of the initial transfer and updated every six months, or immediately in specific circumstances such as changes in the registered business pertaining to personal data processing (Art. 20 and 22). Notably, a DTIA is not required where businesses or organisations store personal data of their employees on cloud services, among other cases to be specified in the Government’s implementing decree (which will be unveiled at a later date).
3. Ban on Personal Data Trading. The PDP Law prohibits all forms of personal data trading, although the language of this prohibition suggests it is not a blanket ban, as exceptions may be provided under other laws (Art. 7). The legislation also explicitly carves out certain cases of paid or non-paid personal data transfers from being classified as “trading”, such as internal sharing or transfers due to organisational restructuring (Art. 17).
4. Sector- and Activity-Specific Regulations. The PDP Law introduces tailored processing requirements for certain sectors and activities that regularly handle sensitive or large-scale personal data. These include employment, finance, insurance, credit information, advertising, social media, data of children and vulnerable individuals, biometric and location data, recordings in public spaces and emerging technologies such as AI, blockchain, metaverse, and cloud computing. For instance:
– Employers must delete data of unsuccessful candidates, unless otherwise agreed (Art. 25);
– Health sector entities must not share personal data with third-party healthcare providers or health/life insurers, except upon the data subject’s written request or where consents are exempted (Art. 26);
– Entities in the finance and banking sector must inform the data subject of data breaches pertaining to their financial/banking accounts or credit information (Art. 27).
5. Personal Data Protection Personnel. Businesses are also required to appoint a data protection officer/department (“DPO”) or engage qualified external providers (Art. 33). This requirement is noticeably more stringent than the Personal Data Protection Decree, under which a DPO is only required in cases of processing sensitive personal data.
Unresolved Matters
Many aspects of the PDP Law are left to future Government decrees. These include the deadlines to respond to the data subject’s request (Art. 4), calculation methods for illegal gains (Art. 8), forms for a valid consent (Art. 9), particulars for a DTIA and data processing impact assessment (Art. 20-22), data breach reports (Art. 23), and DPO criteria (Art. 33), among other matters.
Businesses should thus be on the lookout for these guiding legislative instruments to ensure compliance.
What Businesses Should Do
With the PDP Law approaching, businesses—especially multinationals—must promptly audit their data systems, map personal data flows, and review third-party relationships to close compliance gaps.
Businesses in high-risk sectors like technology, finance, advertising, and digital platforms should invest further in legal compliance systems, robust internal controls, and advanced data security infrastructures to meet stricter standards and avoid punitive penalties.
Finally, proactive engagement with legal advisors, investment in staff training on data protection principles, and the integration of privacy-by-design into business processes are key to building accountability and withstanding regulatory scrutiny.
For further information, please contact:
NGUYEN Anh Tuan, Partner, LNT & Partners
Tuan.Nguyen@lntpartners.com