Vietnam Data Privacy Laws: Personal Data Protection Law 2025 Complete Guide

Vietnam governs personal data under Law No. 91/2025/QH15 on Personal Data Protection, passed June 26, 2025, and effective January 1, 2026. It covers collection, processing, storage, and sharing of personal data and applies to any organization processing data of Vietnamese residents, regardless of where processing occurs.

Quick Answer: Vietnam's Personal Data Protection Framework in 2026

Vietnam now has a comprehensive, statute-level data protection framework. The Law on Personal Data Protection, Law No. 91/2025/QH15, passed by the National Assembly on June 26, 2025, and effective January 1, 2026, is the governing law. It replaced Decree No. 13/2023/ND-CP, which had served as the country's first dedicated personal data protection regulation since July 1, 2023.

The new law covers the collection, processing, storage, sharing, and deletion of personal data. It applies to all Vietnamese and foreign agencies, organizations, and individuals that process the personal data of Vietnamese residents, regardless of where the processing occurs.

Implementing Decree No. 356/2025/ND-CP provides detailed operational guidance and took effect on the same date as the law. Together, these two instruments define the compliance obligations businesses must meet in 2026.

The Ministry of Public Security and its A05 Department remain the central enforcement authority. Penalties are now tied to annual revenue rather than fixed monetary caps, bringing Vietnam's framework closer to the GDPR's enforcement model.

From Decree to Statute: Vietnam's Data Protection Evolution

Understanding the current framework requires some historical context. Vietnam's pre-2023 data protection landscape was fragmented, relying on provisions scattered across the Civil Code (2015), the Law on Information Technology (2006), the Law on Cybersecurity (2018), and sector-specific regulations. None of these provided a unified personal data protection framework.

That changed when the Government issued Decree No. 13/2023/ND-CP on Personal Data Protection on April 17, 2023, effective July 1, 2023. Decree 13 was the first instrument dedicated entirely to personal data protection. It introduced definitions for basic and sensitive personal data, established consent requirements, created data subject rights, and imposed impact assessment obligations on cross-border data transfers. It was ground-breaking, but it was a government decree, lacking the legislative authority and permanence of a law passed by the National Assembly.

The National Assembly corrected that on June 26, 2025, by passing the Law on Personal Data Protection, Law No. 91/2025/QH15. The law comprises five chapters and 39 articles, and it formally repealed Decree 13 upon taking effect on January 1, 2026. Decree 356/2025/ND-CP, the implementing decree issued on December 31, 2025, provides the procedural and technical detail that the statute leaves to secondary legislation.

The elevation from decree to statute matters for three reasons. First, it gives the framework greater legal stability. Second, it provides the basis for criminal prosecution, which requires statutory authority. Third, it introduces revenue-based penalties that a decree-level instrument could not credibly impose.

Also relevant is the Law on Data (Law No. 60/2024/QH15), passed November 30, 2024, and effective July 1, 2025. This companion law covers all digital data, not just personal data. It introduces "important data" and "core data" categories tied to national security and socioeconomic stability, with additional cross-border restrictions on those categories. Together, the Law on Personal Data Protection and the Law on Data form the two-pillar structure of Vietnam's modern data governance regime.

The Ministry of Public Security as Regulator

The Ministry of Public Security (MPS) is the lead regulatory authority for personal data protection in Vietnam. Within the MPS, the Department of Cybersecurity and High-Tech Crime Prevention, known by its internal designation A05, handles day-to-day enforcement.

A05's responsibilities include:

• Receiving and reviewing data processing impact assessment dossiers filed by organizations
• Receiving transfer impact assessments for cross-border data transfers
• Operating the National Information Portal for Personal Data Protection
• Investigating complaints and violations
• Coordinating data breach response through the Vietnam Computer Emergency Response Team (VNCERT/CC)
• Issuing guidance and implementing regulations

Other ministries retain sector-specific oversight roles. The Ministry of Information and Communications oversees telecommunications and online service providers. The State Bank of Vietnam supervises financial sector data handling. Sector-specific agencies can impose additional obligations within their domains.

The A05 department reviews filed impact assessment dossiers within 15 days and may request revisions. Organizations whose dossiers are rejected or who receive revision requests must respond within specified timeframes before proceeding with the relevant processing activity.

Scope and Definitions

Who the Law Covers

The Personal Data Protection Law applies to:

• Vietnamese and foreign agencies, organizations, and individuals in Vietnam that collect, process, store, share, or delete personal data
• Foreign agencies, organizations, and individuals outside Vietnam that process the personal data of Vietnamese residents

The territorial scope is broad. A foreign company running a cloud platform used by Vietnamese customers is subject to the law, even if it has no physical presence in Vietnam and processes data on servers located entirely outside the country.

Basic and Sensitive Personal Data

The law preserves the two-tier classification from Decree 13.

Basic personal data includes names, dates of birth, gender, place of birth, nationality, images, phone numbers, email addresses, identification numbers, marital status, family relationship data, and social media account information.

Sensitive personal data includes political views, religious beliefs, health and genetic data, biometric data, sexual orientation, criminal records, financial data including account credentials and transaction history, precise location data, behavioral tracking data, and racial or ethnic origin. Under Decree 356, the sensitive category was expanded to explicitly include bank card details, loan information, and securities and insurance holdings held by authorized financial entities.

Sensitive data requires explicit consent and more rigorous security measures. Processing sensitive data also triggers mandatory data processing impact assessment filing requirements that do not benefit from small-business exemptions.

Legal Bases for Processing

The law maintains consent as the primary legal basis for processing personal data but introduces formal non-consent exemptions that did not exist in Decree 13.

Consent must be voluntary, specific, fully informed, and provided separately for each distinct processing purpose. Pre-ticked boxes, silence, inaction, and bundled consent mechanisms are expressly prohibited. Organizations must be able to demonstrate that valid consent was obtained and must maintain verifiable consent records.

Non-consent bases recognized by the law include:

• Protection of the life or health of the data subject or another person
• Fulfillment of a legal obligation
• Performance of a contract to which the data subject is party
• Response to national emergencies or public health crises
• Support for state agency operations in accordance with the law
• Other specific circumstances defined by law

Organizations relying on non-consent bases must document their legal basis for processing and implement monitoring mechanisms including risk assessments and compliance inspections.

For sensitive personal data, consent remains mandatory in most circumstances even when a non-consent basis would otherwise apply.

Data Subject Rights

The law expands and clarifies the data subject rights established in Decree 13. Decree 356 specifies the response timelines that the law itself leaves open.

Right to be informed. Data subjects must be clearly informed before or at the time of data collection about the types of data being collected, the purposes of processing, the identity and contact details of the data controller, any third parties who will have access to the data, and the data subject's rights and obligations.

Right to consent and withdraw consent. Data subjects may grant or refuse consent for processing and may withdraw consent at any time. Under Decree 356, controllers must act on consent withdrawals within 15 days.

Right of access. Data subjects may request information about what personal data is being processed, the purposes and legal basis for processing, and the categories of recipients. Controllers must respond within 10 days.

Right of rectification. Data subjects may request correction of inaccurate or incomplete data. Controllers must respond within 10 days.

Right of deletion. Data subjects may request deletion of personal data when the purpose of processing has been fulfilled, consent has been withdrawn, or the data was unlawfully collected. Controllers must respond within 20 days.

Right to restrict processing. Data subjects may request that processing be suspended while a dispute about accuracy or legality is pending.

Right to data portability. Data subjects may request their personal data in a format that allows transfer to another controller.

Right to object. Data subjects may object to processing in certain circumstances, including processing for direct marketing.

Right to complain. Data subjects may file complaints with the A05 department and seek compensation for damages caused by unlawful data processing.

The law also imposes obligations on data subjects, a departure from pure rights frameworks. Data subjects must self-protect their personal data, respect the personal data of others, provide accurate information when required by law or contract, and comply with data protection regulations.

Data Controller and Processor Obligations

Data Protection Officer

The law requires every organization processing personal data to designate a qualified data protection department or appoint a qualified individual responsible for data protection compliance. In practice, this functions as a Data Protection Officer requirement.

Decree 356 specifies qualification standards. In-house DPO candidates must hold at minimum a college degree, have at least two years of post-graduation work experience, and have a background in law, information technology, cybersecurity, data security, risk management, compliance, or human resources. External data protection service providers must employ at least three qualified personnel and demonstrate relevant expertise through prior work in technology, legal services, or compliance.

Exemptions and grace periods:

• Micro-enterprises and household businesses are permanently exempt unless they provide data processing services, handle sensitive personal data, or process data concerning more than 100,000 individuals.
• Small enterprises and qualifying startups have a five-year grace period running through January 1, 2031, subject to the same carve-outs.

Organizations must appoint their DPO or establish their data protection department by written decision, submit the DPO's credentials to the MPS, and implement internal data protection policies, consent management mechanisms, processing activity logs, breach response procedures, staff training programs, and compliance audit schedules.

Record Keeping

Organizations must maintain comprehensive records of all data processing activities, including the categories of data processed, the purposes and legal basis for each processing activity, the parties with access to the data, retention periods, the security measures applied, and any cross-border transfers. These records must be made available to the MPS upon request.

Security Measures

The law requires appropriate technical and organizational measures proportionate to the risks of unauthorized access, destruction, loss, alteration, or unauthorized disclosure. Sensitive data requires enhanced security measures. Decree 356 specifies that biometric data must be stored with physical security controls and auditable access restrictions. Banking and financial data must be processed using approved technical standards with end-to-end processing logs.

For AI-driven processing, organizations must ensure transparency about automated decision logic, provide explanations of impact to affected individuals, and offer opt-out mechanisms. Blockchain deployments must avoid storing identifiable personal data on-chain. Cloud computing contracts must clearly allocate data protection responsibilities between the cloud provider and the controller.

Breach Notification

Organizations must notify the A05 department within 72 hours of discovering a personal data breach. For breaches involving sensitive personal data in the banking or financial services sector, and for breaches involving biometric or location data, affected data subjects must also be notified within 72 hours.

Notifications must describe the nature of the breach, the categories and approximate volume of data affected, the likely consequences, the measures taken or planned to address the breach, and the contact details of the DPO or responsible personnel.

Organizations must maintain records of all breaches and support authorities in investigations.

Data Processing Impact Assessment Dossiers

When a DPIA Is Required

A Data Processing Impact Assessment is required before beginning processing activities that involve:

• Sensitive personal data
• Large-scale data processing
• Automated decision-making, profiling, or AI systems
• Facial recognition or other biometric processing
• Processing presenting high risks to data subjects' rights or interests

The DPIA dossier must be submitted to the A05 department within 60 days of commencing the processing activity. Regulators review submissions within 15 days and may request revisions.

Impact assessment dossiers filed under Decree 13/2023 before January 1, 2026 remain valid and do not need to be refiled unless material operational changes occur.

DPIA Content Requirements

Each dossier must document:

• The categories of personal data to be processed
• The purposes and legal basis for processing
• Consent mechanisms and records
• Security safeguards implemented
• Retention periods and deletion procedures
• The identities of any third parties with access to the data
• An assessment of risks to data subjects and the measures to mitigate them

Organizations must update their DPIAs within six months of any significant operational change, such as corporate restructuring, changes in service providers, or adoption of new processing activities. Immediate updates are required upon dissolution or significant changes to the data processing business.

Cross-Border Data Transfers

Transfer Impact Assessment Requirement

Any transfer of personal data outside Vietnam requires a Transfer Impact Assessment dossier submitted to the A05 department within 60 days of the first transfer. This is a key compliance obligation for international businesses.

The TIA dossier must include:

• A description of the data to be transferred, the categories of data subjects, and the volume of data
• The identity of the receiving party and its location
• The purpose and legal basis for the transfer
• A description of data protection measures in place in the receiving jurisdiction
• A risk assessment for data subjects
• The contractual safeguards governing the transfer

Under Decree 356, transfer agreements must specify the legal basis for the transfer, allocate data protection responsibilities between transferor and recipient, provide safeguards for data subjects to exercise their rights across jurisdictions, and establish procedures for coordinating responses to violations.

TIAs filed under Decree 13 before January 1, 2026 remain valid without mandatory refiling unless material changes occur.

Broad Definition of Cross-Border Transfer

The definition covers not only physical or electronic transmission of data to a recipient outside Vietnam, but also offshore cloud storage, processing using automated systems located outside Vietnam, and onward processing of data originally collected in Vietnam. This means routine use of international SaaS platforms, cloud infrastructure, or data analytics services based outside Vietnam constitutes a cross-border transfer subject to TIA requirements.

Transfer Exemptions

Certain transfers are exempt from the TIA filing requirement:

• Transfers by state agencies in performance of their official functions
• Transfers related to employee personal cloud storage
• Transfers by data subjects of their own personal data
• Transfers required to handle national emergencies
• Transfers of publicly disclosed data within the scope of the disclosure
• Transfers pursuant to specific contract terms where the data subject is the contracting party

Authority to Suspend Transfers

The MPS may inspect cross-border transfers and has the authority to suspend transfers that threaten national security, public order, or the rights and interests of data subjects. This gives the government broad discretion to block data flows it considers problematic.

Prohibition on Selling Personal Data

The law expressly prohibits the buying and selling of personal data except where expressly permitted by law. Cross-border transfers within a corporate group for defined internal purposes, transfers in connection with corporate restructuring, and transfers to third-party processors under contract are specifically recognized as not constituting prohibited data sales, provided the required impact assessments are filed.

Data Localization Under the Cybersecurity Law

Decree 13 and its successor deal with personal data protection rules. A separate, overlapping obligation comes from the Law on Cybersecurity 2018 and its implementing Decree No. 53/2022/ND-CP, which took effect October 1, 2022.

Under this framework, enterprises that provide services on telecommunications networks, the internet, or value-added services in cyberspace in Vietnam and that collect, exploit, analyze, or process data relating to personal information, user-generated content, or user relationship data of Vietnamese users must store that data on servers located in Vietnam.

Foreign service providers must comply with localization requirements upon written request from the MPS. Once a request is issued, the foreign provider must complete data storage in Vietnam and establish a local branch or representative office within 12 months. Data must be retained for a minimum of 24 months.

The data categories subject to localization include personal data of Vietnamese users, user-generated data such as access logs and search history, and user relationship data such as contact lists and group memberships.

The practical interaction between the personal data protection framework and the cybersecurity localization framework means that foreign technology companies face two distinct sets of obligations: they must comply with TIA filing requirements under the PDPL for any cross-border transfers, and they may separately face localization demands under the Cybersecurity Law.

Sector-Specific Provisions

Law No. 91/2025/QH15 and Decree 356 introduce targeted rules for specific industries, a significant expansion beyond Decree 13's general framework.

Employment. Employers may only collect personal data that is directly relevant to the employment relationship. Data collected during recruitment must be deleted if the candidate is not hired. Personal data must be destroyed after contract termination unless a longer retention period is agreed in the employment contract. Employee monitoring must be lawful, proportionate, and transparent.

Healthcare and insurance. Consent is mandatory before processing any health or insurance data. Data may not be shared with third parties without consent. Breach notification to affected individuals is required in addition to MPS notification.

Finance, banking, and credit. Organizations in this sector must apply approved technical standards for data processing, maintain end-to-end processing logs, conduct annual compliance assessments, and follow sector-specific breach notification protocols. Consent notices must explicitly disclose any credit scoring, profiling, or evaluation activities and specify the retention period for credit-related data. The State Bank of Vietnam supervises financial sector compliance alongside the MPS.

Advertising and marketing. Personal data may only be used for advertising with the data subject's consent. Opt-out mechanisms must be provided and honored. Behavioral targeting and profiling for advertising must offer user controls.

Social networks and online platforms. Platforms must clearly disclose their data collection practices, provide do-not-track and cookie opt-out options, and refrain from conducting surveillance of private communications without consent. Forced identity verification using biometric data is prohibited.

AI, big data, blockchain, cloud computing, and the metaverse. Processing in these contexts must be conducted lawfully and ethically. AI systems must provide transparency about automated decision logic and offer opt-out mechanisms. Blockchain deployments must avoid storing identifiable personal data on-chain. Cloud providers and their clients must clearly allocate data protection responsibilities by contract.

Children and vulnerable persons. Legal representatives act on behalf of children under 7. For children aged 7 and above, consent from both the child and their legal representative is required before disclosing sensitive personal data. Processing must cease immediately if consent is withdrawn or risks are identified.

Penalties and Enforcement

Administrative Penalties

The PDPL establishes a tiered administrative penalty framework that marks a significant escalation from Decree 13.

Cross-border transfer violations carry fines of up to 5% of the organization's prior-year revenue, with a minimum of VND 3 billion (approximately USD 115,000) applying where the calculated percentage would produce a lower amount.

Illegal personal data trading is subject to fines of up to 10 times the revenue generated from the unlawful sale or purchase of personal data. The minimum fine of VND 3 billion again applies if the multiplier would produce a lower amount.

All other violations are subject to a maximum administrative fine of VND 3 billion for organizations. Individual liability applies at one-third of the organizational fine amount for equivalent violations.

Remedial measures can accompany fines, including suspension of processing activities, mandatory deletion of unlawfully collected data, and suspension of cross-border data transfers.

A separate Decree on Administrative Sanctioning, expected to be submitted to the Government in April 2026, will provide the detailed penalty schedule for specific violations. Until that decree takes effect, enforcement actions remain possible but the specific fine amounts for individual violation types are not yet fully prescribed.

Criminal Liability

Serious or intentional violations can result in criminal prosecution. The Penal Code's provisions on cybercrime and privacy violations apply. Fines for criminal violations can reach VND 1 billion (approximately USD 40,000) for individuals, and imprisonment terms of up to seven years are available for the most serious offenses involving unauthorized access to, disclosure of, or destruction of personal data.

Enforcement Status in 2026

Enforcement activity under the new framework was ramping up at the time this article was updated. The MPS documented 56 illegal personal data trading operations in the first half of 2025 alone, involving more than 110 million records. The scale of that activity reflects the data protection concerns driving the new law.

The dedicated administrative sanctioning decree was pending Government approval as of mid-2026. Once that decree takes effect, the MPS will have a comprehensive basis for imposing graduated fines. In the interim, the prohibition on illegal data trading and the cross-border transfer requirements are already in force.

The Law on Data (Law No. 60/2024/QH15)

The Law on Personal Data Protection does not operate alone. Vietnam's Law on Data, Law No. 60/2024/QH15, passed November 30, 2024, and effective July 1, 2025, covers all digital data, not just personal data. The two laws together form the core of Vietnam's data governance framework.

The Law on Data introduces new data categories based on national interest considerations:

• Important data covers data whose unauthorized disclosure, loss, or manipulation could affect national defense, security, foreign affairs, or socioeconomic stability.
• Core data covers data whose compromise could have severe national consequences.

These categories face restrictions on cross-border transfers beyond those in the PDPL. The Law on Data also establishes a national data infrastructure framework including requirements for data centers and the development of a national data strategy.

Organizations collecting or processing data at scale should assess whether any of their data assets fall within the important data or core data categories, as additional compliance obligations may apply under this separate law.

Compliance Obligations for Businesses

Organizations operating in Vietnam or processing data of Vietnamese residents should prioritize the following steps.

Data mapping. Conduct a comprehensive audit of all personal data collected, processed, and stored, distinguishing basic personal data from sensitive personal data. Identify all processing activities and their legal bases.

Consent mechanism review. Audit existing consent mechanisms against the new requirements: verify that consent is explicit, granular, purpose-specific, and verifiable. Remove pre-ticked boxes, bundled consent, and any design that equates silence with acceptance.

DPIA filing. Identify all processing activities that require a data processing impact assessment. File dossiers with the A05 department within 60 days of processing commencement. Update filed DPIAs within six months of significant operational changes.

Transfer impact assessments. Identify all cross-border data flows, including transfers to cloud providers, SaaS platforms, and group affiliates. Confirm that TIA dossiers have been filed for each transfer not covered by an exemption. Update transfer agreements to include the contractual safeguards required by Decree 356.

DPO appointment. Determine whether the organization is within the scope of the DPO requirement. If so, appoint a qualified individual or designate a qualified team. Submit credentials to the MPS.

Data localization audit. Assess whether the organization's services bring it within scope of the Cybersecurity Law localization requirements. If so, evaluate the practical steps required to establish local data storage.

Breach response procedures. Establish or update procedures to detect, assess, and report breaches within the 72-hour notification window, including sector-specific notification obligations for financial and biometric data incidents.

Sector-specific obligations. If the organization operates in healthcare, finance, employment, advertising, social media, or technology sectors, identify and implement the sector-specific obligations under the PDPL and Decree 356.

Record keeping. Establish or update processing activity logs and data protection policy documentation to meet the requirements of Decree 356.

This article is for informational purposes only and does not constitute legal advice. Vietnam's data protection laws are evolving, and organizations should consult with qualified legal counsel in Vietnam for advice specific to their situation.