The Personal Data Protection Law (PDPL) of Vietnam was passed under Resolution No. 203/2025/QH15. It is Vietnam’s first comprehensive legal regime focused solely on personal data protection. The National Assembly passed the PDPL on June 26, 2025, and it will come into force on January 1, 2026. The PDPL reflects the need for stronger protection of citizens’ data amid Vietnam’s growing digital economy. Earlier, data protection was governed by scattered laws, including the Law on Cybersecurity 2018 and the Law on Information Technology 2006. The PDPL aims to combine and elevate these fragmented provisions into one regime. It adopts an approach similar to the EU GDPR while also taking national security into account.
Scope and Applicability
The Personal Data Protection Law (PDPL) applies to both Vietnamese and foreign individuals, agencies, and organizations that operate in Vietnam. It also applies to foreign entities that handle the personal data of Vietnamese citizens, or of people of Vietnamese origin living in Vietnam who do not have a determined nationality but hold valid identity papers issued by Vietnamese authorities. The law sets rules for protecting personal data and outlines the duties and responsibilities of anyone involved in processing that data.
Key Definitions
Article 2 of the Personal Data Protection Law defines the key terms used to interpret and understand the law. The definitions are:
- Personal data is digital or other types of information that can directly or indirectly identify a person. It includes basic personal data and sensitive personal data. Data that has been de-identified is not considered personal data.
- Basic personal data refers to common information used in everyday transactions and social interactions. The Government provides an official list of what is included.
- Sensitive personal data involves private information. If misused, it can immediately affect the rights and interests of individuals, agencies, or organizations. This, too, is listed by the Government.
- Personal data processing means any activity involving personal data. This includes collecting, analyzing, encoding, editing, deleting, de-identifying, sharing, or transferring data.
- A personal data controller and processor is an agency, organization, or person that collects data, decides why and how to process it, and directly handles the data.
- A third party is anyone who is not the data subject, controller, or processor, but still participates in processing personal data under the law.
- De-identification is the process of changing or removing information so the data no longer identifies a specific person.
- A personal data processing impact assessment evaluates the risks in processing personal data. It helps plan measures to reduce risks and protect the data.
Data Subject Rights
Article 4 of the Personal Data Protection Law (PDPL) defines the main rights and obligations of data subjects. These include the following:
The law gives individuals the right to be informed about the processing of their personal data. They also have the right to give or refuse consent, and to withdraw consent at any time. They have the right to view, edit, request access to, delete, or restrict the use of their data, and they can object to data processing as well.
Data subjects may file complaints, denunciations, or lawsuits to claim damages, as permitted by law. They can also ask authorities to take steps to protect their data. Article 4 also outlines the duties of data subjects. These include protecting their own data, respecting the data of others, providing accurate information, and following the law. They must not interfere with or violate the rights and interests of data processors, collectors, or the State.
Obligations of Data Controllers and Data Processors
Article 37 outlines the responsibilities of the Data Controller. Controllers must comply with all rules related to data processing and decide the purpose and means of processing. They must follow the law and apply technical and organizational safeguards. Controllers must report any violations and protect data subject rights. They must prevent illegal data collection, and they are required to help the State investigate and remedy legal breaches. If damage is caused, they must compensate the data subject.
The article also defines the duties of the Data Processor. Processors may process data only under a valid agreement, and processing must follow the terms of that agreement. They are accountable to the controller for any harm caused. They must also avoid illegal data collection and support the State in investigations and remedies.
Consent Requirements
Before processing personal data, the data controller and processor must obtain the data subject’s consent. Consent is valid only if it is voluntary and informed: the subject must understand the type of data, who collects and processes it, in what context, for what purpose, and what their rights are. Consent must also be clear, specific, accessible, and verifiable, including in electronic format, and it must be given separately for each purpose. Silence or a lack of response is not considered consent. Consent remains valid until the subject withdraws or changes it, either as provided by law or by expressing a new choice.
The data subject can withdraw consent or limit processing if they have concerns about the scope, purpose, or accuracy of the processing. The withdrawal request must be in writing or in a verifiable format and sent to both the controller and the processor. After receiving the request, both must restrict processing within the legal timeframe. However, the withdrawal or restriction applies only to processing done after the request.
Cross-Border Data Transfers
Cross-border transfer is defined in Article 20 as either (1) transferring personal data stored in Vietnam to a data storage system outside Vietnam, or (2) transferring personal data to an organization or individual outside Vietnam, or to organizations inside or outside Vietnam that use a platform outside the territory of Vietnam to process personal data collected in Vietnam.
Cross-Border Data Transfers Impact Assessment Dossier
An organization or individual involved in cross-border data transfer must prepare a dossier assessing its impact. This impact assessment must focus on the risks of transferring personal data outside the country. The original copy of the dossier must be submitted to the Data Protection Authority within 60 days from the start of the cross-border data transfer activity.
There are some exceptions to this requirement. Certain state agencies do not need to submit the impact assessment. Organizations that store employee personal data on their own cloud services are also exempt. Data subjects transferring their own data across borders are not required to submit the assessment either.
The Data Protection Authority is responsible for monitoring cross-border transfers every year. It may also conduct sudden inspections if there are signs of a violation or a breach. If there is any concern about harm to national defense or security, the authority can suspend the data transfer.
Impact Assessment of Personal Data Processing
The Personal Data Protection Law (PDPL) requires Data Controllers and Processors to prepare and maintain a written impact assessment record under Article 21 of the law. One original copy must be submitted to the appropriate authority within 60 days of starting data processing. State agencies are exempt from this requirement.
This assessment must be done once during the organization’s operational period and must be updated as required by Article 22 of the PDPL. The Data Processor must maintain written records of assessments for any processing done on the Data Controller’s behalf.
Appointment of Data Protection Officer (DPO)
Organizations and agencies must assign a specific department and personnel responsible for data protection. Alternatively, they may assign a trained staff member qualified for data protection, or retain an independent data protection service.
Exemption to the Small Enterprises and Start-Ups
Small businesses and start-ups are allowed to defer compliance with Articles 21 (impact assessment), 22 (updating the assessment), and Clause 2 of Article 33 (appointment of a Data Protection Officer) for five years from the commencement of the law. However, this exemption does not apply if they provide personal data processing services, process sensitive personal data, or process large amounts of personal data.
Likewise, household businesses and micro-enterprises are usually exempt from these provisions, but must comply if they engage in sensitive data processing (for example, health information), provide data processing services, and process large amounts of personal data.
Security Measures and Breach Notification
When a data controller, joint controller, processor, or third party discovers a breach that may threaten national defense, security, social order, or the life and property of a data subject, they must notify the competent authority within 72 hours of discovery. Data processors must immediately inform the data controller of any breach. Data controllers must record the breach and actively coordinate with the Data Protection Authority to resolve the issue. Individuals and organizations must also report any observed breaches of the regulations, including cases where someone processes data for unauthorized purposes or prevents data subjects from exercising their rights.
The agency charged with personal data protection is responsible for receiving these notifications and for determining whether the regulations on personal data have been violated.
Government Supervision and Enforcement
The Government is collectively accountable for the enforcement of these personal data protection regulations. The Ministry of Public Security is the central agency for state management of personal data protection on behalf of the Government, with the exception of matters under the Ministry of National Defense. Other Ministries and Government agencies implement the law within their own mandates. The Provincial People’s Committees are responsible for implementation at the local level, in accordance with national laws and policies on personal data protection.
Penalties for Non-Compliance
Article 8 specifies the penalties for violating the provisions of the law. Any organization, agency, or individual that violates provisions related to personal data protection will be administratively sanctioned or criminally prosecuted, depending on the nature and extent of the violation. If the violation causes damage, they are liable to compensate for it.
Administrative sanctions are as follows: for buying and selling personal data, the maximum fine is 10 times the illegal profit resulting from the violation; an organization that violates the regulations on cross-border personal data transfer may be fined up to 5% of its revenue in the previous calendar year; other violations in the area of personal data protection are capped at VND 3 billion; and individuals who commit the same violations face a maximum fine of half the amount applied to organizations.
Compliance Roadmap for Organizations:
| S. No. | Compliance Step | Description | Timeline |
| --- | --- | --- | --- |
| 1 | Data Mapping & Inventory | Identify, document, and classify all personal data collected, processed, stored, and transferred (including sensitive data). | Immediately |
| 2 | Obtain Valid Consent | Ensure consent is obtained in a clear, specific, verifiable form for each purpose of data processing, except for exemptions under Article 19. | Before or at the start of processing |
| 3 | Draft & Review Agreements | Include clear responsibilities, rights, and obligations in contracts with processors, third parties, and data subjects. | Before engagement starts |
| 4 | Conduct Data Processing Impact Assessment (DPIA) | Prepare and submit the DPIA to the data protection authority within 60 days from the start of processing (once during operations, updated as needed). | Within 60 days of processing start |
| 5 | Conduct Cross-Border Impact Assessment (if applicable) | For cross-border transfers, prepare a separate impact assessment dossier and submit it within 60 days from the first transfer. | Within 60 days of first transfer |
| 6 | Implement Data Protection Measures | Apply technical, organizational, and managerial measures to secure personal data (e.g., encryption, access controls, monitoring). | Ongoing |
| 7 | Establish Data Subject Rights Mechanism | Set up processes to handle requests for access, correction, deletion, restriction, objection, and withdrawal of consent. | Immediately |
| 8 | Notification of Breach | Notify the data protection authority of breaches within 72 hours of discovery; processors must notify controllers immediately. | Within 72 hours of breach |
| 9 | Retention & Destruction Policy | Establish policies for data retention and secure deletion/destruction after the processing purpose ends, or upon request. | Ongoing |
| 10 | Prevent Unauthorized Collection | Deploy measures to prevent unauthorized collection of, or access to, personal data from systems, devices, or services. | Ongoing |
| 11 | Assign Data Protection Personnel | Appoint in-house data protection personnel/department or hire external service providers as required under Article 33. | Before processing begins |
| 12 | Employee Training & Awareness | Conduct regular training for employees handling personal data to ensure compliance with the PDPL. | Regular (at least annual) |
| 13 | Update Impact Assessments | Update the DPIA and cross-border assessments every 6 months or immediately upon significant changes (e.g., mergers, service changes). | Every 6 months or upon change |
| 14 | Maintain Records of Processing | Maintain records of all data processing activities and make them available to authorities upon request. | Continuously |
| 15 | Cooperation with Authorities | Coordinate with the Ministry of Public Security and relevant agencies for investigations, inspections, or audits. | As needed |
| 16 | Special Category Data Compliance | Apply additional safeguards for sensitive data (health, biometrics, location data, children’s data), including dual consent where applicable. | Immediately |
| 17 | Privacy Policy Publication | Publish clear, accessible privacy policies, especially for online services, apps, or platforms handling personal data. | Before service launch |
| 18 | Vendor & Processor Management | Ensure third parties/processors comply with the PDPL through contracts, audits, and compliance checks. | Ongoing |
| 19 | Incident Response & Remediation Plan | Develop and maintain an incident response plan for handling data breaches, violations, and corrective actions. | Immediately |
| 20 | Audit & Compliance Monitoring | Conduct periodic internal audits and assessments to ensure continuous compliance with the PDPL. | Annually or as required |