
Notable Provisions of the Personal Data Protection Law

posted 2 months ago

On 26 June 2025, Vietnam’s National Assembly officially passed the Personal Data Protection Law (“PDPL”), which is the first piece of legislation in Vietnam to provide a comprehensive and specialized legal framework governing the processing of personal data. In the context of digital transformation and the growing impact of technology on daily life, business operations, and state governance, the enactment of this law lays a vital legal foundation for the protection of privacy rights, while also enhancing the accountability of organizations and individuals in the collection, storage, use, and sharing of personal data.

This article provides an overview of several key highlights of the PDPL, focusing on newly introduced provisions as well as rules that have been further clarified compared to those in Decree No. 13/2023/ND-CP on Personal Data Protection (“Decree 13”).

1. Prohibited Acts in the Processing of Personal Data

In addition to the prohibitions set forth under Decree 13[1], the PDPL introduces the following additional prohibited acts with the aim of enhancing the effectiveness of personal data management and protection[2]:

  • Using another person’s personal data or allowing others to use one’s personal data to commit acts in violation of the law;
  • Buying or selling personal data, except as otherwise provided by law; and
  • Appropriating, intentionally disclosing, or causing the loss of personal data.

Illegal processing of personal data, impersonation for fraudulent purposes, violations of honor and dignity, and the trading of personal information have raised serious public concern in recent times, particularly because of their severe impact on the legitimate rights and interests of data subjects. The addition of the above prohibitions is an important step towards perfecting the personal data protection mechanism, strengthening enforcement in the digital environment, and ensuring privacy amid the ongoing digital transformation.

2. Increasing Penalties for Violations of PDPL

The PDPL directly stipulates administrative fines for specific violations, with the aim of enhancing deterrence and ensuring effective enforcement in practice. Specifically[3]:

  • For the illegal trading of personal data, the maximum monetary fine shall be up to 10 times the revenue generated from the violation. In cases where the violation does not generate any revenue, or where the fine calculated based on such revenue is less than VND 3 billion, a maximum fine of VND 3 billion may be imposed.
  • For violations involving the cross-border transfer of personal data, the maximum fine shall be 5% of the violating organization’s total revenue from the most recent financial year. If there is no revenue in the preceding year, or the fine based on such revenue is less than VND 3 billion, then a maximum fine of VND 3 billion may be imposed.
  • For other violations relating to personal data protection, the maximum monetary penalty is set at VND 3 billion.

It is important to note that the maximum fines mentioned above apply to organizations. For the same violations, the fines imposed on individuals shall be calculated at 50% of the amount applicable to organizations. The Government shall issue detailed regulations guiding the calculation of revenue derived from acts in violation of personal data protection laws, in order to ensure transparency and consistency in enforcement.

In addition, organizations and individuals that commit violations of the PDPL or other relevant laws on personal data protection may, depending on the nature, severity, and consequences of the violation, be subject to administrative sanctions as outlined above, or criminal liability. If the violation causes damage, compensation shall be made in accordance with the provisions of law.

3. Mechanisms for the Deletion, Destruction, and De-identification of Personal Data

The PDPL inherits and further develops the provisions set out under Decree 13, offering more detailed regulation on the deletion and destruction of personal data and introducing a new legal mechanism for the de-identification of personal data, a highly technical mechanism intended to increase security and privacy protection in the current digital context.

a. Deletion and Destruction of personal data[4]

The PDPL stipulates six (06) circumstances under which the deletion or destruction of personal data shall be carried out, except in the following cases: (i) the data requested for deletion or destruction falls within the category of data permitted to be processed without the data subject’s consent pursuant to Article 19.1[5] of the PDPL; and (ii) the deletion of the data would violate the principles set forth under Article 4.3[6] of the PDPL. The six circumstances are:

  • The data subject requests the deletion or destruction of their personal data and accepts any associated risks or damages that may arise;
  • The purpose of processing the personal data has been fulfilled;
  • The data retention period has expired in accordance with the law;
  • Deletion or destruction is carried out pursuant to a decision issued by a competent state authority;
  • Deletion or destruction is conducted in accordance with an agreement; and
  • Other cases as prescribed by law.

b. De-identification of Personal Data

Under the PDPL, de-identification of personal data is defined as the process of altering or removing information to create a new data set that cannot identify or be used to identify a specific individual[7]. This process must comply with the following key principles[8]:

  • Agencies, organizations, and individuals conducting de-identification are responsible for strictly monitoring and controlling the de-identification process, and must take measures to prevent unauthorized access, copying, appropriation, disclosure, or loss of personal data during the process.
  • Re-identification of de-identified personal data is strictly prohibited, unless otherwise provided by law.
  • The de-identification process must be carried out in accordance with the PDPL and other relevant legal provisions.

4. Mechanism for the Disclosure of Personal Data

The PDPL provides clearer and more detailed provisions on the disclosure of personal data, thereby establishing a legal framework that seeks to balance the individual’s right to privacy with the public’s need for access to information in certain exceptional circumstances. Under the PDPL, personal data may only be disclosed in the following cases[9]:

  • With the consent of the data subject;
  • As required by law;
  • For the purpose of responding to emergencies or addressing threats to national security that do not yet warrant the declaration of a state of emergency; for the prevention and combat of riots, terrorism, criminal acts, and legal violations; and
  • For the performance of contractual obligations.

In addition, the PDPL establishes a set of principles that must be adhered to when disclosing personal data[10]. Agencies, organizations and individuals disclosing personal data are required to strictly monitor and control the disclosure process to ensure compliance with the stated purposes, scope, and legal regulations. They must also prevent illegal access, use, disclosure, duplication, modification, deletion, destruction, or other unlawful processing of the disclosed data to the extent of their capabilities and resources.

5. Other Notable Provisions

The PDPL supplemented and specified in more detail the relevant provisions in Decree 13, including the following notable developments:

a. Addition of Principle on Data Subject Consent

The PDPL stipulates that “Consent must not be tied to mandatory acceptance of purposes other than those agreed upon in the contract”[11]. The PDPL also introduces a monitoring mechanism for cases in which personal data is processed by agencies, organizations and individuals without the data subject’s consent, ensuring proper oversight in exceptional circumstances where consent is not required[12].

b. Procedures for Cross-Border Personal Data Transfer Impact Assessments

Agencies, organizations and individuals conducting cross-border personal data transfers specified in Article 20.1 of the PDPL are required to prepare a personal data transfer impact assessment dossier. The components, conditions, and procedures applicable to such dossiers will be specified in further detail by the Government through implementing regulations.

6. Principles for Applying the Law on Personal Data Protection

Pursuant to Article 5 of the PDPL, personal data protection activities in Vietnam must comply with the PDPL and other relevant legal instruments, provided that such instruments are not contrary to the principles set forth in the PDPL. In the event that legal instruments enacted after the effective date of the PDPL contain provisions that differ from those of the PDPL, such instruments must clearly specify which provisions are governed by the new law and which remain subject to the PDPL.

In addition, where an organization or individual has already conducted a Personal Data Processing Impact Assessment or a Cross-Border Personal Data Transfer Impact Assessment in accordance with the PDPL, they shall not be required to repeat such assessments under other applicable data-related legislation.

7. Effective Date and Transitional Mechanisms

The PDPL shall officially take effect from 01 January 2026, and establishes a temporary exemption mechanism for certain entities to support the transition process[13]:

  • Small enterprises and start-ups may opt to apply or defer the application of the provisions under Article 21 (Personal Data Processing Impact Assessment), Article 22 (Updates to the Personal Data Processing Impact Assessment and Cross-Border Data Transfer Impact Assessment), and Clause 2 of Article 33 (Personal Data Protection Force) for a period of five (05) years from the effective date of the PDPL, except where they engage in personal data processing service businesses, direct processing of sensitive personal data, or processing personal data of a large number of data subjects.
  • Household businesses and micro-enterprises are fully exempt from compliance with Articles 21, 22, and Clause 2 of Article 33, except in the cases where they provide personal data processing services, directly process sensitive personal data, or process the personal data of a large number of data subjects.

Additionally, any personal data processing activities lawfully consented to or agreed upon under Decree 13 prior to 01 January 2026, shall remain valid and may continue to be implemented. Likewise, impact assessment dossiers on personal data processing or cross-border data transfers that were submitted to the competent authority prior to the effective date of the PDPL under Decree 13 shall remain valid. However, any updates or amendments to such dossiers made after 01 January 2026 must comply with the requirements set out under the PDPL.[14]

Than Trong Ly – Partner
Nguyen Thi Hong Nhung – Junior Associate
Nguyen Dinh Viet Hung – Paralegal

DIMAC Law Firm 

[1] Article 8. Prohibited acts

1. Processing personal data in contravention of regulations of law on protection of personal data.

2. Processing personal data in order to provide information and data against regulations of the Socialist Republic of Vietnam.

3. Processing personal data in order to provide information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.

4. Obstructing protection of personal data by competent authorities.

5. Taking advantage of protection of personal data to commit violations of law.
[2] Article 7 of the PDPL
[3] Article 8 of the PDPL
[4] Article 14.1,2,3,4 and 5 of the PDPL
[5] Article 19.1 – Cases Where Personal Data May Be Processed Without the Data Subject’s Consent

Personal data may be processed without the data subject’s consent in the following cases:

a) To protect the life, health, honor, dignity, rights, or legitimate interests of the data subject or others in urgent circumstances; or to protect one’s own legitimate rights or interests, or those of others, or those of the State, agencies, or organizations where necessary to prevent violations against such interests.

In this case, the personal data controller, personal data processor, personal data controller-cum-processor, or third party shall bear the burden of proving that such circumstances exist.

b) To respond to emergencies; or to address threats to national security not yet warranting a formal declaration of a state of emergency; or for the purposes of preventing and combating riots, terrorism, crime, and legal violations.

c) For the operation of state agencies or for the performance of state administrative functions in accordance with the law.

d) To perform an agreement between the data subject and relevant agencies, organizations, or individuals in accordance with the law.

đ) Other cases as prescribed by law.

[6] Article 4.3 of the PDPL stipulates that “Personal data subjects, when exercising their rights and obligations, must fully comply with the following principles:

a) Exercise their rights and fulfill their obligations in accordance with the law, and comply with contractual obligations applicable to personal data subjects. The exercise of such rights and obligations must aim to protect the lawful rights and interests of the personal data subject himself or herself;

b) Must not obstruct or interfere with the lawful exercise of rights and obligations by the personal data controller, the personal data controller-cum-processor, or the personal data processor;

c) Must not infringe upon the lawful rights and interests of the State, agencies, organizations, or other individuals.”
[7] Article 2.11 of the PDPL
[8] Article 14.6 of the PDPL
[9] Article 16.2 of the PDPL
[10] Article 16.1,3,4 and 5 of the PDPL
[11] Point b Clause 4 Article 9 of the PDPL
[12] Clause 2 Article 19 of the PDPL
[13] Article 38 of the PDPL
[14] Article 39 of the PDPL
