Vietnam has passed its first comprehensive data protection law. Law No. 91/2025/QH15 on Personal Data Protection (the PDPL) takes effect on 1 January 2026, replacing the previous Decree 13/2023 framework and bringing Vietnam in line with global data protection standards.
If you operate in Vietnam, offer services to Vietnamese users, or process data of Vietnamese individuals from anywhere in the world, this law applies to you.
What Is the PDPL?
The PDPL is Vietnam’s first full legislative framework for personal data protection. Previous rules existed under Decree 13/2023, but decrees sit lower in Vietnam’s legal hierarchy than laws passed by the National Assembly. The upgrade to full law status signals that data protection is now a national priority.
The law covers the collection, storage, processing, and transfer of personal data. It applies to Vietnamese citizens and people of Vietnamese origin residing in Vietnam, regardless of where the data processing takes place.
Like other modern data protection frameworks, the PDPL distinguishes between general personal data and sensitive personal data. Sensitive categories include health information, biometric data, political opinions, religious beliefs, genetic data, and information about criminal records.
Key Changes from the Previous Framework
The PDPL introduces several significant changes that businesses need to understand.
Stricter Penalties
The penalty regime has teeth. Cross-border transfer violations can attract fines of up to 5% of the previous year’s revenue or VND 3 billion (approximately $115,000), whichever is higher. Illegal data trading carries penalties of up to 10 times the illegal gain or VND 3 billion. Other violations are capped at VND 3 billion.
These revenue-based penalties mirror the approach taken by the EU’s General Data Protection Regulation and represent a major shift from the previous framework’s more modest fines.
New Prohibitions
The PDPL introduces an outright ban on buying and selling personal data unless expressly permitted by law. This prohibition reflects concerns about widespread illegal data trading in Vietnam. In the first half of 2025 alone, authorities uncovered 56 illegal data trading operations involving over 110 million records.
The law also prohibits using another person’s data for unlawful purposes and the intentional disclosure or destruction of personal data.
Mandatory Impact Assessments
Businesses must now complete and submit impact assessments to the data protection authority. A Data Processing Impact Assessment (DPIA) is required within 60 days of starting data processing activities. For cross-border transfers, a separate Cross-border Transfer Impact Assessment (CTIA) must be submitted within 60 days of the first transfer.
These assessments are one-time submissions but must be updated when circumstances change. Some exemptions exist for cross-border transfers, including transfers by state agencies, storage of employee data on cloud services, and situations where data subjects transfer their own personal data.
Sector-Specific Rules
Unlike many data protection laws that apply general principles across all sectors, the PDPL includes detailed provisions for specific industries. Recruitment and employment data can only be collected if relevant to the hiring process, and candidate data must be deleted if the person is not hired. Healthcare and insurance providers need explicit consent for processing health data. Banks cannot use credit information for scoring without consent. Social media platforms must offer features that let users opt out of tracking.
There are also specific provisions for emerging technologies including artificial intelligence, big data processing, blockchain, and cloud computing.
Breach Notification
The notification timeline has been clarified. Organisations must report data breaches within 72 hours of detection. The previous framework measured from the time of occurrence, which created uncertainty about when the clock started.
Familiar Concepts
If you have worked with the GDPR or similar frameworks, much of the PDPL will feel familiar.
Consent requirements follow the same principles: consent must be specific, informed, and voluntary. Bundled consents that tie data processing to unrelated services are not permitted. Each processing purpose requires separate consent.
Data subject rights mirror those found in other frameworks, including rights to access, correction, and deletion of personal data.
The extraterritorial application follows the GDPR model. Foreign entities that process personal data of Vietnamese individuals fall within scope, regardless of where the processing takes place.
Revenue-based penalties follow the approach that has put GDPR enforcement in the headlines globally.
However, the PDPL is not simply a copy of the GDPR. The complete ban on data trading goes further than European rules. The sector-specific provisions are more detailed than the GDPR’s general framework. And the exemption structure differs, with a five-year grace period for small businesses and startups to comply with certain requirements around impact assessments and appointing data protection personnel.
If You Offer Services in Vietnam
The PDPL applies to foreign entities “directly involved in or related to the processing of personal data” of Vietnamese citizens and residents. This language is broad.
If your app or service is available to users in Vietnam, collects personal data from Vietnamese users, or processes data on behalf of Vietnamese businesses, you likely fall within scope.
Key Considerations
Consent mechanisms require review. Ensure your consent flows are granular rather than bundled. Each processing purpose needs separate, informed consent.
Cross-border transfers may require a Cross-border Transfer Impact Assessment before data leaves Vietnam. Review whether any exemptions apply to your situation. The exemption for users transferring their own data may cover some scenarios, but this requires careful analysis.
The data trading prohibition affects business models that involve selling user data or purchasing data sets. If this describes any part of your operations, the PDPL creates significant compliance risk.
Sector-specific compliance adds requirements for businesses operating in healthcare, finance, insurance, social media, or using AI and big data. These are not optional add-ons but mandatory provisions.
Privacy policy updates should reflect PDPL requirements and terminology. Consider whether Vietnamese-language versions are appropriate for your user base.
Practical Steps
Start by auditing your data flows. Map what Vietnamese user data you collect, where it is stored, who has access, and where it travels. This foundation is essential for any compliance effort.
Review your consent flows against PDPL requirements. The prohibition on bundled consents may require changes to how you present choices to users.
Assess your cross-border transfer arrangements. Determine whether you need to complete a CTIA and whether any exemptions apply.
Update your privacy documentation to align with PDPL terminology and requirements.
Monitor for implementing guidance. The Vietnamese government is expected to issue further decrees providing detailed guidance on PDPL implementation. The regulatory landscape will continue to evolve through 2026 and beyond.
A Note on This Guidance
This article provides general information about Vietnam’s Personal Data Protection Law and does not constitute legal advice. Data protection requirements vary based on your specific business activities, data processing operations, and the nature of data collected.
Vietnam’s legal and regulatory environment has its own characteristics that require local expertise to navigate effectively. If you operate in Vietnam or process data of Vietnamese individuals, we strongly recommend engaging with a qualified local legal partner who can provide jurisdiction-specific guidance.
Firms with established Vietnam practices, including the major international law firms with Hanoi and Ho Chi Minh City offices, can provide the on-the-ground expertise that cross-border compliance requires.
The full text of Law No. 91/2025/QH15 on Personal Data Protection is available on Thư Viện Pháp Luật (in Vietnamese, with English translation). Additional legal resources are available through LuatVietnam (in Vietnamese).
