Legal Alert | September 2025

On June 26, 2025, the National Assembly officially passed the Law on Personal Data Protection No. 91/2025/QH15 (“Law on PDP”), which will take effect from January 1, 2026, marking an important step forward in protecting personal information and information security in the digital age. Based on Decree 13/2023/ND-CP, the Law on Personal Data Protection provides a uniform and comprehensive legal framework for personal data (“PD”) protection in Vietnam with many breakthroughs to protect people’s privacy as well as set stricter requirements for businesses in collecting, processing, storing and using PD in the digital age.

1. Exception when transferring PD is not considered as buying or selling PD

The Law on PDP strictly prohibits the purchase and sale of personal data. However, the transfer of PD by an enterprise in the following cases, whether or not a fee is collected, is not considered as the purchase or sale of PD[1]: (i) transfer with the consent of the personal data subject; (ii) share PD within the enterprise; (iii) transfer due to enterprise restructuring (such as division, separation, merger or reorganization); (iv) transfer to a PD processor or a third party for processing PD; (v) transfer as required by a competent state agency; and (vi) transfer without the consent of the data subject in certain cases as prescribed by law.

2. Assessing the impact of PD moving abroad

Cases requiring impact assessment: (i) transferring PD stored in Vietnam to a data storage system located abroad; (ii) enterprises in Vietnam transferring PD to enterprises abroad; and (iii) enterprises using overseas platforms to process PD collected in Vietnam.[2]
Exemption from impact assessment : enterprises store the PD of their employees on cloud computing services [3].
Impact assessment time: before transferring PD abroad and performed once for the entire duration of the enterprise’s operation and updated periodically every 6 months when there is a change in the PD that has been processed or updated immediately in some special cases such as termination of operations, dissolution, bankruptcy or change of information about the enterprise providing PD protection services,…[4]

3. Cases where it is mandatory to delete or cancel PD

Enterprises must delete or destroy PD in the following cases and must not intentionally restore deleted or destroyed PD illegally: (i) the purpose of processing PD has been completed; (ii) the storage period has expired; (iii) according to the decision of a competent state agency; (iv) according to an agreement; and (v) at the request of the PD subject (except where the request to delete or cancel PD may hinder or infringe upon the legitimate rights and interests of the State, other agencies, organizations and individuals; or where PD processing does not require the consent of the PD subject).[5]

4. Establish PD protection department

Enterprises are responsible for designating a department or qualified personnel to protect internal PD; or hiring a legal external PD protection service to protect the enterprise’s PD[6]. (Previously, only required for sensitive PD)

Exemptions: small enterprises, startups (exempted for a period of 05 years from January 1, 2026), business households and micro-enterprises that do not provide PD processing services, directly process sensitive PD or process PD of a large number of PD subjects.[7]

5. PD protection for workers[8]

PD collected during the recruitment process must be deleted and destroyed if the candidate is not hired, unless there is an agreement allowing retention.
Employee data generated during the course of employment is retained for the period prescribed by law or by agreement. After the employment contract is terminated, the enterprise must delete this data, unless the law or agreement allows continued retention.
The collection and processing of workers’ PD through monitoring tools using legal technology or techniques is only permitted when workers are informed in advance of the use of these tools.

6. Use customer PD for advertising[9]

PD is permitted to be used for advertising: (i) Customer PD transferred by the PD Controller, PD Controller and Processor according to the agreement; or (ii) data collected through the business activities of the enterprise.
PD is considered as legally collected: when the customer’s consent is obtained, on the basis that the customer clearly knows the content, method, form, frequency of product introduction, as well as the method of refusing to receive advertising information.
The use of PD for advertising must comply with the law on prevention of spam messages, spam emails, spam calls and the law on advertising.

7. Collecting PD from social media and online media users

The collection of PD through data files (cookies) or similar technology platforms must have the consent of users. Platforms are required to publish a privacy policy, which clearly states how data is collected, used and shared; provides a mechanism to access, edit or delete data; sets privacy rights and promptly handles violations. In particular, enterprises providing social networking and online media services are not allowed to ask users to provide images or videos containing identity documents to authenticate accounts.[10]

8. Big data processing, artificial intelligence (AI), blockchain, virtual universe, cloud computing[11]

PD in this environment must be handled appropriately and limited to the necessary extent.
Systems and services must incorporate appropriate PD security measures; use appropriate authentication, identification, and access authorization methods to process PD.
In particular, the processing of PD by AI must be classified according to the risk level to have appropriate PD protection measures.

9. Biometric data processing

When collecting and processing biometric data, enterprises must have physical security measures for their biometric data storage and transmission devices; limit access to biometric data; and have a monitoring system to prevent and detect biometric data breaches.[12]

10. Severe sanctions for violating the law on PD protection

Depending on the nature, level and consequences of the violation, the enterprise may be subject to administrative sanctions or criminal prosecution; if causing damage, it must compensate according to regulations.[13]

Regarding administrative fines: (i) trading in PD: fine 10 times the illegal income; (ii) violation of cross-border transfer of PD: fine 5% of revenue of the previous year; (iii) other violations: maximum fine of VND 3 billion.[14]

Regardless of their capacity, to ensure readiness before the Law on PDP comes into effect (i.e. January 1, 2026), enterprises need to be proactive: conduct a comprehensive review of the types of PD being collected and stored to classify and develop appropriate handling and protection measures; update procedures and instructions for handling PD in accordance with new regulations; establish a governance and compliance mechanism throughout the operation; and establish a PD protection department of the enterprises.

[1]Articles 7.6 and 17 of the Law on PDP

[2]Article 20.1 of the Law on PDP

[3]Article 20.6(b) of the Law on PDP

[4]Articles 20.3 and 22 of the Law on PDP

[5]Articles 14.1, 14.2 and 14.4 of the Law on PDP

[6]Article 33.2 of the Law on PDP

[7]Article 38 of the Law on PDP

[8]Article 25 of the Law on PDP

[9]Article 28 of the Law on PDP

[10]Article 29 of the Law on PDP

[11]Article 30 of the Law on PDP

[12]Article 31.4(b) of the Law on PDP