Insights and Analysis

Vietnam enacts landmark law on personal data protection: stable standing with stricter compliance

30 July 2025

Vietnam's data privacy landscape is undergoing a significant transformation with the recent enactment of the Law on Personal Data Protection (PDP Law), effective from 1 January 2026. This new law marks a pivotal step in strengthening the legal framework for personal data protection in Vietnam, building upon and substantially expanding the provisions of Decree No. 13/2023/ND-CP on Personal Data Protection (Decree 13), which came into effect on 1 July 2023. This elevation from a Government decree to a comprehensive national law will create a more stable legal foundation and introduce substantially stricter compliance requirements and penalties for businesses operating in or engaging with Vietnam.

Chapter 1

Key implications and comparison with Decree 13


The PDP Law represents a pivotal shift, moving Vietnam closer to international data protection standards while retaining unique local characteristics. We set out below an overview of critical changes that may significantly impact your operation in Vietnam.

1. Broad extraterritorial application

  • PDP Law: Provides greater clarity on its applicability to foreign entities, extending to those directly involved in or related to the processing of personal data of Vietnamese citizens, even without a physical presence in Vietnam. This broad scope means foreign companies targeting the Vietnamese market must comply with the PDP Law, regardless of their physical presence in the country.
  • Decree 13: Also has extraterritorial effect, applying to foreign agencies, organizations, and individuals directly or indirectly involved in processing personal data in Vietnam, though its scope was less explicitly defined.

2. Enhanced definitions and classifications of personal data

  • PDP Law: Retains the two-tiered classification of basic and sensitive personal data but delegates the detailed enumeration of data types within these categories to the Government, allowing for greater flexibility as new data types emerge. Encrypted data is still considered personal data, unless it is properly de-identified.
  • Decree 13: Was the first legal document to directly regulate "personal data" and provided definitions and classifications. Despite this, Decree 13 does not provide for the encryption and decryption of personal data.

3. Stricter consent requirements and new lawful basis

  • PDP Law: Maintains a consent-centric approach, emphasizing that consent must be voluntary, clear, and expressed in text or verifiable electronic format, with silence or non-response not constituting consent. It also introduces a new exception for processing personal data without consent to protect "legitimate" or "justifiable" rights or benefits of the data controller or another party, though this is narrower than the "legitimate interests" ground in other major jurisdictions.
  • Decree 13: Also makes prior explicit consent the main legal basis for processing personal information, requiring voluntary consent based on full understanding of purpose, data type, entities involved, and data subject rights.

4. Data subject rights

  • PDP Law: Reinforces and grants data subjects strong controls, including the right to know about data processing; give, decline or withdraw consent; view, edit or delete data; request provision, deletion, restriction of or objection to personal data processing; complain, denounce, initiate lawsuits, request compensation for damages; and request protection measures. It also specifies conditions for data deletion or destruction. Notably, the Law no longer imposes the strict 72-hour deadline to complete a data subject's request. Still, the upcoming guiding decree by the Government may elaborate on the response time and process.
  • Decree 13: Establishes similar important rights for data subjects and mandates a strict 72-hour deadline to handle and complete a data subject's request.

5. Data protection impact assessment (DPIA) and cross-border transfer impact assessment (TIA)

  • PDP Law: Continues to require DPIA and TIA, with updates every six months or immediately in certain cases. However, it introduces several specific exemptions for TIA, including transfers by competent state authorities, storing employee data on cloud services for internal use, cases where data subjects themselves transfer their personal data across borders, or as prescribed by the Government.
  • Decree 13: Mandates DPIA and TIA reports for data controllers, processors, and controller-processors, without explicit exemptions.

6. Significant administrative fines and sanctions

  • PDP Law: Introduces substantial administrative fines. For trading personal data, the maximum fine is 10 times the revenue from the violation or VND 3 billion (approximately USD 115,000), whichever is higher. For cross-border transfer violations, the fine can be up to 5% of the violator's revenue from the preceding year or VND 3 billion, whichever is higher. Other violations are capped at VND 3 billion. Criminal sanctions and compensation for damages are also possible. 
  • Decree 13: Relies on general sanction decrees with lower fines.

7. Sector-specific regulations

  • PDP Law: Introduces detailed sector-specific requirements for various areas: employment (e.g., explicit consent for employee monitoring, deletion of candidate data if not recruited), finance, banking, credit information, advertising, social media platforms, online media, big data, AI, blockchain, metaverse, and cloud computing. It also expands regulations on other matters, such as children, biometrics, location, people with limited or lost civil capacity, or public surveillance activities.
  • Decree 13: Does not have the same level of detailed sector-specific regulations.

8. Exemptions

  • PDP Law: Provides a five-year grace period for startups and small businesses to comply with DPIA/TIA and Data Protection Officer (DPO) requirements, with exemptions for business households and micro-enterprises, unless their core activity is data processing, or those that process sensitive personal data or process a large volume of data.
  • Decree 13: Only offers a grace period of two years from the incorporation date for micro-enterprises, small enterprises, medium-sized enterprises, and startups to be exempt from appointing a DPO. Similarly, businesses engaging in data processing do not qualify for such an exemption.

Chapter 2

Key distinctions: Vietnam's PDP Law vs. EU's GDPR


While Vietnam's new PDP Law adopts many concepts familiar to those under the EU's GDPR—such as extraterritorial scope, high standards for consent, and severe, revenue-based fines—there are fundamental differences in approach and philosophy. For multinational corporations, understanding these distinctions is critical for ensuring compliance in Vietnam.

1. The nature of the regulator and role of national security

  • Vietnam's PDP Law: Enforcement is placed under the direct authority of the Ministry of Public Security (MPS), which will house the specialized data protection agency. National security is a paramount consideration throughout the Law, serving as a basis for processing data without consent, halting cross-border data transfers, and triggering breach notifications.
  • EU's GDPR: Enforcement is handled by independent Data Protection Authorities (DPAs) in each member state, which are structured to be free from government influence. While national security is recognized as a prerogative of member states, the GDPR itself is fundamentally centered on the individual's fundamental right to data protection, separate from state security interests.

2. Legal bases for processing: the absence of "legitimate interests"

  • Vietnam's PDP Law: The Law is heavily reliant on consent as the primary legal basis for processing personal data. While it provides a specific, limited list of exceptions where consent is not required (such as to protect the life or health of the data subject in an emergency or to fulfill a contractual obligation), the Law does not include a broad, flexible legal basis equivalent to "legitimate interests."
  • EU's GDPR: The GDPR provides six legal bases for processing, including the highly flexible "legitimate interests." This allows organizations to process data without consent if they can demonstrate that their interests are not overridden by the rights and freedoms of the data subject, subject to a balancing test. This is commonly used for purposes like direct marketing or internal analytics. The absence of this basis in Vietnam's PDP Law means businesses must secure explicit consent for a wider range of activities.

3. Impact assessment submission requirements

  • Vietnam's PDP Law: Organizations are required to proactively submit their DPIA and TIA to the specialized data protection agency. This must be done within 60 days of commencing the processing or transfer activity. The agency can then review the submitted file and request modifications.
  • EU's GDPR: A DPIA is generally an internal accountability document. It must be conducted for high-risk processing, but it only needs to be submitted to a DPA for "prior consultation" if the organization cannot mitigate the identified high risks. There is no blanket requirement to submit all DPIAs or TIAs to regulators. Vietnam's approach therefore involves more direct and routine government oversight.

4. Cross-border data transfer mechanisms

  • Vietnam's PDP Law: The primary mechanism for transferring data out of Vietnam is the completion and submission of a TIA filing to the regulator. The Law does not explicitly provide for or recognize established international frameworks like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) as standalone, sufficient mechanisms for transfer.
  • EU's GDPR: The GDPR offers a "toolkit" of transfer mechanisms, including adequacy decisions, the widely used SCCs, and BCRs for intra-group transfers. This provides multinational companies with more structured and varied options for legitimizing their data flows. Companies cannot simply rely on their existing GDPR-based SCCs for transfers out of Vietnam; they must adhere to the specific TIA submission process.

Chapter 3

Recommendations for businesses


With the 1 January 2026 effective date approaching, businesses must act now to prepare. While the transitional provisions provide some relief, the new Law's requirements, particularly the penalty regime, necessitate a proactive approach.

  1. Conduct a comprehensive data mapping and audit: Understand what personal data your organization collects, processes, stores, and transfers, including its flow across borders.
  2. Review and update consent mechanisms: Ensure all consent mechanisms are clear, specific, voluntary, and verifiable, aligning with the stricter requirements of the new law.
  3. Strengthen data protection measures: Implement robust technical and organizational measures to protect personal data, including encryption for sensitive data.
  4. Assess and update DPIA and TIA procedures: Review existing impact assessment processes and update them to reflect the new requirements and exemptions. For cross-border data transfers, specifically evaluate whether the new exemptions apply.
  5. Review and amend contracts: Update contracts with data processors, third parties, and employees to include personal data protection provisions and ensure clear responsibilities.
  6. Develop or enhance internal policies and training: Establish comprehensive internal policies and provide regular training to employees on data protection obligations.
  7. Monitor regulatory guidance: Stay abreast of forthcoming Government decrees and guidelines that will provide detailed implementation instructions for the new law and related regulations.
  8. Leverage grace periods (if applicable): If your business qualifies as a startup or small business, understand the grace periods for DPIA and DPO requirements, but still strive for early compliance where feasible.

Chapter 4

Broader regulatory landscape


The enactment of the PDP Law is a cornerstone of Vietnam's broader strategy to build a comprehensive legal framework for its rapidly growing digital economy. This Law does not exist in a vacuum; it complements and interacts with other key developments: 

  • Proactive lawmaking: Beyond the PDP Law, Vietnam has recently enacted or is preparing various other tech-related laws, including the Law on Digital Technology Industry, the Law on Data, and the Law on E-Commerce. The MPS is also advocating for the consolidation of the Law on Cybersecurity and Cyber Information Security, which may be enacted by the end of 2025.
  • Regulatory sandboxes: The embrace of "regulatory sandboxes," such as the Law on Science, Technology and Innovation, Resolution No. 222/2025/QH15 detailing the framework of establishing international financial centers in Vietnam, and Decree No. 94/2025/ND-CP on the Regulatory Sandbox in the Banking Sector, reflects a deliberate policy to balance robust oversight with innovation.
  • Conditional business lines for data activities: New amendments to the Law on Investment indicate that businesses involved in data centers, data intermediary products and services, data analysis and synthesis, or data platform services may need to meet specific conditions, potentially including strict requirements for core and important data transfers.

The Vietnamese Government's proactive stance on data protection signals a new era of accountability and responsibility for organizations handling personal data. For businesses, navigating this evolving landscape requires a holistic compliance approach. It is no longer sufficient to view data privacy, cybersecurity, and digital presence as separate issues. A successful strategy will integrate these considerations, recognizing that the Government's approach is interconnected, with data protection being a critical pillar of national security and digital sovereignty.

Should you require further assistance in navigating these complex regulations, please do not hesitate to contact us.

 

 

Authored by Gaston Fernandez, Duong Pham, Hanh Vu, Charmian Aw, and Ciara O’leary.

Contacts

  • Gaston P. Fernandez, Office Managing Partner (Hanoi, Ho Chi Minh City)
  • Duong Pham, Counsel (Hanoi)
  • Ciara O'leary, Associate (Singapore)
  • Hanh Vu, Trainee Lawyer (Ho Chi Minh City)
