Vietnam passed their Personal Data Protection Law: What businesses need to know now

​On 25 June 2025, Vietnam’s National Assembly officially passed the Law on Personal Data Protection (PDPL), which will take effect on 1 January 2026. The new law introduces a more comprehensive and structured framework compared to Decree No. 13/2023/ND-CP (PDPD), aiming to strengthen individual rights and accountability in the handling of personal data.

     

The PDPL clarifies its scope to apply  to both domestic and foreign individuals and organizations that directly participate in or are involved in the processing of personal data of Vietnamese citizens or persons of Vietnamese origin residing in Vietnam who have not yet determined their nationality but have been issued an identity certificate.

     

The obligation to conduct and submit a Personal Data Processing Impact Assessment (DPIA) and a Cross-Border Transfer Impact Assessment (TIA) remains. Organizations must submit these dossiers to the Department of Cybersecurity and High-Tech Crime Prevention (A05) under the Ministry of Public Security within 60 days of commencing data processing. These are one-time submissions but must be updated every six months if changes occur, or immediately in cases of material changes such as business dissolution or changes to relevant business lines.

    

A five-year grace period is granted to small enterprises and startups from the effective date of the PDPL, during which they are not required to submit impact assessments or appoint a data protection officer. Business households and micro-enterprises are entirely exempt unless they process sensitive data, provide data processing services, or handle large volumes of personal data.

   

Notably, new TIA exemptions have been introduced, including for storing employee data in the cloud and when data subjects themselves transfer their data abroad.

    

The PDPL introduces significant penalties. The fine for selling or purchasing personal data is up to 10 times the revenue gained, or VND 3 billion, whichever is higher. Violations related to cross-border data transfers may result in penalties of up to 5 % of the violator’s previous year’s revenue, or VND 3 billion. Other breaches are capped at VND 3 billion.

    

While the PDPL provides greater legal clarity, many provisions will require further guidance from the authorities.  Businesses are encouraged to review their current data processing practices, ensure compliance with the PDPL, and prepare required documents such as Personal Data Processing Agreements and Data Transfer Agreements. Timely submission of DPIA and TIA is crucial to avoid violations and the risk of substantial administrative sanctions.