Vietnam’s Personal Data Protection Law: A Complete Guide for 2025
ON THIS PAGE
- Key Takeaways to Ensure Compliance with the PDPL
- What Is Vietnam’s Personal Data Protection Law (PDPL)?
- Who Must Comply with Vietnam’s PDPL?
- Rights of Individuals Under Vietnam’s Data Protection Law
- Obligations for Businesses and Organizations under the Vietnam’s PDPL
- What Are Consent Requirements under Vietnam’s PDPL?
- Cross-Border Data Transfer Rules in Vietnam
- Mandatory Impact Assessments (Articles 20–21)
- Data Protection Requirements for Specific Data Processing Activities
- Fines and Penalties for Non-Compliance with PDPL
- How Does Vietnam’s PDPL Compare to the GDPR?
- Practical Steps to Ensure Compliance with the PDPL
- Frequently Asked Questions
Vietnam’s new Personal Data Protection Law (PDPL) was passed in June 2025 and enters into force on January 1, 2026. The PDPL governs the collection and management of personal data, setting obligations for organizations and rights for individuals. It applies not only to Vietnamese businesses but also to any foreign entity collecting or processing the data of Vietnamese residents.
This guide breaks down the key principles, obligations, cross-border transfers, security measures, and compliance steps under the PDPL.
Key Takeaways to Ensure Compliance with the PDPL
- Obtain explicit, specific, granular, and informed user consent to use their personal data.
- Adhere to purpose limitation and data minimization principles.
- Map and classify personal data within your systems.
- Create transparent privacy policies and regularly update them.
- Implement adequate data security measures.
- Provide appropriate measures for individuals to exercise their rights.
- Perform a Data Processing Impact Assessment and a Cross-border Transfer Impact Assessment.
- Appoint a data protection officer (DPO).
- Train employees on data protection best practices.
- Implement breach response mechanisms for timely notifications.
What Is Vietnam’s Personal Data Protection Law (PDPL)?
The Vietnam Personal Data Protection Law (PDPL) is Vietnam’s comprehensive data privacy law. It protects the personal data of Vietnamese residents and regulates how personal information is collected, stored, processed, and transferred. The law applies to both domestic and foreign entities collecting or processing the data of Vietnamese residents.
The Vietnamese National Assembly passed the PDPL, formally Law No. 91/2025/QH15, on June 26, 2025. The law comes into force on January 1, 2026.
The law unifies data privacy rules previously dispersed across different laws and replaces the current Personal Data Protection Decree (PDPD), Decree No. 13/2023/ND-CP, which took effect in 2023.
Who Must Comply with Vietnam’s PDPL?
Vietnam’s data protection law applies to the following entities:
- Vietnamese agencies, organizations, and individuals that collect or process personal data;
- Foreign agencies, organizations, and individuals offering services to Vietnam’s residents or transferring Vietnamese personal data abroad;
- Public institutions handling Vietnamese personal data.
This means businesses ranging from e-commerce platforms to financial services providers must comply with the PDPL.
Exemptions from the PDPL
Small businesses and start-ups get a five-year grace period before they must comply with some provisions, including Article 21 (impact assessment of personal data processing) and Article 22 (updating the assessment record).
Business households and micro-enterprises are also exempt from these PDPL requirements.
However, this exemption does not apply if these entities perform the following activities:
- Provide personal data processing services;
- Directly handle sensitive data; or
- Process large volumes of personal information.
This approach aims to reduce compliance burdens for small entities while maintaining safeguards when the processing of personal information increases.
Rights of Individuals Under Vietnam’s Data Protection Law
Vietnam’s PDPL grants individuals the following rights:
- Right to be informed about data collection and processing.
- Right of access to their personal information.
- Right to correct or delete inaccurate or outdated data.
- Right to agree, disagree, or withdraw consent to personal data processing.
- Right to file complaints, report violations, initiate lawsuits, or seek compensation.
- Right to request relevant authorities or entities take measures to protect their personal data.
These rights align with global data protection trends, empowering individuals to control their digital footprint.
Obligations for Businesses and Organizations under Vietnam’s PDPL
The Vietnam PDPL sets the following obligations for entities that fall within its scope:
- Purpose limitation
Vietnam’s PDPL requires businesses to collect and process personal data strictly within the disclosed scope and for the specific, clear purposes to which individuals consented. Clearly define and communicate processing purposes.
- Data minimization
Limit the collection of personal data to what is necessary for the specific purpose. Any other use or disclosure of personal data, such as sharing it with ad services, financial institutions, or affiliates, needs separate consent or another legal basis.
- Consent requirements
Organizations must obtain explicit user consent before processing personal data. Individuals have the right to withdraw consent at any time.
- Data security
Organizations must implement adequate technical and organizational security measures to protect the personal data of Vietnamese individuals.
- Records of data processing
Organizations must maintain records of processing activities.
- Data subject requests
Organizations must provide appropriate means for individuals to exercise their rights and respond to requests within the specified time.
- Cross-border transfer of personal data
Organizations that transfer data overseas must conduct a data transfer impact assessment and ensure the recipient country has adequate data protection. Transfers by state agencies, storage of employee data on cloud services, and transfers that data subjects make of their own data are exempt from the cross-border transfer requirements.
- Impact assessments for personal data processing
Organizations must conduct impact assessments of their personal data processing activities and submit them within 60 days of the start of processing.
- Breach notifications
Organizations must report data protection violations within 72 hours of discovery, in particular breaches that affect national security or public safety or cause harm to individuals. Organizations must keep records of violations and breaches and cooperate with authorities to manage and mitigate their impact.
Organizations must also implement measures to prevent future violations and support authorities during investigations.
- Deletion of personal data
Organizations must delete or destroy all personal data when the original purpose is fulfilled, the storage period has expired, or the individual requests deletion. Use reliable methods that prevent unauthorized access to, or restoration of, deleted data.
Where organizations cannot delete an individual’s personal data for legitimate reasons, they must inform the individual.
- Data Protection Officer
Appoint a Data Protection Officer (DPO) where required. The DPO can be in-house staff or a contracted specialist. Micro-businesses and most start-ups get a five-year grace period.
What Are Consent Requirements under Vietnam’s PDPL?
Consent must be voluntary, specific, fully informed, and purpose-specific. Organizations must obtain user consent before collecting personal information.
- Voluntary: There must be no pressure to grant consent. Do not word or design a cookie notice so that it nudges the visitor toward granting consent.
- Specific: The PDPL forbids businesses from attaching any condition that requires consent to purposes beyond those agreed upon.
- Fully informed: Obtain explicit user consent and do not use dark patterns or other misleading behavior to obtain it. If the individual does not interact with the cookie banner, continues scrolling, or takes no action, there is no consent.
- Purpose-specific: Obtain separate consent for every distinct purpose; businesses must obtain granular consent. Bundled or broad consents tied to unrelated services are not valid consent and expose businesses to enforcement risk.
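The four properties above translate directly into how a site’s consent layer has to behave. The following is an added example, not code from this article or from CookieScript’s CMP: a small consent store in which the default is “no consent”, only a deliberate click counts as an expression of will (scrolling or ignoring the banner never does), consent is recorded per purpose, a bundled “all” is rejected, withdrawal takes effect immediately, and every decision is logged for record-keeping. The purpose list, the source names and the class name are illustrative assumptions; plug your own purposes and UI events into them.

```javascript
// Added example, not code from the article or from CookieScript's CMP.
// A minimal consent store that behaves the way the PDPL consent rules above
// require: default is "no consent", only an explicit click counts, consent is
// recorded per purpose, bundled purposes are rejected, and withdrawal is
// immediate. All names (PURPOSES, EXPLICIT_SOURCES, ConsentStore) are
// illustrative assumptions for this example.

// Constructed list of distinct, non-essential processing purposes.
const PURPOSES = ["analytics", "advertising", "personalization"];

// Only a deliberate interaction with an accept/reject/settings control is an
// expression of will. Scroll, banner dismissal, or a timeout never grants consent.
const EXPLICIT_SOURCES = new Set(["accept_click", "reject_click", "settings_save"]);

class ConsentStore {
  constructor(policyVersion) {
    this.policyVersion = policyVersion; // version of the notice the user saw
    this.decisions = new Map();         // purpose -> { granted, at, source, policyVersion }
    this.log = [];                      // append-only trail for record-keeping
  }

  // Record a decision for each purpose listed individually (granular consent).
  // Returns true if a decision was stored, false if the signal was ignored.
  record(purposes, granted, source) {
    const at = Date.now();
    if (!EXPLICIT_SOURCES.has(source)) {
      // Implicit signals leave the state untouched: default stays "no consent".
      this.log.push({ event: "ignored_implicit_signal", source, at });
      return false;
    }
    if (!Array.isArray(purposes) || purposes.length === 0) return false;
    for (const p of purposes) {
      // "all" or any other wildcard is a bundled consent and is rejected.
      if (!PURPOSES.includes(p)) throw new Error(`unknown or bundled purpose: ${p}`);
    }
    for (const p of purposes) {
      this.decisions.set(p, { granted, at, source, policyVersion: this.policyVersion });
      this.log.push({ event: granted ? "granted" : "refused", purpose: p, source, at });
    }
    return true;
  }

  // Withdrawal must be possible at any time and takes effect immediately.
  withdraw(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const at = Date.now();
    this.decisions.set(purpose, { granted: false, at, source: "withdraw", policyVersion: this.policyVersion });
    this.log.push({ event: "withdrawn", purpose, at });
  }

  // Consent is valid only if explicitly granted for this purpose under the
  // notice version currently in force.
  hasConsent(purpose) {
    const d = this.decisions.get(purpose);
    return d !== undefined && d.granted === true && d.policyVersion === this.policyVersion;
  }

  // Gate a processing action (e.g. loading a tracking script) on consent.
  // Returns true if the action ran, false if it was blocked.
  gate(purpose, action) {
    if (!this.hasConsent(purpose)) return false;
    action();
    return true;
  }

  // When the notice changes (new purposes, new recipients), earlier consent no
  // longer covers it: bumping the version makes hasConsent() fall back to "no".
  rotatePolicy(newVersion) {
    this.policyVersion = newVersion;
  }
}

// Walk-through with constructed events: scrolling is ignored, a click on
// "accept analytics" enables only analytics, withdrawal blocks it again.
function demo() {
  const store = new ConsentStore("2026-01");
  store.record(["analytics"], true, "scroll");        // ignored: not an explicit signal
  store.record(["analytics"], true, "accept_click");  // stored
  const loaded = [];
  store.gate("analytics", () => loaded.push("analytics.js"));
  store.gate("advertising", () => loaded.push("ads.js")); // blocked: no consent for ads
  store.withdraw("analytics");
  return { loaded, analyticsNow: store.hasConsent("analytics"), events: store.log.length };
}

console.log(demo());
```

The point of `rotatePolicy` is the purpose-limitation rule: consent given for one set of purposes does not carry over when the notice adds new ones, so the store simply stops honouring decisions recorded under the old version instead of silently extending them.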
Processing personal information without user consent
Under the Vietnam PDPL, there are specific scenarios when user consent is not necessary:
- When protecting vital interests, life, health, or the dignity of individuals;
- When managing national emergencies or security threats;
- When supporting state agency operations;
- When enforcing legal agreements;
- In other legally specified situations.
Organizations operating under these scenarios must establish accurate monitoring mechanisms, clear processing guidelines, and periodic compliance audits.
Use a CookieScript Consent Management Platform (CMP) to create a PDPL-compliant Cookie Banner and collect user consent.
Cross-Border Data Transfer Rules in Vietnam
Vietnam imposes strict conditions on transferring personal data outside of the country. Organizations that transfer data overseas must:
- Conduct a data transfer impact assessment.
- Obtain approval from the Ministry of Public Security (MPS) (in some cases).
- Ensure the recipient country has adequate data protection.
Before transferring data abroad, organizations must conduct a transfer impact assessment that includes the purpose of the transfer, types and volume of personal data involved, the country and organization receiving the data, security measures, and potential risks if the data is leaked.
Organizations that perform cross-border data transfers must perform an impact assessment and submit it to the authorities within 60 days of the initial transfer date.
Failure to follow these rules may result in suspended transfers or legal penalties. Authorities have the right to inspect and suspend transfers threatening national interests.
Mandatory Impact Assessments (Articles 20–21)
Organizations must submit to Vietnam’s data protection authority:
- A Data Processing Impact Assessment (DPIA).
- A Cross-border Transfer Impact Assessment (CTIA).
The DPIA must be submitted within 60 days of the start of processing.
In cases of cross-border data transfer, the CTIA must also be submitted to Vietnam’s data protection authority within 60 days of the first transfer. However, the PDPL exempts certain activities from the CTIA, such as:
- Transfers by state agencies;
- Cloud storage of employee data;
- Data subjects transferring their own personal data.
If impact assessments are filed under this law, no further risk assessments are required under other laws on data.
Data Protection Requirements for Specific Data Processing Activities
Articles 24–32 of the Vietnam PDPL also define data protection requirements for specific areas of personal data processing.
Protection of personal data for children and vulnerable individuals
- Legal representatives must act on behalf of minors and vulnerable individuals.
- Both the child (over 7 years old) and the representative must provide consent for disclosing sensitive personal data.
- Organizations must stop data processing immediately if consent is withdrawn or authorities find risks to their rights.
Data protection in employment
- Organizations must obtain the candidate’s consent to collect and process their data.
- Organizations may only collect job-relevant data.
- Organizations must delete personal data if the candidate is not hired (unless agreed otherwise).
- Organizations must destroy data after the contract ends (unless laws or agreements state otherwise).
Data protection in finance, banking, and credit sectors
- Organizations must protect sensitive data.
- Organizations need to obtain user consent to perform credit scoring.
- Organizations must notify individuals of any data breaches.
- Organizations must implement adequate data security, confidentiality, and recovery measures.
Health and insurance data protection
- Consent is mandatory for processing health-related or insurance data.
- Organizations can’t share personal data with third parties (unless the subject consents or as allowed by law).
- Organizations may use only applications that fully comply with the PDPL.
- Reinsurance contracts must disclose data sharing.
Social networks
- Organizations must clearly inform users what personal data is collected.
- Organizations must not excessively collect ID images or videos for identity verification.
- Organizations must provide a Do-not-track option.
- Organizations must provide opt-outs for cookies and tracking.
Data from public recordings
- Consent is not required for public event recordings in the case of public interest or law enforcement.
- Organizations must notify individuals if they’re being recorded, unless legally exempt.
- Collected data must only be used for its original purpose and deleted when no longer needed.
- Organizations recording in public spaces must ensure compliance with the PDPL.
Fines and Penalties for Non-Compliance with PDPL
Unlike the EU and many other jurisdictions, Vietnam does not have an independent data protection authority. Instead, enforcement powers are divided among different authorities under different pieces of legislation.
Penalties for non-compliance with PDPL depend on the severity of the breach. Violations of PDPL can lead to:
- Fines and administrative sanctions.
- Suspension of data processing activities.
- Criminal liability (in serious cases).
Fines can be up to ten times the revenue earned from the violation.
For cross-border data transfer violations, fines can reach up to 5% of the organization’s previous year’s revenue or VND 3 billion (around €100,000), whichever is higher.
For trading in personal data, the maximum fine is ten times the revenue gained from the violation or VND 3 billion (around €100,000), whichever is higher.
For other violations, the maximum fine is VND 3 billion (around €100,000).
How Does Vietnam’s PDPL Compare to the GDPR?
Vietnam’s PDPL shares many similarities with the EU’s General Data Protection Regulation (GDPR), such as consent requirements, data subject rights, business obligations, and accountability principles. Businesses familiar with the GDPR will find the PDPL framework recognizable. There are, however, some differences. The PDPL differs from the GDPR in:
- Government oversight of certain data processing activities via the Ministry of Public Security.
- Stricter cross-border transfer approval processes.
- Local data storage obligations in certain cases.
CookieScript Consent Management Platform (CMP) can help you to comply with Vietnam’s PDPL and avoid penalties.
In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform for a whole year!
The platform is also recognized as a Google-certified CMP in the Gold tier, highlighting its compliance with privacy and the latest consent management requirements.
Practical Steps to Ensure Compliance with the PDPL
Organizations can take the following steps to comply with the PDPL and avoid penalties:
- Obtain explicit, specific, granular, and informed user consent to use their personal data.
- Adhere to purpose limitation and data minimization principles.
- Map and classify personal data within your systems.
- Create transparent privacy policies and regularly update them.
- Implement adequate data security measures.
- Provide appropriate measures for individuals to exercise their rights.
- Perform a Data Processing Impact Assessment (DPIA) and a Cross-border Transfer Impact Assessment (CTIA) (in cases of cross-border data transfer).
- Appoint a data protection officer (DPO).
- Train employees on data protection best practices.
- Implement breach response mechanisms for timely notifications.
Frequently Asked Questions
What is Vietnam’s personal data protection law (PDPL)?
The Vietnam Personal Data Protection Law (PDPL) is Vietnam’s comprehensive data privacy law. It protects the personal data of Vietnamese residents and regulates how personal information is collected, stored, processed, and transferred. The law applies to both domestic and foreign entities collecting or processing the data of Vietnamese residents. CookieScript CMP can help you comply with the PDPL.
Does Vietnam have a data privacy law?
The new Vietnam Personal Data Protection Law (PDPL), a comprehensive data privacy law in Vietnam, will come into force on January 1, 2026. CookieScript CMP can help you comply with the PDPL.
What are the consent requirements under Vietnam’s PDPL?
Under Vietnam’s PDPL, consent must be voluntary, specific, fully informed, and purpose-specific. Organizations must obtain user consent prior to collecting user personal information. CookieScript CMP can help you to create a cookie banner and collect user consent.
What are the user consent requirements under Vietnam’s PDPL for children?
Legal representatives must act on behalf of minors. Both the child (over 7 years old) and the representative must provide consent for disclosing sensitive personal data. CookieScript CMP can help you collect user consent for adults and children.
What are fines for non-compliance with Vietnam’s data privacy law?
Under Vietnam’s PDPL, for cross-border data transfer violations, fines can reach up to 5% of the organization’s previous year’s revenue or VND 3 billion (around €100,000), whichever is higher. For trading in personal data, the maximum fine is ten times the revenue gained from the violation or VND 3 billion (around €100,000), whichever is higher. For other violations, the maximum fine is VND 3 billion (around €100,000).
How to comply with Vietnam’s data privacy law PDPL?
Organizations must obtain explicit user consent, adhere to purpose limitation and data minimization principles, create transparent privacy policies, implement adequate data security measures, provide appropriate measures for individuals to exercise their rights, perform a Data Processing Impact Assessment (DPIA) and a Cross-border Transfer Impact Assessment (CTIA), appoint a data protection officer (DPO), train employees, and implement breach response mechanisms for timely notifications. CookieScript CMP can help you comply with the PDPL.