Vietnam Approves Personal Data Protection Law (PDPL): To Take Effect from January 2026

Vietnam’s National Assembly has officially passed the long-awaited Personal Data Protection Law (PDPL), which will come into force on 1 January 2026. The PDPL imposes more detailed and stringent compliance obligations and is expected to have a broad impact on both domestic and international businesses operating in Vietnam.

Clearer definitions of personal data, including encrypted data

Under the PDPL, personal data continues to refer to information that can be used to identify an individual. However, the government is expected to release an official list categorizing data into:

  • Basic personal data, and
  • Sensitive personal data.

Notably, encrypted data will still be considered personal data, meaning encryption alone will not exempt data from PDPL compliance requirements.

Clearer requirements for approval of personal data processing

The PDPL introduces clearer requirements for approval of personal data processing in certain activities, namely:

  • Recruitment, management, and employment
  • Health-related information in the insurance business
  • Financial and banking
  • Marketing
  • Social media and online communication services
  • Big Data, AI, Blockchain, Metaverse, and Cloud Computing
  • Personal location data and Biometric data
  • Audio and video recording in public places and events

Some consent exceptions eased, CCTV use clarified

The PDPL continues not to recognize “legitimate interests” as a basis for bypassing consent. However, exceptions are now explicitly stated, such as the use of CCTV for security purposes, which no longer requires consent.
That said, areas such as cloud computing, AI, and big data processing remain legally ambiguous regarding whether they qualify for consent exemptions, posing potential risks for data-driven businesses.

Data subject rights and business response framework

The PDPL reinforces the rights of data subjects, including the right to rectify, delete, or restrict data processing. However, organizations are permitted to refuse or defer such requests under certain conditions, such as:

  • Protection of legal rights
  • Litigation or legal proceedings
  • Preparation or defense of legal claims

This provides businesses with safeguards against excessive or abusive claims from data subjects.

Organizational requirements and cross-border transfers

New implementation decrees are expected to detail the requirements for appointing Data Protection Officers (DPOs) and establishing Data Protection Departments (DPDs). In addition, Transfer Impact Assessments (TIAs) will be required for most cross-border data transfers, including:

  • Transfers to storage systems outside Vietnam
  • Transfers to foreign organizations or individuals
  • Processing via platforms located outside Vietnam

Some exceptions apply—for example, routine employee data processing via cloud systems or data personally transmitted abroad by the data subject.

Harsher penalties

The PDPL introduces penalties of up to VND 3 billion or 5% of prior-year revenue for violations, specifically:

  • For unauthorized data trade, the maximum administrative fine is 10 times the revenue gained from such violations.
  • For violations involving cross-border data transfers, the maximum administrative fine is 5% of prior-year revenue or VND 3 billion (equivalent to USD 120,000), whichever is higher.

For other violations, the maximum administrative fine is VND 3 billion (equivalent to USD 120,000).

Grace periods for SMEs and startups

Some small businesses, startups, and individual business households will benefit from a five-year grace period for requirements like Data Protection Impact Assessments (DPIAs) and DPO/DPD appointments. However, this grace period will not apply to businesses that:

  • Process large volumes of personal data
  • Act as data processors
  • Handle sensitive personal data

As such, businesses should monitor the upcoming official list of “sensitive data” closely.

What should businesses do now?

To prepare for PDPL compliance, companies are advised to begin the following steps:

  • Reassess internal data processing workflows and consent mechanisms
  • Conduct an inventory of cross-border data flows and plan for TIA requirements
  • Evaluate internal budgets and compliance structures to account for potential fines
  • Update existing DPIAs, TIAs, and consent documentation at least every six months or upon major organizational changes

Conclusion

The PDPL marks a significant step toward aligning Vietnam’s data protection standards with global norms. It not only raises the bar for data transparency and accountability but also emphasizes the importance of trust-based data management frameworks.

Moving forward, businesses will need to go beyond basic compliance to build robust, transparent systems that earn and maintain trust from customers, partners, and regulators alike.

If you need assistance, RBA WTS Vietnam is ready to provide expert guidance to meet your needs. Please contact us for support or a personalized consultation.
