Distinguishing Between Basic and Sensitive Personal Data

In the context of digital transformation and data-driven business becoming increasingly prevalent, personal data has become one of the most critical assets for enterprises. However, accompanying these opportunities are increasingly stringent legal obligations regarding the protection of individual privacy.

With the official entry into force of the Law on Personal Data Protection 2025 and Decree No. 356/2025/ND-CP detailing a number of articles and implementation measures of the Law (the “PDPL”), one of the issues causing the most confusion for enterprises is distinguishing between Basic Personal Data and Sensitive Personal Data.

Failure to correctly identify data types leads to the application of incorrect procedures, lack of necessary security measures, deficiencies in impact assessment dossiers, and potential exposure to substantial administrative penalties.

The following article by Siglaw will assist enterprises in accurately classifying Basic and Sensitive Personal Data while identifying the corresponding compliance obligations for each data type under current laws.

What is Basic Personal Data?

Basic Personal Data comprises common identifying information about an individual—typically personal and background information frequently used in transactions and social relations. The list of Basic Personal Data includes:

  • Full name, date of birth, place of birth, gender, nationality.
  • Personal image.
  • Phone number, Email address, Permanent/Temporary residential address.
  • Citizen Identity Card number, Passport number, Personal Tax Code, Social Security Number, Vehicle license plate number.
  • Marital status and family relationships.
  • Information regarding the individual’s digital accounts.

What is Sensitive Personal Data?

Sensitive Personal Data refers to personal information closely associated with an individual’s privacy which, if infringed, would directly affect their legal rights and interests. This category requires a higher level of protection due to its sensitive nature and the risk of significant harm.

Sensitive Personal Data includes:

  • Information on private life, political opinions, and religious beliefs;
  • Health data and private information in medical records;
  • Information on racial or ethnic origin;
  • Genetic data and biometric data (e.g., fingerprints, facial recognition data);
  • Data regarding criminal records or criminal acts;
  • Financial information of customers at banking institutions (such as identification information, account details, transactions);
  • Location data determined via GPS or positioning services;
  • Other personal information specified by law as requiring special protection.

Expert Insight: The Thin Line Between “Account” and “Card”

Let us examine a typical example regarding Bank Account Numbers versus Payment Card Information, two types of data that are often treated as “sensitive” by default because of their association with finance. However, this generalization is inaccurate when the actual nature of the risk is considered.

  1. Bank Account Number: In essence, a Bank Account Number is normally disclosed openly so that others can send transactions to it. Mere knowledge of an account number does not enable a perpetrator to misappropriate assets without the security verification factors (Password, OTP). Therefore, in terms of nature, this information is analogous to identification data and should be classified as Basic Personal Data (specifically “Information regarding the individual’s digital accounts”).
  2. Card Information & Financial Data: Conversely, card information and financial data are fundamentally different and require strict protection under Sensitive Personal Data standards, because:
  • Card Information (Embossed Number, CVV): These are the direct keys to a wallet. Disclosure immediately leads to the risk of theft via online payments.
  • Transaction History and Balance: These are data reflecting private life. Disclosure exposes living habits, consumption behaviors, and the financial capacity of the individual.

The core difference lies in the level of privacy and the consequences of infringement. For basic data, a breach often results in nuisance (spam). However, for sensitive data (e.g., exposed account balances, travel itineraries, or medical records), the consequences can be significant financial loss, blackmail, or severe damage to honor and dignity.

Consequently, the law mandates stricter protection measures for enterprises processing sensitive data—such as the mandatory appointment of a Data Protection Officer (DPO) and the execution of a Data Protection Impact Assessment (DPIA)—requirements from which controllers of basic data may be exempt in certain cases.

Compliance Obligations: Basic vs. Sensitive Data

The distinction in classification leads to a significant difference in the responsibilities of the enterprise (Data Controller & Processor):

  1. Consent & Transparency
    • Basic Personal Data: Explicit Consent is required.
    • Sensitive Personal Data: Explicit Consent is required. The Data Subject must be clearly informed that the data being collected is sensitive.
  2. Security Measures
    • Basic Personal Data: Apply standard administrative and technical measures.
    • Sensitive Personal Data: Apply Enhanced Security Measures (e.g., high-level encryption, strict access control).
  3. Personnel (DPO)
    • Basic Personal Data: Designation of personnel is encouraged.
    • Sensitive Personal Data: MANDATORY appointment of a department or Data Protection Officer (DPO).
  4. Regulatory Filing (DPIA)
    • Basic Personal Data: Prepare a Dossier for Impact Assessment of Personal Data Processing (DPIA) (SMEs may be exempt for a specific period).
    • Sensitive Personal Data: MANDATORY preparation and submission of the DPIA to the Ministry of Public Security for all processing activities.

Recommendations for Enterprises

Distinguishing between basic and sensitive personal data under the new Law helps enterprises determine the level of risk and legal obligations when processing specific information. Siglaw recommends that Enterprises take the following steps:

  • Data Mapping: Conduct a comprehensive review of all data types the enterprise is currently collecting from customers, partners, and employees.
  • Classification & Protection: Classify data correctly according to the law and apply corresponding protection measures. Ensure full customer consent is always obtained, establish strict internal procedures, and enhance security for sensitive data.
  • Regulatory Compliance: Proceed to prepare the Dossier for Impact Assessment of Personal Data Processing (DPIA) if the enterprise controls and processes sensitive data.

Compliance with these requirements not only helps enterprises avoid legal violations but also builds a reputation for protecting customer privacy in today’s digital business environment.

The article above analyzes in detail the differences between Basic Personal Data and Sensitive Personal Data. If you have any questions or require legal assistance, please contact Siglaw Firm for comprehensive consultation.

Head Office in Hanoi: No. 44/A32 – NV13, Area A Geleximco, Le Trong Tan Street, Tay Mo Ward, Hanoi, Vietnam.

Email: vphn@siglaw.com.vn

Southern Branch: No. 103 – 105 Nguyen Dinh Chieu Street, Xuan Hoa Ward, Ho Chi Minh City, Vietnam.

Email: vphcm@siglaw.com.vn

Central Branch: VIFC DN – ICT Building, Software Park No. 2, Nhu Nguyet Street, Hai Chau Ward, Da Nang, Vietnam.

Email: vphcm@siglaw.com.vn

Hotline: 0961 366 238

Facebook: https://www.facebook.com/hangluatSiglaw

Dung Le (Elena)

Attorney-at-Law

Founding Partner

Lawyer Le Dung has more than 14 years of experience providing legal advice to investors from more than 10 countries such as the US, Singapore, Canada, Denmark, Japan, Korea, China…
