The Law on Personal Data Protection No. 91/2025/QH15 (the PDPL) and Decree No. 356/2025/ND-CP dated 31 December 2025 detailing a number of articles and implementation measures of the PDPL (Decree 356), which officially came into effect on 1 January 2026, have completed Vietnam’s legal framework on privacy rights and personal data control, while aligning it more closely with international data protection standards. This legislation has a direct impact on all organizations and enterprises, both domestic and foreign, that engage in personal data processing activities in Vietnam.
This article summarizes the core aspects of the PDPL that individuals and enterprises should pay particular attention to.
Scope of regulation and subjects of application
The PDPL governs the entire process of personal data processing, from collection, recording, and storage to analysis, sharing, transfer, or deletion of personal data. Its scope of application is not limited to the territory of Vietnam but also extends to foreign organizations and individuals that process the personal data of Vietnamese citizens, regardless of whether such processing is conducted within or outside the territory of Vietnam. This provision demonstrates Vietnam’s approach toward international standards on personal data protection.

Definition and classification of personal data
Under the PDPL, personal data is defined as information in the form of symbols, letters, numbers, images, sounds, or similar forms that is associated with or capable of identifying a specific individual. Based on this definition, personal data is classified into two categories:
– Basic personal data:
- Full name and date of birth;
- Gender and nationality;
- Phone number, email address, and residential address;
- Other identifying information associated with an individual.
– Sensitive personal data:
- Data relating to health, biometric, and genetic characteristics;
- Financial and credit-related data;
- Data concerning location and service usage behavior;
- Information on political opinions, religious beliefs, and private life.
Principles of personal data processing
A core element of the PDPL is its set of principles for personal data processing. All data processing activities must be carried out lawfully and transparently, and for purposes that have been clearly notified to the data subject. Personal data may only be collected to the extent necessary and appropriate for the stated processing purposes, and must be kept safe and secure throughout the entire course of processing. As a general rule, the processing of personal data requires the consent of the data subject, except for specific cases permitted by law for the purpose of serving public interests, national security, or legal obligations.
Rights of personal data subjects
Pursuant to the PDPL, personal data subjects are entitled to a number of important rights, including:
- The right to be informed of personal data processing activities;
- The right to give consent or withdraw consent;
- The right to access, correct, and update personal data;
- The right to request deletion of data, restriction of processing, or to object to personal data processing;
- The right to lodge complaints, denunciations, and claims for compensation for damages when personal data is infringed.
Obligations of enterprises to comply with the PDPL
As personal data controllers or both controllers and processors, enterprises are subject to clearly defined roles and responsibilities under the PDPL, including the following obligations:
- Issuing internal data protection regulations and applying corresponding technical measures to safeguard personal data;
- Establishing a dedicated unit or appointing personnel responsible for personal data protection, namely a Data Protection Officer (DPO);
- Notifying competent state authorities and data subjects of personal data breaches when incidents occur;
- Transferring personal data to third parties only when statutory conditions are satisfied;
- Preparing a Dossier for Impact Assessment of Personal Data Processing (DPIA Dossier) and cross-border data transfer impact assessment dossiers in accordance with the law.
Cross-border transfer of personal data
The cross-border transfer of personal data is controlled under the PDPL through risk assessment and management mechanisms. Accordingly, personal data may only be transferred abroad when data protection conditions are met, the rights and interests of data subjects are safeguarded, and the procedures prescribed by Vietnamese law are complied with. These regulations are particularly significant for foreign-invested enterprises (FDIs) in Vietnam that use group-wide human resource management (HRM) software of their parent companies or overseas data storage and processing systems such as Google Cloud, Azure, or AWS.
Legal liabilities for violations
Organizations and individuals that violate the PDPL may be subject to substantial administrative penalties, including fines of up to 5% of the previous year’s revenue for cross-border violations or up to ten times the unlawful gains obtained from illegal personal data trading by individuals. In serious cases, criminal liability may also be imposed if the violation constitutes a criminal offense. In addition to legal sanctions, non-compliance with personal data protection regulations poses significant risks to an enterprise’s reputation and brand value.
The Law on Personal Data Protection No. 91/2025/QH15 and Decree 356 have established a relatively comprehensive legal framework governing personal data processing activities in Vietnam. As compliance requirements become increasingly stringent, particularly for foreign-invested enterprises, technology (IT) and artificial intelligence (AI) companies, or entities engaged in cross-border data processing, proactively reviewing and strengthening personal data protection mechanisms has become essential to mitigating legal risks and ensuring stable and sustainable business operations.
With extensive experience in corporate and investment legal advisory services, Siglaw Firm provides comprehensive consulting services on compliance with personal data protection regulations. These services include reviewing data processing procedures, developing internal policies, and advising on and assisting with personal data processing impact assessments and cross-border personal data transfer procedures, thereby accompanying enterprises in meeting the requirements of the PDPL and its implementing regulations.