PRINCIPLES OF PERSONAL DATA PROCESSING UNDER VIETNAMESE LAW

In the context of digital transformation and the rapid development of artificial intelligence (AI), e-commerce, digital banking, and social networks, personal data is increasingly becoming a valuable asset for individuals, businesses, and government agencies. However, along with the increase in data collection and processing activities comes the risk of information leakage, misuse of data, or infringement of individuals’ privacy rights. In reality, Vietnam has recorded many cases of customer data being illegally bought and sold or exploited without the full consent of the data subject.

To meet the requirements for protecting personal data in the digital environment, Vietnam has gradually perfected its legal framework through Decree No. 13/2023/ND-CP and the Law on Personal Data Protection 2025 (effective from January 1, 2026). In this framework, the principles of personal data processing play a fundamental role, guiding the collection, use, sharing, and storage of data by agencies, organizations, and businesses.

In this article, Siglaw Firm introduces and analyzes the principles of personal data processing under Vietnamese law, while clarifying the new points of the Law on Personal Data Protection 2025, its practical significance, and issues that businesses need to be aware of when complying with the law on personal data protection.

Principles for Processing Personal Data under the 2025 Law on Personal Data Protection


Principle of Compliance with the Law

The principle of compliance with the law is a fundamental principle in the processing of personal data in Vietnam. Clause 1, Article 3 of the 2025 Law on Personal Data Protection stipulates that the processing of personal data must comply with the Constitution, this Law, and relevant legal regulations. Similarly, Clause 1, Article 3 of Decree No. 13/2023/ND-CP requires that personal data be processed only in accordance with the law and that data subjects must be informed of the data processing activities related to them, except where the law provides otherwise. This affirms that personal data cannot be exploited arbitrarily but must be subject to legal control to protect the privacy and personal rights of individuals.

Essentially, this principle requires that all activities involving the collection, storage, use, analysis, or sharing of personal data must have a clear legal basis, be within the proper authority, and be for the intended purpose. In the context of a rapidly developing digital economy, this regulation helps prevent the misuse of personal data for commercial purposes and ensures a balance between business interests and individual privacy.

Practical experience demonstrates the significant importance of this principle. Between 2022 and 2024, many online lending applications were criticized for requesting access to contact lists, location, or photo libraries even when unnecessary for loan assessment. In some cases, contact data was even used to contact relatives and colleagues to pressure borrowers into repaying debts. These actions show signs of processing data beyond the permitted scope, lacking legal basis, and risking infringing on the right to privacy protected by Article 21 of the 2013 Constitution and Article 38 of the 2015 Civil Code.

Principle of specific purpose and limitations

Vietnamese law stipulates that personal data may only be collected and processed for specific, clear purposes and within the necessary scope. Clause 2, Article 3 of the Law on Protection of Personal Data 2025 requires that data processing must be for the correct purpose, in accordance with legal regulations, and not exceed the necessary scope. Similarly, Clause 3, Article 3 of Decree No. 13/2023/ND-CP stipulates that personal data may only be processed according to the purpose registered, declared, or notified to the data subject. This principle aims to prevent the collection of data for one purpose but its use for multiple purposes without the individual’s proper consent.

The principle of specific purposes and limitations is established to ensure the data subject’s right to control their information. Individuals have the right to know how their data is used and the extent of its exploitation. Clearly defining the purpose of processing not only increases transparency but also provides a basis for the data subject to give genuine consent. In an era where personal data has increasingly significant commercial value, the principle of specific purposes and limitations plays a crucial role as a legal mechanism to prevent data abuse and protect individual privacy in the digital economy.

In practice, violations of this principle are quite common in recruitment, e-commerce, and online marketing. For example, a business may collect candidate information for recruitment purposes but then use it to send advertisements or share it with partners without the employee’s consent. Similarly, many consumers report receiving related advertisements on other platforms after searching for products on e-commerce platforms, raising concerns about the exploitation of consumer behavior data beyond the scope previously announced.

Principles of Accuracy and Limited Storage

Besides requiring data processing to be lawful and for the intended purpose, Vietnamese law also sets out the principle of ensuring the accuracy, timeliness, and limited storage time of personal data. Clause 3, Article 3 of the Law on Protection of Personal Data 2025 stipulates that the accuracy of personal data must be ensured, that data must be corrected or updated when necessary, and that it may only be stored for a period appropriate to the purpose of processing. This regulation inherits the principles already stated in Clauses 5 and 7 of Article 3 of Decree No. 13/2023/ND-CP, reflecting the view that risks to personal data stem not only from theft but also from the continued use of inaccurate or outdated data.

This requirement is particularly important in the financial and banking sector. If a customer’s credit history information is not updated after a loan has been repaid, the individual may be misjudged in terms of credit risk, leading to loan rejection or restricted access to financial services. This shows that personal data can directly impact the rights and economic opportunities of the data subject.

The law also requires that personal data not be stored indefinitely after the purpose of processing has ended. The principle of limited storage aims to reduce the risk of information leakage and prevent data exploitation beyond the necessary scope. In fact, many businesses retain customer or candidate data for extended periods to support marketing activities. For example, an unsuccessful candidate may still receive advertising or recruitment information years later because the data has not been deleted or new consent has not been obtained from the individual. In this case, retaining data beyond what is necessary may be considered inconsistent with personal data processing principles.

The Principle of Synchronized Protection Measures

The principle of synchronized protection measures is built on the understanding that protecting personal data depends not only on technology but also requires a combination of legal, technical, and human factors. Clause 4, Article 3 of the Law on Personal Data Protection 2025 stipulates that data processing activities must be accompanied by the synchronized application of appropriate protection measures to prevent the risk of data breaches. Inheriting the provisions of Clause 6, Article 3 of Decree No. 13/2023/ND-CP, the 2025 Law expands the approach to be more comprehensive by emphasizing the requirement to combine institutional, technical, and human resource management measures.

This principle stems from the reality that personal data can be breached at many different levels. A business with a modern security system can still experience data leaks if employees arbitrarily share customer information; conversely, even a rigorous management process is unlikely to be effective if the technological infrastructure lacks security. Therefore, data protection should be viewed as a comprehensive risk management activity rather than just a technical issue.

Practice in Vietnam shows that many cases of customer data being sold online in the banking, real estate, or e-commerce sectors are not due to cyberattacks but rather to the copying and disclosure of information by internal employees. This demonstrates that investing in technology alone is insufficient if businesses lack mechanisms for access control, authorization, and personnel training in data security.

For businesses, implementing comprehensive protection measures not only helps minimize legal risks but also protects brand reputation and strengthens customer trust. This is especially important for sectors that process large volumes of personal data, such as banking, financial technology (fintech), e-commerce, and digital services.

Principles of Prevention, Detection, and Handling of Violations

The principles of prevention, detection, and handling of violations are based on the understanding that acts of violating personal data can have long-lasting and difficult-to-remedy consequences. Therefore, protecting personal data does not stop at handling violations after they occur, but also requires a proactive mechanism for the prevention and early detection of risks. Clause 5, Article 3 of the Law on Protection of Personal Data 2025 stipulates that data processing activities must ensure the ability to prevent, promptly detect, stop, and handle violations related to personal data.

Unlike Decree No. 13/2023/ND-CP, which only integrated this content into the obligation of data confidentiality and security, the 2025 Law has elevated it to an independent principle. This represents a shift from a reactive approach to a proactive risk management model, emphasizing the responsibility for regular control and monitoring to mitigate the risk of breaches from the outset.

In reality, many cases have involved the leakage of customer data from banks, real estate companies, or e-commerce platforms on online forums, leading to users receiving numerous advertising calls or fraudulent messages. These incidents demonstrate that if businesses build mechanisms to monitor access, detect anomalies, and respond to incidents promptly, the risk of data leaks can be significantly reduced.

This principle is even more significant in the context of the rapid development of artificial intelligence (AI), big data, and digital platforms. The application of automated data processing systems requires businesses to regularly check, monitor, and detect errors to prevent the risk of using inaccurate data or making decisions detrimental to the data subject. Therefore, the requirement of “prevention – detection – handling” applies not only to traditional data leak incidents but also as a risk control mechanism in the modern digital environment.

Principle of balancing interests

Unlike some legal systems that place almost absolute emphasis on individuals’ data control rights, Vietnamese law chooses a balanced approach between privacy and public interest. This is reflected in Clause 6, Article 3 of the Law on Personal Data Protection 2025, according to which the processing of personal data must ensure harmony between the legitimate rights and interests of individuals and the requirements of national defense, security, social order, and socio-economic development.

Compared to Decree No. 13/2023/ND-CP, this is a noteworthy new point. While the Decree only indirectly addressed this issue through cases of data processing without the data subject’s consent, the 2025 Law has elevated it to an independent principle. This reflects the view that the protection of personal data needs to be placed in a harmonious relationship with the requirements of state management and public interest in the context of digital transformation.

The principle of balancing interests aims to ensure the privacy of individuals without hindering activities that serve the common good. In some cases, such as disease prevention, disaster response, or national security, state agencies may need to process personal data to carry out their duties.

The same holds for public administration more generally: if all processing activities depended entirely on the consent of each individual, the effectiveness of management and the ability to respond to emergencies could be significantly affected.

However, applying this principle also requires clearly defining the scope of “national interest” and “public interest” to avoid the risk of excessive exceptions that would diminish individual privacy. This is also a notable difference between Vietnamese law and the European Union’s General Data Protection Regulation (GDPR), as GDPR places individual rights at the center and more strictly limits exceptions for the public interest.

Inheritance and Changes Between the Principles of Personal Data Processing under the 2025 Law on Personal Data Protection and Decree No. 13/2023/ND-CP

Although both regulate the processing of personal data, the 2025 Law on Personal Data Protection and Decree No. 13/2023/ND-CP differ significantly in the design of their data processing principles. While Decree 13 stipulated eight principles in a detailed and technical manner, the 2025 Law only has six principles, streamlined and focused on the core values of personal data protection. This change reflects a shift from an initial management mechanism to a more stable legal foundation at the law level.

In terms of content, most of the principles of the 2025 Law are inherited from Decree 13 but are arranged and generalized in a more systematic way. The principle of legal compliance continues to be upheld, while also being placed in relation to the Constitution, the Civil Code, and regulations protecting personal rights, reflecting an approach that views personal data as an object intrinsically linked to human rights.

The principle of specific purpose and limitations is formed by merging the principle of processing for the right purpose and the principle of limiting the scope of processing in Decree 13. Similarly, the principle of accuracy and limited storage is built on the basis of combining the requirement to update and correct data with a time limit on storage. The merging of these principles makes the legal system more streamlined while still ensuring core content.

Regarding the principle of comprehensive protection measures, the 2025 Law expands the scope of protection from technical measures to a more comprehensive approach, including institutions, internal governance processes, personnel training, and security technology. This reflects the understanding that data risks stem not only from cyberattacks but also from human factors and limitations in governance mechanisms.

Furthermore, the 2025 Law for the first time recognizes the principle of prevention, detection, and handling of violations as an independent principle. This regulation shows a shift from a reactive approach to a proactive risk management model, requiring organizations and businesses not only to protect data but also to build mechanisms for monitoring, warning, and responding to incidents.

In particular, the principle of balancing national and ethnic interests with the legitimate rights and interests of individuals is a prominent new feature of the 2025 Law. Unlike Decree 13, which focused more on the rights of data subjects, this principle emphasizes the need for harmony between protecting privacy and the goals of national defense, security, social order, and socio-economic development. This also clearly demonstrates the unique approach of Vietnam compared to GDPR.

From this, it can be seen that the Personal Data Protection Law of 2025 does not completely replace but mainly inherits, streamlines, and upgrades the system of principles of Decree No. 13/2023/ND-CP, thereby building a more stable and suitable legal foundation for data governance requirements in the digital economy.

Assessment of the System of Principles for Processing Personal Data under Vietnamese Law

The establishment of six principles for processing personal data in the 2025 Law on Personal Data Protection marks a significant step forward in perfecting the legal framework for protecting privacy in Vietnam. This system of principles not only guides the data processing activities of state agencies, businesses, and organizations but also reflects a shift from a decentralized management approach to a holistic data governance model. However, alongside its outstanding advantages, the application of these principles also poses numerous challenges in practice.

Firstly, regarding advantages, the system of principles contributes to strengthening the protection of privacy and the right to control individuals’ data through requirements for legality, purpose of processing, accuracy, and data storage limits. Simultaneously, establishing clear standards for data processing strengthens user trust in digital services, thereby promoting the development of e-commerce, digital banking, and the digital economy in general.

The 2025 Law reflects a proactive approach to data governance by recognizing the principle of preventing, detecting, and handling violations as an independent principle. This provides a basis for organizations and businesses to build more effective internal control mechanisms, risk monitoring, and incident response. The system of principles is also highly flexible thanks to its general design, facilitating its application to new technologies such as artificial intelligence (AI), big data, and cloud computing. Furthermore, the addition of the principle of balancing national interests with the legitimate rights and interests of individuals harmonizes the requirements of data protection with the needs of state management, ensuring national defense, security, and socio-economic development.

Secondly, regarding limitations and challenges, some principles are stipulated in a general way, which can lead to inconsistent interpretations and applications if detailed guidance is lacking. Concepts such as “appropriate retention period,” “fair processing purpose,” or “national interest” still need clarification to ensure transparency in implementation.

Compliance costs for businesses, especially small and medium-sized enterprises, may increase due to the required investment in security infrastructure, data governance processes, and personnel training. Furthermore, legal awareness among both businesses and citizens regarding personal data rights remains limited, affecting the effectiveness of regulations in practice.

Regarding the principle of balancing national interests and individual rights, although it is important in the context of Vietnam’s governance, its application needs to be accompanied by transparent control mechanisms and clear limits to avoid the risk of excessive expansion of exceptions, thereby undermining the level of protection of individual privacy.

Overall, the system of principles for processing personal data under the 2025 Law on Personal Data Protection is a significant step forward in the process of perfecting data protection legislation in Vietnam. However, for these principles to be effective in practice, further improvements to guiding documents are needed, along with enhanced compliance capacity of businesses and increased public awareness of personal data rights in the digital environment.

Recommendations for Foreign Businesses and Investors

Given the increasingly stringent compliance requirements of the 2025 Personal Data Protection Law, foreign businesses and investors need to shift from a mindset of maximizing data collection to a data governance model based on legal compliance, limiting processing purposes, and controlling risks from the business model development stage.

Accordingly, businesses should proactively review their processes for collecting, using, and storing personal data; build internal governance mechanisms, appropriate data access control and security; and establish measures to prevent, detect, and handle data incidents. For foreign-invested enterprises, fintech companies, e-commerce businesses, or technology platforms, regularly updating regulations and implementation guidelines is essential to ensure legal compliance during operations in Vietnam.

Complying with personal data protection regulations not only helps businesses minimize legal risks, penalties, and disputes, but also contributes to enhancing brand reputation, strengthening customer trust, and creating a competitive advantage in the digital economy. Therefore, Siglaw Firm recommends that businesses proactively coordinate with legal consultants from the data governance system development stage to ensure that business operations are implemented safely, transparently, and sustainably.

In the context of personal data becoming an increasingly important resource in the digital economy, businesses need to focus not only on the efficiency of data exploitation but also on ensuring the legality of data processing activities, complying with personal data protection principles, and controlling legal risks during operation. Building a governance mechanism is crucial.

Data protection, information security, internal controls, and compliance strategies implemented from the outset will help businesses mitigate the risk of violations, enhance brand reputation, and strengthen customer trust.

In the future, the effectiveness of enforcing principles for handling personal data will depend on coordination between state management agencies, businesses, and citizens. Only when all stakeholders raise awareness and responsibility in protecting personal data can the goal of developing a safe, transparent, and sustainable digital economy be realized.

With experience in providing legal advice to businesses in the field of personal data protection, including reviewing privacy policies, building internal data governance processes, and assessing legal risks in data processing activities, Siglaw Firm is always ready to accompany businesses and investors in ensuring compliance with Vietnamese law, especially when the Personal Data Protection Law of 2025 officially comes into effect.

For businesses and investors requiring consultation on personal data protection compliance, data processing review, internal security policy development, legal risk assessment, or implementation of data governance systems in accordance with the latest regulations, please contact Siglaw Firm:

Headquarters in Hanoi City: No. 44/A32 – NV13, Area A Geleximco, Le Trong Tan Street, Tay Mo Ward, Hanoi City.

Branch in the South: No. 103 – 105, Nguyen Dinh Chieu Street, Xuan Hoa Ward, Ho Chi Minh.

Branch in the Central Region: VIFC DN – ICT Building, Software Park No. 2, Nhu Nguyet Street, Hai Chau Ward, Da Nang City.

Email: vp@siglaw.com.vn

Hotline: 0961 366 238

Facebook: https://www.facebook.com/hangluatSiglaw

Dr. Le Thi Dung

Attorney-at-Law

Founding Partner

Lawyer Le Dung has more than 14 years of experience providing legal advice to investors from more than 10 countries such as the US, Singapore, Canada, Denmark, Japan, Korea, China…
