Personal Data Protection Law (PDPL) Vietnam

• April 17, 2023 – Decree 13/2023/ND‑CP issued
• July 1, 2023 – Decree 13 took effect
• June 26, 2025 – PDPL passed by the National Assembly
• January 1, 2026 – PDPL enters into force

The PDPL applies to:

• Vietnamese entities processing personal data of individuals in Vietnam
• Foreign entities handling Vietnamese data through websites, apps, or digital services
• Data controllers, processors, and third parties
• Public and private sector organizations, regardless of size or revenue

There is no threshold for number of records or revenue—any organization processing personal data of Vietnamese residents is within scope.

The following activities may be exempt from some or all PDPL requirements:

• Personal data processing for private or household use
• Processing by state agencies for national defense, public security, or law enforcement
• Anonymized data used for research or statistics
• Journalistic and artistic purposes, where protected by freedom of expression (subject to limitations)

Organizations must:

• Establish a legal basis for data collection and processing (e.g., consent, contract, legal obligation)
• Notify data subjects about data use, purpose, retention, and third-party sharing
• Maintain Data Protection Impact Assessments (DPIAs) for high-risk or large-scale processing
• Assign a Data Protection Officer (DPO) for specific processing activities (e.g., sensitive data)
• Keep internal records of processing activities and submit reports upon request
• Implement organizational and technical safeguards to protect personal data

Website and app operators must:

• Display clear privacy notices, in Vietnamese (and English if needed)
• Use opt-in consent banners for non-essential cookies or tracking technologies
• Provide tools for withdrawing consent
• Securely manage cross-border transfers of personal data
• Maintain consent logs and cross-border transfer records
• Offer DSR request portals (e.g., for access, deletion, correction)

• Parental consent is required for processing data of children under 16
• Sensitive data includes biometrics, health, financial, ethnicity, religious beliefs, and location
• DPIAs are mandatory for:
  • Automated profiling with legal or significant effects
  • Cross-border transfers
  • Large-scale processing of sensitive data
• Cross-border transfers require a data transfer impact assessment and must be notified to the Ministry of Public Security; further regulations may require prior approval

Under the PDPL, individuals have the right to:

• Be informed about how their data is used
• Access their personal data
• Correct or delete inaccurate or unnecessary data
• Restrict processing in certain circumstances
• Withdraw consent or object to data use
• Request data portability (in applicable cases)
• File complaints with authorities or pursue legal action
• Response timelines will be clarified through implementing guidance.

• Regulator: Ministry of Public Security holds significant authority, including the power to investigate, impose administrative penalties, and prohibit non-compliant cross-border data transfers
• Administrative fines:
  • Up to VND 3 billion (approx. USD ~$120,000)
  • For serious violations, fines can reach 5% of the company’s global preceding’s year revenue
• Other enforcement tools:
  • License suspensions
  • Processing bans
  • Publication of violations
  • Criminal liability under other applicable laws in severe cases