Vietnam’s Personal Data Protection Law (PDP Law) was officially enacted on 26 June 2025, and is set to take effect from 1 January 2026. This new legislation marks a significant shift from a fragmented regulatory approach to a comprehensive and unified legal framework for personal data protection.
In this legal update, we provide a detailed comparative analysis of the PDP Law against the current Decree 13/2023/ND-CP (PDP Decree), clarify the relationship between the impact assessment obligations under the PDP Law and those under the Data Law, and outline actionable steps that businesses should undertake to ensure future compliance.
1. PDP Law – Key Innovations from PDP Decree
a. Refined extraterritorial application: While the PDP Law retains domestic and extraterritorial application provisions established by the PDP Decree, its extraterritorial scope is now narrowed to capture only foreign agencies, organisations and individuals directly involved in or related to the processing of personal data of Vietnamese citizens or persons of Vietnamese origin residing in Vietnam with identification certificates.
b. Broadened personal data-related definitions: Under the PDP Law, “personal data” is broadly defined as digital data or information in any other form that identifies or helps identify a specific person. The PDP Law’s explicit inclusion of non-digital forms, such as traditional, paper-based information, helps to ensure its comprehensive coverage across various data formats.
For “basic personal data” and “sensitive personal data”, unlike the PDP Decree, which provided exhaustive lists for these two categories of personal data, the PDP Law only provides for general determination criteria, and defers to the government on the issuance of detailed lists.
c. Newly introduced definitions of “anonymisation” and “encryption”: Another significant innovation of the PDP Law is its introduction of definitions for both “anonymisation” (i.e., the process of changing or removing information to create new data from which a specific person is not or no longer identifiable) and “encryption” (i.e., the conversion of personal data into a form in which the personal data cannot be recognised if it is not decrypted). Under the PDP Law, personal data that has been successfully anonymised is no longer considered as personal data, thereby falling outside the direct scope of personal data protection laws, whereas encrypted data still retains its classification as personal data.
d. Consent collection mechanism: The PDP Law mandates that consent must be (i) obtained for each specific purpose of data processing and (ii) not accompanied by a mandatory acceptance of other purposes beyond the agreed content. This provision reinforces and clarifies the PDP Decree’s principle on consent for multiple processing purposes, explicitly requiring a mechanism that enables data subjects to selectively choose which purpose(s) they consent to, thereby preventing the practice of “bundled consent”.
e. Responsible exercise of data subject rights: With the aim of striking a balance between protecting data subjects’ privacy rights and ensuring that the exercise of these rights does not unreasonably disrupt the legitimate data processing activities of businesses, the PDP Law stipulates that data subjects, when exercising their rights and obligations, must, inter alia, not cause difficulties for or hinder the exercise of legal rights and obligations by the personal data controller, personal data controller-processor, or personal data processor. Notably, the rigid 72-hour deadline for responding to data subject requests under the PDP Decree has also been adjusted to a more flexible “timely” manner under the PDP Law, with specific details to be provided by the government.
f. Transfer of personal data: Apart from cases where the transfer of personal data has been consented to by the data subject, or cases where personal data processing (including transfers) does not require the data subject’s consent as provided under the PDP Decree, the PDP Law further clarifies other cases where personal data is allowed to be transferred (without consent). These include (i) internal sharing of personal data between departments within an agency or organisation for processing in line with established purposes, (ii) transfer of personal data in the event of business reorganisations, (iii) transfer of personal data by the personal data controller or personal data controller-processor to the personal data processor or a third party for processing in accordance with the laws, and (iv) transfer of personal data pursuant to a request of the competent state agency.
g. Data (Cross-border) Transfer Impact Assessment (DTIA): The PDP Law introduces three scenarios of cross-border transfer of personal data, including (i) transfer of personal data stored in Vietnam to an offshore storage system, (ii) transfer of personal data by onshore agencies, organisations or individuals to offshore organisations or individuals, and (iii) the use of offshore platforms by onshore or offshore agencies, organisations or individuals for the processing of personal data collected in Vietnam. Except for some special cases provided under the PDP Law (e.g., agencies or organisations storing personal data of employees on cloud storage services, self-transfer by data subjects of their own personal data overseas, or other cases as specified by the government), the DTIA must be prepared and submitted to the competent authority by the data transferor within 60 days of the initial transfer. Additionally, the DTIA must be updated periodically every six months upon any changes (to the submitted contents), or immediately upon specific material changes (e.g., reorganisations, changes in data protection service provider, changes in registered business lines involving personal data processing).
h. Data Processing Impact Assessment (DPIA): Similar rules have been introduced by the PDP Law in respect of the preparation, submission and update of the DPIA.
i. Personal Data Protection Personnel: A significant shift in the PDP Law is the requirement that all agencies and organisations processing personal data must appoint a data protection officer/department (DPO) or engage a qualified data protection service provider, whereas under the PDP Decree, the DPO appointment is often tied only to the processing of sensitive personal data. Detailed guidance on the qualifications and duties of DPOs and data protection service providers is expected to be issued by the government.
j. Exemptions from DPIA, DTIA and DPO requirements: Compared to the blanket imposition under the PDP Decree, the PDP Law recognises the varying capacities of businesses and thus introduces specific exemptions from the DPIA and DPO requirements for SMEs (but not from the DTIA requirements, according to the current wording of the PDP Law). In particular, small enterprises and start-ups shall have the discretion to choose whether to comply with the DPIA and DPO requirements within 05 years from the effective date of the PDP Law. Micro-enterprises and business households, in contrast, are generally not required to comply with these requirements. However, these exemptions shall not apply if the concerned enterprise, start-up or business household (i) engages in the business of personal data processing services, (ii) directly processes sensitive personal data, or (iii) processes the personal data of a large number of data subjects.
Furthermore, the PDP Law includes a transitional provision clarifying that businesses shall not be subject to its DPIA and DTIA submission requirements if their DPIA and DTIA reports have already been prepared in accordance with the PDP Decree and received by the competent authority before the PDP Law’s effective date. Any subsequent updates or modifications (i.e., after 1 January 2026), however, must be conducted in accordance with the PDP Law’s requirements.
k. Sector-specific data protection rules: The PDP Law introduces tailored provisions governing personal data protection in specific sectors, including the protection of personal data of vulnerable persons, employment, healthcare and insurance, finance and banking, advertising, social media and online communications, big data/AI/blockchain/metaverse/cloud computing, location and biometric data, and recordings in public places. Accordingly, businesses in different sectors will be required to comply with varying personal data protection requirements.
l. Sanctions for non-compliance: The PDP Law establishes severe, revenue-based administrative sanctions, alongside potential civil and criminal liabilities, for non-compliance with personal data protection regulations. Specific monetary fines for organisations include (i) up to 10 times the proceeds earned from illegal trade in personal data, (ii) up to 5% of the revenue of the preceding year for non-compliance with cross-border personal data transfer regulations, and (iii) up to VND 3 billion for other non-compliance (monetary fines for individuals are set at one-half of those applicable to organisations).
Generally speaking, the PDP Law has significantly altered the legal landscape for personal data protection as established by the PDP Decree. Although the PDP Law does not contain explicit provisions that formally invalidate the PDP Decree, from a legal hierarchy perspective, it is likely that the PDP Law (a law) will prevail over the PDP Decree (a government decree) in cases of inconsistency. Given the above, it is highly anticipated that the government’s guiding decree will be issued before the PDP Law’s effective date, which will either formally terminate the effectiveness of the PDP Decree or fundamentally amend its provisions for alignment with the PDP Law’s framework.
2. Overlapping Impact Assessment Obligations under PDP Law and Data Law
The Data Law and its guiding Decree 165/2025/ND-CP have recently been promulgated and are set to take effect from 1 July 2025. These two instruments establish a broader regulatory scope beyond personal data protection under the PDP Law, thereby providing the general legal framework for data governance in Vietnam.
Under the Data Law, the preparation and submission of impact assessments are mandated for the cross-border transfer and processing of “important data” (e.g., basic personal data of 100,000 or more Vietnamese citizens, sensitive personal data of 10,000 or more Vietnamese citizens, etc.) and “core data” (e.g., basic personal data of 1,000,000 or more Vietnamese citizens, sensitive personal data of 100,000 or more Vietnamese citizens, etc.). Notably, while the cross-border transfer and processing of “important data” may proceed if no negative assessment is received from the competent authority, “core data” requires a positive assessment from the authority before it can be transferred or processed abroad.
The impact assessment obligations introduced by the Data Law may, to some extent, overlap with those provided under the PDP Law. To address this issue, both the Data Law and the PDP Law contain exemption provisions. Specifically, the Data Law stipulates that entities which have already complied with impact assessment obligations in respect of “important data” and/or “core data” are exempt from the obligation to conduct impact assessments under the personal data protection laws (i.e., the PDP Law). Conversely, the PDP Law provides that if an agency, organisation or individual conducts a DPIA or DTIA in accordance with its provisions, then they are not required to perform impact assessment obligations under the Data Law.
3. What you need to prepare
Below are actionable steps that need to be taken by businesses to ensure future compliance:
a. Conduct a comprehensive review of data classification: As data regulations are evolving under two legal regimes, i.e., the PDP Law and the Data Law, each with a different approach to legal compliance, businesses should carefully assess their data processing activities. This assessment should cover not only basic and sensitive personal data (as classified under the PDP Decree and the PDP Law) but also any important or core data under the Data Law.
b. Conduct a comprehensive gap analysis: Businesses should conduct a comprehensive internal analysis of the gap between the laws and their existing compliance status. The gap analysis should examine current internal policies, procedures and operational practices to ensure alignment with both the personal data protection framework (the PDP Decree and the PDP Law) and the compliance obligations imposed by the Data Law. To be effective, this analysis should be tailored to the organisation’s specific business operations by considering other applicable laws such as cybersecurity regulations, consumer information protection regulations, and sector-specific compliance requirements. Based on this review, businesses will be able to identify areas requiring updates or alignment – such as consent forms, internal policies, impact assessments, or contractual terms with vendors and third parties – to ensure the highest possible level of compliance with the legal landscape.
c. Stay updated on the forthcoming guiding decree of the PDP Law: Close attention should be paid to the forthcoming guiding decree of the PDP Law, as it will provide essential details for ensuring timely compliance and regulatory alignment.