Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Vietnam's lawmakers probably didn't sleep much earlier this summer as they hammered out dozens of laws and decrees in the course of a month. Their efforts propelled the country's historic transition to a two-tier local government structure, effective 1 July, and encouraged fresh mindsets to advance the country's digital dominance.
Vietnam's Personal Data Protection Law — issued 26 June and effective 1 Jan. 2026 — emerged as a timely upgrade to a scattered domestic data privacy regime. The country's first comprehensive legal framework for protecting personal data demonstrates its recognition of personal data as an important economic driver and marks the Ministry of Public Security's success in developing a unified protection framework.
The PDPL outranks the 2023 Personal Data Protection Decree and will prevail when it takes effect. It retains the decree's core EU General Data Protection Regulation-like structures while adding new specific requirements and enabling the government to introduce further details at a later date.
In order for the PDPL to be operative and enforceable, the government must issue a guiding decree and a sanction decree, which merit close tracking. The guiding decree is anticipated to be released and passed before the end of the year with the sanction decree expected to follow.
Governing scope
The PDPL draws a broad circle, encompassing virtually any individual and organization handling personal data with ties to Vietnam — from local agencies and individuals to foreign entities operating within the country, as well as those abroad but engaged in or related to the processing of data of Vietnamese citizens or stateless individuals of Vietnamese origin residing in Vietnam.
This extraterritorial reach echoes Article 3 of the GDPR, which keeps tabs on non-EU firms processing EU residents' data. However, it deviates slightly by thoughtfully acknowledging national demographics — particularly for those returning to contribute to domestic development.
Data protection principles
While current data protection principles closely align with those under the GDPR, the PDPL introduces notable changes compared to its predecessor, the PDPD. The PDPL removes the principles of "individuality" and "compliance and accountability," consolidates the remaining six principles into four, and adds two new principles emphasizing the prevention of violations and the balance between national interest and individual rights.
The six principles under the PDPL's Article 3 are:
- Lawfulness: Comply with Vietnam's Constitution, the PDPL and relevant laws.
- Purpose limitation: Collect and process personal data within a specific, clear and lawful scope and purpose.
- Accuracy and storage limitation: Ensure personal data is accurate and is modified, updated and supplemented when necessary, and store personal data only for a period consistent with the purpose of processing, unless otherwise prescribed by the PDPL.
- Security: Implement institutional, technical and human measures and solutions synchronously and effectively to protect personal data.
- Violation prevention and management: Proactively prevent, detect and combat all violations and handle them in a timely and rigorous manner.
- Balancing national interests and rights: Protect personal data in alignment with national benefits and ensure harmony between personal data protection and the protection of legitimate rights and benefits of agencies, organizations and individuals.
Lawful processing bases
Consent is currently the dominant legal basis for processing data. Marking stakeholders' success in a long-fought advocacy campaign since the PDPD's 2020 inception, the PDPL breaks this status quo and introduces legitimate interest to alleviate the consent constraint. That said, the concept of "legitimate interest" under the PDPL has a potentially narrower scope of application than its counterpart under the GDPR, being relevant in limited contexts, such as fraud prevention or internal investigations. Its application should be carefully considered on a case-by-case basis to prevent excessive reliance.
Under Article 9 of the PDPL, consent is mandated as voluntary, informed, explicit and granular, spanning data types, objectives and controllers with easy revocation.
Resembling GDPR allowances, non-consent scenarios are contemplated under Article 19, covering vital interests, emergencies, state mandates or contracts. Article 19(2) further imposes accountability in monitoring processing activities based on non-consent bases, requiring firms to — among other obligations — set up procedures and policies and regularly conduct risk assessments.
Data subjects' rights
The PDPL, under Article 4, equips data subjects with a solid lineup of rights, including their right to be informed of data processing activities, access their information, revoke their consent, amend or erase their data, restrict processing, and object to processing. This mirrors Articles 15 through 22 of the GDPR.
Data portability is not recognized under the PDPL. The law also newly requires data subjects to exercise their rights lawfully and without infringing the rights of others, curbing any potential abuse of rights.
The PDPD's previously controversial 72-hour deadline for responding to a data subject request has been removed, following widespread concerns about its practicality. In its place, the PDPL opts for a more flexible "timely" mandate in Article 4(5), which is subject to further adjustments by the government.
Data processing impact assessments
Data processing impact assessments continue to be a required action for all controllers; processors can now tackle them on a contractual basis — a relief from the current catch-all DPIA regime. A copy of the DPIA must be submitted to the MPS within 60 days of the commencement of processing.
The law does not provide specific templates for DPIAs, leaving the government to determine the details. This raises the question of whether the same standards for DPIAs under the PDPD will continue to apply.
Cross-border data transfers
The PDPL swaps the PDPD's "overseas transfer" for "cross-border personal data transfer," with a sweeping definition that covers exporting data stored in Vietnam, transfers from domestic to foreign entities, and the processing of locally collected data on platforms located abroad.
More notably, it widens the PDPD's focus on Vietnamese citizens' data to cover any natural person's information stored in Vietnam before export, regardless of nationality. This shift brings a broader range of transborder data flows within the regulated scope.
Unlike the GDPR's flexible toolkit for enabling cross-border data transfers — with adequacy decisions, standard contractual clauses or binding corporate rules — the PDPL sticks to a narrower path of impact assessment preparation and submission, spotlighting Vietnam's more controlled stance on data flows. Every data transfer must be accompanied by a cross-border transfer impact assessment, and a copy must be sent to the MPS within 60 days of the transfer beginning.
Again, the law does not provide any specific template for the CBTIA, leaving practitioners to wonder whether it will resemble the current regime of overseas transfer impact assessments. Exemptions from the CBTIA requirement under Article 20(6) span state actions, storage of employee personal data on cloud-computing services, transfers made by data subjects themselves, and other cases to be added by the government.
To ease the transition for PDPD-compliant companies, the PDPL exempts those whose OTIA and DPIA have been "received" by the MPS from also submitting a CBTIA or DPIA under the new law. However, for any updates or changes to these impact assessments, companies must follow the law's updating procedures.
The law additionally grants the MPS the power to conduct annual audits of transfers with the possibility for random checks or those triggered by leaks or losses.
Breach notification requirements
On data breaches, the PDPL maintains the same approach as its predecessor, the PDPD. Its Article 23 casts a much wider net than the GDPR's security focus, capturing any violation of personal data protection rules that might even remotely threaten national security, social order, or a data subject's vital interests, dignity or property. This catch-all scope could snag everything from a minor glitch to outright mishaps.
Controllers must flag these violations to the MPS within that familiar 72-hour window, as under the GDPR, while processors must notify the controller promptly upon spotting any such issue.
Echoing the GDPR once more, controllers under the PDPL must maintain incident logs, but the law introduces fresh twists with user notifications confined to the banking/finance and biometric processing arenas. Banks and financial institutions must alert data subjects to any breach or loss — no matter how minor and without needing proof of actual harm, which adds a layer of urgency. Notification requirements for biometric processing are more limited, applying only when harm occurs to the data subject — introducing a measure of practicality within an otherwise expansive regulatory framework.
Further details about the breach notification process will be provided in the government's guiding decree.
Sectoral and activity-specific aspects
A key improvement under the PDPL is the introduction of detailed requirements tailored to specific sectors and activities. These span employment, health care and insurance, finance, advertising, communications, location and biometric data, closed-circuit television and frontier technologies, like artificial intelligence, blockchain and virtual reality.
Companies eyeing Vietnam's digital scene or having already entered the market should pore over these intricacies to ensure compliance.
Penalties and enforcement
In keeping with local legislative practice, the PDPL does not itself specify penalties for noncompliance. Instead, the law sets out principles for the government to develop the penalties in a decree. The PDPL establishes hefty, hard caps for administrative sanctions, which should compel multinational companies to carefully review data flows and related practices when conducting operations in Vietnam.
Article 8 allows administrative fines to top out at VND3 billion — around USD115,000 — for most breaches. Violations tied to cross-border data transfers can sting even more with fines up to 5% of the offending entity's prior-year revenue. For businesses allegedly illegally buying or selling personal data, fines can escalate to as much as 10 times the illicit gains, potentially turning a quick profit into a costly nightmare if regulators can quantify those earnings. If those gains prove elusive to calculate, the fine reverts to the VND3 billion cap.
The PDPL's penalty framework appears to be more targeted at specific violations with potentially lower absolute impacts for large global firms. In contrast, the GDPR's fines are broader, more uniformly applied across violation types, and can reach much higher amounts for multinational companies due to its global turnover calculation.
The PDPL also confirms that violators may face criminal liability. However, the current Criminal Code only penalizes certain personal-data-related acts, such as illegally using or uploading information on information systems or illegally collecting and trading banking details.
Countdown to PDPL clarity
The PDPL's guiding decree is expected to be released for public comments and passed by the end of 2025. It will offer direction on many outstanding issues under the PDPL, like detailed classification of basic and sensitive personal data, requirements for data protection officers, procedures for data breach notification, and more.
This decree should also supersede and repeal the PDPD, which would otherwise technically remain in effect.
The sanction decree will be instrumental in ensuring local regulators have a basis to handle noncompliance. While clear deadlines for this decree are currently unknown, it should promptly follow the guiding decree.
Huyen-Minh Nguyen is a special counsel at BMVN International, and Alex Do, CIPP/E, is an IPTech executive cum patent coordinator at BMVN International, in alliance with Baker McKenzie Vietnam.