Banner

Vietnam's 2025 Law on Personal Data Protection: Key Highlights for Businesses

August 5, 2025 | Legal Updates

Vietnam has taken a landmark step in data privacy with the official passing of the Law on Personal Data Protection (Law No. 91/2025/QH15) by the 15th National Assembly on June 26, 2025. Set to take effect on January 1, 2026, this comprehensive legislation establishes an entirely new legal framework, superseding the former Decree 13/2023/NĐ-CP. For businesses and individuals alike, understanding its core provisions is critical.

I. What is Personal Data?

According to Article 2 of the Law on Personal Data Protection No. 91/2025/QH15 dated June 26, 2025 ("LPDP"), personal data includes the following content:

Personal data is digital data or information in other forms that identifies or helps to identify a specific person, including: basic personal data and sensitive personal data. Personal data that has undergone anonymization is no longer personal data.

Basic personal data is personal data that reflects common personal and biographical factors, regularly used in transactions and social relations, falling under a list issued by the Government.

Sensitive personal data is personal data associated with an individual's right to privacy, which, when violated, will directly affect the legitimate rights and interests of agencies, organizations, and individuals, falling under a list issued by the Government.

II. Handling Violations of the Law on Personal Data Protection

Article 8 of the Law stipulates very strict and highly deterrent administrative fines:

- Buying and selling personal data: The maximum fine is 10 times the revenue obtained from the violation.

- Violating regulations on cross-border transfer of personal data: The maximum fine for an organization is up to 5% of its total revenue of the preceding year.

- Other violations: The maximum fine is VND 3 billion.

Note: The maximum fine for an individual committing the same violation shall be one-half (1/2) the fine for an organization.

III. Cross-Border Transfer of Personal Data

1. Cases of cross-border transfer of personal data include:

a) Transferring personal data stored in Vietnam to a data storage system located outside the territory of the Socialist Republic of Vietnam.

b) Vietnamese agencies, organizations, and individuals transferring personal data to foreign organizations and individuals.

c) Vietnamese or foreign agencies, organizations, and individuals using platforms outside the territory of the Socialist Republic of Vietnam to process personal data collected in Vietnam.

2. According to Article 20, organizations and individuals transferring personal data out of Vietnam must:

a. Prepare an impact assessment file: A Cross-Border Personal Data Transfer Impact Assessment file must be prepared.

b. Submit to the supervisory authority: Submit one original copy to the supervisory authority for personal data protection (under the Ministry of Public Security) within 60 days from the first day of the transfer.

c. Update periodically: This file must be updated upon any changes.

3. Cases exempt from the requirement to conduct a cross-border data transfer impact assessment include:

a) The cross-border transfer of personal data by a competent state agency.

b) An agency or organization storing the personal data of its employees on a cloud computing service.

c) A data subject transferring their own personal data across borders.

d) Other cases as prescribed by the Government.

IV. Protection of Personal Data in the Processing of Big Data, Artificial Intelligence, Blockchain, Virtual Universe, and Cloud Computing

1. Personal data in the environment of big data, artificial intelligence, blockchain, virtual universe, and cloud computing must be processed for the correct purpose and limited to the necessary scope, ensuring the legitimate rights and interests of the data subject.

2. The processing of personal data in these environments must comply with the provisions of this Law and other relevant laws; and be consistent with the ethical standards and fine customs of Vietnam.

3. Systems and services using big data, artificial intelligence, blockchain, virtual universe, and cloud computing must integrate appropriate personal data security measures; and must use suitable authentication and identification methods and access control to process personal data.

4. The processing of personal data by artificial intelligence must be classified by risk level to apply appropriate personal data protection measures.

5. It is prohibited to use or develop systems for processing big data, artificial intelligence, blockchain, virtual universe, and cloud computing that use personal data to harm national defense, security, social order, and safety, or to infringe upon the life, health, honor, dignity, or property of others.

The information contained in this article is general and intended only to provide information on legal regulations. DB Legal will not be responsible for any use or application of this information for any business purpose. For in-depth advice on specific cases, please contact us.

For more information: 

📞: +84 357 466 579

📧: contact@dblegal.vn

🌐Facebook:  DB Legal Vietnamese Fanpage or DB Legal English Fanpage 

🐦X(Twitter)

💼Linkedin

🎬Youtube

 

 

Contact us

Add 1: 3rd Floor, Indochina Riverside Tower, 81 Tran Phu Street, Hai Chau Ward, Danang City, Vietnam

Add 2: 28 Thanh Luong 20, Hoa Xuan Ward,  Danang city, Vietnam

Hotline 1: (+84) 357 466 579

Hotline 2: (+84) 985 271 242

Phone: (+84) 236.366.4674
Email: contact@dblegal.vn

zalo
whatsapp