.png)
Vietnam's 2025 Law on Personal Data Protection: Key Highlights for Businesses
Vietnam has taken a landmark step in data privacy with the official passing of the Law on Personal Data Protection (Law No. 91/2025/QH15) by the 15th National Assembly on June 26, 2025. Set to take effect on January 1, 2026, this comprehensive legislation establishes an entirely new legal framework, superseding the former Decree 13/2023/NĐ-CP. For businesses and individuals alike, understanding its core provisions is critical.
Table of contents:
I. What is Personal Data?
According to Article 2 of the Law on Personal Data Protection No. 91/2025/QH15 dated June 26, 2025 ("LPDP"), personal data includes the following content:
Personal data is digital data or information in other forms that identifies or helps to identify a specific person, including: basic personal data and sensitive personal data
Basic personal data is personal data that reflects common personal and biographical factors, regularly used in transactions and social relations, falling under a list issued by the Government
Sensitive personal data is personal data associated with an individual's right to privacy, which, when violated, will directly affect the legitimate rights and interests of agencies, organizations, and individuals, falling under a list issued by the Government
II. Handling Violations of the Law on Personal Data Protection
Article 8 of the Law stipulates very strict and highly deterrent administrative fines
- Buying and selling personal data: The maximum fine is 10 times the revenue obtained from the violation
- Violating regulations on cross-border transfer of personal data: The maximum fine for an organization is up to 5% of its total revenue of the preceding year
- Other violations: The maximum fine is VND 3 billion
Note: The maximum fine for an individual committing the same violation shall be one-half (1/2) the fine for an organization
III. Cross-Border Transfer of Personal Data
1. Cases of cross-border transfer of personal data include
a) Transferring personal data stored in Vietnam to a data storage system located outside the territory of the Socialist Republic of Vietnam
b) Vietnamese agencies, organizations, and individuals transferring personal data to foreign organizations and individuals
c) Vietnamese or foreign agencies, organizations, and individuals using platforms outside the territory of the Socialist Republic of Vietnam to process personal data collected in Vietnam
2. According to Article 20, organizations and individuals transferring personal data out of Vietnam must
a. Prepare an impact assessment file: A Cross-Border Personal Data Transfer Impact Assessment file must be prepared
b. Submit to the supervisory authority: Submit one original copy to the supervisory authority for personal data protection (under the Ministry of Public Security) within 60 days from the first day of the transfer
c. Update periodically: This file must be updated upon any changes
3. Cases exempt from the requirement to conduct a cross-border data transfer impact assessment include
a) The cross-border transfer of personal data by a competent state agency
b) An agency or organization storing the personal data of its employees on a cloud computing service
c) A data subject transferring their own personal data across borders
d) Other cases as prescribed by the Government
IV. Protection of Personal Data in the Processing of Big Data, Artificial Intelligence, Blockchain, Virtual Universe, and Cloud Computing
1. Personal data in the environment of big data, artificial intelligence, blockchain, virtual universe, and cloud computing must be processed for the correct purpose and limited to the necessary scope, ensuring the legitimate rights and interests of the data subject
2. The processing of personal data in these environments must comply with the provisions of this Law and other relevant laws; and be consistent with the ethical standards and fine customs of Vietnam
3. Systems and services using big data, artificial intelligence, blockchain, virtual universe, and cloud computing must integrate appropriate personal data security measures; and must use suitable authentication and identification methods and access control to process personal data
4. The processing of personal data by artificial intelligence must be classified by risk level to apply appropriate personal data protection measures
5. It is prohibited to use or develop systems for processing big data, artificial intelligence, blockchain, virtual universe, and cloud computing that use personal data to harm national defense, security, social order, and safety, or to infringe upon the life, health, honor, dignity, or property of others.
The information contained in this article is general and intended only to provide information on legal regulations. DB Legal will not be responsible for any use or application of this information for any business purpose. For in-depth advice on specific cases, please contact us.
For more information:
📞: +84 357 466 579
📧: contact@dblegal.vn
🌐Facebook: DB Legal Vietnamese Fanpage or DB Legal English Fanpage
Related posts:
- Resolution 222/2025/QH15: A New Era for the International Financial Center in Vietnam
- New Visa Exemption Policy 2025: Details of Decree 221/2025/ND-CP`
- New UBO Regulations (Part 2): Detailed Criteria and Declaration Under Decree 168
- New provisions concerning beneficial owners in accordance with the amended and supplemented Law on Enterprises
- Effective July 1, 2025: 5+ Civil Status Procedures with Foreign Elements to be Handled at Commune Level
- Decree No. 146/2025/ND-CP – Decentralizing Industrial & Commercial Management
- GENERAL TERMS AND CONDITIONS ON PERSONAL DATA PROTECTION AND PROCESSING (Effective from December 31, 2024)
- Decree No. 135/2024/ND-CP introduces new mechanisms to promote the development of self-generated and self-consumed rooftop solar power
- Official Dispatch No. 3227/TCT-CS on Corporate Income Tax on Interest from Bank Deposits of Representative Offices of Foreign Traders in Vietnam
- Resolution No. 136/2024/QH15 Organization Of Urban Government And Pilot Implementation Of Specific Regulations And Policies On Da Nang City Development
