Compliance and Investigations
January 26 2026

Vietnam Personal Data Protection 2026: What Foreign Organizations Need to Know

Vietnam’s personal data protection framework has changed substantially in recent years as data privacy and security have become central to the digital economy. Previously governed by Decree 13/2023/ND-CP (“Decree 13”), the regime has now been elevated to statute with the enactment of Vietnam’s first comprehensive Personal Data Protection Law (Law No. 91/2025/QH15) (the “PDPL”) and its implementing decree (Decree No. 356/2025/ND-CP) (“Decree 356”). Both instruments took effect on 1 January 2026 and replace Decree 13 as the primary legal framework for personal data protection.

Below are the questions most frequently raised by foreign enterprises operating in Vietnam regarding their compliance obligations under the personal data protection framework. The answers will help you plan your compliance strategy in 2026.

1. Does the PDPL apply to our organization?

  • Yes, if your organization is established in Vietnam and engages in personal data processing activities.
  • Yes, if your organization is established outside Vietnam but directly participates in, or is otherwise connected to, the processing of personal data of (a) Vietnamese citizens, or (b) individuals of Vietnamese origin whose nationality is undetermined, who reside in Vietnam and who have been issued identity certificates.

2. What constitutes “Personal Data”?

  • Personal Data means digital data or information in other forms that identifies or enables the identification of a specific individual.
  • Personal Data includes the following categories:

    (i) Basic personal data: personal data reflecting common personal identity and background elements that are frequently used in transactions and social relations, as listed in the Government-issued catalogue (e.g., full name, date of birth, marital status).
    (ii) Sensitive personal data: personal data that is closely linked to an individual’s privacy and which, if violated, would directly affect the lawful rights and interests of agencies, organizations, or individuals, as listed in the Government-issued catalogue (e.g

3. What constitutes personal data processing?

Personal data processing means any activity that affects personal data, whether one or several of the following: collecting, analyzing, compiling, encoding, decoding, modifying, deleting, destroying, de-identifying, providing, disclosing, or transferring personal data, or any other activity that affects personal data.

Accordingly, performing any one of these activities is enough for an organization to be considered engaged in personal data processing, and therefore potentially subject to Vietnam’s personal data protection regulations.

4. What are the lawful bases for processing personal data?

Consent remains the primary legal basis for processing personal data under the PDPL. However, several exemptions apply as outlined below.

  • Requirements for valid consent:

    Content: The data subject must be given sufficient information to consent voluntarily and with full knowledge of: (i) the type of personal data to be processed and the purpose of the processing; (ii) the identity of the personal data controller or personal data controller-cum-processor; and (iii) the rights and obligations of the personal data subject.
    Form: Consent from personal data subjects may be obtained through the following methods: (i) in writing; (ii) via recorded telephone calls; (iii) through consent syntax in SMS messages; (iv) via email, websites, platforms, or applications with technical settings configured for obtaining consent; or (v) by other appropriate methods capable of being printed or copied in writing, including electronic form or any verifiable format.

    Whichever method is used, it must make it possible to verify the identity of the data subject who gave consent, the time at which consent was given, and the content to which consent was given.

    Principles: Consent must satisfy the following principles: (i) Consent must be specific to each processing purpose; (ii) Consent must not be made conditional upon acceptance of purposes beyond those expressly stated; (iii) Consent remains valid until withdrawn by the data subject or as otherwise prescribed by law; and (iv) Silence or non-response does not constitute valid consent.

  • Exemptions from consent requirement:

    (i) Processing is necessary to protect the life, health, honor, dignity, rights, or lawful interests of the data subject or other individuals in urgent situations, or to safeguard the legitimate rights or interests of the data subject, other parties, the State, or relevant agencies and organizations against acts infringing such interests. The personal data controller, personal data processor, personal data controller-cum-processor, and any third party bear the burden of proving that this exemption applies;
    (ii) Processing necessary to address emergencies, threats to national security not yet declared as a state of emergency, or the prevention and control of riots, terrorism, crimes, or other legal violations;
    (iii) Processing necessary to serve the activities of state agencies or state management functions in accordance with applicable law;
    (iv) To perform contractual obligations arising from agreements between the personal data subject and relevant agencies, organizations, or individuals as prescribed by law;
    (v) Other cases as expressly provided by law.

  • Rights of personal data subjects in relation to consent:

    (i) Except in cases where personal data processing does not require consent, the personal data subject has the right to withdraw consent previously given for personal data processing and to request restrictions on the processing of their personal data.
    (ii) The personal data controller or personal data controller-cum-processor must receive and implement, and require the personal data processor to implement, requests for withdrawal of consent and restrictions on personal data processing submitted by the personal data subject within the timeframes prescribed by law.
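The consent requirements above (verifiable identity, time and content; one specific purpose per consent; validity until withdrawal; no consent by silence) translate directly into how a consent record store should be built. What follows is an added example written for this article, not code from DFDL or from any Vietnamese regulator: a tamper-evident consent ledger that enforces those properties. The HMAC key, the subject identifier and the consent wording are constructed for the example, and in a real deployment the key would be held in a KMS or HSM with write access restricted to the ledger service.

```python
"""Tamper-evident consent ledger (added example; key, IDs and wording are constructed).
Each event ties together WHO consented, WHEN, and TO WHAT (purpose + hash of the exact
wording shown). One event = one purpose; consent holds until withdrawn; no event = no consent."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timedelta, timezone

LEDGER_KEY = b"example-ledger-key-not-for-production"  # constructed; use a KMS/HSM in production
VALID_METHODS = {"written", "recorded_call", "sms", "email", "web_form", "app"}
GENESIS = "0" * 64


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    subject_id: str    # who
    timestamp: str     # when (UTC, ISO-8601)
    purpose: str       # exactly one purpose
    action: str        # "grant" or "withdraw"
    method: str        # how consent was collected
    content_hash: str  # SHA-256 of the exact text the subject saw
    prev_mac: str      # links this event to the previous one
    mac: str           # HMAC-SHA256 over all other fields


def _mac_for(fields: dict, key: bytes) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class ConsentLedger:
    def __init__(self, key: bytes = LEDGER_KEY) -> None:
        self._key = key
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id, purpose, action, method, content, ts: datetime) -> ConsentEvent:
        if ts.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if method not in VALID_METHODS:
            raise ValueError(f"unsupported consent method: {method}")
        if not purpose or any(sep in purpose for sep in ",;/"):
            raise ValueError("consent must name exactly one purpose")  # no bundled consent
        fields = {
            "seq": len(self._events),
            "subject_id": subject_id,
            "timestamp": ts.astimezone(timezone.utc).isoformat(),
            "purpose": purpose,
            "action": action,
            "method": method,
            "content_hash": hashlib.sha256(content.encode()).hexdigest(),
            "prev_mac": self._events[-1].mac if self._events else GENESIS,
        }
        event = ConsentEvent(**fields, mac=_mac_for(fields, self._key))
        self._events.append(event)
        return event

    def grant(self, subject_id, purpose, method, consent_text, ts):
        return self._append(subject_id, purpose, "grant", method, consent_text, ts)

    def withdraw(self, subject_id, purpose, method, request_text, ts):
        return self._append(subject_id, purpose, "withdraw", method, request_text, ts)

    def is_consented(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True only if the latest event for this subject and purpose at or before
        `at` is a grant. No event at all (silence) is never consent."""
        state = None
        for ev in self._events:
            if (ev.subject_id == subject_id and ev.purpose == purpose
                    and datetime.fromisoformat(ev.timestamp) <= at):
                state = ev.action
        return state == "grant"

    def verify(self) -> bool:
        """Recompute every MAC and check the chain: any edit, reorder or
        deletion of a stored event makes this return False."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            fields = asdict(ev)
            stored = fields.pop("mac")
            if ev.seq != i or ev.prev_mac != prev:
                return False
            if not hmac.compare_digest(stored, _mac_for(fields, self._key)):
                return False
            prev = ev.mac
        return True


def demo() -> dict:
    """Grant, purpose specificity, withdrawal and tamper detection on constructed data."""
    ledger = ConsentLedger()
    t_grant = datetime(2026, 1, 15, 9, 30, tzinfo=timezone.utc)
    t_withdraw = datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc)
    wording = "I agree to receive marketing e-mails from ExampleCo."  # constructed
    ledger.grant("subj-001", "marketing_email", "web_form", wording, t_grant)
    out = {
        "before_grant": ledger.is_consented("subj-001", "marketing_email", t_grant - timedelta(days=1)),
        "after_grant": ledger.is_consented("subj-001", "marketing_email", t_grant + timedelta(days=1)),
        "other_purpose": ledger.is_consented("subj-001", "analytics", t_grant + timedelta(days=1)),
    }
    try:  # a single consent covering two purposes must be refused
        ledger.grant("subj-001", "marketing_email,analytics", "web_form", wording, t_grant)
        out["bundle_rejected"] = False
    except ValueError:
        out["bundle_rejected"] = True
    ledger.withdraw("subj-001", "marketing_email", "email", "Please stop marketing e-mails.", t_withdraw)
    out["after_withdraw"] = ledger.is_consented("subj-001", "marketing_email", t_withdraw)
    out["intact"] = ledger.verify()
    ledger._events[0] = replace(ledger._events[0], purpose="profiling")  # simulate a silent edit
    out["tamper_detected"] = not ledger.verify()
    return out
```

Each event stores a hash of the exact wording shown to the data subject rather than the wording itself, so the record proves what was consented to without copying the text into the log; the HMAC chain means a later edit to any field, or removal of an event, is caught by verify(). Withdrawals are appended as events rather than by deleting the grant, which preserves the evidence that consent existed for the interval in which processing actually took place.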

5. Beyond the right to consent to data processing, what other rights do data subjects have? What corresponding obligations does our organization have in respect of these rights?

  • Rights of personal data subjects:

    (i) The right to be informed of personal data processing activities;
    (ii) The right to consent or withhold consent, and to request withdrawal of consent, for personal data processing;
    (iii) The right to access, correct, or request correction of personal data;
    (iv) The right to request the provision, deletion, or restriction of processing of personal data, and to object to personal data processing;
    (v) The right to complain, denounce, initiate lawsuits, and claim compensation for damages in accordance with law; and
    (vi) The right to request that competent authorities, agencies, organizations, and individuals involved in personal data processing implement measures and solutions to protect their personal data in accordance with law.

  • Obligations of regulated enterprises in respect of data subject rights:

Where an organization is classified as a personal data controller or personal data controller-cum-processor, it shall be subject to the following obligations:

  1. Establish clear processes, procedures, and forms to facilitate the exercise of personal data subject rights, in accordance with the organization’s personal data processing activities and the responsibilities of relevant departments;
  2. Ensure that personal data subjects are duly informed of the procedures for exercising their rights as prescribed by law;
  3. Respond to and implement requests from data subjects to exercise their rights within the timelines prescribed by law:
  Data subject request: timeline for response / timeline for implementation

    – Withdrawal of consent, restriction of personal data processing, or objection to personal data processing: respond within two (2) working days; implement within fifteen (15) days of receipt of the request (twenty (20) days if a personal data processor or third party is involved).
    – Viewing, editing, or requesting the editing of personal data; provision of personal data: respond within two (2) working days; implement within ten (10) days of receipt of the request (fifteen (15) days if a personal data processor or third party is involved).
    – Deletion of personal data: respond within two (2) working days; implement within twenty (20) days of receipt of the request (thirty (30) days if a personal data processor or third party is involved).
    – Implementation of measures and solutions to protect personal data: respond within two (2) working days; implement within fifteen (15) days of receipt of the request.

  In each case the implementation period may be extended depending on the nature and complexity of the request.

Note: Failure to respond within the prescribed timelines may expose the organization to regulatory scrutiny and potential administrative penalties under the PDPL.

6. What are the data breach notification requirements?

  • Responsible parties: The personal data controller, personal data controller-cum-processor, and any third party involved in the processing activity.
  • Government body receiving notification: The Department of Cyber Security and Hi-Tech Crime Prevention under the Ministry of Public Security (the “A05 Department”).
  • Reportable data breaches: Violations of personal data protection regulations that may cause harm to national defense, national security, social order and safety, or that infringe upon the life, health, honor, dignity, or property of personal data subjects.
  • Notification deadline: Within 72 hours of the occurrence of the violation, using the prescribed mandatory form. Where an information system attack poses a risk to consumer information cybersecurity, the notification deadline is reduced to 24 hours. Any notification submitted after the applicable deadline must include an explanation for the delay. The notifying party is required to cooperate with the A05 Department in any subsequent investigation.

7. What are the requirements for preparing, filing, and updating a Data Protection Impact Assessment (“DPIA”)?

  • Responsible parties: The personal data controller, the personal data controller-cum-processor, and the personal data processor, as applicable.
  • Obligations:
    (i) Prepare, retain, and submit a copy of the DPIA to the A05 Department within sixty (60) days from the commencement of the relevant personal data processing activity.
    (ii) Update the DPIA every six (6) months where changes of the kind prescribed by regulation have occurred, and immediately in the other cases required by law.
  • Application form: The prescribed form is set out in Article 19 of Decree 356.
  • Exceptions: The DPIA requirement does not apply to, among others, household businesses and micro-enterprises, except where such entities are engaged in personal data processing services, directly process sensitive personal data, or process personal data of a large number of data subjects.

8. What are the requirements for appointing a data protection officer (“DPO”) or establishing a data protection department (“DPD”)?

  • Under the PDPL, agencies and organizations are required to designate a DPO or DPD with adequate capacity to protect personal data in accordance with applicable legal requirements, or alternatively, to engage organizations or individuals providing personal data protection services.
    This represents a departure from the former Decree 13, which applied this requirement only to agencies and organizations processing sensitive personal data and did not impose qualification requirements on appointed personnel.
  • The designation of personal data protection personnel or a personal data protection department must be documented in writing.
  • Agencies and organizations may appoint internal personnel or, where necessary, engage external service providers — whether individuals or organizations — that satisfy the applicable legal requirements for the provision of personal data protection services.
  • Note: Organizations should ensure that appointed personnel or engaged service providers possess demonstrable expertise in data protection law and practice, as the PDPL now imposes qualification requirements that were absent under the former Decree 13.

9. What are the requirements for the transfer of personal data?

  • Permissible grounds: Agencies and organizations may only transfer personal data on the grounds permitted by law (e.g., transfer of personal data with the consent of the data subject; sharing of personal data between departments within the same agency or organization to process personal data in accordance with the established processing purpose).
  • Agreement requirements: Organizations and individuals transferring personal data must, prior to the transfer, enter into an agreement with the personal data recipient that clearly specifies the content required by law (e.g., the purpose of the transfer, the duration of processing, and the legal basis for the transfer).
  • Exceptions: An agreement is not required where personal data is shared between departments within the same agency or organization for processing in accordance with the established processing purpose.

10. Is cross-border transfer of personal data permitted under the PDPL? If so, what are the applicable requirements?

  • What constitutes a cross-border transfer of personal data under Vietnamese law?
  1. Personal data storage activities involving the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam, or to cloud computing services provided by foreign service providers;
  2. The transfer of personal data from agencies, organizations, or individuals in Vietnam to recipient organizations or individuals located abroad; and
  3. Personal data processing activities in which data collected in Vietnam is transferred to platforms located outside the territory of the Socialist Republic of Vietnam for continued processing.
  • Requirements for cross-border data transfers:

From a data privacy perspective, the PDPL does not impose outright restrictions on cross-border data transfers. However, as with all personal data processing activities, in order for such transfers to comply with the PDPL, the party transferring personal data abroad (the “Personal Data Transferor“) must satisfy the following requirements:

  1. As a data controller, obtain valid consent from the relevant data subjects for the cross-border transfer of their personal data;
  2. Prepare, retain, and submit a copy of a cross-border transfer impact assessment dossier (the “TIA”) in respect of the cross-border data transfer.
  • Filing, Maintaining, and Updating the TIA Dossier
  1. Responsible party: The Personal Data Transferor.
  2. Specific obligations: (i) submit the TIA to the A05 Department within 60 days from the first day of the cross-border data transfer; (ii) update the TIA every six months where changes of the kind prescribed by regulation have occurred, and immediately in the other cases required by law; and (iii) retain the TIA at the head office throughout the operating period of the relevant organization or individual.
  3. Application form: The TIA must be prepared using the prescribed form set out in Article 18 of Decree 356 and is required to be submitted once.
  4. Exceptions: The TIA filing requirement does not apply to, among others:
    – Cross-border personal data transfers conducted for cross-border personnel management purposes in accordance with applicable labor rules, regulations, and collective labor agreements;
    – Cross-border provision of personal data for the purpose of executing contracts or completing procedures relating to cross-border transportation, logistics, remittances, payments, hotel reservations, visa applications, or scholarship applications;
    – Household businesses and micro-enterprises, except for those engaged in personal data processing services, those directly processing sensitive personal data, or those processing personal data of a large number of data subjects.
  • The A05 Department is entitled to inspect and audit the Personal Data Transferor’s personal data management practices and policies, including those governing cross-border transfers of personal data, on an annual basis or more frequently where deemed necessary.
  • Note: Organizations are advised to maintain comprehensive records of all cross-border data transfer activities and to ensure that internal policies and procedures are audit-ready in order to facilitate any inspection by the A05 Department.

11. Are there sector-specific rules applicable to our industry or business activities?

The PDPL represents a significant regulatory development by introducing sector-specific compliance requirements applicable to particular industries and activities, including employment, healthcare, insurance, financial services, advertising, telecommunications, cloud computing, and virtual reality.

Entities operating in or seeking to enter Vietnam’s digital market should carefully review these industry-specific provisions to ensure full compliance with the applicable regulatory framework.

12. What are the penalties for non-compliance, and what is the current enforcement landscape?

  • Penalties for non-compliance:

Vietnam has not yet enacted a dedicated decree on administrative penalties for data privacy violations. However, the PDPL establishes guiding principles pursuant to which the Government is expected to promulgate such penalties in a forthcoming implementing decree.

Notably, the PDPL introduces significant statutory caps on administrative sanctions, permitting fines of up to VND 3 billion (approximately USD 115,000) for most violations. Violations relating to cross-border transfers of personal data may attract more severe sanctions, with fines of up to 5% of the offending entity’s revenue in the preceding fiscal year. In cases involving the illegal purchase or sale of personal data, administrative fines may be imposed at up to 10 times the unlawful proceeds, which could substantially exceed the general cap. Where such proceeds cannot be determined, the fine reverts to the VND 3 billion statutory maximum.

In addition to these PDPL-specific caps, penalties are also prescribed under existing laws governing consumer protection, electronic transactions, and telecommunications. Key violations subject to such penalties include: (i) Collecting or using consumers’ information, or providing, sharing, or disseminating such information to other parties without obtaining consent as required by law; and (ii) Collecting, using, disseminating, or unlawfully trading in another person’s personal information.

  • Enforcement environment

In practice, while compliance with the PDPL among Vietnamese enterprises is improving, it remains incomplete. Many businesses have not yet fulfilled procedural requirements, such as the preparation and submission of DPIA and TIA dossiers, due to implementation complexity. Given the increase in government inspections and regulatory directives, companies are strongly advised to ensure compliance with PDPL requirements and to seek periodic legal consultation regarding regulatory developments.

The enforcement risk for non-compliance with personal data protection regulations remains relatively low due to practical challenges faced by Vietnamese authorities. However, regulators are increasingly prioritizing data protection enforcement and have demonstrated a greater willingness to scrutinize and penalize non-compliance.

For further guidance on compliance strategies tailored to your organization’s specific circumstances, please contact DFDL.

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.
