After a prolonged period marked by visible delays in the enforcement of Vietnam’s privacy regulations under Decree No. 13/2023/ND-CP dated 17 April 2023 (“Decree 13”), the Vietnamese National Assembly officially passed the Law on Personal Data Protection on 26 June 2025, taking effect on 1 January 2026 (“Privacy Law”).
This legislative development represents a significant upgrade to Vietnam’s privacy framework, elevating it from a subordinate decree to a full-fledged law with higher legal authority. It reflects the Vietnamese Government’s acknowledgment of:
(i) the growing importance of personal data protection in what it identifies as the “era of data as a new form of capital in production”; and
(ii) the practical challenges of ensuring compliance with data protection obligations in Vietnam.
However, the Privacy Law is not expected to bring about immediate practical changes, due in part to:
(i) the legislature adopting a legislative drafting approach based on principles, under which the Privacy Law provides high-level rules to be further detailed in future implementing instruments (e.g., Government decrees); and
(ii) the continuity of key provisions from Decree 13.
The following highlights some key features of the Privacy Law:
(i) Continuity of key concepts from Decree 13:
The fundamental concepts introduced under Decree 13 have been carried over into the Privacy Law. As such, businesses that have already implemented compliance measures in accordance with Decree 13 are unlikely to need substantial revisions to their internal policies, data governance frameworks, or operational practices. Specifically, core notions such as personal data (including the distinction between basic and sensitive data), data controller, processor, third party, and valid consent from the data subject, as well as regulatory tools such as the Data Protection Impact Assessment (DPIA) and the Transfer Impact Assessment (TIA), remain conceptually consistent under the new legislation.
(ii) Several notable amendments warrant attention, though some remain unclear in terms of implementation and are expected to be clarified through forthcoming Government guidance:
a. Clearer extraterritorial scope for foreign entities: Decree 13 ambiguously extended its applicability to personal data processing activities by foreign entities that were “conducted in Vietnam” (whether directly or in relation to such activities), in addition to Vietnamese entities and foreign entities located in Vietnam. By comparison, the Privacy Law provides a more definitive scope – “foreign organizations, individuals, and agencies that directly participate in or are related to the processing of personal data of Vietnamese citizens and persons of Vietnamese origin residing in Vietnam who have not yet had their nationality determined but have been issued a personal identification certificate”.
b. Broadened definition of the forms of personal data: The Privacy Law confirms that personal data, regardless of whether it is presented in electronic form or “other forms” (i.e., non-electronic or physical formats), falls within its regulatory scope. This marks an important clarification that paper-based records and other analog forms of personal data are also subject to the Privacy Law’s requirements.
c. Upcoming Government decree to define categories of personal data: Unlike Decree 13, which provides a non-exhaustive list defining basic and sensitive personal data, the Privacy Law authorizes the Government to issue a Decree specifying the official list of basic personal data and sensitive personal data. Hence, businesses will need to wait for this upcoming Decree to determine whether the scope of these personal data categories will differ from those under Decree 13.
d. Introduction of new foundational concepts which are subject to further detailed guidance: For the first time, the Privacy Law formally introduces several privacy-related concepts such as personal data de-identification, encryption, and decryption of personal data. It also places greater emphasis on certain previously underdefined notions such as the transfer of personal data, public disclosure of personal data, and the aggregation and analysis of personal data. While these concepts have the potential to significantly shape future privacy compliance practices in Vietnam, the Privacy Law currently provides only high-level definitions. In each case, it defers detailed implementation to a forthcoming Government Decree, which is expected to be issued in the second half of this year, prior to the Privacy Law’s effective date on 1 January 2026.
e. Introduction of guiding principles for administrative sanctions for violations of the Privacy Law: For the first time, the Privacy Law establishes overarching principles for the imposition of administrative penalties for privacy violations, which will serve as the basis for the Government to issue implementing decrees. Specifically:
For organizations (including legal entities):
- The maximum monetary fine for the act of buying or selling personal data is set at ten times the revenue generated from the violation. If no revenue is generated, or if ten times the revenue is less than VND 3 billion, then a maximum fine of VND 3 billion applies.
- The maximum monetary fine for violations involving cross-border transfers of personal data by organizations is 5% of the violator’s revenue from the preceding year. If there is no revenue from the preceding year, or if 5% of the revenue is less than VND 3 billion, then the maximum fine is capped at VND 3 billion. The Privacy Law does not yet specify how the preceding year’s revenue is to be calculated (e.g., revenue in Vietnam or global revenue), leaving this to be detailed in a forthcoming Government decree.
- For other types of personal data protection violations, the maximum administrative fine is VND 3 billion.
For individuals: The applicable fines will be 50% of the maximum fines imposed on organizations as outlined above.
f. Cross-border Transfer Impact Assessment (TIA) and Data Protection Impact Assessment (DPIA) under the Privacy Law: Some key new elements in these two major compliance obligations for businesses are as follows:
- DPIA: controllers and processors are still required to prepare and submit a DPIA, similar to the requirements under Decree 13, within 60 days from the date they commence personal data processing.
- TIA: The Privacy Law continues to require that the data transferor prepare and submit a TIA to the competent state authority within 60 days from the date of initiating a cross-border data transfer. However, TIA preparation and submission is not required in certain cases, including: (i) Transfers conducted by competent state authorities; (ii) Entities storing employees’ personal data on cloud computing services for internal use; (iii) Cases where data subjects themselves transfer their personal data across borders; (iv) Other cases as stipulated by the Government.
- Inspection and oversight: State authorities may carry out an annual review of DPIA and TIA documentation or conduct ad-hoc inspections when there are signs of violations.
- Update requirements: Both DPIA and TIA are to be conducted once for the entire duration of the relevant data processing activity, but must be updated every six months if there are any changes. Immediate updates are required in specific circumstances, including: (i) Reorganization, cessation of operations, dissolution, or bankruptcy; (ii) Changes in the information of the organization or individual providing personal data protection services; (iii) The commencement or termination of any new business lines, services, or products related to personal data that were previously registered in the DPIA or TIA.
- Submission procedures and forms: The detailed procedures and templates for submitting DPIA and TIA documents will be specified in a forthcoming Government decree. The submission procedures can be carried out either through the official online portal of the state authority on data privacy (https://baovedlcn.gov.vn/) or directly at the office of the competent state authority.
g. Data privacy officers (DPO) and departments (DPD): The Privacy Law requires businesses to appoint a qualified department or personnel, or to engage third-party service providers, to carry out personal data protection functions. However, once again, the Privacy Law defers to the Government to specify the detailed conditions, responsibilities, and competency requirements for internal DPOs, designated DPDs, as well as external personal data protection service providers and personal data processing service providers.
h. Grace period and exemptions:
- As mentioned, the Privacy Law will take effect on 1 January 2026. However, small businesses and startups may opt out of the DPIA requirement for a period of five years from the effective date of the Privacy Law, unless they engage in: (i) personal data processing services; (ii) direct processing of sensitive personal data; or (iii) processing the personal data of a large number of data subjects.
- Household businesses and micro-enterprises are exempt from conducting and updating a DPIA, except where they (i) provide personal data processing services; (ii) directly process sensitive personal data; or (iii) process the personal data of a large number of data subjects.
- The Privacy Law further requires the Government to issue a Decree providing additional guidance on the scope and application of this grace period.
Proactive Steps for Privacy Law Readiness
The Privacy Law introduces overarching provisions and relies on the Government to issue detailed regulations. In practice, businesses will need to await such regulations to fully understand their compliance obligations under the new privacy framework.
But in the meantime, businesses can take the following proactive steps to prepare for the new requirements:
- Review the Privacy Law or seek legal advice to better understand its scope and anticipate what guidance may be issued in the forthcoming decree.
- Standardize, document, and organize internal data processing procedures, data flows, privacy-related contracts, internal regulations, and policies to ensure readiness for compliance once the decree is issued.
- Conduct internal assessments – or seek professional legal advice – to determine whether the business qualifies for the DPIA grace period and/or other exemptions under the Privacy Law, to adopt a tailored and efficient compliance strategy.
- Monitor regulatory developments and ensure ongoing compliance with Decree 13, to mitigate potential legal risks during the transitional period.
The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.