Effective January 1, 2026. Whether you run a business, manage a team, or simply use the internet in Vietnam, this law now applies to you. (This article was originally published on 17 April 2026 on our Substack)
Think about the last time you signed up for an app. A privacy notice appeared, several paragraphs long. You scrolled to the bottom and tapped Accept. Within seconds, that app had access to your name, phone number, location history, device identifiers, and a behavioral trail built from months of browsing. You did not read any of it. Neither did most people. That was just how things worked.
Now think about the other side of that transaction. You run a small business. A customer fills out a contact form on your website, drops you a card at a networking event, or subscribes to your newsletter. You add their details to your CRM and keep moving. It did not feel like a legal act. It felt like running a business.
Both of those situations are now regulated under Vietnamese law, and how you handle them has consequences.
The Law on Personal Data Protection (Law No. 91/2025/QH15) was passed by the National Assembly and officially came into force on January 1, 2026. Before this, Vietnam had scattered provisions spread across various decrees and regulations. Now there is one unified law covering the full lifecycle of personal data, with real obligations and real penalties. Here is a summary of what matters in this new law for individuals and businesses.
First Things First: Who Does This Law Actually Cover?
If you are reading this in Vietnam, it probably covers you.
The law applies to Vietnamese agencies, organizations, and individuals. It applies to foreign agencies, organizations, and individuals operating inside Vietnam. And it applies to foreign entities located entirely outside Vietnam if they are involved in processing the personal data of Vietnamese citizens.
That last category is where things get significant for technology companies, SaaS platforms, and anyone running a digital product with users in Vietnam. It does not matter where your servers are hosted. It does not matter where your company is registered. If you collect, store, or process data about Vietnamese users, you are within scope.
What Exactly Is “Personal Data”?
The law defines personal data as any digital data or information in any other form that identifies or helps identify a specific individual.
This breaks into two categories, and the distinction carries real operational weight.
Basic personal data is the everyday kind: full name, date of birth, gender, phone number, email address, home address, national ID or citizen identification number, marital status, and educational background. These are the data points that flow through business processes all the time: registration forms, job applications, client databases, email marketing lists.
Sensitive personal data is a separate, higher-protection category. It includes health records and medical history, biometric data (fingerprints, facial recognition, voice prints), information about sexual life, financial and credit information, religious beliefs, political views, criminal records, personal location data, and data relating to children. When any of these are involved, the obligations on whoever holds that data are significantly more demanding.
One technical note worth keeping in mind: once data has been fully anonymized, it is no longer considered personal data under this law. This matters for businesses that work with aggregate analytics or anonymized datasets for research purposes.
Your Rights as an Individual
This is the section that tends to surprise people, because it turns out you have considerably more power over your own data than most people realize.
Under Article 4, every person, referred to in the law as the “data subject,” holds the following rights.
The right to know. You are entitled to be informed about any and all activities involving the processing of your personal data: who has it, what they are doing with it, and why.
The right to consent or refuse, and to withdraw. You can agree to allow someone to process your data, and you can say no. More importantly, you can change your mind and withdraw consent at any time. Withdrawal does not undo what already happened, but it stops further processing from that point forward.
The right to access and correct. You can view your own data that a company or organization holds and request corrections if anything is wrong or outdated.
The right to demand deletion or restriction. You can ask for your data to be deleted, or request that its use be limited to specific purposes. You can also formally object to certain processing activities and ask that they stop.
The right to complain, report, and pursue legal action. If you believe your data rights have been violated, you can file a complaint, report the violation to the relevant authorities, initiate legal proceedings, and claim compensation for damages.
The right to request protective measures. This one is often overlooked, but it is explicitly in the law. You can request that competent state authorities, or any agency, organization, or individual involved in processing your data, take specific measures to protect your personal data in accordance with the law. In other words, you do not have to wait for a breach to happen. You can actively call on the relevant parties to act.
There is one rule that ties all of these rights together and changes how a lot of current business practices need to work: silence is not consent. A pre-ticked checkbox is not consent. A clause buried in terms and conditions stating that continuing to use a service constitutes agreement is not consent. Consent must be voluntary, informed, expressed clearly, and specific to each individual purpose. You cannot bundle five different uses of someone’s data into a single approval and call it done.
Your Obligations as an Individual
Rights come with corresponding responsibilities. The law also places obligations on data subjects themselves.
You are responsible for protecting your own personal data. You are expected to respect and protect the data of other people. You are obligated to provide accurate and complete information when sharing data with others under lawful circumstances. And you are required to comply with data protection laws and to participate in preventing violations where you are able to.
When exercising your rights, you cannot do so in a way that obstructs the lawful operations of whoever holds your data, or that infringes on the legitimate rights of other parties.

The Six Core Principles That Govern Everything
Before getting into what specific sectors need to do, it helps to understand the six principles the entire law is built on.
The first is legality: all data processing must comply with the Constitution and relevant legislation.
The second is purpose limitation: data may only be collected and used for a clearly defined, specific purpose.
The third is accuracy: data must be kept accurate, corrected when wrong, and stored only for as long as the stated purpose requires.
The fourth is security: appropriate technical, institutional, and human measures must be implemented and maintained.
The fifth is proactive prevention: violations must be anticipated and addressed promptly.
The sixth is proportionality: personal data protection must be balanced against national interest and the legitimate rights of all parties involved.
What the Law Explicitly Prohibits
Article 7 sets out a list of acts that are absolutely forbidden under this law. Understanding these is useful for both individuals and businesses, because several of them describe things that have become common practice in Vietnam’s digital landscape.
Processing data against the State. Using personal data in ways that undermine national security, public order, or the legitimate rights of organizations and individuals is strictly prohibited.
Obstructing data protection. Interfering with, blocking, or disrupting activities that protect personal data is not permitted.
Exploiting data protection as a cover. Using the banner of “data protection” to commit violations of other laws is expressly prohibited.
Processing data unlawfully. Any collection, storage, use, or transfer of personal data that violates the provisions of this law is prohibited.
Using another person’s data illegally, or allowing your own to be misused. This includes using someone else’s data to commit unlawful acts, and knowingly allowing another party to use your own data for illegal purposes.
Buying and selling personal data. The commercial trade of personal data is prohibited, except in cases where the law specifically provides otherwise. This is the provision that makes many lead-generation practices, data broker operations, and purchased marketing lists legally problematic.
Misappropriating, intentionally disclosing, or causing the loss of personal data. Stealing data, deliberately leaking it, or negligently allowing it to be lost are all prohibited acts.
How Consent Works in Practice
Because consent is so central to the entire framework, it is worth being precise about what it actually requires.
Consent is only valid when the person giving it genuinely understands and freely agrees to three things: what type of data is being processed, who is processing it and for what purpose, and what their rights are throughout the process.
Consent must be given separately for each specific purpose. If you want to use a customer’s email address for a newsletter and also share it with your advertising partners, those are two separate consents. You cannot combine them into one checkbox and expect that to hold up.
The format must be clear and specific, expressed in writing or a verifiable electronic form. Verbal agreement in an informal setting does not meet the legal standard.
Consent remains valid until the person withdraws it. If someone changes their mind, they must submit a written withdrawal request (electronic form is acceptable), and the data controller must act on it within the legally prescribed timeframe. Critically, withdrawal only applies going forward. It does not invalidate processing that occurred before the request was made.
One important operating principle: silence or non-response cannot be treated as consent. If a user does not respond to a data request, that is not an agreement.
The Full Lifecycle of Data: Collection, Encryption, Correction, Deletion, and Transfer
The law regulates every stage of what happens to personal data from the moment it is collected to the moment it is deleted. These provisions in Articles 11 through 18 matter for anyone who handles data in the course of running a business.
Collection and analysis. Personal data may only be collected with the data subject’s prior consent, unless the law provides an exception. Organizations other than authorized state agencies can only analyze or aggregate personal data from sources that are lawfully permitted for processing.
Encryption. Personal data classified as a state secret must be encrypted under the relevant law. For other personal data, organizations decide their own encryption approach, but it must be appropriate to the processing activity. Encrypted data remains personal data.
Correction. Data subjects have the right to correct their own data directly where that is technically possible, or to request corrections from the data controller. Controllers are obligated to make corrections upon request, or to explain in writing why they cannot. They must also notify any third parties who received the original data to correct their records.
Deletion and de-identification. Personal data must be deleted when the data subject requests it (and accepts any associated risks), when the processing purpose has been fulfilled, when the retention period expires, or when ordered by a competent authority. After deletion, data must not be intentionally restored. De-identification, which strips data of identifying information, must be supervised carefully to prevent unauthorized re-identification. Once de-identified, data may not be re-identified except where the law explicitly allows it.
Provision of data. Data subjects can authorize their data to be provided to other parties, and data controllers can provide data to other parties under specific conditions: when the data subject consents, when required by law, or in certain other circumstances defined by the law. Providing data to another party does not, in itself, constitute a commercial sale of that data.
Public disclosure. Personal data may only be disclosed publicly for a specific, legitimate purpose. The scope of disclosure must match the purpose. It must not exceed what the data subject has consented to, and it must not infringe on their legal rights. Organizations that publicly disclose personal data must actively monitor and control ongoing access to that disclosed data.
Transfer of data. Personal data can be transferred internally within an organization for legitimate processing purposes, transferred to authorized processors or third parties under contract, or transferred at the request of a competent state authority. Internal transfers between departments do not constitute a commercial sale. The law is clear on this.
Other processing activities. Storage, retrieval, connection, coordination, verification, and authentication of personal data must all comply with the provisions of this law and any related data legislation. The law also prioritizes using personal data to support state management and public service activities as part of Vietnam’s national digital transformation agenda.
When Can Data Be Processed Without Consent?
The law permits data processing without the data subject’s consent in a defined set of situations. These are not broad exceptions. They come with their own obligations.
Consent-free processing is permitted to protect life, health, reputation, or property in urgent circumstances; to address national security threats or prevent crime; to support lawful state management activities; to fulfill contractual obligations the data subject has already agreed to; and in other cases specified by law.
Organizations that rely on these exceptions cannot simply invoke them and move on. They must establish an internal oversight mechanism that includes documented procedures, regular risk assessments, and a functioning channel for receiving and handling objections from relevant parties.
Cross-Border Data Transfers
This is the provision that tends to cause the most operational concern for technology companies and international businesses.
The law defines three scenarios as cross-border data transfers: moving data stored in Vietnam to a storage system outside Vietnamese territory; transferring data from a Vietnamese organization to a foreign partner; and using a platform hosted outside Vietnam to process data that was originally collected inside Vietnam.
If you are running a product that stores user data on AWS, Google Cloud, or any internationally hosted infrastructure, that third scenario applies to your situation directly.
Organizations conducting cross-border transfers must prepare a data transfer impact assessment and submit it to the Personal Data Protection Department under the Ministry of Public Security within 60 days of the first transfer date. This assessment is not a one-time exercise. It must be updated every six months, or immediately when significant organizational changes occur, such as a restructure, a change in the service provider overseeing data protection, or a new type of data being transferred.
The competent authority can order transfers to stop if it determines that data is being used in ways that threaten national security.
For small businesses and startups that do not directly process sensitive data or operate at large scale, there is a five-year grace period from January 1, 2026, to fulfill the formal impact assessment and filing requirements. The grace period does not, however, exempt them from the law’s broader obligations. Core requirements around consent, purpose limitation, and data security apply from day one. The grace period specifically covers the more resource-intensive administrative processes of formal documentation and reporting to the competent authority.
Impact Assessment and Breach Notification
Data controllers must prepare a personal data processing impact assessment file from the first day of processing. This must be submitted to the competent authority within 60 days, kept updated every six months, and revised immediately whenever there are material changes to the organization’s structure, industry activities, or the nature of the data being processed.
On breach notification: if a violation is discovered that could plausibly harm national security, public safety, or a data subject’s life, health, or property, the data controller or processor must notify the competent authority within 72 hours of discovery. The controller must also prepare a formal breach record and cooperate with the authority in addressing the violation. That 72-hour window is consistent with GDPR standards, and it is not flexible.
What Businesses Must Do by Sector
Children, Minors, and Individuals with Limited Capacity
This is a category that deserves attention, because the rules are stricter than many organizations currently realize.
Personal data of children, individuals who have lost or have limited legal capacity, and individuals with cognitive difficulties must be handled with elevated care. Legal representatives exercise data rights on their behalf. Crucially, for children aged seven and above, processing their personal data to disclose information about their private life requires the explicit consent of both the child and their legal representative. Not one or the other. Both.
For organizations running apps, platforms, or services that children use, this has direct implications for how consent flows are designed, what data is collected during registration, and how parental consent is obtained and documented.
Hiring and Managing Employees
During recruitment, your organization may only ask candidates for information directly relevant to the hiring process, and you must have their consent to process it. If someone is not hired, their data must be deleted unless a separate written agreement exists to retain it.
For existing employees, data must be stored only for the legally prescribed period and deleted when employment ends, unless the law or a specific agreement provides otherwise. Any workplace monitoring technology, whether cameras, activity tracking software, or keystroke logging, must be disclosed to employees and must comply with the law’s requirements on transparency and purpose limitation.
Insurance
Insurers and health service providers cannot share a customer’s health data with third-party insurance companies or healthcare service organizations without the customer’s written consent. Applications in healthcare and insurance must comply fully with personal data protection requirements. Any reinsurance or retrocession arrangements that involve data transfers must be explicitly stated in the contract with the customer.
Financial Services and Banking
Banks and financial institutions cannot use a customer’s credit information for scoring, ranking, or trustworthiness assessment without prior consent. In the event of a data breach involving banking, financial, or credit information, the organization must notify affected customers immediately. Credit information agencies must maintain strict technical security measures, have a data recovery plan, and keep all data collected for credit assessment purposes confidential throughout the collection and processing process.
Advertising
Customer data can only be used for advertising when the customer has consented and has a clear understanding of what they are agreeing to: the content, channel, format, and frequency of the advertising they will receive. Users must be given a straightforward mechanism to opt out of receiving advertising communications at any time, and organizations must honor those requests.
Advertising businesses cannot fully subcontract their data-dependent operations to another party. For personalized or behavioral advertising, data collection through website or app tracking is only permitted with explicit user consent. Organizations must also provide users with the ability to refuse data sharing, set a retention period, and delete data when it is no longer needed.
Social Media and Online Platforms
Platforms operating in Vietnam face a detailed and specific set of obligations. When a user installs or registers, the platform must clearly disclose exactly what personal data it collects. Platforms cannot require users to provide identity document images or videos as a standard account verification step. A cookie opt-out option must be available. A “Do Not Track” setting must exist. Phone calls and private messages cannot be intercepted or recorded without consent. Privacy policies must be publicly disclosed in clear, accessible language, and platforms must provide users with mechanisms to access, correct, and delete their data.
AI, Big Data, Blockchain, and Cloud Computing
The law extends into newer technology environments with specific requirements. Data processed by AI systems or within Big Data environments must be handled only to the extent necessary for the stated purpose and must conform to Vietnamese ethical standards and social norms. AI systems that use personal data must incorporate appropriate security controls, authentication mechanisms, and access restrictions. AI-based data processing must be classified by risk level, with protective measures applied proportionally to that risk.
The law explicitly prohibits developing or deploying AI, Big Data, blockchain, metaverse, or cloud computing systems that use personal data in ways that harm national security, public order, or the physical safety, reputation, or financial interests of individuals.
Location Data and Biometric Data
Location tracking using RFID or similar technologies is not permitted without consent, except where law enforcement or competent authorities require it. Mobile apps that collect location data must notify users and provide meaningful options for controlling how that data is used.
Biometric data, including fingerprints, facial recognition, and voice identification, requires physical security measures for storage and transmission infrastructure, strict access controls, and active monitoring systems to detect unauthorized access. If biometric data processing causes harm to a data subject, the collecting party must notify that individual directly.
Recording in Public Spaces
Recording audio or video in public spaces without individual consent is permitted in specific, defined circumstances: national defense and security operations, public events such as conferences, seminars, sports competitions, or artistic performances (provided the recording does not damage the dignity or reputation of individuals), and other cases defined by law.
Even when recording is lawful, the responsible organization must notify individuals that they are being recorded, unless the law provides otherwise. Data collected from recording may only be stored for as long as is necessary for the stated collection purpose, and must be deleted once that period ends.
The Penalties: What Happens If You Ignore This
The law establishes three main penalty tiers.
For the illegal buying and selling of personal data, the fine is up to 10 times the revenue generated from the unlawful activity. If there is no traceable revenue, or if the revenue-based calculation falls below the general ceiling, the general ceiling applies instead.
For organizations that violate cross-border data transfer requirements, the maximum fine is 5% of the organization’s revenue from the previous financial year. For a company reporting 100 billion VND in annual revenue, that represents a 5 billion VND exposure.
For all other violations in the area of personal data protection, the maximum administrative fine is 3 billion VND for organizations. Individuals who commit the same violations face a maximum of 1.5 billion VND, which is half the organizational ceiling.
Beyond administrative fines, the law makes clear that criminal liability is possible depending on the nature and severity of the violation. Anyone who causes actual harm through a data violation is also required to compensate the affected parties.
The Ministry of Public Security is currently finalizing a more detailed decree on administrative penalties. Under the current draft, intentionally disclosing personal data could result in fines of up to 100 million VND, with the specific amount determined by scale and severity of the incident.
Who Is Actually Responsible When Data Gets Leaked?
This is the question that has been playing out in the Vietnamese media and legal community in the months since the law’s implementation.
When personal data is leaked, the instinctive public response sometimes focuses on what the affected individuals could have done differently. Legal experts and commentators, including analysis from Thanh Nien newspaper, have been pushing back on that framing clearly. The responsibility, they argue, must sit primarily with the organizations that collect and process data, not with the individuals who trusted those organizations with their information.
The law supports this position. Data controllers are legally required to implement appropriate technical and organizational security measures, maintain a breach response plan, and compensate individuals harmed by their failures. The burden of protection sits with the processor, not the person whose data it is.
That said, the practical debate continues. In a landscape where data leaks occur regularly, where many organizations do not yet have robust security infrastructure in place, and where enforcement mechanisms are still being developed, the gap between what the law requires and what actually happens remains a real concern worth watching.
What the Enforcement Structure Looks Like
The law establishes a four-part personal data protection system. The Personal Data Protection Department under the Ministry of Public Security serves as the lead competent authority. Organizations and agencies must designate dedicated data protection personnel or departments. Third-party data protection service providers can also be engaged to fulfill these requirements. And broader societal participation is provided for through mobilization of relevant organizations when needed.
For the organizational side, the law places clear accountability on data controllers. They are responsible for determining the purpose and means of data processing, implementing appropriate security measures, notifying authorities of violations, ensuring data subject rights are respected, and cooperating fully with the Ministry of Public Security during investigations.
For most businesses, full compliance with the law applies from January 1, 2026. However, there is a transitional provision worth understanding carefully. Small businesses and startups, specifically those that do not directly process sensitive personal data and do not handle personal data at a large scale, are granted a five-year window from the law’s effective date to comply with the most resource-intensive requirements: the formal data processing impact assessment and the associated reporting obligations to the competent authority. This is a meaningful concession for smaller operators who need more time to build the necessary infrastructure. It is not, however, a general exemption from the law. Obligations around consent, data subject rights, purpose limitation, and security still apply from day one. The grace period covers documentation and formal reporting, not the fundamental principles.
The Honest Summary
Vietnam’s Personal Data Protection Law is comprehensive in a way that previous data regulations were not. It creates a real legal framework with real consequences, and it applies broadly: to local companies, international businesses, individuals, platforms, employers, advertisers, and anyone who handles personal data in the course of their work or daily life.
For individuals, the law gives you more legal control over your own data than you have ever had under Vietnamese law. Use those rights. Ask to see what a company holds about you. Withdraw consent when you are no longer comfortable. File a complaint if your rights are being ignored.
For businesses, this law requires a genuine audit of your current practices. Consent mechanisms, privacy policies, data retention schedules, breach response plans, and employee data handling all need to be reviewed against the new requirements. The question is not whether to take this seriously. It is whether you start now with time to prepare, or later under pressure.
For anyone operating at the intersection of technology, data, and user trust, this law describes a standard that is worth building toward regardless of what the penalties look like. Collecting only what you need, being honest about how you use it, giving people real control, and building the infrastructure to protect it properly. These are not compliance boxes to tick. They are how you build a product or business that people can actually trust.
The enforcement infrastructure is still developing. The detailed penalty regulations are being finalized. But the law is in effect, and the direction is clear.
If you are building or operating a business in Vietnam, personal data protection is now something you need to get right early. If you need help reviewing your processes or understanding what applies to your case, Easytiger.vn can connect you with the right legal and compliance specialists.
This article is for informational purposes only and does not constitute legal or tax advice. Consult a qualified lawyer or advisor for guidance specific to your business situation.
Source:
Law on Personal Data Protection, Law No. 91/2025/QH15