
Vietnam recently passed Law No. 91/2025/QH15 on Personal Data Protection (“PDP Law”) on 26 June 2025. The law advances beyond the existing privacy framework under Decree No. 13/2023/ND-CP on Personal Data Protection (“PDP Decree”) by layering in heightened obligations across various contexts. The PDP Law echoes the EU GDPR’s architecture yet embeds unique Vietnamese priorities such as national security. Effective from 1 January 2026, the PDP Law demands attention from stakeholders well beyond Vietnam’s borders.

This analysis dissects the PDP Law’s fundamentals, such as scope, lawful bases, cross-border transfer rules and breach reporting, drawing parallels and contrasts with the EU GDPR. It highlights operational implications for multinational operations and closes with insights for practitioners.

PDP Law’s scope echoing EU GDPR’s reach

The law stipulates the scope and targeted subjects under Article 1, which encompasses a wide array of entities engaged in personal data processing tied to Vietnam, spanning local agencies, organizations, and individuals; foreign players active in the country; and overseas firms handling data of Vietnamese citizens or stateless persons of Vietnamese origin residing in Vietnam. Its extraterritorial grip aligns with EU GDPR Article 3, extending oversight to non-EU processors of EU residents’ data. Yet the PDP Law stands apart by safeguarding stateless Vietnamese-origin individuals, a provision attuned to national demographics that broadens its protective umbrella beyond the EU GDPR’s citizenship focus.

Oversight falls under the Ministry of Public Security (MPS), infusing the framework with a security lens that differentiates it from the EU GDPR’s privacy-centric model. The EU GDPR carves out leniencies for low-risk, small-scale activities, but the PDP Law offers narrower reprieves, including a five-year deferral of the data processing impact assessment and of the data protection officer/department appointment for SMEs, barring those engaged in sensitive or high-volume data handling.[1] This structure signals Vietnam’s drive to balance digital growth with sovereignty, compelling global entities to scrutinize data flows involving Vietnamese nationals. The shift from the PDP Decree’s location-based ties to nationality-driven coverage expands risks for international operations, where inadvertent processing of such data could trigger compliance demands.

EU GDPR-like data processing principles with national security emphasis

Article 3 of the PDP Law incorporates principles mirroring the EU GDPR: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability. National interests weave through these principles, bolstered by MPS-led enforcement that heightens scrutiny beyond EU GDPR flexibility in accountability.

EU GDPR interpretations often permit adaptive measures, whereas the PDP Law requires MPS audit cooperation for both controllers and processors, fostering a more stringent environment.

Basic and sensitive personal data awaiting clarification by the Government

The PDP Law divides personal data into basic personal data and sensitive personal data. This classification parallels the EU GDPR’s personal and special categories. However, unlike the PDP Decree, which provides long lists of basic and sensitive personal data,[2] the PDP Law defers such lists to a guiding decree.

EU GDPR Articles 4 and 9 deliver explicit delineations, curbing uncertainty. The law’s postponement could breed interim challenges, especially if the Government is unable to issue a guiding decree by the law’s effective date.

It remains unclear whether local lawmakers will continue to adopt the existing lists of basic personal data and sensitive personal data, which encompass financial data, under the PDP Decree. Generally, lawmakers intend to establish general legal bases or a non-exhaustive list, allowing flexibility for later additions or references to other specialized regulations.

Under Article 9 of the PDP Law, consent is mandated as voluntary, informed, explicit, and granular (purpose-specific), spanning data types, objectives, and controllers, with easy revocation. Non-consent scenarios are contemplated under Article 19, covering vital interests, emergencies, state mandates, or contracts, resembling EU GDPR allowances.

From a practical perspective, consent has been the core lawful basis to enable data processing in Vietnam. This approach will likely persist under the PDP Law and its implementing guidance.

Legitimate interest was included in the PDP Law at the last minute, marking stakeholders’ success in their advocacy efforts since the PDP Decree’s inception. However, this basis differs from the approach under EU GDPR Article 6(1)(f). The EU GDPR offers a more “proactive” approach, where controllers or third parties may rely on this basis, subject to certain limitations and a balancing test between the legitimate interests of the controllers / third parties and the interests and fundamental rights and freedoms of the data subjects. Meanwhile, the law takes a more “reactive” approach, under which processing based on legitimate interests may only be invoked when there is a threat to the legitimate interests of the data subject or other entities, and the processing is necessary to protect them from such a threat. This means that relying on legitimate interests under the PDP Law may be more restrictive for controllers and third parties.

Balanced data subject rights with unclear compliance timeframe

Data subjects are entitled to access information, revoke consent, amend or erase data, limit processing, and object, aligning with EU GDPR Articles 15-22. Data portability is not recognized under the PDP Law. Data subject rights must be exercised in accordance with the law and without infringing others’ rights, mitigating the risk of abuse.

The PDP Law does not provide any time window to respond to data subject right requests, which differs from the seemingly infeasible 72-hour response window under the current PDP Decree. The law vaguely stipulates that data controllers must timely accommodate the request within the timeframe provided under the law. Specific timeframes and the process to handle a data subject right request will be further elaborated under the Government’s guiding decree.

Constrained option for cross-border data transfers

The PDP Law broadly defines cross-border transfers of personal data: exporting Vietnam-stored data, domestic-to-foreign shifts, or external platforms handling local collections. All data transferors are required to prepare a Cross-Border Transfer Impact Assessment (CBTIA) and submit a copy of the same to the MPS within 60 days from the date of transfer. Exemptions to the CBTIA requirement span state actions, storage of employee personal data on cloud-computing services, and self-transfers by data subjects. The CBTIA is not an approval type of procedure, but may potentially restrict the cross-border data transfer of an entity if the submission reveals risks or activities that may harm national security.

In contrast to the CBTIA requirement, EU GDPR furnishes different avenues for cross-border data transfer like adequacy rulings, standard contractual clauses, and binding corporate rules. This stark contrast highlights Vietnam’s limited approach to cross-border data transfer.

Breach notification with overly broad scope

Unlike the EU GDPR, where a personal data breach is triggered by a breach of security, Article 23 of the PDP Law imposes an overly broad requirement: any violation of the laws on personal data protection potentially impairing national security, social order, and/or the data subject’s vital interests, dignity, and property requires the controller to notify the MPS of the violation. The reporting timeframe matches the EU GDPR’s – within 72 hours. Similar to the EU GDPR, processors must inform the controller swiftly upon detection of any personal data protection violation. Coverage spans even minor events, which can burden response teams with additional reporting duties.

Similar to the EU GDPR, controllers are required to log incidents. User notice requirements are newly introduced under the PDP Law, but limited to the fields of banking and finance and biometric processing. Particularly, banking and financial services firms will have to notify data subjects of any leakage or loss of their information. The coverage again spans even minor events and does not require any degree of harm to the data subjects. However, for biometric data processing, the notification requirement will only apply when there is harm caused to the data subject.

Further details about the breach notification process will be provided in the Government’s guiding decree.

Revenue-tied limits for administrative sanctions

Under the PDP Law, administrative fines are capped at VND 3 billion, or 5% of prior-year revenue for violations concerning cross-border data transfers.[3] For illegal sale and purchase of personal data, the fine may reach 10 times the illegal gains. The forthcoming sanction decree should outline computation methods concerning illicit gains from the violating act.

The PDP Law’s penalties appear more targeted at specific violations with potentially lower absolute impacts for large global firms. In contrast, EU GDPR’s fines are broader, more uniformly applied across violation types, and can reach much higher amounts for multinational companies due to the global turnover calculation.

Ambiguous requirements for data protection personnel

Unlike the PDP Decree, where the appointment of a data protection officer (“DPO”) and a data protection department (“DPD”) is only required when processing sensitive data, the law imposes a broad mandate that all organizations and agencies either appoint a DPO and a DPD or engage providers of personal data protection services. This deviates from the PDP Decree, which somewhat aligns with the EU GDPR’s approach to DPOs, wherein both the controller and the processor need to appoint a DPO if their core activities involve processing sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals. This PDP Law expansion adds a local layer of accountability, potentially easing burdens via service providers but risking overreach until details are provided, while the EU GDPR’s narrower scope gives EU businesses greater flexibility for compliance.

No specific requirements on the DPO and DPD are provided at this time. Companies again will need to wait for specifics under the Government’s guiding decree.

Sector-specific requirements

The PDP Law introduces detailed sectoral and activity requirements, spanning employment (Article 25), healthcare and insurance (Article 26), finance (Article 27), advertising (Article 28), communications (Article 29), frontier technologies like AI, blockchain, virtual reality (Article 30), location data and biometric data (Article 31), and CCTV (Article 32). This built-in specificity gives the PDP Law a more prescriptive edge, potentially easing compliance for data-heavy industries in Vietnam’s context where privacy is still emerging. Meanwhile, the EU GDPR maintains a technology-neutral, horizontal approach that applies uniform data protection rules across all sectors – with limited sector-specific nods like Article 88 for employment contexts. The EU GDPR relies on member states for any sectoral fine-tuning.

Considerations on PDP Decree’s effect after 1 January 2026

The PDP Law technically does not repeal the PDP Decree, leading to the possible scenario of coexistence once the PDP Law takes effect in 2026. Under local legal hierarchy, the PDP Law will take precedence over any inconsistencies with the PDP Decree while the decree will support, among others, the classification of basic personal data and sensitive personal data.

From a legislative perspective, aside from giving operative details to the PDP Law, the law’s forthcoming guiding decree will likely amend or replace the PDP Decree. If the Government is able to issue the guiding decree before 2025 ends, the above scenario should not happen.

Additionally, those that submitted the Overseas Transfer Impact Assessment and the Data Processing Impact Assessment per the PDP Decree to the MPS and received a confirmation from the ministry are exempt from doing the CBTIA or the DPIA per the PDP Law. However, for any updates or changes to the impact assessments, companies must follow the law’s procedures.

Practical takeaways

The PDP Law’s guiding decree and sanction decree, expected to be issued before 2025 ends, merit close tracking. In the meantime, while enforcement of the PDP Decree should remain low, impact and gap evaluations are strongly recommended to align EU GDPR setups with the law’s new requirements and intricacies. Companies should also consider arranging local staff training programs with an emphasis on consent granularity and rights handling, using scenario-based modules to bridge EU GDPR familiarity with PDP Law nuances.

Potential difficult hurdles to overcome will likely include satisfying lawful processing basis requirements and successful submission of the CBTIA. As there are still many uncertainties under the PDP Law and the legislative deadline for the guiding decree is fast approaching, industry groups will need to collaborate proactively for advocacy to ease cross-border frictions.

  1. Article 38, PDP Law.
  2. Articles 2.3 and 2.4, PDP Decree.
  3. Article 8, PDP Law.

Author

Thu Minh Le, CIPP/E, is a senior associate at BMVN International, in alliance with Baker McKenzie Vietnam.

Author

Alex Do, CIPP/E, is an IPTech executive cum patent coordinator at BMVN International, in alliance with Baker McKenzie Vietnam.