Law on Protection of Personal Data 2025 (Law No. 91/2025/QH15): Key Highlights and Compliance Roadmap

15/01/2026

The Law on Protection of Personal Data 2025 marks Vietnam’s first specialized legislation in this field, establishing a modern legal framework with robust rights for data subjects and strict revenue-based penalties for non-compliant enterprises.

Below are the details of the key provisions stipulated in the Law:

I. Scope of Regulation and Applicable Subjects

1. This Law prescribes personal data, the protection of personal data, and the rights, obligations, and responsibilities of relevant agencies, organizations, and individuals.

2. This Law applies to:

a) Vietnamese agencies, organizations, and individuals;

b) Foreign agencies, organizations, and individuals in Vietnam;

c) Foreign agencies, organizations, and individuals directly participating in or involved in the processing of personal data of Vietnamese citizens and persons of Vietnamese origin without determined nationality residing in Vietnam who have been issued with identification certificates.

II. Key Provisions Stipulated in the Law

1. Classification of Personal Data (Pursuant to Article 2)

The Law clearly distinguishes between two groups of data with varying levels of protection:

  • Basic Personal Data (Article 2, Clause 2): Data reflecting common identity and background factors frequently used in social transactions (e.g., Full name, date of birth, phone number, gender, address, etc.).
  • Sensitive Personal Data (Article 2, Clause 3): Data associated with privacy which, if infringed, directly affects the legitimate rights and benefits of agencies, organizations, and individuals (e.g., Biometric data, health information, financial data, location data, sexual orientation, etc.).

2. Rights of Data Subjects (Pursuant to Articles 4, 13, 14, 15)

The Law empowers data subjects with significant control through 06 fundamental rights prescribed in Article 4, Clause 1:

  • Right to be Informed: To be clearly notified regarding processing activities, data types, purposes, and retention periods.
  • Right to Consent or Withdraw Consent: To allow or disallow data processing, with the right to withdraw consent at any time.
  • Right to Access and Rectify (Article 13): To request to view and correct one’s own information.
  • Right to Access, Delete, and Restrict (Articles 14, 15): To request the Controller to provide data, delete, or restrict processing; to object to data processing.
  • Right to Complain and Claim Damages: To file lawsuits and claim compensation when rights are infringed.
  • Right to Request Protection: To request competent authorities to implement protective measures.

> Note: According to Article 4, Clause 5, the Data Controller is responsible for promptly fulfilling these requests from the data subject.

3. Seven Prohibited Acts (Pursuant to Article 7)

The following acts are strictly prohibited under the Law:

  1. Processing personal data to oppose the Socialist Republic of Vietnam or in ways that affect national defense, security, social order, safety, and legitimate rights and benefits of agencies, organizations, and individuals.
  2. Obstructing personal data protection activities.
  3. Taking advantage of personal data protection activities to violate the law.
  4. Processing personal data against the law.
  5. Using personal data of others and/or letting others use one’s personal data to violate the law.
  6. Trading personal data unless otherwise prescribed by the law.
  7. Appropriating, intentionally leaking, or causing the loss of personal data.

4. Strict Penalties (Pursuant to Article 8)

The penalty system is designed similarly to the European Union’s GDPR (General Data Protection Regulation) model, utilizing revenue-based fines to increase deterrence:

  • For illegal data trading (Article 8, Clause 3): Fine of up to 10 times the revenue generated from the violation. If the revenue cannot be determined or the fine is lower than VND 3 billion, a fine of VND 3 billion applies.
  • For illegal cross-border data transfer (Article 8, Clause 4): Fine of up to 5% of the total revenue of the preceding financial year. If there is no revenue or the fine is lower than VND 3 billion, a fine of VND 3 billion applies.
  • Other violations (Article 8, Clause 5): Fine of up to VND 3 billion for organizations (individuals are subject to a fine equal to 1/2 of that for organizations).
  • Compensation and Criminal Liability (Article 8, Clause 1): In addition to monetary fines, the violating party must compensate for all damages and may face criminal prosecution if the elements of a crime are constituted.

5. Regulations on Public Disclosure of Data (Pursuant to Article 16)

Data may only be publicly disclosed when there is a specific purpose, appropriate scope, and no infringement on the rights of the data subject (Clause 1). There are 04 cases where disclosure is permitted (Clause 2), including: (1) With consent, (2) Pursuant to law, (3) In emergencies/crime prevention, and (4) Pursuant to contractual obligations.

6. Special Protection in Specific Sectors

Enterprises operating in the following sectors must note specific provisions:

  1. Children (Article 24): For children aged 7 and above, the disclosure of private life information requires the consent of both the child and their guardian.
  2. Recruitment & Labor (Article 25):
    1. Only information serving recruitment purposes may be requested; information of unsuccessful candidates must be deleted/destroyed (unless otherwise agreed).
    2. According to points b and c, Clause 2, Article 25: Personal data must be retained for the period prescribed by law or by agreement. Upon termination of the Labor Contract, employee data must be deleted unless otherwise agreed or prescribed by law.
    3. Technology-based monitoring at the workplace must be clearly disclosed to employees.
  3. Healthcare & Insurance (Article 26): Requires explicit consent. Data must not be provided to third parties (e.g., insurance companies) without a written request or legal provision.
  4. Finance & Banking (Article 27): Credit information must not be used for credit scoring/rating without consent (Clause 1, point b).
  5. Advertising & Social Media (Articles 28, 29): Must provide an “opt-out” (refusal to track) feature. No recording (audio/video) without clear consent.

7. Cross-border Data Transfer (Pursuant to Article 20)

Activities such as transferring data out of the territory, transferring to foreign organizations, or using foreign platforms to process data collected in Vietnam are considered cross-border transfers (Clause 1).

  • Obligation: Must prepare a Data Protection Impact Assessment (DPIA) dossier and submit 01 original copy to the specialized agency within 60 days from the first transfer (Clause 2).
  • Frequency: Carried out once for the entire duration of operations (Clause 3).
  • Exemption: Storing employee data on the Cloud or data subjects self-transferring their own data does not require this assessment (Clause 6).

8. Data Processing Impact Assessment – DPIA (Pursuant to Articles 21, 22)

  • Requirement: Personal Data Controllers, and Personal Data Controllers-cum-Processors, shall prepare a DPIA dossier and submit it to the specialized agency within 60 days from the first date of data processing.
  • Updates: The dossier shall be updated every 6 months or immediately upon any change in organization or services (Article 22).

9. Breach Notification (Pursuant to Article 23)

Upon detecting a violation likely to cause harm, the enterprise must notify the specialized agency no later than 72 hours from detection (Clause 1). Simultaneously, minutes must be recorded, and coordination for remediation must be undertaken.

10. Transitional Provisions (Articles 38, 39)

  • Consent obtained before January 1, 2026 (under Decree 13) remains valid.
  • However, from January 1, 2026, all updates, amendments, or new processing activities must comply 100% with the regulations of the 2025 Law.

III. Additional Recommendations from Crowe Vietnam

Be cautious when sharing data through messaging apps in Vietnam.

In late December 2025, just prior to the official effective date of the Personal Data Protection Law 2025 (January 1, 2026), a messaging application in Vietnam unexpectedly notified users to update their terms of service, thereby expanding the application’s rights to collect and use user data.

To ensure the security of your financial, accounting, and human resources data, Crowe Vietnam recommends the following measures to safeguard your enterprise:

  • Do not send sensitive data via chat: Avoid taking photos or sending files containing payrolls, employee Citizen Identity Cards (CCCD)/Passports, commercial contracts, or unpublished financial data via this messaging application.
  • Switch communication channels: Use corporate email to exchange and send important documents. Corporate email systems offer better security and essential audit trail features.
  • Process previously sent data: Review work chat groups on this application, “Recall” (revoke) old data files, and archive them on the company server in accordance with legal retention regulations.
  • Establish an internal “Social Media Usage Policy”: To prevent employees from using personal chat applications without authorization, which risks exposing company data.
  • Strengthen technical safeguards on chat applications: Require employees to disable “auto-download” (to prevent files from being saved to personal devices), use disappearing messages for important information, and mandatorily enable Two-Factor Authentication (2FA) to minimize the risk of data leaks, breaches, or theft.

Crowe Vietnam Team

This content has been prepared by the expert team at Crowe Vietnam, aiming to deliver valuable and practical insights to enterprises.
