Vietnam's Personal Data Protection Law: Regulatory Evolution and Business Implications

7/5/2025 · 5 min read


Vietnam will implement the Personal Data Protection Law (PDPL) on January 1, 2026, introducing several new concepts, exemptions, and obligations compared with the current Decree No. 13/2023/ND-CP on personal data protection (PDPD). While much of the content remains essentially the same between the two frameworks, the PDPL represents a targeted evolution that addresses specific gaps and provides enhanced clarity in Vietnam's data protection regime.

Regulatory Framework Transition

The PDPL builds upon the foundation established by Decree No. 13/2023/ND-CP while introducing selective modifications across key areas. The relationship between the PDPD and PDPL has not been clearly addressed; however, it is expected that the government will issue a new decree providing necessary guidance on certain requirements under the PDPL. The PDPD will remain in effect until it is replaced by this new implementing decree.

This transition approach ensures regulatory continuity while allowing for the integration of new requirements and clarifications that address practical implementation challenges identified since the PDPD's introduction.

Key Innovations and Modifications

The PDPL introduces several new concepts and provisions that distinguish it from the current PDPD framework, while maintaining consistency with established data protection principles.

  • Enhanced Extraterritorial Scope

    The PDPL explicitly extends coverage to foreign organizations and individuals processing personal data of Vietnamese citizens, including those abroad. This clarification addresses ambiguities present in Decree 13 and establishes clear jurisdictional boundaries for data protection obligations.

  • Strengthened Administrative Sanctions

    Administrative sanctions have been substantially increased, with penalties reaching up to 10 times the revenue gained from unlawful personal data trading and up to 5% of the previous year's revenue for cross-border data transfer violations. Other violations may incur fines up to VND 3 billion, representing a significant escalation from previous penalty structures.

  • Sensitive Data Protection Requirements

    The law mandates encryption and technical safeguards for sensitive data categories, including biometric, location, financial, and health data. This represents a departure from the more general approach of Decree 13, introducing specific technical requirements for high-risk data types.

  • Sector-Specific Regulatory Provisions

    The PDPL introduces tailored provisions for critical sectors including healthcare, finance, insurance, artificial intelligence, blockchain, cloud computing, social media, and advertising. This granular approach acknowledges the distinct data protection challenges faced by different industries.

  • Enhanced Consent and Data Subject Rights Framework

    Building on the PDPD foundation, the PDPL establishes more stringent consent requirements, mandating that consent be explicit, informed, and documented. Organizations must clearly specify the purpose, data types, processing entities, and rights of data subjects when obtaining consent.

    The law introduces a new prohibition against forcing consent for data use beyond original collection purposes, addressing a significant gap in the previous regulatory framework. This requirement necessitates careful consideration of data collection practices and consent management systems.

    Processing without consent faces enhanced compliance obligations, requiring organizations to establish alternative legal bases for data processing activities that cannot rely on consent mechanisms.

  • Cross-Border Data Transfer Innovations

    While maintaining the Transfer Impact Assessment (TIA) framework from the PDPD, the PDPL introduces specific exemptions that provide operational flexibility in certain contexts.

    • Employee data stored and processed in the cloud for internal use is exempt from the TIA requirement, recognizing the practical realities of modern HR and cloud services. This exemption reduces compliance burdens for employers utilizing cloud-based systems for workforce management.

    • When data subjects themselves initiate the transfer of their personal data outside Vietnam, a TIA is not required. This exemption respects individual autonomy in data transfer decisions while maintaining regulatory oversight for organizational transfers.

    These exemptions represent pragmatic adjustments that acknowledge common business scenarios while maintaining the overall framework for cross-border data transfer oversight.

  • Formalized Data Protection Officer Requirements

    The PDPL formally introduces the Data Protection Officer position with defined responsibilities, addressing the ambiguity present in Decree 13 regarding responsible personnel. This formalization provides clarity for organizational compliance structures while building on existing data protection role concepts.

    Organizations must evaluate whether their current data protection roles and responsibilities align with the new DPO requirements, potentially necessitating structural adjustments to compliance functions.

Transitional Relief and Business Accommodations

  • Grace Periods for Startups and Small Businesses

    The PDPL introduces a five-year grace period from its effective date for startups and small enterprises to comply with certain obligations, including Data Protection Impact Assessments (DPIAs) and Data Protection Officer (DPO) appointments. This relief acknowledges the resource constraints faced by smaller organizations.

  • Exemptions for Microenterprises

    Microenterprises and household businesses are exempt from DPIA and DPO requirements unless they process large volumes of data, provide data processing services, or handle sensitive personal data directly. This tiered approach recognizes the varying capacity of different business sizes.

  • Consent Continuity

    Consent obtained under Decree 13 remains valid under the PDPL, easing the transition for organizations that have already established consent frameworks under the previous regime. This continuity provision reduces immediate compliance disruption during the transition period.

Outstanding Implementation Questions

Several key provisions remain ambiguous and require further government guidance for practical implementation.

  • Scope and Applicability

    It is unclear whether the PDPL applies only to the personal data of Vietnamese nationals, also to foreigners residing in Vietnam, or to all individuals whose data is processed in Vietnam. This ambiguity affects the scope of protection for non-citizens and stateless persons. The extraterritorial reach is broad, but the precise triggers for foreign organizations' obligations need clarification.

  • Data Classification and Definitions

    The PDPL states that the government will issue detailed lists of basic and sensitive personal data, but these have not yet been published. Organizations cannot fully classify or protect data types until these lists are available.

  • Consent and Processing Requirements

    The law tightens consent rules but does not recognize "legitimate interest" as a legal basis for processing, unlike the GDPR. The scope of exceptions and the process for obtaining, documenting, and withdrawing consent require more guidance. The prohibition on requiring consent for unrelated purposes is clear, but practical implementation needs further instruction.

  • Data Protection Roles and Obligations

    The law mandates appointment of PDP Organization and PDP Expert roles for both basic and sensitive data processing, but the specific qualifications and responsibilities need more detail. The criteria for micro and small enterprise exemptions and the process for claiming them require further clarification.

  • Impact Assessments and Documentation

    The law requires regular updates to Data Processing Impact Assessments (DPIA) and Transfer Impact Assessments (TIA), but does not specify templates or detailed content requirements. It is unclear if existing templates from Decree 13 remain valid.

  • Cross-Border Data Transfers

    The law's broad definition of cross-border transfer includes scenarios such as sending emails or publishing data online, which may be impractical for daily business. Further guidance is needed to clarify what constitutes a regulated transfer. While new exemptions exist for employee data in the cloud and self-initiated transfers, the boundaries and documentation for these exemptions need to be specified.

  • Sector-Specific and Technical Requirements

    The law introduces special rules for sectors like finance, healthcare, AI, and cloud computing, but many of these are high-level and require detailed implementing guidance. The law mandates encryption for sensitive data and special protections for biometric data, but does not specify technical standards or acceptable encryption methods.

Looking Forward

International organizations operating in Vietnam must evaluate their current PDPD compliance frameworks against new PDPL requirements, particularly for cross-border data transfers and sector-specific obligations. The enhanced penalty structure necessitates robust compliance systems, while the clarified extraterritorial reach requires foreign entities processing Vietnamese personal data to assess their obligations even without local presence. Organizations should use the transition period to prepare for enhanced requirements while monitoring forthcoming government guidance that will clarify implementation details.

Terix Institute provides specialized analysis of emerging regulatory frameworks and their implications for international business operations. Our experts offer strategic guidance on navigating complex compliance environments and developing effective risk management strategies.