Demystifying Vietnam’s New Laws Regulating Data and Navigating Key Compliance for Businesses
Introduction
Vietnam has recently enacted two laws regulating data (collectively, “New Laws”), taking a similar approach to China. The Data Law imposes requirements on some types of data, such as core and important data (discussed below), and the PDPL (coming into effect in 2026) imposes obligations similar to data protection laws in other countries. Understanding these New Laws and how they will apply to your business is key.
Vietnam's new Law on Data ("Data Law") took effect on 1 July 2025 (see our previous article, "Understanding Vietnam’s Data Law: Key Objectives and Business Implications").
The Vietnamese government has also released a series of decrees in relation to the Data Law:
- detailing measures to implement the Data Law ("Implementation Decree");
- regulating scientific, technological, innovation activities, and data products and services ("Data-related Decree");
- regulating the management of data in the health sector (“Health Data Decree”); and
- creating the National Data Development Fund ("NDDF Decree").
Vietnam’s Law on Personal Data Protection (Law No. 91/2025/QH15) (“PDPL”), passed on 26 June 2025 and effective from 1 January 2026, will establish a comprehensive personal data protection framework in the country for the first time. The Vietnamese government recently completed a public consultation (from 16 to 26 September 2025) on the draft decree clarifying the provisions of the PDPL (“Draft PDPL Decree”) which, when passed, will also be effective from 1 January 2026.
Key Definitions and Classifications under the New Laws
Understanding the key definitions and classification of data is fundamental to compliance.
For the Data Law, Decision No. 20/2025/QD-TTg sets out what is “Core” and “Important” Data:
- Important data: Refers to data that, if illegally collected or used, may impact national defence, security, foreign relations, the macro-economy, social stability or public health and safety. “Important” data includes all categories of core data as well as the following categories:
  - Non-public data related to internal affairs, transportation, social insurance funds, health insurance and unemployment insurance collected and managed by state agencies;
  - Non-public financial and banking data of state agencies;
  - Non-public data on works and performances for which the State acts as the representative of copyright and related rights owners, on the foreign investment activities of state-owned enterprises and in the field of information, communication and education and training, collected and managed by state agencies;
  - Non-public biosafety data collected and managed by state agencies; and
  - Non-public data on organisations and citizens, comprising:
    - Basic data of 100,000 or more Vietnamese citizens;
    - Sensitive data of 10,000 or more Vietnamese citizens; and
    - Data on bank accounts, payment history or debt obligations of 10,000 or more Vietnamese enterprises and organisations.
- Core data: A subset of important data whose illegal collection or use would directly endanger these same national interests. “Core” data includes:
  - Non-public data concerning investment and procurement activities in the fields of defence, security, cryptography, and national reserves;
  - Non-public data concerning military, defence, security, cryptographic works, and critical projects related to national security;
  - Non-public data on strategies, policies, procedures and activities for monitoring, preventing and responding to cybersecurity incidents and protecting critical information infrastructure, collected and managed by state agencies;
  - Non-public data transferred by foreign agencies, organisations, and international organisations under international treaties to which the Socialist Republic of Vietnam is a party, and which requires protection;
  - Non-public data on the activities of Vietnamese representative agencies abroad, collected and managed by state agencies;
  - Non-public data on ethnicity, beliefs, and religions managed by state agencies;
  - Non-public geospatial data, aerial photo data, and remote sensing data of key areas and locations serving national defence, security and cryptography, collected and managed by state agencies;
  - Non-public data in the financial and budgetary fields, collected and managed by state agencies;
  - Non-public medical data collected and managed by state agencies; and
  - Non-public data on organisations and citizens, comprising:
    - Basic data of 1,000,000 or more Vietnamese citizens;
    - Sensitive data of 100,000 or more Vietnamese citizens; and
    - Data on bank accounts, payment history or debt obligations of 100,000 or more Vietnamese enterprises and organisations.
The PDPL identifies two main types of personal data: (a) basic personal data and (b) sensitive personal data:
- Basic Personal Data: Personal data reflecting common personal details and background information, frequently used in transactions and social relations. Sensitive Personal Data listed in the Draft PDPL Decree is excluded from the scope of Basic Personal Data.
- Sensitive Personal Data: Personal data associated with individuals’ privacy rights that, if infringed on, directly affects the legitimate rights and benefits of agencies, organisations, and individuals. Under the Draft PDPL Decree, Sensitive Personal Data includes:
  - Data revealing racial or ethnic origin;
  - Opinions on politics, religion, or personal beliefs;
  - Data associated with one’s private life;
  - Health status;
  - Biometric data and genetic characteristics;
  - Data revealing one’s sexual life or sexual orientation;
  - Data regarding crimes or criminal acts collected and stored by law enforcement agencies;
  - Location data determined by positioning services;
  - An individual’s electronic identity;
  - Account usernames and passwords; bank card information, data on bank account transaction history; financial, credit information and other information related to financial, securities, insurance transactions of customers at credit institutions, foreign bank branches, payment intermediary service providers, securities, insurance, and other permitted organisations;
  - Data on the activities and activity history of telecommunications subscribers;
  - Data tracking behaviour, use of telecommunications, social network, online media services, and other services in cyberspace; and
  - Other types of personal data as prescribed by law or as determined by organisations or individuals to require strict security measures.
Further guidance is expected on the additional compliance requirements that apply when processing sensitive personal data.
Businesses Most Impacted by the New Laws
The Data Law will have a broad reach, impacting both Vietnamese and foreign entities involved in digital data activities in Vietnam, even if they lack a physical presence in Vietnam. Significantly impacted businesses include:
- Technology & Digital Service Providers: This covers a wide range of entities such as cloud service providers, e-commerce platforms, social media companies, online gaming platforms, data analytics firms, and businesses offering data intermediary services. Their core business models often involve extensive data processing and potential cross-border transfers.
- Multinational Corporations (MNCs) with Operations in Vietnam: MNCs often transfer significant amounts of data (including personal data and operational data) between their Vietnamese entities and headquarters or other global branches. They must reassess their global data flows.
- Companies Handling Large Volumes of Sensitive or Critical Data: This includes companies in the financial services, healthcare and pharmaceuticals, telecommunications, retail and consumer goods, and human resources sectors.
- Businesses Providing Services to State Agencies or Operating Critical Infrastructure: Companies involved in government contracts or those whose data could affect national security or public services (e.g., energy, utilities, transportation) will face heightened scrutiny, especially regarding "core" and "important" data.
The PDPL also has a similar broad reach and applies to both (a) Vietnamese and foreign entities in Vietnam and (b) foreign entities outside Vietnam if they are involved in the processing of personal data of Vietnamese citizens and persons of Vietnamese origin residing in Vietnam (without a determined nationality) who have been issued an identification certificate.
Key Compliance Obligations for Businesses
Impact Assessments and Cross-border Data Processing and Transfer of Data
Both Laws contain requirements for conducting impact assessments.
The Data Law mandates stringent requirements for the processing and cross-border transfer of Important and Core data. Businesses must conduct a self-assessment of the risks relating to the transfer and processing of such data, specifically:
- The legality, necessity, scope, methods of data transfer, and how the transferee processes the data;
- The data protection standards of the receiving party compared to the applicable Vietnamese technical regulations and standards;
- The scale, scope, data types, risks of data being forged, destroyed, leaked, lost, or illegally transferred or used after the transfer; and
- The responsibilities and obligations of the parties.
This self-assessment forms part of the impact assessment dossier that must be prepared in accordance with Form No. 02 issued with the Implementation Decree. This requirement applies to both “core” and “important” data equally, but with differences in submission and approval procedures:
- For “Core” Data: Organisations wishing to transfer or process core data abroad must seek prior approval from the Ministry of Public Security (“MPS”) by submitting an impact assessment dossier to the MPS. If the data includes military, national defence, or cipher material, the impact assessment dossier must instead be sent to the Ministry of National Defence (“MND”) for approval. The transferor will be notified in writing of the assessment results. Only upon receiving an approval can the cross-border core data transfer/processing be conducted.
- For “Important” Data: While no approval is required before the transfer, organisations must still prepare an impact assessment dossier before transferring or processing such data abroad and submit it to the MPS or the MND within 15 days from the date of data transfer/processing.
Separately, the PDPL requires a controller (or controller-processor) to prepare and retain a Personal Data Protection Impact Assessment (“PDPIA”) for the cross-border transfer of personal data and for personal data processing. A data processor must also conduct a PDPIA as agreed with the controller.
The controller (or controller-processor) must send the PDPIA to the personal data protection agency (“PDP Agency”) within 60 days of the first day of processing. The PDPIA must be updated by the controller, controller-processor or processor (as applicable) (a) every 6 months if there are any changes or (b) immediately in certain circumstances such as where there are changes in the services related to the personal data processing.
The Draft PDPL Decree provides certain exemptions from the requirement to conduct a PDPIA including, among other things, (a) storage of employee data on cloud services; (b) transfers of personal data already made public by law; (c) emergencies to protect life, health or property; (d) cross-border HR management under labour rules and collective agreements; and (e) transfers for contracts or cross-border logistics, remittance, payment, hotel, or visa procedures.
The Draft PDPL Decree also provides that, unless the transfer has been requested by competent state agencies or the transfer is done under the permitted situations pursuant to Article 19(1) of the PDPL (i.e. processing personal data without the data subject’s consent), a written agreement must be entered into between the relevant parties specifying the following:
- The purpose of the transfer;
- The data subjects and types of personal data transferred;
- The processing period, requirements for deletion/destruction after the purpose is fulfilled;
- Legal basis for transfer;
- Responsibility for personal data protection during transfer and processing;
- Responsibility for complying with data subject requests when data subjects exercise their rights under the PDPL; and
- For transfers of sensitive personal data, physical security measures for storage and transmission devices, encryption, anonymisation and other security measures.
Importantly, Article 5.4 of the PDPL clarifies there is no need to conduct a risk assessment under other data laws (which would include the Data Law) where a PDPIA is conducted under the PDPL. Presumably, the requirement to conduct a risk assessment under the Data Law is only exempted for the transfer or processing of personal data that is also “core” or “important” data under the Data Law (and not for non-personal data transferred or processed by organisations that constitutes “core” or “important” data), but we expect further guidance to clarify this.
Compliance for Certain Service Providers or Entities
Under the Data Law, businesses providing intermediary data products and services or data analysis and aggregation services will be subject to additional requirements.
For Intermediary Data Services: Businesses wishing to obtain a certificate of eligibility to provide data intermediary services must meet the requirements on:
- Human resources – including a requirement that the legal representative must be a Vietnamese citizen;
- Physical infrastructure, technical equipment, service management procedures, and security and order assurance plans – including having infrastructure and equipment located in Vietnam, certified for information security and safety in accordance with legal regulations, and accompanied by an operational plan; and
- Financial conditions – including a deposit of at least 5 billion VND at a local bank to cover risks and compensation.
For Data Analysis and Aggregation Services: Depending on the specific services, businesses may need to obtain a certificate of eligibility. The following organisations require certification:
- Organisations that offer products or services for data analysis performed entirely by artificial intelligence with or without human supervision during the process which may endanger national security, public safety, defence, or public health;
- Organisations that rely on national or specialised databases to provide data analysis products or services; and
- Organisations that offer products or services that analyse and aggregate data involving the use of core or important data.
Under the PDPL, the Draft PDPL Decree has stated entities in finance, banking or dealing with credit information must do the following:
- protect personal data according to international and Vietnamese standards;
- conduct annual compliance assessments;
- log all processing activities;
- when seeking consent from data subjects, specify (a) all purposes for processing, including scoring, credit rating and trust assessment; (b) data sources and all parties collecting or sharing personal data; (c) the retention period of personal data; (d) mechanisms for consent withdrawal; and (e) policies for deletion/destruction; and
- notify the affected data subjects within 72 hours of discovering a data breach affecting bank, financial, or credit account information.
The Draft PDPL Decree also specifies additional (and specific) requirements for entities that deal with the following types of services/products/technologies such as, among other things, impact assessments and annual compliance assessments:
- Big data processing (i.e. large-scale, continuous, integration from multiple sources, capable of behavioural analysis, trend prediction, or user clarification).
- Artificial intelligence (i.e. machine-based systems with varying autonomy, capable of adapting after deployment to achieve explicit or implicit goals, inferring from input data to generate predictions, content, recommendations, or decisions affecting real or electronic environments).
- Metaverse (i.e. a digital universe combining social media, online gaming, augmented reality (AR), virtual reality (VR), the Internet, and cryptocurrency, enabling users to interact via virtual reality technology).
- Blockchain Technology (i.e. an advanced database system enabling transparent information sharing in a network, storing information in linked blocks, each containing data and a hash of the previous block, creating an immutable, independently verifiable chain).
- Cloud Computing and cloud services.
Data Subject Consent and Alternative Legal Bases
Under the PDPL and Draft PDPL Decree, controllers (or controller-processors) must obtain data subject consent that is clear, specific, and able to be reproduced in writing (including electronic or verifiable formats). Consent must be collected in a manner that clearly shows the method, time, content and authentication of the data subject. Silence or non-response is not considered to be valid consent. When sensitive personal data is processed, the data subject must be informed that the data is sensitive.
Prescribed acceptable methods under the Draft PDPL Decree to obtain consent include in writing; by voice; SMS; email; on websites, platforms, or applications with technical consent mechanisms; or by other suitable, verifiable, and authenticatable means. As the PDPL prescribes that consent must be able to be reproduced in writing, verbal consent will likely only be valid where it is recorded.
For children who are aged 7 or older, the consent of both the child and their legal representative is required for the disclosure of the child’s personal data.
The PDPL provides that personal data may be processed without the data subject’s consent in the following situations:
- Individual Rights and Interests: To protect the life, health, honour, dignity, rights, or lawful interests of the data subject or others in urgent cases.
- Legitimate Interests: To protect the legitimate rights or interests of oneself, others, or the State, agencies, or organisations as necessary against acts infringing those interests.
- Contractual Necessity: To implement agreements between the data subject and relevant agencies, organisations, or individuals as prescribed by law.
- Emergencies and Threats: To address emergencies or threats to national security not yet declared as emergencies; or to prevent or combat riots, terrorism, crime, or legal violations.
- State Activities or Management: To serve the activities of state agencies or state management as prescribed by law.
- Other Prescribed Cases: Other cases as prescribed by law.
General Obligations Impacting All Businesses
Even businesses not primarily dealing with "core" or "important" data, or specialised data services, will have general obligations under the New Laws, such as:
- Appointing Data Protection Personnel: Data owners subject to the Data Law and organisations subject to the PDPL must designate a data protection officer (“DPO”) (or, alternatively, under the PDPL, hire data protection service providers) responsible for data protection. The New Laws and Implementation Decree do not specify whether the DPO must be based in Vietnam. However, the Draft PDPL Decree specifies that the DPO designated under the PDPL must have the following qualifications:
  - Have a university degree or a higher-level academic qualification;
  - Hold a certificate of completion of basic data protection training from a qualified Vietnamese provider;
  - Meet the professional assessment standards set by the competent data protection authority; and
  - Understand data protection law and the organisation’s data processing activities.
- Addressing Data Subject Rights: Under the Data Law, a request by a data subject to delete or destroy data must be actioned within 72 hours. If deletion or destruction is not possible, the data owner or manager must cease processing and using the data. This requires robust internal processes for handling data subject requests. The PDPL provides for various data subject rights, such as the right to be informed, the right to access and rectify personal data, the right to consent and withdraw consent, the right to object to and/or request to restrict the processing of personal data, the right to complain, the right to deletion of their personal data, and the right to request the relevant party to take measures to protect their personal data as prescribed by law. The Draft PDPL Decree further provides that:
  - Upon receiving a consent withdrawal request, the controller (or controller-processor) must respond within 2 working days providing all relevant information to cease processing, and resolve the request within 7 working days. An extension of up to 10 working days may be possible due to complexities involved in resolving the request, subject to notifying the data subject of the reason for the extension.
  - Upon receiving an access, correction, or deletion request, the controller (or controller-processor) must respond within 2 working days providing all relevant information, and resolve the request within 10 working days (or 15 working days where a third party or processor is involved). An extension of up to 10 working days may be possible due to complexities involved in resolving the request, subject to notifying the data subject of the reason for the extension.
- Mandatory Data Sharing with State Agencies: Under the Data Law, organisations are required to share some types of data with state agencies at their request, even without the consent of the data subject, under specific circumstances (e.g., emergencies, national security threats, disasters, preventing riots/terrorism). The Implementation Decree now clarifies the scope of data which may be requested (type, level of detail, volume, frequency, method of supply, etc.). State agencies must specify certain information, including the legal grounds and reason for the request, the purpose of data use, and the period for which the data must be provided. If an organisation believes a request is inappropriate, it may request the state agency to withdraw or amend it. Such sharing is also permitted under the PDPL, which provides that personal data may be transferred or shared as requested by competent state agencies.
- Mandatory Data Breach Notification: Under the PDPL, a controller, controller-processor, or third party must notify the personal data protection agency within 72 hours of detecting a violation that may harm national defence, security, public order, or the life, health, honour, dignity, or property of the data subject. The processor must promptly notify the controller or controller-processor of such violations. Notification is required (a) upon discovery of such a violation; (b) in the event it is discovered that personal data has been processed for a wrong purpose or contrary to an agreement; (c) where there is failure to ensure or properly comply with the data subject’s rights; and (d) other cases as prescribed by law. Further guidance will be released on the content of such notifications.
  - A notification of a data breach violation is made using the prescribed form and must include the following information:
    - A description of the violation, including the time, place, conduct, parties, and the types and number of affected personal data sets;
    - Contact details of the DPO or data protection service provider;
    - A description of the possible consequences or damages in relation to the violation; and
    - Measures taken to resolve or mitigate the violation.
  - Where a violation involves location or biometric data, the controller (or controller-processor) must notify affected data subjects within 72 hours of discovery.
Timeline for Compliance and Enforceability Considerations
The Decrees in relation to the Data Law do not provide a grace period for compliance, which means businesses currently need to comply with these obligations as the Decrees have taken effect on 1 July 2025. However, enforcement actions remain limited, likely due to the absence of a dedicated sanctioning decree, which is currently under development. When a sanctioning decree is eventually issued, enforcement activity will commence.
For the PDPL and the Draft PDPL Decree, both pieces of legislation are expected to be in force from 1 January 2026.
Penalties for Non-Compliance
The PDPL proposes significant fines for violations of the PDPL, including:
- Up to 10 times the revenue illicitly gained from buying or selling personal data without permission;
- Up to 5% of an organisation’s revenue in the preceding year for unauthorised cross-border data transfers; and
- Up to VND 3 billion (approx. USD 112,000) for other violations, with individuals facing up to half that amount.
The Decrees and Data Law currently do not specify penalties for non-compliance with the provisions of the Data Law.
Conclusion
Vietnam's New Laws represent a significant evolution in the country's data governance landscape. As the Data Law and the Decrees are already in force, and with the PDPL coming into force soon, businesses operating in or doing business with Vietnam must assess their data handling practices, particularly concerning cross-border data transfers and the management of personal and non-personal data, particularly “core” and “important” data.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the Data Law, the Decrees, and the PDPL; information, content, and materials stipulated above is based on our reading of the amendments and are for general informational purposes only.
This article was written with insights and contributions from Tilleke & Gibbins Vietnam (Tram Ngoc Bich Nguyen and Quang Minh Vu).