1. What is the Personal Data Protection Law?
The Personal Data Protection Law, also known as PDPL 2025, is Law No. 91/2025/QH15, passed by the XV National Assembly at its 9th session on 26 June 2025 and officially taking effect on 01 January 2026. It is the first legislation in Vietnam to comprehensively and uniformly regulate the collection, processing, storage, and protection of personal data, replacing Decree 13/2023/ND-CP, which was only a transitional measure. Prior to this, the Cybersecurity Law and the Data Law 2024 addressed certain related aspects, but neither was sufficient to govern the full lifecycle of personal data from collection through deletion.
The scope of the Law is broad: any action affecting a user's personal data falls within its scope, including collection, analysis, aggregation, encryption, decryption, editing, deletion, destruction, de-identification, provision, disclosure, and transfer of personal data (Article 1).
To understand the scope correctly, enterprises need to grasp the 4 core concepts defined in Article 2:
- Personal data is digital data or information in any other form that can identify or help identify a specific individual (Clause 1). Importantly, once data is fully de-identified, it is no longer considered personal data and may be processed more freely (Clause 11).
- Personal data falls into two categories: basic data covers common identity attributes such as full name, date of birth, address, phone number, and national ID number (Clause 2); sensitive data covers attributes directly tied to personal privacy where a violation would directly affect the legitimate rights and interests of the data subject, including health information, private secrets, financial and credit data, biometric data, and personal location data (Clause 3). The specific list of each category is issued by the Government.
- On the enterprise side, the Law clearly distinguishes between the data controller, which is the organization that determines the purpose and means of processing (Clause 7), and the data processor, which is the organization that carries out processing as directed (Clause 8). This distinction is significant because the legal responsibilities of the two parties are specifically differentiated under Article 37 of the Law.
Passed by the National Assembly on June 26, 2025, and effective from January 1, 2026, the Law on Personal Data Protection, No. 91/2025/QH15 establishes a comprehensive legal framework. It covers individual rights, organizational responsibilities, and penalties to mitigate risks associated with data breaches in digital activities.
2. Who does the Personal Data Protection Law apply to, and what data does it cover?
2.1 Entities required to comply
The Law applies to all agencies, organizations, and individuals in Vietnam, including foreign organizations with operations there. Critically, the Law also binds foreign organizations that do not have a place of establishment in Vietnam but are directly involved in or related to the processing of personal data of Vietnamese citizens (Article 1, Clause 2, Point c).
This means that if an enterprise uses a foreign SaaS service to store Vietnamese customers' information, or engages a foreign partner to process HR data, the entire processing chain falls within the Law's scope.
2.2 Distinguishing basic and sensitive personal data
Correctly distinguishing between these two data types is a prerequisite for determining the right level of protection to apply. Sensitive data is subject to significantly stricter controls: enterprises must apply dedicated technical standards (Article 34) and are required to designate a specific department and personnel solely responsible for this category of data (Article 33, Clause 2).
| Criterion | Basic personal data | Sensitive personal data |
|---|---|---|
| Examples | Full name, date of birth, address, phone number, email, national ID number | Health conditions, fingerprints, facial recognition, GPS location, financial/credit data, religious affiliation |
| Legal basis | Clause 2, Article 2 — Law 91/2025 | Clause 3, Article 2 — Law 91/2025 |
| Protection level | General requirements under the Law | Requires higher technical and organizational measures (Article 34) |
| Dedicated personnel | Not specifically required | Must designate a dedicated department and personnel (Article 33, Clause 2) |
| Maximum penalty for violation (organizations) | VND 140–200 million | VND 140–200 million + suspension of operations for 1–3 months |
3. What mandatory obligations do enterprises have?
3.1 Obtain valid consent before collecting data
This is the foundational obligation that many enterprises are currently getting wrong. Consent is only valid when the user voluntarily and knowingly agrees, with clear disclosure of the type of data being processed, the purpose of processing, which party will hold the data, and the rights and obligations of the data subject (Article 9, Clause 2). There are four mandatory consent principles that enterprises commonly overlook:
- First, consent must be expressed separately for each purpose and may not be bundled into a single clause.
- Second, users may not be coerced into consenting to purposes beyond those in the agreement.
- Third, consent remains valid until the data subject changes it or as otherwise provided by law.
- Fourth, and most importantly: silence or non-response may not be treated as consent. This provision completely prohibits pre-ticked checkboxes (Article 9, Clause 4).
In addition, consent must be expressed in a clear, specific manner that can be printed or stored electronically and verified (Article 9, Clause 3). If audited, enterprises must be able to demonstrate that users consented; the burden of proof does not fall on the regulator.
3.2 Fulfil user rights within mandatory timeframes
The Law grants individuals 6 categories of rights: to be informed about data processing; to give or withdraw consent; to access and correct data; to request deletion or restriction of processing; to object to processing; and to file complaints and seek compensation (Article 4, Clause 1). These are not merely paper rights; they come with enforceable obligations tied to specific deadlines.
The draft administrative sanctions decree has quantified specific mandatory response timeframes when enterprises receive requests from users under Article 58. The table below summarizes the deadlines and corresponding penalties for non-compliance:
| Request type | Response | Fulfillment | Penalty for violation (organization) |
|---|---|---|---|
| View or correct data | 2 business days | 10 days | VND 140–200 million (Article 58, Decree) |
| Withdraw consent / stop processing | 2 business days | 15 days | VND 140–200 million (Article 58, Decree) |
| Delete personal data | 2 business days | 20 days | VND 140–200 million (Article 58, Decree) |
| Apply data protection measures | 2 business days | 15 days | VND 140–200 million (Article 58, Decree) |
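As an added illustration written for this article (not an official template or VNETWORK code), the Python below models a per-purpose consent ledger that enforces the Article 9 principles from section 3.1 and computes the acknowledgement and fulfilment deadlines from the Article 58 table above. It assumes that "business days" exclude only weekends and that the fulfilment periods are calendar days; all record values are constructed.

```python
"""Constructed illustration for this article: a per-purpose consent ledger
(Law 91/2025, Article 9) and a deadline tracker for data-subject requests
(Article 58 of the draft decree). Not an official template."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Ways of "agreeing" that the Law says may not be treated as consent
# (Article 9, Clause 4): silence, non-response, pre-ticked boxes, defaults.
INVALID_ACTIONS = {"", "silence", "no_response", "pre_ticked", "default"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                  # exactly one purpose per record
    data_types: tuple             # what is processed, disclosed up front
    controller: str               # which party will hold the data
    action: str                   # how the subject expressed agreement
    given_at: datetime            # must be timezone-aware to be verifiable
    withdrawn_at: Optional[datetime] = None


def validate_consent(rec: ConsentRecord) -> list:
    """Return the reasons a record cannot be relied on; [] means it is usable."""
    problems = []
    if not rec.purpose.strip():
        problems.append("purpose missing: consent must name one purpose")
    if not rec.data_types:
        problems.append("data types were not disclosed")
    if not rec.controller.strip():
        problems.append("controller was not disclosed")
    if rec.action in INVALID_ACTIONS:
        problems.append("silence, non-response or a pre-ticked box is not consent")
    if rec.given_at.tzinfo is None:
        problems.append("timestamp lacks a timezone, so the record is not verifiable")
    return problems


def consent_for(ledger: list, subject_id: str, purpose: str, at: datetime) -> bool:
    """True only if a valid, unwithdrawn record exists for THIS purpose.
    Consent for one purpose never carries over to another (Article 9, Clause 4)."""
    for rec in ledger:
        if rec.subject_id != subject_id or rec.purpose != purpose:
            continue
        if validate_consent(rec):
            continue
        if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
            return True
    return False


def add_business_days(start: date, n: int) -> date:
    """Assumption: business days skip Saturday and Sunday only (no holiday list)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


# Fulfilment periods from the Article 58 table; assumed to be calendar days.
FULFILMENT_DAYS = {"view_or_correct": 10, "withdraw": 15, "delete": 20, "protect": 15}


def request_deadlines(received: date, kind: str) -> dict:
    """Acknowledge within 2 business days, fulfil within the period for the request type."""
    return {
        "respond_by": add_business_days(received, 2),
        "fulfil_by": received + timedelta(days=FULFILMENT_DAYS[kind]),
    }
```

A request received on Friday 2 January 2026 must be acknowledged by Tuesday 6 January and, for a deletion request, fulfilled by 22 January under these assumptions.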
3.3 Prepare a DPIA and submit it to the Ministry of Public Security within 60 days
A DPIA (Data Protection Impact Assessment) is a mandatory filing that the Law specifies clearly in Article 21. Enterprises must prepare this document and deliver one original copy to the competent personal data protection authority within 60 days of the first date of data processing. The document must also be updated every 6 months, or immediately upon any significant change in the organization, service providers, or new business activities involving personal data (Article 22).
Failure to prepare or submit on time may result in a fine of VND 100–140 million, plus suspension of data processing activities for 1–3 months (Article 67, draft decree).
3.4 Notify a breach within 72 hours
Upon discovering a data breach that may cause harm to data subjects, an enterprise must notify the competent personal data protection authority no later than 72 hours after discovery; if the data processor discovers the breach, it must immediately notify the data controller (Article 23, Clause 1). The enterprise must also prepare a breach confirmation report and cooperate with the competent authority in addressing the incident (Clause 2, Article 23).
This is precisely why an incident response plan must be built and rehearsed in advance, not assembled after an incident occurs. Both late notification and notification with incomplete information are penalized, at VND 50–100 million for organizations (Article 66, draft decree).
3.5 Comply with cross-border data transfer requirements
Many enterprises are currently using foreign cloud computing services to store data without realizing this may fall within the scope of the Law. Three situations are considered cross-border data transfers (Article 20, Clause 1):
- Transferring data stored in Vietnam to a system located outside Vietnamese territory.
- Transferring data to an organization based abroad.
- An organization using a platform located outside Vietnamese territory to process data collected in Vietnam.
For all three scenarios, enterprises must prepare an impact assessment and submit it to the Ministry of Public Security within 60 days of the first occurrence. However, the Law also clearly provides 4 fully exempt scenarios: a competent state authority transferring data; an organization storing employee data on cloud services; an individual transferring their own data; and other cases as specified by the Government (Article 20, Clause 6). In other words, using a foreign cloud service to store internal employee data is exempt, but using a foreign cloud service to process customer data is not.
4. Which industry sectors require additional attention?
4.1 Finance, banking, and credit
In addition to general obligations, enterprises in the finance and credit sectors must comply with 2 sector-specific requirements:
- First, customer credit information may not be used for scoring, ranking, or creditworthiness assessment without clear explicit consent (Article 27, Clause 1, Point b).
- Second, upon discovering the leakage or loss of a customer's bank account or credit information, the enterprise is obligated to immediately notify the customer without delay (Article 27, Clause 1, Point d).
4.2 Recruitment and workforce management
When a candidate is not selected, the enterprise must delete and destroy all personal information that candidate provided during the recruitment process, unless a separate arrangement has been made with the candidate (Article 25, Clause 1, Point c). This is an obligation that most HR departments are currently not fulfilling correctly, as the practice of retaining candidate files indefinitely is widespread.
For employee data collected through monitoring technologies such as cameras, location tracking devices, or monitoring software, enterprises may only apply such measures when the employee is clearly aware of them, and may not process data collected in violation of applicable law (Article 25, Clause 3).
4.3 Advertising and social media
A customer's silence does not constitute consent to receive advertising. Processing personal data for advertising services requires explicit consent, based on the customer being clearly informed of the content, delivery method, and frequency of product promotion (Article 28, Clause 3). Enterprises must also provide a mechanism for customers to opt out of advertising at any time and must act on such requests immediately (Clause 5, Article 28).
For social media platforms and online services, several specific requirements apply: users may not be required to provide images of their national ID card or identity documents as a condition for account verification (Article 29, Clause 2); a cookie opt-out option must be provided (Clause 3); and an option to opt out of behavioral tracking must be provided, with tracking permitted only upon consent (Clause 4).
4.4 AI, big data, and cloud computing
This is the group most significantly impacted by the Personal Data Protection Law. Personal data within AI, big data, blockchain, metaverse, and cloud security environments must be processed for defined purposes and limited to what is necessary (Article 30, Clause 1). AI systems that process data must be classified by risk level so that appropriate protection measures can be applied (Clause 4, Article 30). It is prohibited to use or develop AI systems that leverage personal data in ways that harm national defense, security, or the legitimate rights of others (Article 30, Clause 5).
For biometric data such as fingerprints and facial recognition specifically, enterprises must apply physical security to storage devices, restrict access, and maintain intrusion detection systems; re-identification of biometric data that has been de-identified is prohibited, unless otherwise provided by law (Article 31, Clause 4). This point is particularly relevant for enterprises using biometric attendance systems or facial recognition cameras in the workplace.
5. What are the penalties for violating the Personal Data Protection Law?
5.1 Penalty schedule by specific violation
The Law sets the maximum monetary penalty for ordinary violations at VND 3 billion for organizations (Article 8, Clause 5). Specific penalties by violation type are itemized at Articles 57 through 69 of the draft administrative sanctions decree. Important note: organizations are fined at twice the rate applied to individuals (Article 6, draft decree).
| Violation | Article ref. | Individual penalty | Organization penalty (x2) |
|---|---|---|---|
| Denying users the right to view or correct their data | Art. 58, Decree | VND 50–70M | VND 100–140M |
| Obstructing or creating difficulties when users withdraw consent | Art. 60, Decree | VND 25–50M | VND 50–100M |
| Continuing to process data after user withdraws consent | Art. 60, Decree | VND 50–70M | VND 100–140M |
| Retaining data after the original purpose has lapsed or after a deletion request | Art. 62, Decree | VND 25–50M | VND 50–100M |
| Failing to delete data upon a legitimate user request | Art. 62, Decree | VND 50–70M | VND 100–140M |
| Collecting or processing data beyond stated purpose or scope | Art. 57, Decree | VND 50–70M | VND 100–140M |
| Processing personal data without valid consent | Art. 59, Decree | VND 50–70M | VND 100–140M |
| Treating user silence as consent | Art. 59, Decree | VND 70–100M | VND 140–200M |
| Failing to prepare or submit the DPIA within 60 days | Art. 67, Decree | VND 50–70M | VND 100–140M |
| Failing to notify a breach within 72 hours or providing incomplete notification | Art. 66, Decree | VND 25–50M | VND 50–100M |
| Failing to apply required data protection measures | Art. 69, Decree | VND 50–70M | VND 100–140M |
| Failing to designate personnel responsible for sensitive data protection | Art. 69, Decree | VND 70–90M | VND 140–180M |
| Unlawfully buying or selling personal data (below criminal threshold) | Art. 65, Decree | VND 50–70M | VND 100–140M |
| Misappropriating or intentionally disclosing personal data | Art. 57, Decree | VND 70–100M | VND 140–200M |
| Violating cross-border data transfer regulations | Art. 68, Decree | VND 70–100M | VND 140–200M |
5.2 Escalating penalty scale based on breach scope
One of the most notable features of the sanctions framework is that penalties increase according to the number of Vietnamese citizens affected when a data leakage or loss incident occurs, as specified in Articles 67 and 68 of the draft decree. This mechanism is unprecedented in previous Vietnamese administrative sanctions regulations.
| Breach scale | Multiplier | Effective penalty (organization) | Reference |
|---|---|---|---|
| Under 100,000 individuals | x1 (base) | VND 100–140 million | Art. 67, Cl. 1 — Decree |
| 100,000 to under 1 million individuals | x2 | VND 200–280 million | Art. 67, Cl. 2 — Decree |
| 1 million to under 5 million individuals | x5 | VND 500–700 million | Art. 67, Cl. 3 — Decree |
| 5 million individuals or more | % of revenue | 3–5% of prior-year revenue | Art. 67, Cl. 4 — Decree |
| Buying or selling personal data | x illegal gain | 10x the unlawful proceeds | Art. 8, Cl. 3 — Law |
5.3 Supplementary penalties can be more damaging than monetary fines
Beyond monetary fines, enterprises in violation may also face supplementary penalties with more severe operational consequences (Article 4, draft decree):
- Suspension of personal data processing activities for 1–3 months applies to most violations under Articles 57 through 69, particularly for repeat violations. For enterprises whose entire service depends on customer data, this penalty is effectively a suspension of business operations.
- Revocation of business operating licenses in the violated sector for 1–3 months, specifically provided in Articles 59, 64, 65, 67, 68, and 69 of the draft decree.
- Mandatory public apology through mass media outlets for violations of Articles 57, 59, 62, 64, and certain other provisions.
- Confiscation of all devices and means used for personal data processing, applied across most articles from 57 to 69.
Repeat violations in certain categories, such as advertising (Article 64) and data trading (Article 65), incur an additional penalty of up to 5% of total revenue from the preceding financial year in Vietnam.
6. What exemptions are available for small businesses and startups?
The Law includes specific concessions for small enterprises and startups. For 5 years from 01 January 2026, this group may choose to defer 3 obligations: preparing a DPIA, updating the DPIA periodically, and designating a data protection department and personnel (Article 38, Clause 2).
However, an important exception is specified within the same clause: these concessions do not apply if the small business provides data processing services, directly processes sensitive personal data, or processes data belonging to a large number of data subjects. This means a fintech, healthtech, or edtech startup, regardless of its size, must comply fully from day one. Household businesses and micro-enterprises are eligible for the same concessions under the same exception conditions (Article 38, Clause 3).
Beyond the 3 temporarily deferred obligations, all enterprises of every size must fully comply from 01 January 2026: obtaining valid consent (Article 9), fulfilling user rights within the specified timeframes (Articles 4 and 10), notifying breaches within 72 hours (Article 23), and complying with cross-border data transfer requirements (Article 20). One favorable point to note: enterprises already processing data under Decree 13/2023 with existing data subject consent may continue without seeking re-consent (Article 39).
7. Compliance roadmap for the Personal Data Protection Law starting today
The Personal Data Protection Law officially took effect on 01 January 2026. Every enterprise currently processing personal data has been subject to its requirements from that date. If you have not yet prepared, here are 5 steps to take immediately:
- Data inventory and classification: Compile a complete list of all personal data currently collected, processed, and stored. Clearly identify which is basic and which is sensitive per Article 2; identify who acts as data controller and who acts as data processor within each workflow.
- Review and standardize consent mechanisms: Audit all collection forms, terms of use, and privacy policies. Ensure consent meets all 4 principles in Article 9, Clause 4. In particular, remove all pre-ticked checkboxes and separate consent for each individual purpose.
- Prepare the DPIA and register with the Ministry of Public Security: Build the assessment document using the prescribed template and submit it within 60 days as required by Article 21. Enterprises that were processing personal data before 01 January 2026 should submit immediately, as the 60-day window began running from the date the Law took effect.
- Build security infrastructure and internal procedures: Implement data encryption, zero trust access controls, and intrusion monitoring to meet the technical requirements of Article 3, Clause 4 and Article 37. In parallel, establish procedures for receiving and handling user requests so that all mandatory deadlines under Article 58 of the decree are met.
- Test and rehearse the incident response plan: Run a simulated data breach scenario and test the full process from detection through notification within 72 hours per Article 23. Ensure the team is clear on roles, responsibilities, and the communication channel with competent authorities when a real incident occurs.
8. Conclusion
The Personal Data Protection Law (Law 91/2025/QH15) is not merely a legal requirement; it is a new standard in how enterprises build trust with customers in the era of digital transformation. With a detailed sanctions system mapped to specific provisions and a penalty scale that escalates with the scope of an incident, the legal risk is real and immediate. Enterprises need to start preparing now, not waiting until after the Law has taken effect to act.
VNETWORK is ready to support enterprises in building a comprehensive data security system, from technical infrastructure to monitoring and incident response, ensuring reliable and sustainable compliance with PDPL 2025. Register for a free consultation.
VNETWORK is currently a leading provider of infrastructure, transmission, and cybersecurity solutions in Vietnam and Asia.
9. Disclaimer and references
This article has been prepared for general informational purposes only and does not constitute legal advice. The analyses, interpretations, and examples presented reflect VNETWORK's perspective based on a review of legal documentation, and do not substitute for the opinion of a qualified lawyer or legal expert. Enterprises should seek specialist legal counsel before making any compliance decisions.
Note on the draft decree: at the time of publication, the administrative sanctions decree governing cybersecurity and personal data protection was still in the public consultation phase and had not yet been officially promulgated. The specific penalties and detailed provisions may differ from the draft. VNETWORK will update this article once the decree officially takes effect.
Reference documents:
- Law No. 91/2025/QH15 — Personal Data Protection Law, passed by the XV National Assembly on 26/06/2025, signed by National Assembly Chairman Tran Thanh Man. Full text available at the Government Electronic Information Portal.
- Draft Decree on administrative sanctions in cybersecurity and personal data protection, led by the Ministry of Public Security, currently in public consultation. Available at the Ministry of Public Security information portal.
FAQ — Frequently asked questions about the Personal Data Protection Law
1. When does the Personal Data Protection Law take effect?
Law No. 91/2025/QH15 was passed by the National Assembly on 26 June 2025 and officially takes effect on 01 January 2026. Enterprises currently processing data under Decree 13/2023 do not need to seek re-consent from customers, but must update their procedures to comply with the new obligations introduced by the Law from the date it takes effect (Article 39).
2. Are foreign enterprises required to comply with Vietnam's Personal Data Protection Law?
Yes. The Law applies to foreign organizations that are directly involved in or related to the processing of personal data of Vietnamese citizens, even if they do not have a place of establishment in Vietnam (Article 1, Clause 2, Point c). This includes foreign SaaS platforms, mobile applications, and online services provided to users in Vietnam.
3. What is the maximum penalty for violating the Personal Data Protection Law?
The maximum monetary penalty for organizations is VND 3 billion for ordinary violations (Article 8, Clause 5). Unlawful buying or selling of personal data may be penalized at up to 10 times the unlawful proceeds (Clause 3, Article 8). For breaches exposing data of 5 million or more individuals, the penalty reaches up to 5% of prior-year total revenue (Article 8, Clause 4).
4. How long does an enterprise have to respond to a customer's data deletion request?
An enterprise must acknowledge receipt of the request and confirm the procedure within 2 business days, and must complete the deletion within 20 days (Article 58, draft decree). If deletion is not possible for a legitimate reason, the enterprise must immediately notify the user. Failure to meet the deadline may result in a fine of VND 140–200 million for organizations.
5. Are small businesses required to prepare a DPIA?
Small enterprises and startups are exempt from the DPIA filing obligation for the first 5 years from 01 January 2026 (Article 38, Clause 2). However, the important exception is that if a small enterprise provides data processing services, processes sensitive data, or processes data belonging to a large number of data subjects, it must comply fully from the outset.
6. Does using a foreign cloud service to store employee data violate the Law?
No. Organizations that store personal data of their own employees on cloud services located outside Vietnamese territory are exempt from the cross-border data transfer impact assessment procedure (Article 20, Clause 6, Point b). However, the enterprise must still ensure that the cloud provider maintains equivalent security standards.
7. If a data breach occurs, how long does an enterprise have to report it and to whom?
Upon discovering a personal data breach that may cause harm, an enterprise must notify the competent personal data protection authority within the Ministry of Public Security within 72 hours; if the data processor discovers the breach, it must immediately notify the data controller (Article 23, Clause 1). The enterprise must also prepare a breach confirmation report and cooperate with the competent authority (Clause 2, Article 23). Failing to notify on time may result in a fine of VND 50–100 million for organizations (Article 66, draft decree).