LEGAL UPDATE: PERSONAL DATA PROTECTION LAW

01/07/2025 12:24 PM
    The Personal Data Protection Law (expected to take effect on January 1, 2026) (“PDP Law”) is a comprehensive legal document concerning personal data protection in Vietnam. It expands upon and supplements the content set out in Decree 13/2023/ND‑CP (effective from July 1, 2023) (“Decree 13”). While Decree 13 was introduced to satisfy the needs of data governance in light of significant information technology development, the PDP Law encompasses all domains of personal data processing—from business and technology to government operations. Below is ALTAS’s detailed analysis of the content, new provisions, and differences between the two documents.
    I - NEW DEFINITIONS
    The PDP Law supplements and clarifies several important definitions to expand its scope of application and provide a legal basis for in-depth regulations on personal data processing. Some notable definitions include:
    1. Information that helps identify a specific individual refers to data generated from an individual’s activities, which, when combined with other stored information or data, can lead to the identification of a specific person. This concept broadens the scope of data requiring protection, including indirectly identifiable personal information through technology or big data.
    2. Non-personal data is data that is not linked to a specific individual or cannot be used to identify a specific person. This provision aims to clearly distinguish between personal and non-personal data, ensuring transparency and efficiency in management.
    3. De-identification of personal data is the process of anonymizing, removing, or replacing identifying elements (such as real names, ID numbers, addresses, etc.) with pseudonyms, encryption, or non-reversible identifiers to create new data that can no longer identify a specific individual. This is a recommended technical measure in data processing to minimize risks and enhance privacy protection.
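To make the definition in item 3 concrete, the following Python script is an added illustration written for this update; it is not code from ALTAS, VNDS or the PDP Law. It de-identifies constructed sample records by dropping addresses and replacing real names and ID numbers with keyed, non-reversible tokens (HMAC-SHA256 under a secret key), and it refuses to release a dataset in which any original identifier survives. The field names and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Direct identifiers named in the definition above (real names, ID numbers,
# addresses). Which field goes in which bucket is an assumption for this example.
PSEUDONYMIZE_FIELDS = ("full_name", "id_number")  # replaced with a keyed token
REMOVE_FIELDS = ("address",)                      # dropped from the output entirely

# Constructed sample records; every name, number and address here is invented.
SAMPLE_RECORDS = [
    {"full_name": "Nguyen Van A", "id_number": "079123456789",
     "address": "12 Example Street, Hanoi", "plan": "premium", "visits": 14},
    {"full_name": "nguyen van a", "id_number": "079123456789",
     "address": "12 Example Street, Hanoi", "plan": "premium", "visits": 3},
    {"full_name": "Tran Thi B", "id_number": "001987654321",
     "address": "7 Sample Road, Da Nang", "plan": "basic", "visits": 9},
]


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Keyed, non-reversible token for one identifier value.

    HMAC-SHA256 under a secret key: the same value always yields the same token,
    so records about one person stay linkable inside the de-identified dataset,
    but without the key the token can be neither reversed nor recomputed by
    hashing guessed values (an unkeyed hash of an ID number could be).
    The field name is bound into the message so a name and an ID number that
    happen to share text never map to the same token.
    """
    canonical = " ".join(value.split()).casefold()  # normalise case and spacing
    msg = f"{field}:{canonical}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers removed or pseudonymized."""
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonymize(str(value), key, field)
        else:
            out[field] = value
    return out


def leaks_direct_identifier(deidentified: dict, original: dict) -> bool:
    """Release check: does any original identifier value survive in the output?"""
    identifiers = {str(original[f]) for f in PSEUDONYMIZE_FIELDS + REMOVE_FIELDS
                   if f in original}
    return any(str(v) in identifiers for v in deidentified.values())


def deidentify_dataset(records: list, key: bytes) -> list:
    """De-identify every record and refuse to release if any identifier leaks."""
    out = [deidentify(r, key) for r in records]
    for before, after in zip(records, out):
        if leaks_direct_identifier(after, before):
            raise ValueError("direct identifier survived de-identification")
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per dataset; stored apart from the data
    for rec in deidentify_dataset(SAMPLE_RECORDS, key):
        print(rec)
```

The two "Nguyen Van A" records receive the same token, so usage statistics can still be aggregated per person, while the address field is gone and a different key produces entirely different tokens. Whether the result counts as de-identified under the PDP Law also depends on the remaining fields not being combinable with other data to re-identify the person, which this script does not assess.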
    II - PROHIBITED ACTIVITIES AND PENALTIES
    The PDP Law specifically lists prohibited acts to safeguard personal data, including:
    1. Processing personal data in violation of legal regulations on personal data protection; creating information or data aimed at opposing the Socialist Republic of Vietnam, affecting national defense, national security, public order and safety, or the legitimate rights and interests of other organizations and individuals.
    2. Obstructing the personal data protection activities of competent authorities.
    3. Abusing personal data protection activities to commit illegal acts.
    4. Collecting, processing, or transferring personal data in contravention of legal regulations.
    5. Buying or selling personal data.
    6. Intentionally seizing, disclosing, or losing personal data.
    Regarding sanctions for violations, the PDP Law introduces a comprehensive mechanism for handling violations, applying flexible sanctions based on the severity of the offending behavior. Specifically, organizations and individuals violating regulations on personal data protection may be held civilly liable, subject to disciplinary action, administrative penalties, or criminal prosecution, depending on the nature and extent of the violation.
    A significant new feature of the PDP Law is the application of administrative fines calculated as a percentage of revenue, replacing the fixed penalty approach used in Decree 13. Accordingly, administrative fines may range from 1% to 5% of the organization’s revenue from the immediately preceding year. This approach reflects an international trend toward enhancing deterrence against violations in the field of personal data protection.
    The Government will issue detailed regulations on penalty levels, fine brackets, and aggravating or mitigating circumstances for each specific violation.
    III - DataTrust CE – Your Strategic Partner for Seamless Data Protection Compliance
    ALTAS LAW is pleased to introduce DataTrust Compliance Edition (DataTrust CE), a leading software solution developed by our esteemed partner, VNDS. DataTrust CE is more than just software; it is a strategic solution engineered to streamline and simplify your personal data protection compliance journey, particularly regarding the mandatory Personal Data Protection Impact Assessment (DPIA) dossier. It empowers your organization to accurately complete this essential documentation, ensuring full alignment with regulatory requirements and significantly mitigating legal risks.
    Our collaboration with technology partner VNDS allows us to provide clients with both the necessary legal guidance and access to effective technical tools to ensure comprehensive compliance.
    Contact ALTAS LAW to discuss how we can assist you in navigating the requirements of the Personal Data Protection Law and implementing robust compliance strategies via email: contact@altas.vn
    IV - PERSONAL DATA PROTECTION IN ARTIFICIAL INTELLIGENCE
    The PDP Law dedicates a significant section to regulating the processing of personal data in new technologies such as artificial intelligence (AI), blockchain, the metaverse, and cloud computing—areas that inherently carry privacy and information security risks. It explicitly affirms that organizations and individuals have the right to use personal data for developing automated systems, AI, and self-learning algorithms, but they must fully comply with all legal requirements. In particular, data controllers and processors are responsible for notifying data subjects about automated data processing, clearly explaining the potential impacts of AI use, and providing the right to opt out.
    Organizations are additionally required to implement comprehensive cybersecurity standards, contingency plans in case of AI system failures, early-warning surveillance systems, and controls to prevent AI misuse that could threaten national security or individual rights. A wide range of additional requirements—such as transparent scientific operation processes, multi-layer monitoring mechanisms, the right to access information, grievance handling processes, and impact assessments for AI systems—are prescribed to ensure transparency and accountability.
    Simultaneously, the PDP Law establishes regulations on personal data protection in cloud computing—a widely used modern data processing and storage platform. Under these provisions, organizations and individuals using cloud services must implement organizational and technical safeguards against unauthorized access, and must include explicit contractual terms with cloud service providers regarding compliance with Vietnamese law, protection of sensitive data, data security, compensation for damage, and audit reporting. Cloud service providers, meanwhile, must commit to complying with Vietnam’s data protection regulations, monitor their subcontractors, and implement measures proportional to the volume of data processed.
    Overall, these provisions illustrate the state’s efforts to modernize data protection frameworks to address emerging technologies and to impose clearer technical and governance responsibilities on participants handling personal data in a highly digitalized context.
    V - PERSONAL DATA PROTECTION IN EMPLOYEE SUPERVISION AND RECRUITMENT
    The PDP Law clearly stipulates the responsibilities of organizations and individuals in collecting, processing, and monitoring personal data of employees from the recruitment stage.
    During recruitment, enterprises are only allowed to request information disclosed in job vacancy lists or employee profiles, must process all data in accordance with the law, and only after obtaining the employee’s consent. Employee records must be stored within the prescribed timeframe and deleted when no longer needed, unless otherwise required by law.
    In cases where foreign enterprises recruit Vietnamese workers on Vietnamese territory, in addition to complying with Vietnam’s personal data protection laws, they must sign contracts with legal entities in Vietnam and provide data copies upon request by competent authorities. All technological and technical measures used to monitor employees must be transparent, known and consented to by the employees, detailed in data processing impact assessment records, and committed to not exceeding legal limits.
    VI - PERSONAL DATA PROTECTION IN FINANCE, BANKING, CREDIT, AND CREDIT INFORMATION
    The PDP Law explicitly forbids the trade or unauthorized transfer of credit information among banks, finance companies, credit organizations, and credit information providers. These entities must strictly adhere to regulations on sensitive personal data protection and implement requisite security standards.
    They must obtain explicit data subject consent before using credit information for credit scoring or evaluation, and any results must be disclosed in simple formats such as “Pass/Fail,” “Yes/No,” or numerical scores based solely on internally collected data. The PDP Law also requires explicit identification and disclosure of data handling stages that require pseudonymization, along with proactive notifications to data subjects upon any data breach involving bank, finance, or credit information.
    VII - PERSONAL DATA PROTECTION ON SOCIAL MEDIA AND ONLINE MEDIA PLATFORMS
    The PDP Law sets a comprehensive legal framework for processing personal data on social media and online media platforms. “Social media” includes platforms for user profiles, messaging, calls, content sharing, and online activities like meetings or classes; “online media services” cover video-on-demand, music streaming, live streaming, and internet TV.
    Platforms must protect the personal data of Vietnamese citizens when operating in Vietnam or appearing in local mobile app stores. They must clearly inform users of the data collected during installation and use, refrain from collecting unauthorized data, and offer options to refuse cookies or tracking. They cannot require identity document images as account authentication, must offer “Do Not Track” options, and must clearly disclose data sharing in marketing via written notifications with adequate security measures.
    They are prohibited from eavesdropping, recording, or reading users’ private communications without consent. Platforms must publicize privacy policies, enable users to access, correct, or delete personal information, set privacy preferences, and guarantee proper data protection even if data is transferred abroad. Any data breach or violation must be communicated to users within 72 hours, including remediation measures, severity evaluations, and risks. Data used for account registration cannot be processed without explicit user consent, emphasizing the law’s consent-based data processing principle.
    These provisions reflect a strengthened regulatory approach to personal data protection in digital environments and require cross-border service providers to adjust their operations to uphold user privacy in Vietnam.
    VIII - PERSONAL DATA PROTECTION THROUGH DATA RELIABILITY RATINGS
    The PDP Law defines data reliability rating as a process conducted by certified organizations under the Personal Data Protection Authority, assessing how different entities manage personal data. Ratings are categorized as “High Reliability,” “Reliable,” or “Not Reliable.” Only businesses such as limited liability companies, joint-stock companies, partnerships, private enterprises, or other legally defined entities can provide this service if they meet specified criteria.
    These include: a certificate of data protection capability; a minimum charter capital of VND 5 billion; at least one year of experience in cybersecurity or personal data protection; at least three qualified analysts; at least two certified data protection experts (or one each with technological and legal expert credentials); and a formal certification proposal. Unregistered businesses cannot use the “personal data reliability rating” title or equivalent. Certificates are issued by the authority head, while the Government details the rating procedures and licensing.
    IX - PERSONAL DATA PROTECTION EXPERT
    The PDP Law stipulates that every organization, enterprise, and individual must have at least one Personal Data Protection Expert appropriate to their industry, profession, or business field.
    Personal Data Protection Experts are individuals with the requisite competence to protect personal data, categorized as:
    • Experts with competence in both technology and legal aspects of personal data protection;
    • Experts with competence in technology for personal data protection;
    • Experts with competence in legal aspects of personal data protection.
    This requirement includes an exemption for small enterprises and startups, which are not required to have a Personal Data Protection Expert during the first 05 years from the date of establishment. However, this exemption does not apply to micro-enterprises, small enterprises, or startups that directly engage in personal data processing activities.
    Additionally, organizations, agencies, and enterprises falling within the scope of this requirement will be exempt for a period of 01 year from the effective date of the PDP Law. After this 01-year period, all such enterprises must comply with the regulation.
    X - RELATED LAWS AMENDMENTS
    The PDP Law also amends Appendix IV of the 2020 Investment Law to establish three conditional business activities:
    • 228 – Personal data processing services
    • 229 – Personal data reliability rating services
    • 230 – Personal data protection certification services
    ALTAS Can Assist You:
    ALTAS LAW is uniquely positioned to assist your business in navigating these complex administrative reforms. We offer a comprehensive suite of legal and business services designed to provide seamless support during this transition period:
    • Accounting and Tax Services: We offer accounting and tax services to help your business manage the financial implications, including tax planning, tax settlement, tax auditing and tax refund.
    • Licensing & Regulatory Compliance: We will meticulously review your existing licenses and permits, advise on necessary amendments or renewals, and guide you through the process of obtaining any new approvals. Our team will also ensure your compliance with all relevant regulatory changes.
    Please feel free to reach us via email contact@altas.vn to discuss your specific concerns and explore how we can navigate these reforms successfully.
    ---
    Written by: Mr. Luong Van Chuong (Chris) – Partner Lawyer at ALTAS Law & Senior Legal Assistant Nguyen Tran Ngoc Thach – ALTAS Law
    Date: 01/07/2025