The PDPL 2025 Era: Analyzing the 3 Billion VND Fine and Compliance Roadmap for Businesses


Starting from January 1, 2026, the Personal Data Protection Law 2025 (PDPL) is expected to officially come into force, marking a major turning point in corporate governance in Vietnam.

[Image: Warning of 3 billion VND fine under PDPL 2025 and data security compliance solutions for businesses.]

No longer just a recommendation or guideline, securing customer and employee information is now a vital mandatory obligation. Authorities are tightening the legal net against all forms of unauthorized data collection.

With administrative fines potentially reaching 3 billion VND or 5% of total revenue, what must organizations and businesses do to adapt safely?

The following article from the legal expert team at Altas Corp provides a detailed analysis of the Decree on Personal Data Protection and offers the most optimized compliance roadmap.

1. What is the Personal Data Protection Law 2025? An Inevitable Shift

In the era of global digitalization, personal data is no longer merely identification information. It has been elevated to a "strategic resource" and an invaluable "asset" for every nation.

The Explosion of the Data Economy

The boom of e-commerce platforms, social networks, and online public services has generated a massive volume of data, leading to a corresponding rise in cybercrime.

The illegal buying, selling, and exchange of customer information occur openly, causing significant public outcry and threatening social security and order.

From Decree 13/2023/ND-CP to the 2025 Law

The Government of Vietnam issued the Personal Data Protection Decree (Decree 13/2023/ND-CP) as a crucial stepping stone. This is the first comprehensive legal document in this field.

However, to keep pace with integration trends and international standards like Europe's GDPR, upgrading the Decree into the 2025 Personal Data Protection Law is an inevitable step.

The new law will address existing loopholes while increasing the weight of penalties, forcing businesses to truly invest in information security.

2. Data Classification: The Foundation for Compliance

To correctly apply the personal data compliance roadmap, businesses must first clearly understand which types of information assets they hold.

According to current legal regulations, information is divided into two core groups, requiring completely different levels of protection.

Basic Personal Data

This is information used to identify a specific individual in society. It is common and frequently collected by businesses every day.

This group includes: Full name at birth, date of birth, gender, permanent residence registration address, current place of residence, phone number, and email address.

In addition, ID card numbers, Citizen Identification numbers, passport numbers, personal tax identification numbers, and facial images are also classified as basic data.

Sensitive Personal Data

This is the "restricted zone" of the law. The leakage of sensitive data can cause serious harm to an individual's legal rights and interests.

When collecting this group, businesses must adhere to extremely strict legal constraints, including the mandatory establishment of a DPIA dossier.

Sensitive data includes: Political views, religious views, health status (excluding blood group information), sexual life, and sexual orientation.

Furthermore, personal location data determined through positioning services, genetic data, biometric characteristics (fingerprints, irises), and bank account data also belong to this group.

3. PDPL 2025 Penalties: An "Alarming" Figure for Businesses

The most significant difference between the new Law and previous regulations lies in the severity of the sanctions. PDPL violation penalties are designed to be deterrent enough even for billion-dollar corporations.

Enormous Monetary Fines

Serious violations, such as illegal collection, trade, or transfer of data, will face very large cash fines.

Depending on the severity and consequences, authorities may apply fines ranging from several hundred million to between 2 billion and 3 billion VND per violation.

This serves as a financial lever forcing companies to abandon business habits based on profiting from customer information.

Fines Based on a Percentage of Revenue

This is a "catastrophic" regulation for large-scale enterprises. Similar to GDPR standards, fines can be applied based on revenue.

For particularly serious violations with widespread consequences, the fine can be up to 5% of the total revenue of the preceding fiscal year.

This means that the larger the company and the higher the profit, the more colossal the fine will be if the security system has vulnerabilities.

[Image: Warning that PDPL violation fines can reach 5% of total revenue or 3 billion VND.]

Supplementary Penalties and Legal Consequences

Beyond financial loss, businesses also face supplementary penalties that can "freeze" business operations.

Competent authorities may issue decisions to suspend the business's personal data processing activities for 1 to 3 months.

Furthermore, a business may have its business license revoked for sectors related to information collection, or be forced to destroy the entire violating database system.

4. Entities Directly Affected by PDPL

The scope of personal data protection regulations is extremely broad. Every organization and individual involved in data processing activities in Vietnam must comply.

Below are the industry groups and departments that will be most strongly impacted by this legal "storm."

Finance, Banking, and Insurance Sector

This group possesses massive amounts of Big Data filled with sensitive information, ranging from credit history and income to medical health records.

Banks and insurance companies will have to restructure their entire storage systems and information-sharing processes with third parties (such as debt collection partners and insurance agents).

E-commerce and Retail Businesses

E-commerce platforms and supermarket chains frequently track shopping behavior, consumption habits, and store payment information of millions of people.

Running targeted ads based on user data will face more hurdles: businesses that do so are required to have clear consent mechanisms in place for their customers.

Technology Solutions, Cloud, and SaaS Providers

Companies providing cloud storage services and business management software (SaaS) act as "Data Processors" or "Data Controllers and Processors."

They must prove that their systems meet international information security standards and commit to joint liability if a Data Breach occurs.

Potential Risks in Human Resources (HR)

Many businesses mistakenly believe that PDPL only applies to customers. In reality, employees' information is also strictly protected.

The HR department frequently collects ID card details, dependents' information, health checkup records, and fingerprints for time attendance. All of these are personal data.

If HR does not have confidentiality agreement appendices or shares candidates' CVs with third parties without permission, the business could face heavy fines.

5. Comprehensive Compliance Roadmap: 5 "Vital" Steps

To avoid unfortunate legal risks, waiting for authorities to conduct an inspection is a flawed strategy.

Altas Corp proposes a personal data compliance roadmap consisting of 5 key stages, helping businesses proactively master the process.

Step 1: Inventory and Data Mapping

Before protecting the "treasure," you must know what you have. Businesses need to review the entire source of data flowing through their systems.

Precise answers are required for these questions: Where is this data collected from? Which department holds it? What is the actual purpose of its use?

Data mapping helps businesses eliminate redundant information and avoid violating the principle of "collecting only what is strictly necessary."

Step 2: Appoint a Data Protection Officer (DPO)

The introduction of the new Law brings an urgent need for an entirely new job position: Personal Data Protection Officer (DPO).

Especially for entities processing sensitive data, the appointment of a DPO is a mandatory requirement under legal regulations.

A DPO does not necessarily have to be an IT professional. This person should be legally savvy, acting as the internal monitoring focal point and working directly with the Department of Cybersecurity when requested.

Step 3: Finalize the "Consent" Mechanism

All current data collection activities must be based on the principle of voluntariness. A customer's silence is not considered consent.

Businesses must redesign their website/app interfaces. Instead of pre-selected checkboxes hidden deep within lengthy terms, customers must manually click the "Agree" button.

The Privacy Policy must be written in easy-to-understand language, transparently disclosing what the data will be used for and with whom it will be shared.

Step 4: Establish DPIA Dossiers and Update Contracts

After reviewing processes, businesses are required to begin drafting the Data Protection Impact Assessment (DPIA) dossier. This document proves the legal validity of the system.

Simultaneously, the Legal department needs to conduct a full review of labor contracts with employees and service contracts with partners (shipping, payment).

It is necessary to add data processing agreement appendices, clearly stipulating compensation responsibilities if a partner leaks the company's customer information.

Step 5: Internal Training and Incident Response

Humans are always the weakest link in a security system. A single mistaken click on an email containing malware can bypass every technical defense, firewall included.

Businesses need to build a culture of information security from top leadership to executive staff. Periodic training sessions on cybersecurity are essential.

At the same time, an Incident Response Plan must be established. If a breach occurs, the company has a maximum of 72 hours to report it to the state authority as regulated.

[Image: 5-Step PDPL 2025 Compliance Roadmap: Audit, Classification, DPIA Assessment, Training, and Operation.]

6. The Legal Focal Point: What is a DPIA Dossier?

Throughout the entire compliance roadmap, the Data Protection Impact Assessment (DPIA) dossier is the concept that confuses many businesses the most.

It is not a simple commitment letter, but a specialized legal document that requires a combination of legal expertise and information technology knowledge.

Mandatory Structure of a DPIA Dossier

A standard DPIA dossier must present a panoramic view of how the business operates its data flows.

The mandatory content includes detailed business information, information of the Data Protection Officer (DPO) in charge, and a detailed description of the types of data being collected.

Businesses must clearly state the purposes of processing, the expected storage period, and the mechanism that allows users to request the deletion of their data.

Risk Assessment and Mitigation Measures

The most critical part of a DPIA is the risk assessment report. Businesses must establish worst-case scenarios: If a hacker attacks, what will the consequences be?

Subsequently, the dossier must list the technical and organizational measures currently applied for prevention. For example: end-to-end data encryption, physical access control, and firewall installation.

The goal is to prove to the authorities that the business has made every effort to protect citizens' information.

Regulations on Submitting Dossiers to the Department of Cybersecurity (A05)

The law clearly stipulates that businesses have 60 days from the start of data processing activities to complete the DPIA dossier.

This dossier must always be available at the business headquarters for inspections and sudden audits.

At the same time, businesses must submit one (01) original copy of the DPIA dossier to the specialized personal data protection authority under the Ministry of Public Security (currently Department A05) in accordance with the prescribed forms.

Outbound Data Transfer Dossier

If your business uses cloud storage services with servers located abroad (such as AWS, Google Cloud, Microsoft Azure), the process will be more complex.

Alternatively, if you are a subsidiary and need to send reports containing employee information to a parent company in another country, you are engaging in cross-border data transfer.

In this case, in addition to the DPIA, the business must prepare a "Personal Data Outbound Transfer Impact Assessment Dossier" and wait for appraisal from the state authority.

7. Identifying Tech Risks in Cyberspace

Establishing technical measures in a DPIA dossier requires businesses to clearly understand threats from the digital space.

According to documents from Thuvienphapluat.vn and Chinhphu.vn, the State continuously warns about the sophistication of cyberattacks aimed at appropriating digital assets.

Malware Attacks and Online Fraud (Phishing)

Ransomware is becoming a nightmare for businesses. It infiltrates through suspicious links sent to employees' emails.

Once activated, the malware encrypts the company's entire database. Hackers will demand a ransom to unlock it, accompanied by threats to leak customer data online.

Phishing is equally common. Fraudsters create fake websites impersonating partners to trick accounting staff into providing login credentials for CRM systems.

Risks from Artificial Intelligence (AI) and Algorithms

AI technology brings immense benefits but also carries serious risks of privacy infringement if ethical safeguards are absent.

AI can automatically collect (crawl) data from social networks, then aggregate and analyze it to create detailed profiles of individuals without their knowledge.

The use of algorithms to manipulate purchasing psychology based on private data is being placed under strict scrutiny by lawmakers.

Digital Footprints and the Encirclement of the Internet of Things (IoT)

Security cameras, fingerprint time attendance machines, and smart home devices in the office are all network-connected and constantly send data to servers.

If a business's internal Wi-Fi system does not use VLANs (Virtual Local Area Networks) to isolate IoT devices, hackers can easily use them as a "springboard" to penetrate deep into servers containing data.

8. Comparison: Proactive Compliance vs. Delay

Each criterion below is compared for a business that complies proactively versus one that delays and adapts slowly.

Cost Burden
  • Proactive Compliance: Optimized. Initial consulting and restructuring costs.
  • Delay & Slow Adaptation: High risk. Fines up to 3B VND or 5% of revenue, plus civil lawsuits.

Brand Value
  • Proactive Compliance: Establishes trust with customers and global partners.
  • Delay & Slow Adaptation: Disastrous PR crisis in case of a leak. Loss of market trust.

Operations
  • Proactive Compliance: Scientific and optimized. Removes junk data.
  • Delay & Slow Adaptation: Patchy and loose. Constant risk of suspension orders.

Legal Standing
  • Proactive Compliance: Safe. Guided by state authorities.
  • Delay & Slow Adaptation: High risk. Marked on "Red Lists" for priority inspections.

9. Why Start Your Privacy Policy Today?

The transition between regulatory frameworks always creates a certain "lag" in the market. Businesses that take the lead will capture the most trust.

Modern customers are becoming increasingly demanding. They are ready to boycott apps or brands that show signs of misappropriating personal information.

Direct Impact on B2B Cooperation and FDI Attraction

If your business is participating in global supply chains or wishes to receive capital from Foreign Direct Investment (FDI) funds, compliance with the PDPL (Personal Data Protection Law) is a prerequisite.

During the Due Diligence process, investors will strictly inspect your storage systems and DPIA (Data Protection Impact Assessment) dossiers.

A company that fails to meet data security standards will be immediately excluded from M&A (Mergers and Acquisitions) negotiation tables.

10. Altas Corp – Your Partner in the Digital Era

Full implementation of the Personal Data Protection Law has never been an easy task. It goes beyond the boundaries of the IT department, requiring deep coordination between Legal, Human Resources, and Strategic Management perspectives.

At Altas Corp, we understand the difficulties that Vietnamese enterprises are facing in the process of digital legal transformation.

We provide a comprehensive ecosystem of legal consulting solutions, specifically designed to fit the scale and characteristics of each industry.

Review and Compliance Process Construction Services

Altas’s team of lawyers and experts will directly review the enterprise's data flow system (Data Mapping).

From there, we assist in redrafting the entire Privacy Policy and the Consent terms on the Website/App to ensure 100% compliance with legal regulations.

Establish DPIA Dossiers and Procedures with State Authorities

End the anxiety over complex forms. Altas Corp will represent clients in drafting and standardizing Data Protection Impact Assessment (DPIA) dossiers.

We also provide consultancy for completing outbound data transfer report dossiers, representing the enterprise in submitting and explaining them to the Department of Cybersecurity (Ministry of Public Security) on schedule.

DPO Personnel Training and Labor Contract Amendment

To ensure the system operates sustainably, Altas organizes intensive training courses to help businesses train and appoint "battle-ready" Data Protection Officer (DPO) personnel internally.

In addition, legal experts will promptly review and add strict Non-Disclosure Agreement (NDA) appendices to labor contracts and partnership contracts, establishing a solid legal shield from within.

CONCLUSION

The PDPL 2025 is a wake-up call ending the era of loose data usage. Don't let legal risks hinder your growth. Contact Altas Corp today to establish a secure and professional legal shield.

[Image: Register for PDPL compliance consulting at Altas Law.]

  • HCM Office: 5th Floor, 37 Ky Con, Nguyen Thai Binh Ward, District 1.
  • Hanoi Office: 12th Floor, Mipec Tower, 229 Tay Son St., Dong Da Dist.
  • Bac Ninh Office: 4th Floor, Duong Tuan Building, No. 09 Le Thai To St., Vo Cuong Ward, Bac Ninh.
  • Hotline: +84 916 923 235 | Website: altas.vn

Content Lead: Tran Tu Van – Marketing Lead at ALTAS Corp.
