Vietnam’s Data Law Takes Effect

by mrd
February 14, 2026
in Data Privacy & Cybersecurity

As of January 1, 2026, Vietnam has officially stepped into a new era of data governance with the full effect of its landmark Law on Personal Data Protection (LPDP). This legislative milestone, formally known as Law No. 91/2025/QH15, was passed by the National Assembly on June 26, 2025, and represents a significant upgrade from the previous Decree 13/2023/ND-CP, elevating personal data protection from a governmental decree to a formal law with greater authority and scope. Accompanying the LPDP is the crucial implementing guide, Decree 356/2025/ND-CP, which replaces Decree 13 and provides the granular details necessary for compliance.

This dual-layered framework, the LPDP and Decree 356, establishes a consent-centric, technologically nuanced, and strictly enforced regime that aligns Vietnam with global privacy standards such as the EU’s GDPR, while also embedding unique local requirements focused on national security and data classification. For any organization, whether based in Vietnam or a foreign entity processing the data of Vietnamese citizens, understanding and adapting to this new legal landscape is no longer optional but a critical business imperative. This comprehensive guide delves into every facet of the new law, from its core definitions and stringent consent rules to the intricate requirements for cross-border data transfers and the severe penalties for non-compliance.

2. The Genesis and Structure of Vietnam’s Data Protection Framework

The journey to a comprehensive data protection law in Vietnam has been rapid but deliberate. It began in earnest with Decree 13/2023/ND-CP, which first introduced the concepts of data protection impact assessments and consent. The LPDP, building upon that foundation, consolidates these rules into a unified, higher-level legal instrument. The government further solidified this framework with Decree 356, which took effect simultaneously on January 1, 2026, offering detailed guidance on the law’s key provisions.

This framework is not operating in a vacuum. It works in tandem with the Law on Data (No. 60/2024/QH15), which took effect earlier, in July 2025, and governs data management more broadly, classifying data based on its importance to national interests. Together, these laws create a dual system in which general data activities and specific personal data protections are tightly regulated, emphasizing data as a strategic national asset.

A. Scope and Extraterritorial Reach

One of the most critical aspects for international businesses is the LPDP’s broad extraterritorial application. The law applies to:

  • Vietnamese entities: All agencies, organizations, and individuals based in Vietnam.

  • Foreign entities in Vietnam: Foreign agencies, organizations, and individuals operating within Vietnamese territory.

  • Foreign entities abroad: Perhaps most significantly, the law applies to foreign organizations and individuals that directly participate in or are related to the processing of personal data of Vietnamese citizens, as well as of Vietnamese-origin individuals residing in Vietnam. This means that a company in Singapore or the United States that markets to or collects data from users in Vietnam must comply with the LPDP, even without a physical presence in the country.

3. Defining the Digital Self: Personal Data Classifications

The LPDP, guided by Decree 356, provides a detailed classification of personal data, dividing it into two main categories: basic and sensitive. The definitions have been significantly expanded from previous regulations.

A. Basic Personal Data

This category includes the common identifiers that pinpoint an individual. Decree 356 has refined this list. It now includes:

  • Full name, date of birth, gender, and place of birth.

  • Phone numbers, email addresses, and marital status.

  • Personal identification number: Notably, specific numbers such as the old national identity card number or tax ID have been consolidated under this single identifier.

  • Information on family relationships, including spouse, parents, and children.

B. Sensitive Personal Data

This category is afforded a higher level of protection due to the inherent risks associated with its processing. Decree 356 has substantially broadened its scope to reflect modern digital realities. It now explicitly includes:

  • Political, religious, and philosophical views: The new decree adds “beliefs” to this category, acknowledging its importance in Vietnamese society.

  • Biometric data: This includes not only fingerprints and facial recognition characteristics but also images of identity cards and citizen identification cards, which could be misused for fraud.

  • Financial data: A major expansion includes bank account details, login credentials, bank card information, and full transaction histories in the banking, securities, and insurance sectors.

  • Behavioral data: Data tracking an individual’s activities and usage history on telecommunications networks, social media, and other online services is now classified as sensitive.

  • Location data: Precise geographic location information from mobile devices or other technologies.

  • Data on criminal and legal violations: This now covers any law violation, not just those reaching the level of criminal liability.


When processing sensitive data, organizations must implement enhanced security measures, including strict access controls, encryption, anonymization, and physical security for storage devices.

4. The Cornerstone of Compliance: Consent and Data Subject Rights

The LPDP is firmly built on the principle of explicit, informed, and unambiguous consent. It moves away from passive acceptance to active agreement.

A. The Anatomy of Valid Consent

For consent to be legally valid under the new law, it must meet stringent criteria:

  • Specific and Informed: The data subject must clearly understand (A) the type of personal data being processed, (B) the purpose of the processing, (C) the identity of the data controller, and (D) their rights and obligations.

  • Voluntary and Unbundled: Consent must be freely given. It cannot be bundled as a condition for receiving a service that is unrelated to the data processing purpose. “Default consent” (e.g., pre-ticked boxes) and misleading interface designs are explicitly prohibited.

  • Verifiable: The burden of proof lies with the organization. It must be able to demonstrate when, how, and to what the data subject consented. Acceptable methods include written forms, recorded calls, SMS syntax, or verifiable digital records on websites and apps.

B. Empowering the Data Subject

The LPDP grants individuals a comprehensive set of rights, transforming them from passive subjects into active participants. Organizations must establish clear procedures and standardized forms to handle these requests within strict statutory timelines.

The table below outlines the key data subject rights and the corresponding deadlines for organizations to respond and act.

Data Subject Rights and Organizational Response Timelines

| Data Subject Request | Response Deadline | Implementation Deadline |
| --- | --- | --- |
| Withdraw Consent / Restrict Processing / Object | 2 working days | 15 days (20 days if a third party is involved) |
| Access, Rectify, or Request Provision of Data | 2 working days | 10 days (15 days if a third party is involved) |
| Request Erasure (Deletion) of Data | 2 working days | 20 days (30 days if a third party is involved) |
| Request Protection Measures | 2 working days | 15 days |

C. Exceptions to Consent

While consent is central, the law acknowledges situations where processing is necessary without it. These include:

  • Protecting the life or health of the data subject or another person in an emergency.

  • Fulfilling contractual obligations with the data subject.

  • Performing tasks in the public interest or for state management functions as defined by law.

  • Responding to emergencies or threats to national security.

5. Operationalizing Compliance: Key Organizational Obligations

Beyond obtaining consent, the LPDP and Decree 356 impose a range of proactive compliance obligations on organizations acting as data controllers or data controller-processors.

A. The Data Protection Officer (DPO)

Every entity processing personal data must formally appoint a Data Protection Officer (DPO) or establish a Data Protection Department (DPD) through a written decision. This represents a significant shift from Decree 13, where the requirement was less absolute.

To qualify as a DPO, an individual must meet specific criteria:

  • Hold a college degree.

  • Have at least three years of experience in relevant fields such as law, data processing, cybersecurity, or compliance.

  • Have completed training in legal knowledge and professional skills related to personal data protection.

The role can also be outsourced to a qualified third-party service provider.

B. Mandatory Impact Assessments

The requirement for impact assessments is a cornerstone of the accountability-based approach. There are two primary types:

  1. Data Processing Impact Assessment (DPIA): Must be prepared and submitted to the Specialized Authority for Personal Data Protection (A05) within 60 days of commencing data processing.

  2. Cross-Border Data Transfer Impact Assessment (CDTIA): Required before transferring data overseas and must be submitted within 60 days of the first transfer.

Key Changes under Decree 356:

  • Technical Depth: The new templates are far more demanding, requiring detailed data flow maps, system architecture diagrams, and descriptions of security measures.

  • Update Cycle: Assessments must be updated every six months if any changes occur, or immediately upon major events such as corporate restructuring or changes in business scope.

  • Regulatory Review: Authorities now have 15 days to review the dossiers and provide a “pass/fail” notice, signaling a move from a simple filing system to substantive review.

  • Exemptions: Small and micro-enterprises, as well as start-ups, may be exempt from these filing requirements for up to five years, provided they do not process sensitive data or the data of more than 100,000 subjects.


C. Data Breach Notification

In the event of a data breach that could harm national security, public order, or the rights of data subjects, organizations must act fast:

  • Notification Timeline: The breach must be reported to the Ministry of Public Security’s cybersecurity department (A05) within 72 hours of becoming aware of the violation. This is a more practical adjustment from the previous rule, which counted from the occurrence of the breach.

  • Content: The notification must include details of the breach, and for incidents involving location or biometric data, even more specific information is required.

  • Record Keeping: A formal record of the violation must be prepared, and the organization must cooperate fully with any subsequent investigation.

6. Navigating the Complexities of Cross-Border Data Transfers

The cross-border transfer of personal data is one of the most tightly regulated areas under the new regime. The LPDP and Decree 356, in conjunction with the Law on Data, create a layered compliance obligation.

A. The CDTIA and Its Exemptions

The primary tool for regulating outbound transfers is the Cross-Border Data Transfer Impact Assessment (CDTIA). However, Decree 356 has introduced several welcome exemptions to this requirement, streamlining processes for common business operations:

  • Data subjects transferring their own data (e.g., using an overseas service directly).

  • Using cloud services to store employee data.

  • Transfers necessary for cross-border human resource management as per internal company rules.

  • Providing data to enter into contracts or carry out procedures related to cross-border transportation, payments, hotel bookings, visa, or scholarship applications.

  • Journalism activities and publicly disclosed data.

B. The Law on Data’s Parallel Control

A critical layer of complexity is added by the Law on Data, which classifies data into “Core Data” and “Critical Data” based on its potential impact on national security and socio-economic stability.

  • Critical Data: Data that could potentially affect national interests (e.g., banking data of 10,000+ enterprises). Transferring this data requires an impact assessment to be submitted 15 days prior to the transfer.

  • Core Data: Data that directly affects national interests (e.g., banking data of 100,000+ enterprises). Transferring this data requires prior approval from the competent authority (Ministry of Public Security or Ministry of National Defense) before any transfer can take place.

This means that a financial institution must not only comply with the LPDP’s CDTIA but also check whether its data meets the threshold for Core or Critical data, which triggers a separate, more stringent approval process.

C. Data Transfer Agreements

Organizations must also formalize data sharing through binding agreements. Decree 356 outlines mandatory contents for these agreements, which must cover the purpose of the transfer, the security measures to be implemented by the recipient, and the responsibilities of each party.

7. Sector-Specific Rules and High-Risk Activities

Recognizing that data processing risks vary by industry, the LPDP introduces tailored rules for specific sectors and emerging technologies.

  • Banking and Finance: Beyond the general rules, using credit information for scoring or rating requires explicit consent. The classification of extensive financial data as “sensitive” under Decree 356 imposes a higher duty of care on banks and financial institutions.

  • Social Media and Online Services: Platforms must provide users with the ability to opt out of tracking. They are explicitly prohibited from eavesdropping on or recording calls without consent. They also cannot require users to provide images of their ID documents for simple account authentication.

  • Big Data, AI, Blockchain, and Cloud Computing: Organizations using these technologies must ensure their systems comply with legal standards, adhere to ethical principles, and have built-in security controls. They are prohibited from using these systems to cause harm to individuals or national security.

  • Healthcare and Insurance: Processing health data generally requires consent, and patient data cannot be provided to third parties (such as insurers) without a specific request from the data subject or as required by law.

8. The New Enforcement Landscape and Penalties

The LPDP transforms data protection from a policy goal into a serious compliance obligation, backed by a powerful enforcement mechanism led by the Ministry of Public Security’s Department of Cybersecurity and High-Tech Crime Prevention (A05).

A. A Deterrent-Based Approach

While the law is strict, the initial approach by authorities is expected to be one of deterrence and education, using inspections to understand implementation challenges. However, the channels for enforcement are expanding. The National Portal for Personal Data Protection allows citizens to report violations, increasing the likelihood of investigations being triggered by public complaints.


B. Severe Financial Penalties

The sanctions framework under the LPDP is designed to be a significant deterrent, with fines that can cripple a non-compliant business:

  • Illegal Data Trading: Fines can reach up to 10 times the illegal revenue obtained from the violation. An absolute prohibition on data trading reinforces that personal data is not a commodity.

  • Cross-Border Transfer Violations: Unauthorized or improperly documented cross-border data transfers can result in fines ranging from 3 billion VND (approx. $118,000) up to 5% of the company’s total revenue from the previous fiscal year.

  • General Violations: Other infractions can attract fines of up to 3 billion VND.

These severe penalties, potentially tied to revenue, are designed to ensure that data protection is prioritized at the highest levels of an organization.

9. Practical Roadmap for Compliance

For organizations operating in or engaging with Vietnam, the path to compliance requires a structured and proactive approach. Here is a practical roadmap based on the new legal requirements.

A. Phase 1: Preparation and Gap Analysis

  • Conduct a Comprehensive Data Inventory: Map out all personal data collected, where it comes from, how it flows through your organization (data mapping), where it is stored, and who has access to it. Classify data as basic or sensitive according to the new expanded definitions.

  • Perform a Gap Analysis: Compare your current data processing practices and policies against the requirements of the LPDP and Decree 356. Identify areas of non-compliance, particularly concerning consent mechanisms, data subject rights procedures, and security measures for sensitive data.

  • Appoint a Qualified DPO: Designate an internal employee or engage an external service provider that meets the new qualification standards for a Data Protection Officer. Formalize this appointment with a written decision.

B. Phase 2: Implementation and Operationalization

  • Revise Consent Mechanisms: Update all consent forms, privacy policies, and user interfaces to ensure they are specific, unbundled, and verifiable. Eliminate any default consent or pre-ticked boxes.

  • Draft and Standardize Procedures: Create clear internal processes and standardized forms for handling data subject requests (access, deletion, correction, withdrawal of consent). Ensure your team is trained to meet the statutory response deadlines.

  • Prepare and Submit Impact Assessments: Complete the new, technically detailed DPIA and, if applicable, CDTIA templates. Submit them to the Specialized Authority for Personal Data Protection within the required 60-day window. Be prepared for the 15-day regulatory review period.

  • Strengthen Security Measures: For sensitive personal data, implement enhanced technical and organizational measures, including encryption, strict access controls, and regular security testing.

  • Review Contracts and Data Sharing Agreements: Ensure all contracts with data processors and third parties include the mandatory provisions for data protection and transfer agreements as required by Decree 356.

C. Phase 3: Monitoring and Continuous Improvement

  • Establish a Review Cycle: Create a schedule to review and update your DPIAs and CDTIAs every six months or immediately upon any significant operational change.

  • Train Your Workforce: Regularly train employees on data protection principles, the new law, and their specific responsibilities. This is not just for the legal team but for anyone handling personal data.

  • Monitor Regulatory Guidance: Stay alert to further guidance and enforcement practices from the authorities, as many provisions will be clarified over time through implementation.

10. Conclusion: Embracing Data Protection as a Strategic Imperative

Vietnam’s new data protection regime, spearheaded by the LPDP and Decree 356, represents a decisive shift toward a modern, accountable, and rights-respecting digital society. While the compliance bar has been raised significantly, particularly with its consent-centric rules, extraterritorial reach, and the dual-layered control over cross-border data flows, the framework provides much-needed legal certainty.

For businesses, this is not merely a compliance exercise but an opportunity to build trust with Vietnamese consumers, who are becoming increasingly aware of their data rights. By viewing these regulations as a strategic framework for responsible data stewardship, organizations can mitigate legal risks, avoid severe financial penalties, and gain a competitive advantage in one of Southeast Asia’s most dynamic digital economies. The era of lax data protection in Vietnam is over; the era of proactive, embedded privacy compliance has just begun.

Copyright © 2013 - 2022 SejarahBali.com All rights reserved. Design & Maintenance by Bali Web Design RumahMedia