Law on Personal Data Protection of Vietnam 2025

LAW

PERSONAL DATA PROTECTION

Pursuant to the Constitution of the Socialist Republic of Vietnam, amended by Resolution No. 203/2025/QH15;

The National Assembly of Vietnam hereby promulgates the Law on Personal Data Protection

Chapter I

GENERAL PROVISIONS

Article 1. Scope and regulated entities

1. This Law provides for personal data, personal data protection, and rights, obligations, and responsibilities of relevant agencies, organizations, and individuals.

2. This Law applies to:

a) Vietnamese agencies, organizations, and individuals;

b) Foreign agencies, organizations, and individuals in Vietnam;

c) Foreign agencies, organizations, and individuals directly participating in or involved in the processing of personal data of Vietnamese citizens and persons of Vietnamese origin without determined nationality residing in Vietnam who have been issued with identification certificates.

Article 2. Interpretation of terms

For the purpose of this Law, the following terms shall be construed as follows:

1. Personal data refers to digital data or information in other forms that identifies or assists the identification of a specific individual, including basic personal data and sensitive personal data. Personal data, once de-identified, is no longer considered personal data.

2. Basic personal data refers to personal data reflecting common personal details and background information, frequently used in transactions and social relations and specified by the Government of Vietnam.

3. Sensitive personal data refers to personal data associated with individuals’ privacy rights that, if infringed on, directly affect legitimate rights and benefits of agencies, organizations, and individuals specified by the Government of Vietnam.

4. Personal data protection refers to when agencies, organizations, and individuals use specific forces, equipment, and measures to prevent and combat infringement on personal data.

5. Personal data subject matters refer to persons reflected in the personal data.

6. Personal data processing refers to activities impacting personal data, including one or more of the following: collection, analysis, summary, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data, and other activities impacting personal data.

7. Personal data controlling party refers to an agency, organization, or individual that decides on the purposes and means of personal data processing.

8. Personal data processing party refers to an agency, organization, or individual processing personal data as requested by the personal data processing party or personal data processing and controlling party under a contract.

9. Personal data processing and controlling party refers to an agency, organization, or individual that decides on the purposes and means of personal data processing and directly processes personal data.

10. Third party refers to an organization or individual other than the personal data subject matter, personal data controlling party, personal data processing and controlling party, and personal data processing party participating in the personal data processing according to the law;

11. Personal data de-identification refers to the process of altering or deleting information to create new data that cannot be determined or assist the identification of a specific individual.

12. Personal data processing impact assessment refers to the analysis and assessment of potential risks during personal data processing for the application of measures to minimize risks and protect personal data.

Article 3. Personal data protection principles

1. Ensuring compliance with the Constitution, this Law, and relevant laws.

2. Ensuring that personal data is only collected and processed within a specific, clear, and lawful scope and purpose.

3. Ensuring that personal data’s accuracy is ensured, and such data is modified, updated, supplemented (if necessary), and stored for a period in conformity with the personal data processing purpose unless otherwise prescribed by the law.

4. Ensuring that institutional, technical, and human measures and solutions are synchronously and effectively implemented to protect personal data.

5. Ensuring proactive prevention, detection, combat, and timely and strict handling of all violations against personal protection laws.

6. Ensuring that personal data protection aligns with national benefits, supports socio-economic development, ensures national defense, security, and foreign affairs; ensuring harmony between personal data protection and the protection of legitimate rights and benefits of agencies, organizations, and individuals.

Article 4. Rights and obligations of personal data subject matters

1. Rights of personal data subject matters:

a) To be informed of the personal data processing;

b) To consent, refuse, or request withdrawal of consent to the personal data processing;

c) To view, modify, or request modification of their personal data;

d) To request provision, deletion, and restriction of personal data processing; to object to personal data processing;

dd) To complain, denounce, initiate lawsuits, or claim damages according to the law;

e) To request competent authorities or agencies, organizations, or individuals relevant to personal data processing to adopt solutions and measures to protect their personal data according to the law.

2. Obligations of personal data subject matters:

a) To protect their personal data;

b) To respect and protect the personal data of others;

c) To adequately and accurately provide their personal data according to the law, contracts, or upon their consent to the processing of their personal data;

d) To comply with personal data protection laws and participate in the prevention and combat against personal data infringement.

3. Personal data subject matters shall, when exercising their rights and fulfilling their obligations, ensure compliance with the following principles:

a) Ensuring compliance with the law and contractual obligations; ensuring that the rights and obligations of personal data subject matters are implemented to protect the legitimate rights and benefits of such subject matters;

b) Refraining from obstructing or hindering the implementation of legal rights and obligations of the personal data controlling parties, personal data processing and controlling parties, and personal data processing parties;

c) Refraining from infringing on the legitimate rights and benefits of the State and other agencies, organizations, and individuals.

4. Agencies, organizations, and individuals shall create favorable conditions and refrain from obstructing and hindering the implementation of rights and obligations of personal data subject matters according to the law.

5. When receiving requests from the personal data subject matters for the implementation of rights of personal data subject matters according to Clause 1 of this Article, personal data controlling parties and personal data processing and control parties shall promptly implement such requests within the period prescribed by the law.

The Government of Vietnam shall elaborate on this Clause.

Article 5. Application of personal data protection laws

1. Activities concerning personal data protection within the territory of the Socialist Republic of Vietnam shall be conducted in compliance with this Law and relevant laws.

2. Where specific laws and resolutions of the National Assembly of Vietnam promulgated before the effective date of this Law contain specific regulations on personal data protection that are not contrary to the personal data protection principles of this Law, such laws and resolutions shall prevail.

3. Where specific laws and resolutions of the National Assembly of Vietnam promulgated after the effective date of this Law contain specific regulations on personal data protection contrary to this Law, such laws and resolutions must specify contents to be implemented or not implemented according to this Law, and contents to be implemented according to such laws and resolutions.

4. Agencies, organizations, and individuals conducting personal data processing impact assessments and cross-border personal data transfer impact assessments under this Law shall be exempted from conducting personal data processing risk assessments and cross-border personal data transfer impact assessments according to data laws.

Article 6. International cooperation in personal data protection

1. Compliance with the law of Vietnam, international treaties to which the Socialist Republic of Vietnam is a signatory, and international agreements on personal data protection based on equality, mutual benefit, and respect for independence, sovereignty, and territorial integrity.

2. International cooperation in personal data protection includes:

a) Developing international cooperation mechanisms to facilitate the effective implementation of personal data protection laws;

b) Participating in the provision of judicial assistance to protect personal data of other nations;

c) Preventing and combating infringement on personal data;

d) Providing personnel training, conducting scientific research, and applying science and technology to personal data protection;

dd) Exchanging experience in developing and implementing personal data protection laws;

e) Transferring technologies in service of personal data protection.

3. The Government of Vietnam shall stipulate the responsibility for conducting international cooperation in personal data protection.

Article 7. Prohibited acts

1. Processing personal data to oppose the Socialist Republic of Vietnam or in ways that affect national defense, security, social order, safety, and legitimate rights and benefits of agencies, organizations, and individuals.

2. Obstructing personal data protection activities.

3. Taking advantage of personal data protection activities to violate the law.

4. Processing personal data against the law.

5. Using personal data of others and/or letting others use one’s personal data to violate the law.

6. Trading personal data unless otherwise prescribed by the law.

7. Appropriating, intentionally leaking, or causing the loss of personal data.

Article 8. Handling of violations against personal data protection laws

1. Organizations and individuals committing violations against this Law and other laws concerning personal data protection shall, depending on the nature, severity, and consequences of the violations, be fined or criminally prosecuted and provide compensation if the violations cause damage as prescribed by laws.

2. The imposition of fines for administrative violations concerning personal data protection shall comply with Clauses 3, 4, 5, 6, and 7 of this Article and administrative violation handling laws.

3. The maximum fine for an administrative violation concerning the trading of personal data is 10 times the revenue gained from the violation. Where there is no revenue from the violation, or if the fine calculated based on the revenue is lower than the maximum fine specified in Clause 5 of this Article, the fine specified in Clause 5 of this Article shall prevail.

4. The maximum fine for an administrative violation committed by an organization concerning the cross-border transfer of personal data is 5% of its revenue in the previous year. Where there is no revenue from the previous year, or if the fine calculated based on the revenue is lower than the maximum fine specified in Clause 5 of this Article, the fine specified in Clause 5 of this Article shall prevail.

5. The maximum fine for other administrative violations concerning personal data protection is 3 billion VND.

6. The maximum fines specified in Clauses 3, 4, and 5 of this Article shall be applicable to organizations; for individuals committing the same violations, the maximum fine is half of that applied to organizations.

7. The Government of Vietnam shall stipulate the methods for calculating revenues gained from committing violations against personal data protection laws.

Chapter II

PERSONAL DATA PROTECTION

Section 1. PERSONAL DATA PROTECTION DURING PERSONAL DATA PROCESSING

Article 9. Consent of personal data subject matters

1. Consent of a personal data subject matter (hereinafter referred to as “consent”) refers to when the personal data subject matter permits the processing of its personal data unless otherwise prescribed by the law.

2. The consent is valid only if it is voluntary and based on full awareness of the following information:

a) The type of personal data to be processed and the purpose of the processing;

b) The personal data controlling party or the personal data processing and controlling party;

c) Rights and obligations of the personal data subject matter.

3. The consent shall be displayed in a clear and specific manner, in a format that can be printed or copied in writing, including electronic forms or verifiable formats.

4. The consent shall comply with the following principles:

a) The consent must be specific to each purpose;

b) Conditions requiring consent for purposes other than those stated in the agreement must not be enclosed;

c) The consent shall be valid until the personal data subject matter changes it or as prescribed by the law;

d) Silence or lack of response shall not be deemed as consent.

5. The Government of Vietnam shall elaborate Clause 3 of this Article.

Article 10. Requests for withdrawal of consent and restriction of personal data processing

1. A personal data subject matter may request the withdrawal of its consent to personal data processing or the restriction of the processing of its personal data when there is doubt about the scope, purpose of the personal data processing, or accuracy of the personal data, excluding the cases prescribed in Article 19 of this Law or other legal provisions.

2. The request mentioned above must be made in writing, including electronic forms or verifiable formats, and sent to the personal data controlling party or the personal data processing and controlling party.  The request shall be carried out under the law and an agreement between the concerned parties.

3. The personal data controlling party or the personal data processing and controlling party shall receive, implement, and request the personal data processing party to carry out the request for consent withdrawal or personal data processing restriction of the personal data subject matter within the period prescribed by the law.

4. The implementation of the request for consent withdrawal or personal data processing restriction shall not apply to personal data processing activities that occur before the personal data subject matter makes the request.

Article 11. Collection, analysis, and summary of personal data

1. Personal data may only be collected with the personal data subject matter’s consent unless otherwise provided by the law.

2. Agencies of the CPV and the State are competent to analyze and summarize personal data from self-collected data sources or data sources shared, provided, transferred, utilized, and used for leadership, directive, state management, and socio-economic development according to the law.

3. Agencies, organizations, and individuals not specified in Clause 2 of this Article may analyze and summarize personal data from personal data sources permitted for processing according to the law.

Article 12. Personal data encryption and decryption

1. Personal data encryption means converting such data into an unreadable format without decryption; encrypted personal data is still considered personal data.

2. Personal data classified as state secrets must be encrypted and decrypted according to state secret protection laws and cipher laws.

3. Agencies, organizations, and individuals shall decide on the encryption and decryption of personal data in conformity with personal data processing activities.

Article 13. Personal data modification

1. A personal data subject matter may modify its personal data (applicable to specific types of personal data) under an agreement with the personal data controlling party or the personal data processing and controlling party; request either of the mentioned parties to modify its personal data.

2. The personal data controlling party or the personal data processing and controlling party shall modify the concerned personal data after the personal data subject matter issues the request or modifies its personal data under the law; request the personal data processing party or the third party to modify the personal data of the personal data subject matter.

3. The modification of personal data must ensure accuracy. Where personal data cannot be modified for legitimate reasons, the personal data controlling party or personal data processing and controlling party shall issue a notice to the requesting agency, organization, or individual.

Article 14. Deletion, destruction, and de-identification of personal data

1. Personal data shall be deleted or destroyed in the following cases:

a) At the request of the personal data subject matter, who accepts any potential risks or damages.  Such request must comply with the principles prescribed in Clause 3 Article 4 of this Law;

b) Upon completion of the personal data processing purpose;

c) Upon the expiration of the storage period according to the law;

d) Upon decisions of competent state authorities;

dd) In accordance with agreements;

e) Other cases according to the law.

2. A personal data subject matter’s request for personal data deletion or destruction shall not be carried out if it falls into the cases prescribed in Article 19 of this Law or if the personal data deletion or destruction violates Clause 3 Article 3 of this Law.

3. The personal data controlling party or the personal data processing and controlling party shall delete or destroy personal data in the cases prescribed in Clause 1 of this Article or request the personal data processing party or the third party to delete or destroy the personal data of the personal data subject matter.

4. Agencies, organizations, and individuals shall not intentionally and illegally restore the deleted or destroyed personal data.

5. The personal data controlling party, personal data processing and controlling party, and personal data processing party shall comply with this Law.  Where personal data deletion or destruction cannot be carried out due to legitimate reasons after receiving the request of the personal data subject matter, the personal data controlling party or personal data processing and controlling party shall issue a notice to the personal data subject matter.

6. Regulations on personal data de-identification:

a) Agencies, organizations, and individuals performing personal data de-identification shall strictly control and supervise the personal data de-identification process; prevent unauthorized access, copying, appropriation, disclosure, or loss of personal data during the mentioned process;

b) Re-identification of personal data after it has been de-identified is prohibited unless otherwise prescribed by the law;

c) Personal data de-identification shall comply with this Law and other relevant laws.

Article 15. Personal data provision

1. Personal data subject matters shall provide personal data for agencies, organizations, and individuals according to the law or under agreements with such entities.

2. The personal data controlling party or personal data processing or controlling party shall provide personal data:

a) For a personal data subject matter upon its request in conformity with the law or under an agreement with the data subject matter, excluding cases where the provision may harm national defense, security, social order, and safety or infringe on the life, health, or property of others; or

b) For other agencies, organizations, or individuals when consented to by the personal data subject matter unless otherwise prescribed by the law.

Article 16. Personal data disclosure

1. Personal data may only be disclosed for a specific purpose. The scope of the disclosure and the type of personal data to be disclosed must conform with the disclosure purpose. The personal data disclosure shall not infringe on the legitimate rights and benefits of the personal data subject matter.

2. Personal data may only be disclosed in the following cases:

a) Upon the personal data subject matter’s consent;

b) According to the law;

c) In the cases prescribed in Point b Clause 1 Article 19 of this Law;

d) For contractual obligation implementation.

3. The disclosed personal data must accurately reflect the original personal data and facilitate access, utilization, and use by agencies, organizations, and individuals.

4. Forms of personal data disclosure include: publishing on websites, web portals, mass media, and other forms according to the law.

5. Agencies, organizations, and individuals disclosing personal data shall strictly control and supervise the personal data disclosure to ensure compliance with the proper purpose, scope, and the law; prevent unauthorized access, use, disclosure, copying, modification, deletion, destruction, or other illegal processing acts regarding the disclosed personal data within their capacity and conditions.

Article 17. Personal data transfer

1. Personal data shall be transferred in the following cases:

a) Upon the personal data subject matter’s consent to the personal data transfer;

b) Upon personal data sharing among departments in the same agency or organization to process personal data in conformity with the defined processing purpose;

c) Upon personal data transfer to continue the personal data processing in case of division, separation, or merger or agencies, organizations, or administrative divisions, or restructuring and conversion of ownership of state-owned enterprises; division, separation, consolidation, merger, and operational termination of units or organizations; establishment of new units or organizations based on the operational termination of other units or organizations;

d) When the personal data controlling party or the personal data processing and controlling party transfers personal data to the personal data processing party or the third party for processing as per regulation;

dd) Upon requests from competent state authorities;

e) In the cases prescribed in Clause 1 Article 19 of this Law.

2. The personal data transfer specified in Clause 1 of this Article, whether free of charge or for a fee, shall not be considered personal data trading.

3. The Government of Vietnam shall elaborate on this Article.

Article 18. Other operations in personal data processing

1. Personal data controlling parties, personal data processing and controlling parties, personal data processing parties, and third parties shall store personal data in a manner conformable with their operations and adopt measures to protect personal data during the storage process according to the law.

2. The storage, access, retrieval, connection, regulation, confirmation, and authentication of personal data and activities that impact personal data shall comply with this Law, data laws, relevant laws, and agreements among the concerned parties.

3. Priority shall be given to the utilization and use of personal data in state management and operations of public service providers in service of the pilot implementation of special mechanisms and policies aimed at breakthroughs in science, technology, innovation, and national digital transformation.

Article 19. Personal data processing without personal data subject matters’ consent

1. Personal data processing may be processed without the personal data subject matter’s consent in the following cases:

a) To protect the life, health, honor, dignity, and legitimate rights and benefits of the personal data subject matter or others in urgent cases; or to protect one’s own or others’ legitimate rights or benefits, or benefits of the State or agencies/organizations in a necessary manner against infringement on such rights or benefits. The personal data controlling party, personal data processing party, personal data processing and controlling party, and the third party shall prove the necessity of such processing;

b) To respond to emergencies or threats to national security that have yet to escalate to the level of a declared emergency; to prevent and combat riots, terrorism, crimes, and law violations;

c) To serve the operations of state agencies and the state management according to the law;

d) To carry out the agreement between the personal data subject matter and a relevant agency, organization, or individual according to the law;

dd) Other cases according to the law.

2. Relevant agencies, organizations, and individuals shall establish supervision mechanisms while processing personal data in cases where the personal data subject matters’ consent is not required, including:

a) Establishing procedures and regulations on personal data processing and determination of the responsibilities of agencies, organizations, and individuals during the personal data processing;

b) Adopting measures to protect personal data appropriately; regularly assessing potential risks during personal data processing;

c) Conducting periodic inspections and assessments of compliance with personal data processing laws, procedures, and regulations;

d) Establishing mechanisms to receive and handle feedback and suggestions from relevant agencies, organizations, and individuals.

Article 20. Cross-border personal data transfer

1. Cases of cross-border personal data transfer:

a) Transfer of personal data stored in Vietnam to storage systems outside of the territory of the Socialist Republic of Vietnam;

b) Agencies, organizations, or individuals in Vietnam transferring personal data to overseas organizations or individuals;

c) Agencies, organizations, and individuals in Vietnam or overseas using specific platforms outside the territory of the Socialist Republic of Vietnam to process personal data collected in Vietnam.

2. Agencies, organizations, and individuals engaging in cross-border personal data transfer shall perform the operations prescribed in Clause 1 of this Article, prepare dossiers on the assessment of cross-border personal data transfer impact, and send 1 original copy of the mentioned dossiers to personal data protection authorities within 60 days from the first day of cross-border personal data transfer, excluding the cases prescribed in Clause 6 of this Article.

3. Assessment of cross-border personal data transfer impact shall be carried out once for the entire operational duration of the agencies, organizations, and individuals above and be updated according to Article 22 of this Law.

4. Personal data protection authorities shall decide on the periodic inspection of the cross-border personal data transfer, up to once per year, or irregular inspection upon detection of violations against personal data protection laws or personal data leak or loss.

5. Personal data protection authorities shall decide to request the suspension of cross-border personal data transfer by agencies, organizations, or individuals when the transferred data is detected to be used in operations that can potentially harm national defense and security.

6. Cases where assessment of cross-border personal data transfer impact is not required:

a) Cross-border personal data transfer by competent state authorities;

b) Agencies and organizations storing their employees’ personal data on cloud computing services;

c) Personal data subject matters transferring their personal data across borders;

d) Other cases according to regulations of the Government of Vietnam.

7. The Government of Vietnam shall elaborate on Clauses 1, 5, and 6 of this Article and stipulate dossier components, conditions, and procedures for assessing the impact of cross-border personal data transfer.

Article 21. Assessment of personal data processing impact

1. The personal data controlling party or personal data processing and controlling party shall prepare and store a dossier on the assessment of personal data processing impact and send 1 original copy to a personal data protection authority within 60 days from the first day of the personal data processing, excluding the cases prescribed in Clause 6 of this Article.

2. The assessment of personal data processing impact shall be carried out once for the entire operational duration of the personal data controlling party or personal data processing and controlling party and be updated according to Article 22 of this Law.

3. The personal data processing party shall prepare and store a dossier on the assessment of personal data processing impact under an agreement with the personal data controlling party or the personal data processing and controlling party, excluding the cases prescribed in Clause 6 of this Article.

4. The personal data protection authority shall assess and request the personal data controlling party/the personal data processing and controlling party or the personal data processing party to complete its dossier on the assessment of personal data processing impact in case such dossier is inadequate and not in compliance with regulations.

5. The personal data controlling party/personal data processing and controlling party and the personal data processing party shall update and supplement their dossiers on the assessment of personal data processing impact upon changes to the dossiers sent to the personal data protection authority.

6. Competent state authorities are not required to implement regulations on the assessment of personal data processing impact specified in this Article.

7. The Government of Vietnam shall stipulate dossier components, conditions, and procedures for assessing personal data processing impact.

Article 22. Updates on dossiers on assessment of personal data processing impact and dossiers on assessment of cross-border personal data transfer impact

1. A dossier on the assessment of personal data processing impact and a dossier on the assessment of cross-border personal data transfer impact shall be updated biannually upon changes or in the cases prescribed in Clause 2 of this Article.

2. Cases requiring immediate updates:

a) When agencies, organizations, or units undergo reorganization, operational termination, dissolution, or bankruptcy according to the law;

b) Upon changes to the information on the personal data protection service providers;

c) When new or changed professions or business services concerning personal data processing arise that differ from those registered in the dossiers on the assessment of personal data processing impact and dossiers on the assessment of cross-border personal data transfer impact.

3. Updates on the dossiers on the assessment of personal data processing impact and dossiers on the assessment of cross-border personal data transfer impact shall be carried out on the National Information Portal for Personal Data Protection or at personal data protection authorities.

4. The Government of Vietnam shall elaborate on this Article.

Article 23. Notices of violations against personal data protection regulations

1. The personal data controlling party, personal data processing and controlling party, and third party detecting violations against personal data protection regulations that may harm national defense, security, social order, and safety or infringe on the life, health, honor, dignity, and property of personal data subject matters shall issue notices to personal data protection authorities within 72 hours from the detection of such violations.  Where the personal data processing party detects violations, it shall promptly issue a notice to the personal data controlling party or the personal data processing and controlling party.

2. The personal data controlling party or the personal data processing and controlling party shall prepare a written confirmation of violations against personal data protection regulations and cooperate with the personal data protection authority in handling such violations.

3. Agencies, organizations, and individuals shall issue notices to personal data protection authorities in the following cases:

a) Upon detection of violations against personal data protection regulations;

b) Personal data is processed for improper purposes or against the agreement between the personal data subject matter and the personal controlling party or personal data processing and controlling party;

c) Upon failure to ensure the rights or to properly implement the rights of the personal data subject matter;

d) Other cases according to the law.

4. Personal data protection authorities shall receive notices and handle violations against personal data protection regulations.  The personal data controlling party, personal data processing and controlling party, third party, and relevant agencies, organizations, and individuals shall prevent violations, remedy consequences, and cooperate with the personal data protection authority in handling violations against personal data protection regulations.

5. The Government of Vietnam shall stipulate the contents of notices of violations against personal data protection regulations.

Section 2. PERSONAL DATA PROTECTION IN CERTAIN ACTIVITIES

Article 24. Protection of personal data of children, persons with lost or limited legal capacity, and persons with cognitive or behavioral difficulties

1. The protection of the personal data of children, persons with lost or limited legal capacity, and persons with cognitive or behavioral difficulties shall comply with this Law.

2. The legal representatives of children, persons with lost or limited legal capacity, or persons with cognitive or behavioral difficulties shall, on behalf of the mentioned persons, exercise the rights of personal data subject matters, excluding the cases prescribed in Clause 1 Article 19 of this Law. The processing of the personal data of children aimed to disclose information on the private life or personal secrets of children aged 7 or older must receive the consent of the children and their legal representatives.

3. The processing of the personal data of children, persons with lost or limited legal capacity, and persons with cognitive or behavioral difficulties shall be suspended in the following cases:

a) The consent to the processing of the personal data of children, persons with lost or limited legal capacity, and persons with cognitive or behavioral difficulties as prescribed in Clause 2 of this Article is withdrawn unless otherwise prescribed by the law;

b) Upon requests from competent authorities where there are adequate grounds to prove that the personal data processing may infringe on the legitimate rights and benefits of children, persons with lost or limited legal capacity, and persons with cognitive or behavioral difficulties unless otherwise prescribed by the law.

Article 25. Personal data protection in recruitment, management, and use of employees

1. Personal data protection responsibilities of agencies, organizations, and individuals in labor recruitment are stipulated as follows:

a) Only request the provision of information serving the recruitment of the recruiting agencies, organizations, and individuals in conformity with the law and use the provided information solely for recruitment or other purposes under agreements in compliance with the law;

b) Process the provided information in compliance with the law and with the consent of the candidates;

c) Delete or destroy the information of unsuccessful candidates unless otherwise agreed with the candidates;

2. Personal data protection responsibilities of agencies, organizations, and individuals in the management and use of employees are stipulated as follows:

a) Comply with this Law, labor and employment laws, data laws, and other relevant laws;

b) Store employees’ personal data for the period prescribed by the law or under agreements;

c) Delete or destroy employees’ personal data after contract termination unless otherwise agreed on or prescribed by the law.

3. The processing of employees’ personal data, collected using technological or technical measures in employee management, is stipulated as follows:

a) Only apply technological and technical measures in conformity with the law, ensure the rights and benefits of the personal data subject matters, and ensure that employees are aware of the mentioned measures;

b) Refrain from processing or using personal data collected by technological and technical measures contrary to the law.

Article 26. Personal data protection for health information and in insurance business activities

1. Personal data protection for health information and in insurance business activities is stipulated as follows:

a) There must be personal data subject matters’ consent during the collection and processing of personal data, excluding the cases prescribed in Clause 1 Article 19 of this Law;

b) Personal data protection regulations and relevant laws must be adequately applied.

2. Agencies, organizations, and individuals engaging in the field of health shall not provide personal data for third-party providers of health care services, health insurance services, or life insurance services, excluding cases where the provision is requested in writing by personal data subject matters or the cases prescribed in Clause 1 Article 19 of this Law.

3. Organizations and individuals developing health or insurance business applications shall comply with personal data protection regulations.

4. Where reinsurance or retrocession insurance enterprises transfer personal data to their partners, this must be clearly stated in the contracts with their clients.

Article 27. Personal data protection in finance, banking, and credit information activities

1. Organizations and individuals operating in finance, banking, and credit information activities shall:

a) Comply with regulations on the protection of sensitive personal data and safety and confidentiality standards in finance and banking according to the law;

b) Refrain from using personal data subject matters’ credit information to mark, rank, evaluate credit information, or assess creditworthiness without their consent;

c) Only collect personal data necessary for credit information activities from sources in conformity with this Law and relevant laws;

d) Issue notices to personal data subject matters in case of leakage or loss of information on bank accounts, finance, credit, or credit information.

2. Organizations and individuals engaging in credit information activities shall comply with this Law; apply measures to prevent unauthorized access, use, disclosure, and modification of clients’ personal data; adopt measures to restore clients’ personal data in case it is lost; ensure confidentiality during the collection, provision, and processing of clients’ personal data in service of credit information assessment.

3. The Government of Vietnam shall elaborate on this Article.

Article 28. Personal data protection in advertising services

1. A provider of advertising services may only use its clients’ personal data transferred by the personal controlling party or personal data processing and controlling party under an agreement or collected through its business activities in service of the provision of advertising services. The collection, use, and transfer of personal data must ensure the rights of the personal data subject matters according to Article 4 of this Law.

2. The personal data controlling party or personal data processing and controlling party may only transfer personal data to the provider of advertising services in compliance with the law.

3. The processing of clients’ personal data for the provision of advertising services must be done with the clients’ consent, based on their full awareness of the content, method, form, and frequency of the product introduction. Clients must be provided with methods for refusing to receive advertising information.

4. The use of personal data for advertising purposes shall comply with the law on prevention and combat against spam messages, spam emails, and spam calls and advertising laws.

5. Personal data subject matters may request to stop receiving information from advertising services. Providers of advertising services shall provide mechanisms and cease advertising activities as requested by the personal data subject matters.

6. Providers of advertising services shall not engage in subleases or agreements for other organizations or individuals to fully carry out advertising services involving personal data on their behalf.

7. Providers of advertising services shall prove that the use of clients’ personal data is for advertising purposes and comply with Clauses 1, 2, 3, and 4 of this Article and advertising laws.

8. Organizations and individuals using personal data for behavioral, targeted, or personalized advertising shall comply with this Article and the following regulations:

a) Personal data may only be collected through monitoring websites, web portals, and applications with the consent of the personal data subject matters;

b) There must be methods for permitting personal data subject matters to refuse to share data; methods for determining the storage period and deleting or destroying the data when it is no longer necessary.

Article 29. Personal data protection for social media platforms and online communication services

Providers of social media services and online communication services shall:

1. Issue notices of the contents of personal data to be collected when the personal data subject matters install and use social media or online communication services; refrain from collecting personal data illegally or beyond the scope agreed with the clients.

2. Refrain from requesting images or videos containing all or part of personal identification documents as a method of account verification;

3. Provide users with an option to refuse the collection and sharing of data files (referred to as “cookies”);

4. Provide a “Do not track” option or only track the social media or online communication service activities with users’ consent;

5. Refrain from eavesdropping, wiretapping, recording calls, or reading text messages without personal data subject matters’ consent unless otherwise prescribed by the law;

6. Announce confidentiality policies and explain the methods of collecting, using, and sharing personal data; provide users with mechanisms to access, modify, delete data, configure privacy settings, and submit reports on privacy or confidentiality violations; protect the personal data of Vietnamese citizens when conducting cross-border data transfer; develop procedures for handling violations concerning personal data protection swiftly and effectively.

Article 30. Personal data protection in processing of big data, artificial intelligence, blockchain, virtual space, and cloud computing

1. Personal data in environments such as big data, artificial intelligence (AI), blockchain, virtual space, and cloud computing must be processed properly within a scope of necessity, ensuring the legitimate rights and benefits of personal data subject matters.

2. The processing of personal data in environments such as big data, AI, blockchain, virtual space, and cloud computing must comply with this Law and relevant laws and conform with the ethical standards and fine customs and traditions of Vietnam.

3. Systems and services that use big data, AI, blockchain, virtual space, and cloud computing must be integrated with appropriate personal data confidentiality measures and apply appropriate methods for authentication, identification, and access authorization to process personal data.

4. Personal data processing using AI must involve risk-based classification to adopt appropriate measures to protect personal data.

5. It is prohibited to use or develop processing systems of big data, AI, blockchain, virtual space, and cloud computing involving the use of personal data to harm national defense, security, social order, and safety or infringe on the life, health, honor, dignity, and property of others.

6. The Government of Vietnam shall elaborate on this Article.

Article 31. Personal data protection for personal location data and biometric data

1. Personal location data refers to data determined through positioning technologies that indicate the location and identification of a specific person.

2. Biometric data refers to data on a person’s unique and stable physical attributes or biological characteristics used to identify such a person.

3. Personal data protection for personal location data is stipulated as follows:

a) It is prohibited to conduct tracking via radio frequency identification (RFID) tags and other technologies unless there is consent from personal data subject matters, there are requests from competent authorities according to the law, or other cases prescribed by the law;

b) Providers of mobile application platforms shall notify users of the use of personal location data, adopt measures to prevent unauthorized organizations or individuals from collecting personal location data, and provide users with options to track their personal locations.

4. Biometric data protection is stipulated as follows:

a) Agencies, organizations, and individuals collecting and processing biometric data shall  adopt physical confidentiality measures for their biometric data transmission and storage devices; restrict rights to access to biometric data; establish monitoring systems to prevent and detect acts of infringement on biometric data; comply with relevant laws and international standards;

b) Where the processing of biometric data causes damage to personal data subject matters, the organizations and individuals collecting and processing biometric data shall issue notices to such subject matters according to the regulations of the Government of Vietnam.

Article 32. Protection of personal data collected from audio and video recording activities in public places and public activities

1. Agencies, organizations, and individuals may record audio and videos and process personal data collected from audio or video recording activities in public places or public activities without personal data subject matters’ consent in the following cases:

a) Upon implementation of tasks concerning national defense, national security protection, assurance of social order and safety, and protection of legitimate rights and benefits of agencies, organizations, and individuals;

b)  When the audio, images, and other identification information collected from public activities, including conferences, seminars, sports competitions, artistic performances, and other public activities, do not harm the honor, dignity, or reputation of personal data subject matters;

c) Other cases according to the law.

2. In case of audio or video recording under Clause 1 of this Article, agencies, organizations, and individuals shall notify or use other appropriate means to inform personal data subject matters that they are being recorded unless otherwise prescribed by the law.

3. Collected personal data may only be processed and used for the intended processing purposes and shall not be used for illegal purposes or in ways that infringe on the legitimate rights and benefits of personal data subject matters.

4. Personal data collected from audio or video recording activities in public places or public activities may only be stored within a necessary period in service of the collecting purpose unless otherwise prescribed by the law.  After the storage period expires, the personal data must be deleted or destroyed as prescribed by this Law.

5. Agencies, organizations, and individuals that engage in audio/video recording and processing of personal data collected from audio/video recording in the cases prescribed in Clause 1 of this Article shall protect such personal data in compliance with this Law and other relevant laws.

Chapter III

FORCES AND CONDITIONS FOR ENSURING PERSONAL DATA PROTECTION

Article 33. Personal data protection forces

1. Personal data protection forces include:

a) Personal data protection authorities of the Ministry of Public Security of Vietnam;

b) Personal data protection departments and personnel in agencies and organizations;

c) Providers of personal data protection services;

d) Organizations and individuals mobilized to participate in personal data protection.

2. Agencies and organizations shall designate personnel departments with adequate capacity to protect personal data or hire providers of personal data services.

3. The Government of Vietnam shall stipulate the conditions and tasks of personal data protection departments and personnel in agencies and organizations, as well as the conditions and tasks of providers of personal data protection services and personal data processing services.

Article 34. Technical regulations and standards on personal data protection

1. Personal data protection standards include standards for information systems, hardware, software, operation, processing, and protection of personal data, as announced, recognized, and applied in Vietnam.

2. Technical regulations on personal data protection include technical regulations applicable to information systems, hardware, software, operation, processing, and protection of personal data, as announced, recognized, and applied in Vietnam.

3. The promulgation of technical regulations and standards on personal data protection shall comply with the law on technical regulations and standards.

Article 35. Inspection of personal data protection activities

The inspection of personal data protection activities shall comply with this Law and the regulations of the Government of Vietnam.

Chapter IV

RESPONSIBILITIES OF AGENCIES, ORGANIZATIONS, AND INDIVIDUALS REGARDING PERSONAL DATA PROTECTION

Article 36. State management responsibilities for personal data protection

1. The Government of Vietnam shall agree on the implementation of the state management of personal data protection.

2. The Ministry of Public Security of Vietnam shall assume responsibility before the Government of Vietnam for implementing state management of personal data protection, excluding the contents under the management of the Ministry of National Defense of Vietnam.

3. The Ministry of National Defense of Vietnam shall assume responsibility before the Government of Vietnam for implementing state management of personal data protection under its management scope.

4. Ministries, ministerial agencies, and governmental agencies shall implement state management of personal data protection for sectors and fields under their management in compliance with the law and assigned functions and tasks.

5. Provincial People’s Committees shall implement state management of personal data protection in compliance with the law and assigned functions and tasks.

Article 37. Responsibilities of personal data controlling parties, personal data processing parties, and personal data processing and controlling parties

1. A personal data controlling party shall:

a) Specify the responsibilities, rights, and obligations to be complied with of concerned parties in agreements or contracts concerning personal data processing according to this Law and relevant laws;

b) Decide on the purposes and means of personal data processing in documents and agreements with personal data subject matters, ensuring compliance with the principles and contents of this Law;

c) Adopt appropriate managerial and technical measures to protect personal data according to the law and review and update such measures if necessary;

d) Issue notices of violations against personal data protection regulations according to Article 23 of this Law;

dd) Select an appropriate personal data processing party to process personal data;

e) Ensure the rights of personal data subject matters according to Article 4 of this Law;

g) Assume responsibility before personal data subject matters for any damage arising from personal data processing;

h) Prevent unauthorized collection of personal data from its system, equipment, and service;

i) Cooperate with the Ministry of Public Security of Vietnam and competent state authorities in protecting personal data, providing information serving the investigation, and handling violations against personal data protection laws;

k) Implement other responsibilities according to this Law and other relevant laws.

2. A personal data processing party shall:

a) Only receive personal data after concluding an agreement or contract on personal data processing with the personal data controlling party or personal data processing and controlling party;

b) Process personal data in compliance with the agreement or contract concluded with the personal data controlling party or personal data processing and controlling party;

c) Adequately adopt measures to protect personal data in compliance with this Law and other relevant laws;

d) Assume responsibility before the personal data controlling party or personal data processing and controlling party for any damage arising from personal data processing;

dd) Prevent unauthorized collection of personal data from its system, equipment, and service;

e) Cooperate with the Ministry of Public Security of Vietnam and competent state authorities in protecting personal data, providing information serving the investigation, and handling violations against personal data protection laws;

g) Implement other responsibilities according to this Law and other relevant laws.

3. A personal data processing and controlling party shall comply with Clauses 1 and 2 of this Article.

Chapter V

IMPLEMENTATION

Article 38. Entry into force

1. This Law comes into force as of January 1, 2026.

2. Small-sized enterprises and startups may choose whether or not to implement Article 21, Article 22, and Clause 2 Article 33 of this Law within 5 years from the effective date of this Law, except for those providing personal data processing services, directly processing sensitive personal data, or processing personal data of large numbers of personal data subject matters.

3. Household businesses and micro-enterprises are not required to comply with Article 21, Article 22, and Clause 2 Article 33 of this Law, except for those providing personal data processing services, directly processing sensitive personal data, or processing personal data of large numbers of personal data subject matters.

4. The Government of Vietnam shall elaborate Clauses 2 and 3 of this Article.

Article 39. Transitional provisions

1. Personal data processing activities with the consent of personal data subject matters or under agreements as prescribed in Decree No. 13/2023/ND-CP dated April 17, 2023 of the Government of Vietnam conducted before the effective date of this Law shall continue to be carried out without needing to obtain new consent or conclude new agreements.

2. Dossiers on the assessment of personal data processing impact and dossiers on the assessment of outward personal data transfer impact as prescribed in Decree No. 13/2023/ND-CP dated April 17, 2023 of the Government of Vietnam received by personal data protection authorities before the effective date of this Law shall continue to be used without need to prepare dossiers on the assessment of personal data processing impact or dossiers on the assessment of cross-border personal data transfer impact according to this Law.  If the mentioned dossiers are updated after the effective date of this Law, comply with this Law.

This Law is approved by the 15th National Assembly of the Socialist Republic of Vietnam at its 9th meeting on June 26, 2025.