Vietnam's Law on Personal Data Protection (PDPL), Law No. 91/2025/QH15, is the country's first comprehensive personal data protection statute. Passed by the National Assembly on June 26, 2025 and effective January 1, 2026, it replaces Decree 13/2023/ND-CP, which had been the primary personal data framework since July 1, 2023. The PDPL introduces enforceable data subject rights, mandatory data protection officers, formal impact assessment requirements, and criminal penalties alongside administrative fines.
Enforcement sits with the Ministry of Public Security through its Department of Cybersecurity and Hi-tech Crime Prevention (A05), rather than an independent data protection authority.
The law applies to any organisation or individual that collects, stores, uses, discloses, or transfers personal data of individuals within the territory of Vietnam. Scope covers both domestic and foreign entities that process personal data or are involved in the processing of personal data within Vietnam, regardless of where they are established.
Organisations without a physical presence in Vietnam must still appoint a local representative or contact point if they process data of individuals in Vietnam at scale.
Consent is the primary legal basis under the PDPL. Unlike GDPR, there is no broad legitimate interests basis: Article 19.1(a) introduces a narrow legitimate interests ground, but it is confined to defensive situations tied to protecting against infringement of the controller's or a third party's rights. It does not support the general balancing test that GDPR Article 6.1(f) permits, and commercial interest alone is not a valid justification for processing.
Beyond consent, the other recognised bases are contractual necessity, legal obligation, vital interests, and public interest as defined by law. For sensitive personal data, explicit consent is required regardless of any other basis. Organisations that currently rely on legitimate interests under GDPR will need to revisit their processing records and, in most cases, move to consent-based collection.
Consent under the PDPL must be freely given, specific to the stated purpose, informed, and expressed through a clear affirmative action. Consent must be displayed in a clear and specific manner, in a format that can be printed or copied in writing, including electronic forms. It must be withdrawable at any time without detriment to the individual. Conditioning service access on consent to unrelated purposes is prohibited.
Pre-ticked boxes, blanket consent bundled with terms of service, and consent obtained through dark patterns are not valid. Consent records must be maintained and retrievable on request from A05.
Sensitive personal data categories are enumerated in Decree 356/2025/ND-CP. All require explicit consent and higher levels of protection:
Decree 356 broadened the scope of sensitive data compared to the earlier Decree 13. Online account credentials, images of identity documents, and behavioural and usage-tracking data on digital platforms were added as new sensitive categories. Activities and activity history in cyberspace, previously classified as basic personal data, were reclassified as sensitive.
The PDPL establishes 11 rights:
Refusals to fulfil data subject requests must be documented with reasons. The timeline for handling requests includes initial acknowledgement within two working days and a substantive response within seven to ten working days.
All data controllers and processors must appoint a Data Protection Officer. There is no threshold based on scale or type of processing, unlike GDPR.
Exemptions and grace periods depend on enterprise size. Micro-enterprises and household businesses are fully exempt. Small enterprises and startups have a five-year grace period from January 1, 2026, but only if they are not acting as data processing service providers and do not process sensitive personal data or large volumes of data. Those that do must appoint a DPO without delay. All other organisations must comply from the effective date.
Organisations that process personal data presenting elevated risk must conduct a Data Protection Impact Assessment and submit it to A05 within 60 days of the first date of personal data processing. The assessment must document the categories of data processed, the purposes, the necessity and proportionality of the processing, risks to data subjects, mitigating measures, and the technical and organisational safeguards applied. DPIAs must be updated when processing activities change materially.
Personal data may only be transferred outside Vietnam if specific conditions are met. Organisations must conduct a Transfer Impact Assessment (TIA) and submit it to A05 within 60 days of the first cross-border transfer. Within 15 days from submission, A05 will appraise the TIA and request revisions if the dossier is incomplete. TIAs must be updated every six months in the event of regulated changes.
Recipient countries must offer an adequate level of data protection, or appropriate safeguards must be in place through binding contractual clauses. Vietnam has not yet published a formal list of adequate countries, so most international transfers require both contractual protections and TIA registration with A05.
Organisations must notify A05 within 72 hours of becoming aware of a personal data breach. The notification must include a description of the breach, the categories and approximate volume of data affected, the likely consequences, measures taken or proposed, and the contact details of the DPO or responsible officer. Where the breach involves sensitive personal data, affected individuals must also be notified within 72 hours of discovery.
Administrative fines under the PDPL follow a tiered structure:
Fines can be combined with suspension of processing activities, mandatory audits, or requirements to delete unlawfully processed data. Under Vietnam's Penal Code, individuals can face imprisonment of up to 7 years for intentional unlawful collection, transfer, or use of personal data, along with monetary fines ranging from VND 30 million to VND 1 billion.
The PDPL's consent-first approach directly affects cookie-based tracking, behavioural advertising, and third-party data sharing. Organisations that collect consent improperly risk losing the legal basis for their advertising data, which means ad platforms cannot use that data for targeting or measurement.
Major ad platforms are already enforcing consent requirements for Vietnam:
Without compliant consent collection, organisations face reduced ad revenue, degraded campaign performance, and potential regulatory action from A05.
Because the PDPL is consent-centric, organisations need consent collection mechanisms that meet the law's specificity, granularity, and withdrawability requirements. UniConsent provides the tools to comply without sacrificing advertising performance:
By collecting consent properly from the start, organisations protect their ad revenue streams, maintain access to full advertising platform capabilities from Google, Microsoft, and programmatic partners, and build an auditable compliance record that satisfies both PDPL requirements and advertising partner policies.