Vietnam Personal Data Protection Law (PDPL)

Vietnam Law on Personal Data Protection (PDPL), Law No. 91/2025/QH15, effective January 1, 2026. Compliance requirements, data subject rights, consent rules, and penalties.

What is Vietnam's Personal Data Protection Law (PDPL)?

Vietnam's Law on Personal Data Protection (PDPL), Law No. 91/2025/QH15, is the country's first comprehensive personal data protection statute. Passed by the National Assembly on June 26, 2025 and effective January 1, 2026, it replaces Decree 13/2023/ND-CP, which had been the primary personal data framework since July 1, 2023. The PDPL introduces enforceable data subject rights, mandatory data protection officers, formal impact assessment requirements, and criminal penalties alongside administrative fines.

Enforcement sits with the Ministry of Public Security through its Department of Cybersecurity and Hi-tech Crime Prevention (A05), rather than an independent data protection authority.

Who Does the Vietnam PDPL Apply To?

The law applies to any organisation or individual that collects, stores, uses, discloses, or transfers personal data of individuals within the territory of Vietnam. Scope covers both domestic and foreign entities that process personal data or are involved in the processing of personal data within Vietnam, regardless of where they are established.

Organisations without a physical presence in Vietnam must still appoint a local representative or contact point if they process data of individuals in Vietnam at scale.

Legal Bases for Processing Personal Data

Consent is the primary legal basis under the PDPL. Unlike GDPR, there is no broad legitimate interests basis: Article 19.1(a) introduces a narrow legitimate interests ground, but it is confined to defensive situations tied to protecting against infringement of the controller's or a third party's rights. It does not support the general balancing test that GDPR Article 6.1(f) permits, and commercial interest alone is not a valid justification for processing.

Beyond consent, the other recognised bases are contractual necessity, legal obligation, vital interests, and public interest as defined by law. For sensitive personal data, explicit consent is required regardless of any other basis. Organisations that currently rely on legitimate interests under GDPR will need to revisit their processing records and, in most cases, move to consent-based collection.

Consent Requirements

Consent under the PDPL must be freely given, specific to the stated purpose, informed, and expressed through a clear affirmative action. It must be presented and recorded in a clear, specific form that can be printed or copied, including in electronic form. It must be withdrawable at any time without detriment to the individual, and access to a service may not be conditioned on consent to unrelated purposes.

Pre-ticked boxes, blanket consent bundled with terms of service, and consent obtained through dark patterns are not valid. Consent records must be maintained and retrievable on request from A05.

Sensitive Personal Data

Sensitive personal data categories are enumerated in Decree 356/2025/ND-CP. All require explicit consent and higher levels of protection:

  • Ethnic or racial origin
  • Political views or political party membership
  • Religious or philosophical beliefs
  • Private life, personal secrets, or family secrets
  • Health data, including medical records
  • Biometric data and genetic characteristics used for unique identification
  • Sexual life or sexual orientation
  • Individual location data determined through positioning services
  • Family relationships, including relationships with parents, children, and spouse
  • Online account credentials, including usernames and passwords for electronic identification accounts; images of identity documents
  • Financial data, including bank account numbers, bank card information, and transaction records
  • Behavioural and usage data from telecommunications services, social networks, online media platforms, and cyberspace services
  • Criminal records or history of legal violations

Decree 356 broadened the scope of sensitive data compared to the earlier Decree 13. Online account credentials, images of identity documents, and behavioural and usage-tracking data on digital platforms were added as new sensitive categories. Activities and activity history in cyberspace, previously classified as basic personal data, were reclassified as sensitive.

Data Subject Rights

The PDPL establishes 11 rights:

  1. Right to be informed about which organisations hold their data and on what basis
  2. Right to give consent and to have that consent respected
  3. Right of access to request a copy of personal data held
  4. Right to withdraw consent at any time
  5. Right to deletion of personal data
  6. Right to restriction of processing
  7. Right to data provision
  8. Right to object to processing on any basis
  9. Right to file complaints, denunciations, or lawsuits with the enforcement authority or courts
  10. Right to claim damages for harm caused by unlawful processing
  11. Right to self-defence against unlawful processing

Refusals to fulfil data subject requests must be documented with reasons. The timeline for handling requests includes initial acknowledgement within two working days and a substantive response within seven to ten working days.

Data Protection Officer (DPO) Requirement

Data controllers and processors must appoint a Data Protection Officer. Unlike GDPR, there is no threshold based on the scale or type of processing; the only carve-outs are the size-based exemptions and grace periods described below.

Exemptions and grace periods depend on enterprise size. Micro-enterprises and household businesses are fully exempt. Small enterprises and startups have a five-year grace period from January 1, 2026, but only if they are not acting as data processing service providers and do not process sensitive personal data or large volumes of data. Those that do must appoint a DPO without delay. All other organisations must comply from the effective date.

Data Protection Impact Assessments (DPIA)

Organisations that process personal data presenting elevated risk must conduct a Data Protection Impact Assessment and submit it to A05 within 60 days of the first date of personal data processing. The assessment must document the categories of data processed, the purposes, the necessity and proportionality of the processing, risks to data subjects, mitigating measures, and the technical and organisational safeguards applied. DPIAs must be updated when processing activities change materially.

Cross-Border Data Transfers

Personal data may only be transferred outside Vietnam if specific conditions are met. Organisations must conduct a Transfer Impact Assessment (TIA) and submit it to A05 within 60 days of the first cross-border transfer. Within 15 days from submission, A05 will appraise the TIA and request revisions if the dossier is incomplete. TIAs must be updated every six months in the event of regulated changes.

Recipient countries must offer an adequate level of data protection, or appropriate safeguards must be in place through binding contractual clauses. Vietnam has not yet published a formal list of adequate countries, so most international transfers require both contractual protections and TIA registration with A05.

Data Breach Notification

Organisations must notify A05 within 72 hours of becoming aware of a personal data breach. The notification must include a description of the breach, the categories and approximate volume of data affected, the likely consequences, measures taken or proposed, and the contact details of the DPO or responsible officer. Where the breach involves sensitive personal data, affected individuals must also be notified within 72 hours of discovery.

Penalties for Non-Compliance

Administrative fines under the PDPL follow a tiered structure:

  • Cross-border data transfer violations: up to 5% of the organisation's preceding year's revenue in Vietnam, or VND 3 billion (approximately USD 115,000), whichever is higher
  • Illegal trading or sale of personal data: up to 10 times the revenue generated from the unlawful activity, or VND 3 billion, whichever is higher
  • Other violations: up to VND 3 billion

Fines can be combined with suspension of processing activities, mandatory audits, or requirements to delete unlawfully processed data. Under Vietnam's Penal Code, individuals can face imprisonment of up to 7 years for intentional unlawful collection, transfer, or use of personal data, along with monetary fines ranging from VND 30 million to VND 1 billion.

Impact on Digital Advertising and Marketing

The PDPL's consent-first approach directly affects cookie-based tracking, behavioural advertising, and third-party data sharing. Organisations that collect consent improperly risk losing the legal basis for their advertising data, which means ad platforms cannot use that data for targeting or measurement.

Major ad platforms are already enforcing consent requirements for Vietnam:

  • Microsoft Advertising is adding Vietnam as a consent-enforced market effective June 30, 2026. After this date, Microsoft will not serve personalised ads against Vietnam traffic without valid consent signals passed via IAB TCF 2.3. Microsoft device identifiers (e.g. cookies) must not be dropped on end user devices without proper consent.
  • Google Ads requires compliant consent signals through Google Consent Mode v2 for users in regulated markets. Without valid consent, ad requests are treated as non-consented, disabling personalised ads and reducing CPMs.

Without compliant consent collection, organisations face reduced ad revenue, degraded campaign performance, and potential regulatory action from A05.

How UniConsent Helps You Comply with the Vietnam PDPL

Because the PDPL is consent-centric, organisations need consent collection mechanisms that meet the law's specificity, granularity, and withdrawability requirements. UniConsent provides the tools to comply without sacrificing advertising performance:

  • Localised consent banners designed for Vietnamese users, with full Vietnamese language support and clear purpose descriptions that meet PDPL transparency requirements
  • Purpose-level granularity for each processing activity, allowing users to consent to analytics, advertising, and functional cookies independently, as required by the PDPL's specificity rules
  • Google Consent Mode v2 integration that sends compliant consent signals to Google Ads, Google Analytics, and other Google services, preserving ad measurement and conversion modelling even when users decline personalised tracking
  • IAB TCF v2.3 support for programmatic advertising, ensuring that consent signals are passed correctly through the ad supply chain to demand-side platforms, SSPs, and advertising partners including Microsoft Advertising
  • Preference management centre that allows users to update or withdraw consent at any time, fulfilling the PDPL's withdrawal requirements without disrupting the user experience
  • Tamper-evident consent records stored with timestamps, consent choices, and version history, providing the documentation organisations need to demonstrate compliance if A05 requests evidence of valid consent

By collecting consent properly from the start, organisations protect their ad revenue streams, maintain access to full advertising platform capabilities from Google, Microsoft, and programmatic partners, and build an auditable compliance record that satisfies both PDPL requirements and advertising partner policies.

Comply With Global Privacy Regulations

  • Microsoft certified CMP
  • IAB certified CMP
  • IAB TCF v2 certified CMP
  • IAB TCF Canada certified consent manager
  • Google-certified CMP, Gold tier
  • Google-certified CMP partner

Trusted by more than 5,000 publishers and marketers worldwide
  • sej
  • football365
  • sharethrough
  • districtm
  • pf1
  • tower cast

Start making your website and app compliant with the EU GDPR, US CPRA, Canada PIPEDA and other regulations

Sign up