Vietnam Personal Data Protection Law (PDPL)

Vietnam’s personal data protection regime is transitioning from Decree No. 13/2023/ND-CP to a dedicated Personal Data Protection Law (PDPL) enacted by the National Assembly in June 2025. The new PDPL significantly strengthens data protection obligations and enforcement mechanisms. It applies to Vietnamese organizations, foreign entities operating in Vietnam, and overseas organizations processing personal data of individuals located in Vietnam.

The law introduces enhanced requirements around consent, lawful processing, data security, cross-border data transfers, and regulatory reporting, making proactive compliance essential for organizations operating in the Vietnamese market.

Important Dates – Vietnam PDPL

Vietnam PDPL compliance timelines are critical for regulatory readiness.

• 17 April 2023 – Decree No. 13/2023/ND-CP issued

• 1 July 2023 – Decree No. 13/2023/ND-CP came into effect• 26 June 2025 – Vietnam Personal Data Protection Law passed by the National Assembly

• 1 January 2026 – Vietnam Personal Data Protection Law comes into force and becomes enforceable nationwide Organizations should treat 2025 as a transition period and ensure full operationalcompliance before January 2026.

‍

‍

Vietnam PDPL grants individuals enforceable rights over their personal data, including the right to be informed, provide or withdraw consent, access personal data, request correction or deletion, restrict processing, and lodge complaints with competent authorities. These rights reinforce transparency and strengthen individual control over personal data processing activities.

Compliance with Vietnam PDPL requires organizations to adopt a consent-driven processing framework, clearly define processing purposes, and implement appropriate technical and organizational security safeguards. Organizations must also maintain compliance documentation, appoint responsible personnel, and meet notification or registration obligations, particularly for cross-border data transfers and processing of sensitive personal data.

With the PDPL taking effect in January 2026, organizations are expected to move beyond basic compliance under Decree 13 and demonstrate mature, auditable privacy governance.

‍

The new Vietnam Personal Data Protection Law introduces a significantly stronger enforcement regime. While detailed penalty thresholds will be implemented through subordinate regulations, the law allows for substantial administrative fines, corrective measures, suspension of data processing activities, and other regulatory actions for non-compliance.

Penalties may apply for unlawful processing, failure to obtain valid consent, inadequate data security safeguards, or non-compliance with cross-border data transfer and reporting obligations. Organizations are strongly advised to prepare in advance of the January 2026 enforcement date.

‍

Vietnam PDPL aligns with global data protection principles reflected in regulations such as the EU GDPR and UK GDPR, particularly around consent, data subject rights, and accountability. However, it introduces stricter government oversight, registration requirements, and controls on cross-border data transfers, making Vietnam-specific compliance strategies essential for multinational organizations.

‍