Vietnam: New Personal Data Protection Law: What You Need to Know

Vietnam’s Personal Data Protection Law (PDPL) officially took effect on 1 January 2026, marking a major step in strengthening how personal data is protected in the country.

Originally passed by Vietnam’s National Assembly on 26 June 2025, the PDPL sets out clear rules on how personal data can be collected, used, shared, and protected, along with penalties for getting it wrong.

This update reflects the law now being fully in force.

Who does the PDPL apply to?

The PDPL applies to Vietnamese organisations and individuals, foreign organisations and individuals operating in Vietnam, and any organisation processing the personal data of Vietnamese citizens or residents, even if they are based overseas.

What counts as personal data?

Personal data includes any information that can identify a person. The law distinguishes between basic personal data and sensitive personal data related more closely to privacy. Properly de-identified data is excluded.

Relief for small businesses and start-ups

Small businesses, start-ups, business households, and micro-enterprises are given a five-year grace period. During this time, they may choose whether to prepare data protection impact assessments or appoint dedicated data protection personnel.

What is strictly prohibited?

The PDPL prohibits illegal or harmful uses of personal data, including unlawful processing, buying or selling personal data (unless permitted by law), obstructing data protection activities, and intentional disclosure, misuse, or loss of personal data.

When can personal data be transferred?

Personal data may be transferred with consent, within the same organisation, during mergers or restructures, to approved processors or third parties, when required by authorities, or in other situations allowed by law. Lawful transfers are not considered the sale of personal data.

What happens if organisations break the rules?

Penalties include fines of up to 10 times the illegal gain for data trading, up to 5% of the previous year’s revenue for cross-border violations, and up to VND 3 billion (approximately USD 115,000) for other breaches. Individuals may face fines of up to half the organisational penalty.

In summary

Vietnam’s PDPL strengthens data protection while offering flexibility for smaller businesses. Organisations handling Vietnamese personal data should review their compliance posture now that the law is in force.

For an official information details, please refer to the external website - here