Feb 2025

Vietnam

Law Over Borders Comparative Guide:

Data Protection

Introduction

On 17 April 2023, Vietnam’s Decree No. 13/2023/ND-CP on personal data protection (the "Personal Data Protection Decree" or PDPD) was officially promulgated, with an effective date of 1 July 2023, serving as the first and only dedicated legal instrument regulating personal data protection in the country.

Previously, regulations on data protection were found scattered throughout various laws and regulations, building upon the foundational frameworks found in the Constitution and the Civil Code that recognized an individual’s right to privacy and the requirement of prior consent before collecting, using, or disclosing personal information.

Since taking effect, the PDPD has had a major impact on personal data protection in the country. As the next legislative step, an even more comprehensive law on personal data protection is currently (as of December 2024) in development and is expected to be issued shortly, with an effective date of 1 January 2026. 

This chapter aims to identify existing and upcoming legal regulations governing aspects of personal data protection in Vietnam, and to analyze the stipulated principles and related provisions, such as those concerning data subject rights, consent requirements, and the processing of personal data for advertising purposes.


1. What national laws regulate the collection, use and disclosure of personal data?

Fundamental grounds for personal information and privacy rights are provided in Vietnam’s Constitution and Civil Code, while the PDPD is the comprehensive legislation that regulates the collection and processing of personal data in Vietnam.

In addition to the PDPD, the laws below (and their related decrees and circulars providing guidance on implementation) also include regulations and principles for personal data protection:

  • Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015, as amended from time to time.
  • Law No. 20/2023/QH15 on E-Transactions, passed by the National Assembly on 22 June 2023.
  • Law No. 19/2023/QH15 on Protection of Consumers’ Rights, passed by the National Assembly on 20 June 2023 (CRPL).
  • Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”).
  • Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015, as amended (“Network Information Security Law”).
  • Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006, as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning.

Among the above, the PDPD, Cybersecurity Law, and Network Information Security Law play the key roles in the protection of personal data in general. Specifically, while the Cybersecurity Law focuses on national security and sovereignty, with the aim of preventing and combating cybersecurity threats and incidents, the Network Information Security Law stipulates data protection and technical security measures to ensure network information security for organizations and individuals. Both laws, together with the PDPD, serve as the main legal frameworks ensuring security, public order and personal data protection in practice.

The Ministry of Public Security (MPS) has been developing a Law on Personal Data Protection (PDPL) to complete Vietnam’s legal framework for personal data protection. A draft of the PDPL was released for the first time on 24 September 2024 to seek public consultation. The PDPL is being proactively finalized and is expected to be presented to the National Assembly before the end of 2024, with a tentative entry into force on 1 January 2026.

On 30 November 2024, the National Assembly approved a new Law on Data, which will take effect on 1 July 2025. The Law on Data was developed to provide a consistent legal framework for data system management in general, to implement high digital technology in data processing, and to develop the national data center.


2. To whom do the laws apply?

The PDPD has extraterritorial effect and applies to a broad range of onshore and offshore entities, including:

  • Vietnamese agencies, organizations, and individuals;
  • foreign agencies, organizations, and individuals located in Vietnam;
  • Vietnamese agencies, organizations, and individuals operating overseas; and
  • foreign agencies, organizations, and individuals directly involved in or related to the processing of personal data in Vietnam.

3. What is the territorial scope of the law?

As mentioned in Question 2, the PDPD has extraterritorial effect.


4. What acts and operations relating to personal data are regulated?

The regulated personal data processing activities defined under the PDPD include a wide range of acts and operations related to personal data, such as collecting, recording, analyzing, validating, storing, editing, publishing, combining, accessing, retrieving, withdrawing, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, and destroying personal data, or other related actions.


5. What personal data does the law regulate?

The PDPD defines personal data as information expressed in the form of symbols, letters, numbers, images, sounds or similar forms in an electronic environment that is associated with a specific person or helps identify a specific person. This means that the PDPD regulates all types of data that are capable of identifying a particular natural person.

The PDPD also categorizes personal data into two groups: basic personal data and sensitive personal data.

  • Basic personal data. Basic personal data is information that identifies or relates to an individual, which may include: full name, birth name and alternative names; date of birth, date of death, or date of declaration of missing status; gender; various locations associated with the individual, including place of birth, residence, and contact address; nationality; personal images; and identification details, such as phone numbers, ID card numbers, personal identification codes, passport number, driver’s license number, vehicle registration, tax ID, social security number, and health insurance number.
  • Sensitive personal data. Sensitive personal data is personal data associated with a person’s right to privacy that, when violated, will directly affect his/her legitimate rights and interests, which may include: information related to a person’s political or religious views; health status and private life recorded in the medical record, excluding information about blood type; racial or ethnic origin; inherited or acquired genetic characteristics; physical attributes and/or biological characteristics; and sex life and/or sexual orientation. Sensitive personal data also includes data on crimes and/or offenses collected and stored by law enforcement agencies; customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including customer identification information as prescribed by law, account information, deposit information, deposited asset information, transaction information, and/or information about guarantors at credit institutions, bank branches and/or payment intermediary service providers; location data of a person identified through location services; and other personal data that the law designates as specific and as requiring necessary security measures. “Special categories of personal data” is construed as having the same meaning.

6. Are any types of personal data subject to a higher level of protection under the law?

Sensitive personal data (as defined in Question 5) is subject to a higher level of protection as cases of misuse are likely to affect the data subjects’ legitimate rights and interests.

The processing of sensitive personal data requires the clear awareness of the data subjects that their sensitive personal data is being processed (Article 11.8 of the PDPD). Additionally, alongside the general measures applied to all types of personal data, additional protection measures are required for sensitive personal data; specifically, a department responsible for protecting personal data (data protection department or DPD) and personnel responsible for protecting personal data (data protection officer or DPO) must be designated, and information about this department and individual must be communicated to the MPS (Article 28.2 of the PDPD).


7. What requirements must be fulfilled in order to process personal data?

It is mandatory to have a lawful basis in order to process personal data. This is reflected as one of the principles under the PDPD, which is that the processing of personal data must be in accordance with the law (lawfulness; Article 3.1 of the PDPD).

Vietnam is a consent-centric jurisdiction when it comes to processing personal data. The consent of data subjects is the legal basis for almost all personal data processing activities in Vietnam, save for very limited exceptions. In accordance with Article 11 of the PDPD, the consent must be given in a voluntary manner, with the data subject’s full awareness of the following:

  • the types of personal data to be processed; 
  • the purpose of the processing; 
  • the organizations or individuals authorized to process the personal data; and 
  • the data subject’s rights and obligations.

In terms of formality, the PDPD requires that the consent of the data subject must be expressed clearly and specifically, either in writing, verbally, by ticking a consent box, through consent syntax in a message, by selecting consent settings, or by other equivalent forms. The consent must be given for one purpose. If there are multiple processing purposes, they must be presented in a way that allows the data subject to consent to each one individually. Data subjects may also opt to provide partial or conditional consent. Additionally, the consent must be given in a format that can be printed, copied, or verified, including in electronic form.

Silence or lack of response from the data subject will not be considered as valid consent, meaning implied consent is not permitted.

However, personal data may be processed without consent in the following circumstances, as set out in Articles 17 and 18 of the PDPD:

  • in emergencies where personal data must be promptly processed to protect the life and health of the data subject or others; 
  • when personal data is disclosed in compliance with legal regulations;
  • in emergencies related to national defense, national security, public order, large-scale disasters, or dangerous epidemics, in situations posing a threat to security or defense that do not yet require declaring a state of emergency, and for the prevention of riots, terrorism, crime, and legal violations in accordance with the law; 
  • to fulfil the contractual obligations of the data subject with relevant agencies, organizations, or individuals in compliance with legal requirements; 
  • for the use by authorities of CCTV cameras in public places in order to protect national security, social order and safety, or the legitimate rights and interests of organizations and individuals as prescribed by law without the consent of the data subjects; or 
  • for activities of state agencies as stipulated by specific laws. 

It appears that Vietnam does not recognize “legitimate interest” as a lawful basis for processing, unlike the European Union General Data Protection Regulation.

Prior to processing personal data, the data subject must be notified in a format that can be printed and reproduced in writing, including in electronic or verifiable format (Article 13 of the PDPD). The PDPD outlines certain contents with which the data controller or data controller-processor must comply, including:

  • purposes of processing; 
  • type of personal data used in relation to the processing purposes; 
  • method of processing; 
  • information on other organizations and individuals related to the processing purposes; 
  • consequences and undesirable damages that could potentially occur; and 
  • start time and end time of data processing. 

The data controller or data controller-processor is exempted from this notification obligation if: 

  • the data subject is fully informed of the regulatory contents and explicitly consents to the data collection and processing; or 
  • personal data is processed by state authorities for lawful public service purposes.

8. What obligations apply when processing personal data?

Several obligations regulated under the PDPD are applied to the processing entity, either when processing personal data for its own purposes (as a data controller) or when processing personal data on behalf of another (as a data processor). Below is a breakdown of the key obligations for both roles.

Obligations of data controller 

  • To obtain the valid consent of the data subject where required by law (see Question 7 for further details on the consent requirements).
  • To inform data subjects about the processing of their data (see Question 7 for further details on the requirements for privacy notification).
  • To implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage. The PDPD does not require specific protective measures, giving businesses discretion in determining appropriate security measures for their processing in practice. However, under the Network Information Security Law, certain requirements for management and technical measures (such as encryption) can be triggered when the business owns a data system in Vietnam.
  • To honor the data subject’s rights. It is the data controller’s obligation to ensure that the rights of data subjects can be exercised (see Question 9 for further discussion).
  • To prepare/submit impact assessment dossiers. The data controller must prepare and submit a Data Processing Impact Assessment (DPIA) dossier for the role of controller when processing personal data (Article 24 of the PDPD), and a Transfer Impact Assessment (TIA) dossier for the cross-border transfer of Vietnamese citizens’ personal data outside of Vietnam (Article 25 of the PDPD). The DPIA and TIA must be submitted within 60 days from the processing and be updated from time to time in case of changes to the content, and must remain available at all times for MPS inspection purposes.
  • To report data breaches. The data controller must notify the authority within 72 hours from the occurrence of a data breach (Article 23 of the PDPD).
  • To record and store system logs of personal data processing (Article 38 of the PDPD).
  • To select a data processor with a clear mandate and only work with a data processor that has appropriate safeguards in place (Article 38 of the PDPD).
  • To coordinate with the MPS and competent state agencies in protecting personal data, and provide information to serve investigation and handling of violations of the law on personal data protection (Article 38 of the PDPD).

Obligations of data processor

  • To only receive and process personal data in accordance with the contract or agreement with the data controller (Article 39 of the PDPD).
  • To implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage. The PDPD does not require specific protective measures; however, under the Network Information Security Law, certain requirements for management and technical measures (such as encryption) can be triggered where the business owns a data system in Vietnam.
  • To delete or return all personal data to the data controller after completing the processing (Article 39 of the PDPD).
  • To prepare/submit impact assessment dossiers. The data processor must prepare and submit a DPIA for the role of processor when processing personal data (Article 24 of the PDPD), and a TIA when transferring Vietnamese citizen’s personal data outside of Vietnam (Article 25 of the PDPD). The DPIA and TIA must be submitted within 60 days from the processing and be updated from time to time in the case of changes to the content, and must remain available at all times for MPS inspection purposes.
  • To report data breaches. The data processor must notify the data controller as soon as possible after the occurrence (Article 23 of the PDPD).
  • To coordinate with the MPS and competent state agencies in protecting personal data, and provide information to serve the investigation and handling of violations of the law on personal data protection (Article 39 of the PDPD).

9. What rights does the data subject have in relation to personal data?

Data subjects are granted 11 rights under the PDPD: 

  • the right to be informed; 
  • the right to give consent; 
  • the right to access personal data; 
  • the right to withdraw consent; 
  • the right to delete data; 
  • the right to restrict data processing; 
  • the right to request provision of personal data; 
  • the right to object to data processing; 
  • the right to file complaints, denunciations and lawsuits; 
  • the right to claim damages; and
  • the right to self-defense. 

Among these rights, responses to the first five would be subject to a 72-hour deadline. Data controllers and processors need to pay special attention to these rights to ensure the response can be delivered in a timely manner. 


10. What rules regulate the sending of commercial or direct marketing communications?

The sending of commercial or direct marketing communications is regulated by several legal instruments dedicated to protecting individuals from unsolicited marketing communications.

As one of the primary principles under Decree No. 91/2020/ND-CP, dated 14 August 2020, on anti-spam messages, emails and calls (“Decree 91”), advertisers can only send advertisements via emails, SMSs or phone calls when the users have consented in advance, expressed in one of the following forms:

  • agreeing to receive advertising messages after the advertiser sends the first and only opt-in message;
  • completing a form and making a confirmation on paper or on the website/web portal, online application or social network of the advertiser;
  • calling or sending a message to the advertiser’s call center to subscribe; or
  • using a software program to subscribe.

Advertisers are also required to comply with other principles under Decree 91, notably including: 

  • Do-Not-Call compliance: Advertisements cannot be made to numbers listed on the Do-Not-Call Register.
  • Advertisers are allowed to send only one registration message, and it must be clear that this message is for seeking consent. This registration message must contain at least three types of information: (i) introduction to the advertiser; (ii) instructions for registering to receive advertising; and (iii) instructions for refusal.
  • Time restriction: The permitted sending window depends on the communication channel. SMS and emails may be sent from 7 a.m. to 10 p.m.; phone calls may only be made from 8 a.m. to 5 p.m.
  • No more than three messages or emails, and one advertising phone call, may be sent or made per day to a single user.
  • Advertising content must comply with advertising laws.

The use of customers’ personal information for marketing purposes must also comply with the provisions of the CRPL and PDPD.

Under Article 18.4 of the CRPL, consumers have the right to opt in/consent to the use of their information to advertise and introduce products, goods, services and other commercial activities. This right must be facilitated by an opt-out mechanism developed by businesses that collect or use consumer information. 

Under the PDPD, the use of customers’ personal information for marketing purposes must comply with the notification of personal data processing to data subjects and the collection of their consent before collecting and processing personal data for marketing purposes. Additionally, marketing service providers must include in their privacy notice clear information on the content, means, methods, and frequency of product promotion and advertising.

Foreign enterprises which do not have a commercial presence in Vietnam but wish to advertise their products, goods, services, or operations in Vietnam are required to hire a local advertising service provider (Vietnam-based company).


11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

In general, cross-border personal data transfer is permitted under the law, except when such transfer falls under specific prohibited cases prescribed by law (e.g., state secrets). The cross-border transfer of Vietnamese nationals’ personal data is subject to several requirements set out under the PDPD:

  • Data subject’s consent. Obtaining the data subject’s consent is mandatory prior to transferring personal data abroad (see Question 7 for further details on the consent requirements).
  • Impact assessment application. The data transferor must prepare and submit a DPIA and a TIA in accordance with the statutory forms to the MPS within 60 days from the transfer. Updates must be made in the event of changes to the content, and the DPIA and TIA must remain available at all times for MPS inspection purposes (Article 25 of the PDPD).
  • Notification of successful transfer. Upon successful data transfer outside of Vietnam, the data transferor must notify the MPS about information on the data transfer and contact details of the responsible organization or individual in writing (Article 25 of the PDPD).
  • Cessation of transfer. The MPS can request the data transferor to cease cross-border transfers in certain circumstances, including when:
    • the transferred data is used in activities harming Vietnam’s national interests or security;
    • the data transferor fails to comply with requirements for the TIA dossier; or
    • incidents of personal data breaches occur involving Vietnamese citizens (Article 25 of the PDPD).
  • Data localization. Under the Cybersecurity Law, domestic and foreign companies that provide certain types of services must store specified categories of data in Vietnam when conditions are met, including personal data of service users in Vietnam.

12. What are the investigatory and enforcement powers of the regulator?

The key regulators in charge of information and data protection are the MPS (in charge of the PDPD and Cybersecurity Law) and the Ministry of Information and Communication (MIC; in charge of the Network Information Security Law).

The state authorities in general, and the MPS and MIC in particular, hold significant powers in relation to investigatory/inspection and enforcement in Vietnam to ensure compliance with the law, especially with data protection laws and regulations, such as the power to conduct inspections, impose sanctions, or initiate charges, investigation, prosecution, and hearing. These powers are outlined both in the general laws such as the Law on Inspection and the Law on Handling Administrative Violations and in the specialized regulations in relation to data protection such as the PDPD, Cybersecurity Law and Network Information Security Law.


13. What are the sanctions and remedies for non-compliance with data protection laws?

Penalties and sanctions for personal data protection violations are scattered across various legal instruments and vary depending on the severity of the violation. Administrative fines range from VND 5 million (approx. USD 200) to VND 100 million (approx. USD 4,000), and remedial measures can be applied in certain cases. More severe violations may lead to imprisonment of up to 12 years under the Criminal Code. As an example, a failure to use personal data as agreed may result in a fine ranging from VND 40 to 60 million (approx. USD 1,600 to 1,800).

The MPS is developing a sanctioning decree dedicated to cybersecurity and personal data protection. The draft version released on 2 May 2024 proposes a fine of up to VND 1 billion (approx. USD 40,000) or 5% of an enterprise’s annual turnover for aggravated violations, such as repeated offenses in marketing or data disclosure affecting five million or more Vietnamese citizens. Additional penalties and remedy measures may include license revocation and suspension of data processing, and confiscation of profits.
