ALIN Legislative News
From Institute of State
and Law,
Vietnam Academy of
Social Sciences
Vietnam: Promulgation of the
2025 Personal Data Protection Law - A New Legal Foundation for the Digital
Economy
The Personal Data Protection Law, passed by
the 15th National Assembly of Vietnam on June 26, 2025, and effective from
January 1, 2026, marks a significant step forward in the process of perfecting
the legal framework for privacy rights and data governance in Vietnam. This is
the first law to comprehensively regulate the issue of personal data protection
– an area previously only sporadically stipulated in various legal documents
such as the 2015 Civil Code, the 2018 Cybersecurity Law, and Decree No.
13/2023/ND-CP.
The Law was introduced in the context of
Vietnam's robust digital economic growth, alongside the expansion of activities
involving the collection, processing, and sharing of personal data in
e-commerce, digital finance, online public services, and artificial
intelligence. The Law's objectives are to establish a unified legal framework
to protect the lawful rights and interests of individuals regarding their data,
while ensuring transparency, safety, and accountability in the processing of
personal data by organizations, enterprises, and state agencies. The
promulgation of the Law also helps Vietnam align with international standards,
contributing to enhancing the country's credibility and integration capacity in
the global economy.
The Law regulates all activities related to
personal data, including collection, storage, use, sharing, transfer, deletion,
and destruction. The subjects of application extend not only to domestic
agencies, organizations, and enterprises but also to foreign organizations and
individuals processing data of Vietnamese citizens. This broad scope reflects
the globalization trend of data and the need for cross-border protection.
Regarding principles for personal data
processing, all processing activities must have a clear legal basis, ensuring
specific purpose, minimization, accuracy, and transparency (Article 3).
Individuals have the right to know, consent, access, rectify, erase, restrict
processing, object, and lodge complaints related to their data (Article 4).
Organizations and enterprises must apply appropriate technical and managerial
measures to protect personal data as prescribed by law, and review and update
these measures when necessary (Article 37). Data transfer must comply with
strict conditions, such as having the data subject's consent, conducting impact
assessments, and notifying competent authorities (Article 20). The personal
data protection agency is granted the authority to inspect, audit, and handle
violations; violating acts may face strict administrative penalties, or even
criminal prosecution in serious cases (Articles 33, 36).
Compared to Decree 13/2023/ND-CP, the new
Law has several progressive points, particularly: (i) upgrading the protection
mechanism from the decree level to the law level, ensuring higher legal effect;
(ii) supplementing mechanisms for controlling cross-border data transfer and
regulations on accountability; (iii) establishing the foundation for a
specialized personal data protection agency; and (iv) clearly stipulating the
responsibilities of technology enterprises, digital platforms, credit
institutions, and the public sector. The Law is expected to enhance public and
business trust in the digital environment, promoting the sustainable
development of e-commerce, financial services, and e-government.
However, the Law's enforcement will face
challenges such as limited data management capacity of enterprises, low public
awareness of information security, and unclear coordination mechanisms among
functional agencies. Furthermore, balancing data protection with digital
economic development requires more detailed and flexible guidelines in the
future.
Overall, the 2025 Personal Data Protection
Law is an essential and timely step for Vietnam in the context of digital
transformation. By establishing principles of transparency, consent, and
accountability, the Law not only protects human rights in cyberspace but also
contributes to shaping a modern, human-centric national data governance
framework, aiming for a safe and sustainable digital economy.
Author: Nguyen Thu Dung, LLM
Topic: Personal Data Protection
Jurisdiction: Vietnam
Date: November 8, 2025