PERSONAL DATA PROTECTION LAW 2025: TRADING PERSONAL DATA MAY BE FINED UP TO 10 TIMES ILLICIT GAINS AND NOT LESS THAN VND 3 BILLION

2025-08-01 09:33:21

On June 26, 2025, the National Assembly passed the Personal Data Protection Law No. 91/2025/QH15, effective from January 1, 2026 (“PDPL”), marking a significant milestone in safeguarding personal information and promoting the digital economy. For the first time, regulations on personal data protection have been codified into a distinct and standalone law in Vietnam. Compared to Decree No. 13/2023/ND-CP on personal data protection issued by the Government on April 17, 2024 (“Decree 13”), the PDPL introduces groundbreaking changes—not only to enhance the right to privacy of individuals but also to impose stricter compliance requirements on organizations collecting, processing, and storing personal data in the era of modern technologies.

ATA summarizes below the key highlights of the PDPL that are expected to significantly impact both individuals and enterprises:

1. Foreign-based platforms processing Vietnamese personal data fall under the scope of the PDPL

Compared to Decree 13, the PDPL expands its scope of application to include foreign organizations and individuals without a physical presence in Vietnam but that process personal data of Vietnamese citizens or persons of Vietnamese origin who reside in Vietnam and possess identification documents. As such, platforms like Google, Facebook, TikTok, and other cross-border digital platforms will be directly governed by the PDPL if they handle personal data of Vietnamese individuals.

This provision strengthens Vietnam’s regulatory oversight of cross-border personal data processing amid global integration and the increasing number of online fraud cases, thereby protecting the rights of Vietnamese citizens on international platforms.

2. Administrative penalties for trading personal data may reach up to 10 times illicit revenue, and no less than VND 3 billion

In addition to the prohibited acts previously prescribed under Decree 13, the PDPL expressly prohibits the following two acts:

  • Buying or selling personal data, unless otherwise stipulated by law;

  • Appropriating, intentionally disclosing, or causing the loss of personal data.

Previously, administrative sanctions for violations related to personal data protection were governed under general consumer protection regulations (the Law on Protection of Consumer Rights and Decree 98/2020/ND-CP as amended by Decree 24/2025/ND-CP), with penalties ranging from VND 30 million to VND 160 million depending on the severity and scale of violations.

To enhance deterrence, the PDPL stipulates that administrative fines for organizations may reach up to 10 times the illicit gain from trading personal data, or up to 5% of the previous year’s revenue in the case of cross-border transfers. In all cases, the fine shall not be less than VND 3 billion, even where there is no illicit gain or the gain cannot be determined. For individuals committing the same violations, the maximum fine shall be half of the fine imposed on organizations.

3. Big Data, AI, and Blockchain systems must de-identify data upon request of the data subject

- The PDPL provides specific regulations on personal data processing in the context of big data, artificial intelligence (AI), blockchain, metaverse, and cloud computing environments:

  • Personal data must be processed for legitimate purposes, within necessary limits, and in a manner that protects the lawful rights and interests of data subjects.

  • Systems and services must incorporate appropriate security measures, authentication, identification protocols, access control, and risk classification when processed by AI.

  • Data processing must comply with applicable laws, adhere to ethical standards and social norms of Vietnam, and must not harm national defense, public security, social order, or the life, health, honor, dignity, or property of individuals.

- Additionally, in high-tech environments, the PDPL mandates the erasure, destruction, or de-identification of personal data (i.e., altering or deleting information such that individuals cannot be identified) in the following cases:

  • Upon request of the data subject;

  • Once the purpose of data processing has been fulfilled;

  • Upon expiration of the lawful retention period;

  • As mandated by competent authorities;

  • As agreed between the parties.

Entities performing de-identification must strictly monitor and control the entire process, prevent unauthorized access, copying, appropriation, leakage, or loss during erasure or destruction, and are prohibited from re-identifying data after it has been de-identified.

4. Social media platforms prohibited from requesting ID photos/videos for authentication

Provisions related to personal data protection in sectors such as finance, banking, credit, insurance, advertising, social media, and online communications include:

* For social media and online communication service providers:

  • Must not request photos or videos containing personal ID documents for account verification;

  • Must not eavesdrop on or record calls or read messages without the consent of the data subject, except as required by law;

  • Must not collect personal data unlawfully or beyond the agreed scope with users.

* For recruiters:

  • May only request information directly related to recruitment purposes; must not collect excessive or unrelated information;

  • May only use such data for recruitment or other purposes with the candidate’s explicit consent;

  • If the candidate is not hired, must delete or destroy the collected personal data unless otherwise agreed.

* For employers:

  • May only retain employee personal data for the period stipulated by law or agreed contractually;

  • Must delete or destroy such data upon termination of employment, unless otherwise provided by law or agreement (e.g., for insurance or tax purposes);

  • May only use monitoring technologies (e.g., GPS, cameras, attendance software) with the employee’s knowledge and consent, and must not repurpose the data without consent.

* For banks and credit institutions:

  • Must not use credit data to score, rank, or evaluate individuals without their consent; this applies to banks, financial companies, and credit information providers;

  • May only collect necessary data from lawful and transparent sources, consistent with the PDPL;

  • Must notify individuals in case of breaches involving financial, credit, or account information.

* For advertising companies:

  • Must obtain customers’ informed consent before processing personal data for advertising purposes, including information on content, method, format, and frequency of communications;

  • Must allow customers to opt out of receiving marketing materials, and may only use data shared by controllers or collected directly in the course of business;

  • Must not fully outsource advertising services involving personal data to third parties. Advertisers must execute the services themselves and be able to prove data sources and processing procedures.

* For insurance enterprises:

  • May only access customers’ health data with their explicit consent;

  • Where such data is shared with reinsurers or reinsurance partners, this must be clearly stipulated in the contract with the customer.

5. Exemptions from certain obligations on personal data processing for micro, small enterprises and individual business households

  • Within 5 years from the effective date of the Law, small enterprises and startups shall have the right to choose whether or not to carry out the following obligations: personal data processing impact assessment, updating personal data processing impact assessment dossiers and cross-border personal data transfer impact assessment dossiers, appointing qualified departments/personnel for personal data protection, or hiring service providers for personal data protection (except for enterprises providing personal data processing services, directly processing sensitive personal data, or processing the personal data of a large number of data subjects).

  • Individual business households and micro enterprises are not required to carry out the aforementioned obligations (except for business households and enterprises providing personal data processing services, directly processing sensitive personal data, or processing the personal data of a large number of data subjects).

The Personal Data Protection Law will take effect on January 1, 2026. Any personal data processing activities or documents established or received under Decree 13 before this date shall remain valid and do not require re-execution.