Data protection & privacy laws in Vietnam (2026)

Issued on 31 December 2025 and effective 1 January 2026 alongside the PDPL, Decree 356 replaces Decree 13/2023 and converts the new law into concrete operational obligations — prescribing Data Protection Officer qualifications (minimum college degree, two years' experience), mandatory written data-transfer agreements, sector-specific rules for AI/fintech/blockchain/metaverse, and stricter verifiable-consent documentation standards.

Vietnam's first statutory personal data protection law — effective 1 January 2026 — elevates the framework from decree-level rules to national legislation, explicitly bans the sale and purchase of personal data, mandates Data Processing Impact Assessments within 60 days of processing commencement, introduces Cross-border Transfer Impact Assessments, and sets penalties up to 10× revenue from illegal data sales or 5% of prior-year revenue for cross-border transfer violations.

In late 2024 the Ministry of Public Security conducted Vietnam's first systematic compliance inspection campaign under Decree 13/2023, focusing on lawful data sharing and network-security measures for personal data; marked the transition from a purely legislative phase to active regulatory oversight and signalled heightened enforcement risk for non-compliant organisations.

Issued 17 April 2023 and effective 1 July 2023, this was Vietnam's first comprehensive personal data protection instrument: it introduced a two-tier classification (basic vs. sensitive personal data), a consent-centric processing framework, mandatory 72-hour breach notification to the Department of Cybersecurity and High-Tech Crime Prevention, Data Processing Impact Assessment filings, and fines of up to 5% of Vietnam revenue for disclosures affecting over one million data subjects.

Effective 1 October 2022, Decree 53 gave the Cybersecurity Law's vague data localisation mandate enforceable substance: telecoms, e-commerce, social networks, online payment, and other internet-service providers must store personal data, user-relationship data, and user-generated data in Vietnam for at least 24 months, and foreign firms must establish a branch or representative office within 12 months of a formal ministerial request.

Vietnam's landmark Cybersecurity Law imposed broad data localisation obligations on domestic and foreign companies providing digital services in Vietnam — requiring local storage of personal data, service-user data, and user-relationship data — alongside mandatory government-access and platform-cooperation provisions; it was widely contested by industry and took four years to receive an implementing decree.

Personal data from more than 163 million Zing ID accounts — including usernames, hashed passwords, emails, phone numbers, and IP addresses — were offered for sale on hacking forum Raidforums; the Ministry of Public Security later cited this incident as a primary catalyst for drafting comprehensive personal data protection legislation.

Effective 1 January 2017, the Civil Code explicitly recognised the right to privacy and protection of personal information as enforceable civil rights, providing a foundational legal basis for data protection claims in Vietnamese courts and underpinning all subsequent sector-specific data regulations.

Effective 1 July 2016, this law established the first dedicated personal data protection obligations in Vietnam's online environment — defining personal information, requiring owner consent for collection and use, mandating appropriate security measures, and granting individuals rights to access and correct their data — superseding the IT Law's narrower provisions.

Article 21 of this law marked the first time personal information protection was codified in Vietnamese law: it required consent before online collection of personal data, established purpose-limitation principles, and granted individuals rights to access and correct their information — laying the conceptual foundation on which all subsequent data protection legislation was built.