Data & Privacy · Vietnam

Comprehensive law: Law No. 91/2025/QH15 on Personal Data Protection (effective 1 January 2026), implemented by Decree No. 356/2025/ND-CP; supervised by the Ministry of Public Security (Department of Cybersecurity and Prevention of Cybercrimes)

Vietnam enacted its first standalone comprehensive Personal Data Protection Law (Law 91/2025/QH15) on 26 June 2025. The law came into force on 1 January 2026, elevating the previous decree-level framework (Decree 13/2023) to full statutory law. It imposes GDPR-influenced obligations on data controllers and processors, including consent, breach notification, and impact assessments. Decree 356/2025/ND-CP, also effective 1 January 2026, provides detailed implementing rules and replaces Decree 13.

Primary Law

Law No. 91/2025/QH15 on Personal Data Protection was passed by the National Assembly on 26 June 2025 and took effect 1 January 2026, replacing Decree 13/2023/ND-CP as the primary framework. Decree 356/2025/ND-CP (promulgated 31 December 2025) provides the detailed implementing regulations.

Supervisory Authority

The Ministry of Public Security (MPS), specifically its Department of Cybersecurity and Prevention of Cybercrimes, is the primary enforcement authority. The Ministry of Information and Communications retains supplementary jurisdiction over digital and telecom-related data matters.

Consent & Data Subject Rights

Explicit, documented consent is required before processing personal data (with enumerated exceptions). Data subjects hold 11 statutory rights including access, rectification, deletion, restriction of processing, data portability, and the right to object; requests to restrict or object must be addressed within 72 hours.

Impact Assessments & Breach Notification

Data Protection Impact Assessments (DPIAs) must be completed within 60 days of commencing processing activities. Cross-border transfers require a separate Cross-border Transfer Impact Assessment (CTIA), submitted to the MPS within 60 days of the first transfer. Data breaches must be notified to authorities within 72 hours of detection.

Sensitive Data & Data Localisation

Decree 356 expands the sensitive data category to include location data, online account credentials and behavioural tracking, bank account and transaction details, and images of ID documents. Domestic websites and social networks are required to store Vietnamese users' data on servers with IP addresses located within Vietnam.

Penalties

Sanctions include fines of up to 5% of a corporate violator's preceding-year annual revenue for unauthorised cross-border data transfers, up to 10 times illicitly gained revenue from unlawful buying or selling of personal data, and monetary penalties up to VND 3 billion. An administrative sanctions decree with fuller enforcement detail was in final drafting as of early 2026.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.