Key Highlights and New Developments of the 2025 Law on Personal Data Protection

On June 26, 2025, at the 9th Session of the 15th National Assembly, the National Assembly of Viet Nam officially passed the Law on Personal Data Protection (Law No. 91/2025/QH15) — the first specialized legislation in Viet Nam providing a comprehensive legal framework for personal data protection. The enactment of this Law marks a significant shift in legislative thinking, addressing the urgent demands of digital transformation while reaffirming the State’s commitment to safeguarding human rights and citizens’ rights in the digital environment.

I. Fundamental contents of the Law

1. Broad scope of regulation and application

The Law provides detailed regulations on principles, rights, obligations, and legal responsibilities of entities involved in personal data processing activities. Notably, its scope extends to foreign organizations and individuals that process the personal data of Vietnamese citizens, thereby affirming Viet Nam’s digital sovereignty and protecting national interests in cyberspace.

2. Clear classification of personal data

For the first time in Viet Nam’s legal system, the Law clearly distinguishes between:

• Basic personal data: common identification information; and
• Sensitive personal data: data closely associated with private life, the infringement of which may cause serious harm to data subjects.

3. Strengthened protection of data subjects’ rights

Data subjects are granted key rights, including the right to be informed, the right to give or withhold consent, the right to request rectification, deletion, or restriction of data processing, the right to object, and the right to claim compensation for data breaches. This represents a major advancement in privacy protection in line with international standards.

4. Clearly defined responsibilities of related parties

The Law clearly defines the responsibilities of:

• Personal data controllers;
• Personal data processors;
• Entities acting as both data controllers and processors; and
• Third parties participating in the data processing chain.

All parties are required to strictly comply with legal requirements on the protection, storage, provision, transfer, and destruction of personal data.

5. Supervision mechanisms and strict sanctions

The Law provides for stringent enforcement measures, including:

• Administrative fines of up to VND 3 billion or 5% of annual revenue for violating organizations;
• Penalties of up to ten times the illegal proceeds for acts involving the purchase or sale of personal data;
• Criminal liability for serious violations.

II. Notable innovations in legislative approach

1. Modern legislative thinking – concise, substantive, and enforceable law

The Law is streamlined and drafted in a manner that is:

• Clear, transparent, and practicable;
• Free from overlap with other legislation;
• Supported by detailed implementing regulations to be issued by the Government regarding procedures, conditions, and technical requirements.

2. Establishment of an absolute prohibition on the trading of personal data

The Law strictly prohibits the buying and selling of personal data in any form, including non-monetary transactions, unless otherwise permitted by specialized laws. This reflects a firm stance on protecting privacy and eliminating the unlawful commercialization of personal data.

3. Adoption of a post-inspection mechanism for cross-border data transfers

Instead of requiring prior approval, enterprises are only required to prepare a one-time data transfer impact assessment dossier and submit it to competent authorities. Regulatory authorities will conduct inspections when necessary. This approach balances data protection with business facilitation and supports digital transformation.

4. Preferential treatment and exemptions for small and micro enterprises

• Household businesses and micro enterprises are exempt from the obligation to prepare impact assessment dossiers and appoint personal data protection personnel.
• Small enterprises and start-ups may choose whether or not to comply with these obligations for five years from the effective date of the Law.

5. Enhanced protection mechanisms for vulnerable groups

For the first time, Vietnamese law provides specific protections for the personal data of:

• Children;
• Persons who have lost or have limited civil act capacity;
• Persons with cognitive or behavioral control difficulties.

Legal representatives are authorized to exercise data-related rights on behalf of these groups, ensuring a humane and inclusive legal framework.

6. Alignment with emerging technology trends

The Law introduces specialized provisions governing:

• Artificial intelligence, big data, blockchain, cloud computing, and virtual environments;
• Biometric data, location data, and personalized advertising services;
• Social networks and online communication platforms.

These regulations aim not only to protect personal data but also to safeguard national security, social order, and cultural values.

III. Significance of the Law on Personal Data Protection

The 2025 Law on Personal Data Protection is not merely a legislative instrument but a legal declaration of the right to privacy in the digital era. Its promulgation affirms that:

• Personal data rights are fundamental personal rights of every individual;
• The State is committed to protecting personal data with the same seriousness as protecting property and life in the digital environment;
• A transparent, modern legal framework aligned with international practices is being established, contributing to enhanced national competitiveness and deeper international integration.