Under Data Law 2024 and the Law on Personal Data Protection 2025 (PDPL 2025), several data-related services, including “personal data processing service” (dịch vụ xử lý dữ liệu cá nhân), personal data protection service (DPO Service), data intermediary service, data trading floor and data synthesis and analysis service (collectively, New Data-Related Services) are now designated as conditional business sectors. The New Data-Related Services (which could include dozen of sub-services) are subject to specific licenses and operational conditions. In the past, data processing or exploitation services in Vietnam were not classified as conditional business lines, allowing providers to operate with limited regulatory prerequisites.

In short, the Government has arguably created (or at least intended to create) more than just a regulatory system; it has established a complex compliance economy. This new framework tethers businesses to a costly ecosystem of mandatory intermediaries, from licensing consultants to training centers and credit rating agencies. To remain operational, enterprises must now absorb the dual burden of initial licensing fees and the recurring costs of maintaining qualified staff and ratings. As these obligations mount, the pressing question remains: will this expensive bureaucracy actually reduce the daily scam calls and messages suffered by Vietnamese citizens, or simply increase the cost of doing business?

In June 2025, the National Assembly passed a new Law on Personal Data Protection (PDPL 2025), set to take effect on 1 January 2026. This new law represents a significant evolution from the foundational framework established by Decree 13/2023, introducing a far more comprehensive and stringent regime for personal data protection. This post will analyze some critical highlights of the new PDPL 2025, with some important implications for businesses. To offer a comprehensive perspective, we also include a summary generated by Google's Gemini AI for comparison and reference (see here).

A narrower extraterritorial scope of application

The PDPL 2025 narrows its extraterritorial application compared to previous regulations. Instead of a broad rule for "foreigners' data, the PDPL 2025 explicitly applies to foreign entities that are directly involved in or related to the processing of personal data of Vietnamese citizens and people of Vietnamese origin residing in Vietnam. This new provision successfully addressed the confusion and uncertainty that the earlier draft of PDPL 2025 had introduced (see our discussions here).

However, this scope of application still has the following issues:

·       It has not addressed the existing ambiguity under Decree 13/2023 of whether the applicable subjects under the PDPL 2025 apply to the processing entities or data subjects (see our discussions here)

·       The PDPL 2025 is also unclear on its application to foreign organizations processing the data of non-Vietnamese individuals (e.g., tourists, expatriates) within Vietnam. While Article 1.2 of the PDPL 2025 does not explicitly cover this scenario, Article 5.1 states the law applies to all "personal data protection activities on the territory of Vietnam", which may arguably cover this case.

A new Data Law, passed in late November 2024 and set to take effect on 1 July 2025, focuses primarily on establishing a national general database and data centre for state use. However, it also introduces rules on digital data (data in the rest of this article) that concerns the private sector, such as, data products and services. The Government is also drafting three draft decrees detailing key issues under the Data Law, including Data-Related Products & Services Draft Decree, Core & Important Data Draft Decree and a Master Draft Decree.

This blog will discuss several key points under the Data Law and related draft decrees. This post is written by Ha Thanh Phuc and Trinh Phuong Thao.

1)          The police will review and supervise your data activities

The Ministry of Public Security (MPS) again is authorized to regulate all activities relating to data except for data under the Ministry of Defence. Accordingly, it seems that Vietnam considers data as security issue and violation of data activities could result in significant liabilities. This could raise significant compliance costs for businesses and companies in Vietnam if they want to be fully comply with unclear rules (see discussion below).

1)          Conditional Business Lines

Amendments to the Investment Law 2020 in late 2024 now require businesses involved in (i) data intermediary products and services, (ii) data analysis and synthesis, or (iii) data platform services to meet certain conditions. The Data Law suggests that:

a. data platform services may be restricted to state enterprises and public providers, potentially excluding private companies; and

b. only providers of data analysis and synthesis services that potentially harm national defence, national security, social order, safety, social ethics, or public health, which have been detailed under the Data-Related Products & Services Draft Decree, will be subject to these conditions.

Under the Data-Related Products & Services Draft Decree, businesses in these sectors are subject to strict requirements. Notably, all such businesses must maintain an escrow of at least 5 billion VND at a Vietnamese commercial bank to cover compensation and expenses in the event their licenses are revoked.