Is Metadata Personal Data? New Risks Under Vietnam’s Personal Data Protection Law (PDPL 2025)

When companies think about data protection, they usually focus on “visible” data like names, email addresses, or bank details. However, there is a hidden layer called metadata - essentially “data about data” - that often gets ignored.

Under Vietnam’s new personal data protection rules, overlooking metadata is a major risk. If metadata can be used to identify a specific person, it falls under the same strict rules as regular personal data.

What is Metadata? The “Digital Footprint”

Metadata is information that describes the context of a file or a message rather than the content itself. Even if you remove a person’s name from a file, the metadata can still point directly to them.

Read MoreInfo
Comment
Written by Lawyers VNLaw On In

Key points under Decree 356/2025 guiding the Personal Data Protection Law (PDPL 2025)

On 31 December 2025, the Government issued Decree 356/2025 guiding the implementation of the PDPL 2025, which took effect on 1 January 2026. Decree 356/2025 provides critical detailed guidance and, notably, resolves several ambiguities under the PDPL 2025 framework. This post highlights the key takeaways from this new regulation.

1.         Expansion of "sensitive personal data": ID Cards and login credentials

As compared to the Draft PDPL Decree, Decree 356/2025 expands the scope of sensitive personal data to explicitly include:

Read MoreInfo
Comment
Written by Lawyers VNLaw On In

Key Terminologies under Vietnam’s AI Law

The Law on Artificial Intelligence (AI Law), which was passed by the National Assembly on 10 December 2025, is arguably among the most anticipated pieces of legislation of Vietnam in 2025.

Unfortunately, similar to the Law on Digital Technology Industry, Vietnam’s AI Law still feels like a half-baked legislation, which makes it hard to clearly identifying the key players in the artificial intelligence (AI) value chain. This article would examine several key terminologies under the AI Law.

Read MoreInfo
Comment
Written by Nguyen Quang Vu On In

Compliance Burdens For Vietnamese Companies Under New Conditional Data-Related Business Lines

Under Data Law 2024 and the Law on Personal Data Protection 2025 (PDPL 2025), several data-related services, including “personal data processing service” (dịch vụ xử lý dữ liệu cá nhân), personal data protection service (DPO Service), data intermediary service, data trading floor and data synthesis and analysis service (collectively, New Data-Related Services) are now designated as conditional business sectors. The New Data-Related Services (which could include dozen of sub-services) are subject to specific licenses and operational conditions. In the past, data processing or exploitation services in Vietnam were not classified as conditional business lines, allowing providers to operate with limited regulatory prerequisites.

In short, the Government has arguably created (or at least intended to create) more than just a regulatory system; it has established a complex compliance economy. This new framework tethers businesses to a costly ecosystem of mandatory intermediaries, from licensing consultants to training centers and credit rating agencies. To remain operational, enterprises must now absorb the dual burden of initial licensing fees and the recurring costs of maintaining qualified staff and ratings. As these obligations mount, the pressing question remains: will this expensive bureaucracy actually reduce the daily scam calls and messages suffered by Vietnamese citizens, or simply increase the cost of doing business?

Read MoreInfo
Comment
Written by Nguyen Quang Vu On In ,