Key Highlights On The Vietnam New Personal Data Protection Law (PDPL 2025)
In June 2025, the National Assembly passed a new Law on Personal Data Protection (PDPL 2025), set to take effect on 1 January 2026. This new law represents a significant evolution from the foundational framework established by Decree 13/2023, introducing a far more comprehensive and stringent regime for personal data protection. This post will analyze some critical highlights of the new PDPL 2025, with some important implications for businesses. To offer a comprehensive perspective, we also include a summary generated by Google's Gemini AI for comparison and reference (see here).
A narrower extraterritorial scope of application
The PDPL 2025 narrows its extraterritorial application compared to previous regulations. Instead of a broad rule for "foreigners' data", the PDPL 2025 explicitly applies to foreign entities that are directly involved in or related to the processing of personal data of Vietnamese citizens and people of Vietnamese origin residing in Vietnam. This new provision addresses the confusion and uncertainty that the earlier draft of PDPL 2025 had introduced (see our discussions here).
However, this scope of application still has the following issues:
It does not resolve the ambiguity carried over from Decree 13/2023 as to whether the scope-of-application provision of the PDPL 2025 refers to the processing entities or to the data subjects (see our discussions here).
The PDPL 2025 is also unclear on its application to foreign organizations processing the data of non-Vietnamese individuals (e.g., tourists, expatriates) within Vietnam. While Article 1.2 of the PDPL 2025 does not explicitly cover this scenario, Article 5.1 states the law applies to all "personal data protection activities on the territory of Vietnam", which may arguably cover this case.
Definition of basic and sensitive personal data
Unlike Decree 13/2023, which explicitly lists out types of personal data, the PDPL 2025 defines “basic personal data” and “sensitive personal data” as data “belonging to the list issued by the Government.” The draft decree guiding the PDPL 2025 (the Draft PDPL 2025 Decree) provides such lists, but numerous issues arise:
Circular Definitions: The Draft PDPL 2025 Decree defines basic personal data as any data that is not sensitive personal data. This circular definition is time-consuming for processing entities, since they must first determine whether such data fall within the list of sensitive personal data, and may be inherently unworkable because the corresponding list of sensitive data is not exhaustive (see below).
Non-exhaustive sensitive personal data list: Article 4.2(n) of the Draft PDPL 2025 Decree includes a catch-all clause, allowing organizations to self-determine other types of data as "sensitive". This makes it impossible for businesses to definitively know what is considered "basic" or “sensitive”, creating significant compliance uncertainty.
Inconsistent conditions: Article 4.1 of the Draft PDPL 2025 Decree also introduces a new condition for personal data to be considered sensitive: it must require "restricted access rights, processing procedures, and strict security measures". This technical requirement appears inconsistent with the definition under PDPL 2025 itself, which defines sensitive personal data based on its potential to cause harm to the data subject.
Introduction of a "legitimate interests" basis
A significant development in the new PDPL 2025 is the introduction of a "legitimate interests" basis for processing personal data without consent. Article 19.1(a) of the PDPL 2025 allows data processing when necessary to protect the "legitimate rights or interests" of the controller/processor or another party "against an act of infringement" of those interests. This provision moves Vietnamese data protection regulations closer to the GDPR and gives processing entities a potential new ground to process personal data without explicit consent. However,
While the GDPR's "legitimate interests" basis (Article 6.1(f)) applies broadly for proactive purposes, the PDPL 2025's provision is narrower, requiring a reactive or defensive purpose linked to an "act of infringement".
Furthermore, unlike the GDPR, the PDPL 2025 does not provide a clear framework for a "balancing test" to weigh the controller's interests against the rights of the data subject. The PDPL 2025 only offers a general principle in Article 3.6, stating that data protection must be harmonized with the "lawful rights and interests" of organizations and individuals. This ambiguity makes the basis difficult to rely on in practice and creates a risk that it may be misused by processing entities.
Introduction of severe, revenue-based financial penalties
For the first time, PDPL 2025 introduces specific and severe financial penalties for violations of personal data protection regulations. Article 8 of the PDPL 2025 establishes a multi-tiered penalty system, including fines of up to 5% of the preceding year's total revenue for unlawful cross-border data transfers, up to 10 times the revenue gained from illegally trading personal data, and a maximum of VND 3 billion for other violations.
This is a significant departure from Decree 13/2023, which only provided for general sanctions without specifying monetary penalties. The new penalty structure, particularly the revenue-based fine, shows clear alignment with the GDPR, which imposes penalties of up to 4% of a company's global annual turnover (Article 83). By adopting a similar model, Vietnam signals a serious commitment to enforcement, putting non-compliant companies at risk of substantial financial loss. But given the lack of clarity and consistency in the PDPL 2025, this poses significant risks to businesses dealing with personal data.
New list of permitted cases for personal data transfer
Unlike Decree 13/2023, Article 17.1 of the PDPL 2025 sets out a defined list of circumstances that constitute the permitted transfer of personal data. This list establishes a solid legal basis for common business activities, such as sharing data between departments within the same company or transferring data in corporate restructuring, including mergers and acquisitions. Notably, Article 17.2 clarifies that these transfers are not considered prohibited trading of personal data, even when a fee is involved, which legitimizes many data-related services.
However, several issues arise from these provisions:
The intra-group transfer gap: While the PDPL 2025 clarifies data sharing within a single organization, it does not explicitly address transfers between separate companies within the same corporate group. This omission means that subsidiary companies must treat each other as "third parties," requiring a distinct legal basis (such as specific consent under Article 17.1(a)) for data sharing, which complicates integrated business operations.
The risk of misusing consent: The "not a sale" exception creates a high risk that a data controller/processor could misuse this provision by obtaining broad or bundled consent from data subjects to then sell their data commercially, arguing it is a permissible "fee-based transfer" under Article 17 rather than an illegal sale. This ambiguity is heightened because the Draft PDPL 2025 Decree offers no further clarification on this matter.
Significant changes related to cross-border transfer of personal data
The PDPL 2025 introduces a significantly revised framework for the cross-border transfer of personal data as compared to Decree 13/2023. Key changes include:
Broader scope of application: The PDPL 2025's cases of cross-border transfer now cover any personal data collected in Vietnam, regardless of the data subject's nationality. This is a departure from Decree 13/2023, which limited the rules to the data of "Vietnamese citizens".
New practical exceptions: Both the PDPL 2025 and the Draft PDPL 2025 Decree introduce several new exceptions where the submission of a cross-border transfer impact assessment (TIA) dossier is not required, such as storing employee data on cloud services or transfers for hotel bookings and logistics. This significantly reduces the administrative burden for many routine business operations.
One-Time TIA submission: The PDPL 2025 clarifies that the TIA dossier only needs to be submitted once and then updated as required. This removes the ambiguity under Decree 13/2023 and streamlines the compliance process.
Despite the improvements, the new framework also introduces significant legal challenges:
Uncertainty over scope for foreigners' data: The broader scope suggested by the PDPL 2025 is challenged by Article 18.1 of the Draft PDPL 2025 Decree, which states that the TIA requirement applies only to data of "Vietnamese citizens and people of Vietnamese origin". This conflict creates major ambiguity for businesses processing data from foreign nationals in Vietnam.
The list of exceptions may not cover all routine activities. For example, using global Software-as-a-Service (SaaS) platforms such as a CRM (e.g., Salesforce) or an email marketing service (e.g., Mailchimp), or allowing remote access for technical support on IT systems, to process customer data collected in Vietnam still qualifies as a cross-border transfer under Article 20.1(c) of the PDPL 2025 and would likely trigger the TIA filing requirement.
Compulsory appointment of DPO
Under Article 28.2 of Decree 13/2023, the obligation to appoint personnel or a department in charge of personal data protection (DPO) applied only to organizations processing sensitive personal data. The PDPL 2025 removes this distinction, imposing the obligation on all organizations, regardless of the type of data they process.
Notably, Article 33.2 of the PDPL 2025 provides flexibility, allowing organizations to choose between appointing internal personnel, establishing a dedicated department, or hiring an external service provider to fulfill this role. In a key change from the exemptions under Decree 13/2023, small and medium-sized enterprises (SMEs) are no longer exempt from this requirement if their activities involve processing sensitive personal data or handling a large volume of data.
This universal requirement is even stricter than the GDPR. Article 37 of the GDPR mandates a DPO only in specific, high-risk cases, such as for public authorities or when core activities involve large-scale, regular monitoring or processing of sensitive data.
Conflict with the Data Law on impact assessment on core and important personal data
The PDPL 2025 creates a significant legal conflict with Decree 165/2025 guiding Vietnam's Data Law 2024 concerning the impact assessments required for personal data that is also classified as "core data" or "important data." This contradiction introduces considerable uncertainty for businesses.
· On the one hand, Article 5.4 of the PDPL 2025 states that if an organization conducts a Data Processing Impact Assessment (DPIA) and a Cross-border Transfer Impact Assessment (TIA) under the PDPL 2025, it is exempt from performing the similar assessments required by the Data Law 2024.
· On the other hand, Article 16.2 of Decree 165/2025 stipulates the exact opposite. It requires that for core and important data that is also personal data, organizations must follow the procedures in the Data Law 2024 and Decree 165/2025, and are explicitly exempt from the PDPL 2025's requirements.
This inconsistency creates confusion over which regulation to follow. While one may argue that the PDPL 2025, as a Law passed by the National Assembly, holds higher legal authority than a government Decree, ignoring a direct instruction in Decree 165/2025 creates a practical compliance risk for businesses, especially during inspections by state authorities.
Unclear whether PDPL 2025 will replace Decree 13/2023
Neither the Personal Data Protection Law (PDPL 2025) nor its current Draft PDPL 2025 Decree contains an explicit clause stating that Decree 13/2023 will be repealed.
While the principle of legal hierarchy dictates that the PDPL 2025 should supersede Decree 13/2023 upon taking effect, the absence of a clear repeal provision creates significant legal uncertainty. This legislative gap is a critical point for regulators to address in the final version of the Draft PDPL 2025 Decree to ensure a clear and smooth transition for businesses.
Significant exemptions for competent authority
The PDPL 2025 introduces broad exemptions for competent state authorities from core data protection obligations, a significant change compared to Decree 13/2023. Specifically,
Exemption from TIA: Article 20.6(a) of the PDPL 2025 explicitly exempts competent state authorities from the requirement to prepare a TIA when conducting cross-border transfer of personal data.
Exemption from DPIA: Article 21.6 of the PDPL 2025 exempts competent state authorities from the requirement to prepare a DPIA for their processing activities.
Unlike the PDPL 2025, the GDPR does not provide a blanket exemption for public authorities from conducting DPIAs or complying with international transfer rules. In fact, public authorities are often required to conduct DPIAs because their large-scale processing of citizen data is considered high-risk. Similarly, they must adhere to the rules in Chapter V of the GDPR when transferring data outside the EU.
Other notable points
New processing concepts: The PDPL 2025 introduces formal definitions for encryption (mã hoá) and pseudonymization (khử nhận dạng). Crucially, it clarifies that personal data that has undergone pseudonymization is no longer considered personal data.
Enhanced sector-specific protections: The PDPL 2025 provides more detailed and stronger protections for data subjects across various sectors. For example, in advertising services, controllers must now ensure the data subject is fully informed of the content, method, form, and frequency of product introductions before consent is given.
Expanded Grace Period for SMEs: The grace period for SMEs has been extended from two to five years compared to Decree 13/2023. Furthermore, its scope now covers the submission of TIA/DPIA dossiers and the DPO appointment obligation, an expansion from Decree 13/2023, which only exempted the DPO appointment.
This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.