Key Highlights On The Vietnam New Personal Data Protection Law (PDPL 2025)
In June 2025, the National Assembly passed a new Law on Personal Data Protection (PDPL 2025), set to take effect on 1 January 2026. This new law represents a significant evolution from the foundational framework established by Decree 13/2023, introducing a far more comprehensive and stringent regime for personal data protection. This post will analyze some critical highlights of the new PDPL 2025, with some important implications for businesses. To offer a comprehensive perspective, we also include a summary generated by Google's Gemini AI for comparison and reference (see here).
A narrower extraterritorial scope of application
The PDPL 2025 narrows its extraterritorial application compared to previous regulations. Instead of a broad rule for "foreigners' data, the PDPL 2025 explicitly applies to foreign entities that are directly involved in or related to the processing of personal data of Vietnamese citizens and people of Vietnamese origin residing in Vietnam. This new provision successfully addressed the confusion and uncertainty that the earlier draft of PDPL 2025 had introduced (see our discussions here).
However, this scope of application still has the following issues:
· It has not addressed the existing ambiguity under Decree 13/2023 of whether the applicable subjects under the PDPL 2025 apply to the processing entities or data subjects (see our discussions here)
· The PDPL 2025 is also unclear on its application to foreign organizations processing the data of non-Vietnamese individuals (e.g., tourists, expatriates) within Vietnam. While Article 1.2 of the PDPL 2025 does not explicitly cover this scenario, Article 5.1 states the law applies to all "personal data protection activities on the territory of Vietnam", which may arguably cover this case.