In June 2025, the National Assembly passed a new Law on Personal Data Protection (PDPL 2025), set to take effect on 1 January 2026. This new law represents a significant evolution from the foundational framework established by Decree 13/2023, introducing a far more comprehensive and stringent regime for personal data protection. This post will analyze some critical highlights of the new PDPL 2025, with some important implications for businesses. To offer a comprehensive perspective, we also include a summary generated by Google's Gemini AI for comparison and reference (see here).

A narrower extraterritorial scope of application

The PDPL 2025 narrows its extraterritorial application compared to previous regulations. Instead of a broad rule for "foreigners' data, the PDPL 2025 explicitly applies to foreign entities that are directly involved in or related to the processing of personal data of Vietnamese citizens and people of Vietnamese origin residing in Vietnam. This new provision successfully addressed the confusion and uncertainty that the earlier draft of PDPL 2025 had introduced (see our discussions here).

However, this scope of application still has the following issues:

·       It has not addressed the existing ambiguity under Decree 13/2023 of whether the applicable subjects under the PDPL 2025 apply to the processing entities or data subjects (see our discussions here)

·       The PDPL 2025 is also unclear on its application to foreign organizations processing the data of non-Vietnamese individuals (e.g., tourists, expatriates) within Vietnam. While Article 1.2 of the PDPL 2025 does not explicitly cover this scenario, Article 5.1 states the law applies to all "personal data protection activities on the territory of Vietnam", which may arguably cover this case.

A new Data Law, passed in late November 2024 and set to take effect on 1 July 2025, focuses primarily on establishing a national general database and data centre for state use. However, it also introduces rules on digital data (data in the rest of this article) that concerns the private sector, such as, data products and services. The Government is also drafting three draft decrees detailing key issues under the Data Law, including Data-Related Products & Services Draft Decree, Core & Important Data Draft Decree and a Master Draft Decree.

This blog will discuss several key points under the Data Law and related draft decrees. This post is written by Ha Thanh Phuc and Trinh Phuong Thao.

1)          The police will review and supervise your data activities

The Ministry of Public Security (MPS) again is authorized to regulate all activities relating to data except for data under the Ministry of Defence. Accordingly, it seems that Vietnam considers data as security issue and violation of data activities could result in significant liabilities. This could raise significant compliance costs for businesses and companies in Vietnam if they want to be fully comply with unclear rules (see discussion below).

1)          Conditional Business Lines

Amendments to the Investment Law 2020 in late 2024 now require businesses involved in (i) data intermediary products and services, (ii) data analysis and synthesis, or (iii) data platform services to meet certain conditions. The Data Law suggests that:

a. data platform services may be restricted to state enterprises and public providers, potentially excluding private companies; and

b. only providers of data analysis and synthesis services that potentially harm national defence, national security, social order, safety, social ethics, or public health, which have been detailed under the Data-Related Products & Services Draft Decree, will be subject to these conditions.

Under the Data-Related Products & Services Draft Decree, businesses in these sectors are subject to strict requirements. Notably, all such businesses must maintain an escrow of at least 5 billion VND at a Vietnamese commercial bank to cover compensation and expenses in the event their licenses are revoked.