Under Data Law 2024 and the Law on Personal Data Protection 2025 (PDPL 2025), several data-related services, including “personal data processing service” (dịch vụ xử lý dữ liệu cá nhân), personal data protection service (DPO Service), data intermediary service, data trading floor and data synthesis and analysis service (collectively, New Data-Related Services) are now designated as conditional business sectors. The New Data-Related Services (which could include dozen of sub-services) are subject to specific licenses and operational conditions. In the past, data processing or exploitation services in Vietnam were not classified as conditional business lines, allowing providers to operate with limited regulatory prerequisites.

In short, the Government has arguably created (or at least intended to create) more than just a regulatory system; it has established a complex compliance economy. This new framework tethers businesses to a costly ecosystem of mandatory intermediaries, from licensing consultants to training centers and credit rating agencies. To remain operational, enterprises must now absorb the dual burden of initial licensing fees and the recurring costs of maintaining qualified staff and ratings. As these obligations mount, the pressing question remains: will this expensive bureaucracy actually reduce the daily scam calls and messages suffered by Vietnamese citizens, or simply increase the cost of doing business?

In June 2025, the National Assembly passed a new Law on Personal Data Protection (PDPL 2025), set to take effect on 1 January 2026. This new law represents a significant evolution from the foundational framework established by Decree 13/2023, introducing a far more comprehensive and stringent regime for personal data protection. This post will analyze some critical highlights of the new PDPL 2025, with some important implications for businesses. To offer a comprehensive perspective, we also include a summary generated by Google's Gemini AI for comparison and reference (see here).

A narrower extraterritorial scope of application

The PDPL 2025 narrows its extraterritorial application compared to previous regulations. Instead of a broad rule for "foreigners' data, the PDPL 2025 explicitly applies to foreign entities that are directly involved in or related to the processing of personal data of Vietnamese citizens and people of Vietnamese origin residing in Vietnam. This new provision successfully addressed the confusion and uncertainty that the earlier draft of PDPL 2025 had introduced (see our discussions here).

However, this scope of application still has the following issues:

·       It has not addressed the existing ambiguity under Decree 13/2023 of whether the applicable subjects under the PDPL 2025 apply to the processing entities or data subjects (see our discussions here)

·       The PDPL 2025 is also unclear on its application to foreign organizations processing the data of non-Vietnamese individuals (e.g., tourists, expatriates) within Vietnam. While Article 1.2 of the PDPL 2025 does not explicitly cover this scenario, Article 5.1 states the law applies to all "personal data protection activities on the territory of Vietnam", which may arguably cover this case.