Vietnam’s First Draft of New Personal Data Protection Law (PDPL) Released for Public Comments

Posted by Written by Melissa Cyrill Reading Time: 6 minutes

On September 24, 2024, the Vietnamese government issued the first draft of a new Law on Personal Data Protection (PDPL) for public feedback. The draft law has more stringent provisions than the Personal Data Protection Decree and is potentially set to take effect from January 1, 2026.

On September 24, 2024, the Vietnamese government issued the first draft of a new Law on Personal Data Protection (PDPL) This draft law, set to take effect on January 1, 2026, marks another step forward in Vietnam’s efforts to build a robust framework for personal data protection. The draft is currently open for public consultation until November 24, 2024, allowing stakeholders to provide feedback.

The PDPL draft, developed by the Ministry of Public Security (MPS), comprises of 68 articles across seven chapters. The Draft PDPL is more comprehensive than last year’s Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD) and covers a wide range of areas, including marketing services, behavioral advertising, big data processing, AI, cloud computing, employee monitoring and recruitment, financial and credit data, healthcare, insurance, and more.

FIND BUSINESS SUPPORT
De-Risk Your Asia Business with a Company Health Check Review and Professional Advisory

The PDPL draft is expected to be adopted by the National Assembly in May 2025. It does not provide a transition period for compliance, except for micro-enterprises, SMEs, and startups, which are only exempt from appointing a data protection department during their first two years from establishment. However, these smaller businesses must meet all other PDPL obligations within the same timeline as larger enterprises.

Main goals and policies

In March 2024, the Ministry of Public Security (MPS) submitted a proposal to the National Assembly to develop a draft of the Personal Data Protection Law. The MPS emphasized that the draft aims to enhance Vietnam’s legal framework for personal data protection, establish a clear legal basis for safeguarding personal data, improve the ability of domestic organizations and individuals to protect personal data to meet international and regional standards, and encourage the lawful use of personal data to support economic and social development.

To accomplish the above targets, the draft PDPL is constructed in accordance with four key missions:

  • Unifying legal regulations on legal terms related to personal data and personal data protection;
  • Specifying the rights and obligations of data subjects;
  • Improving regulations on personal data protection during data processing; and
  • Enhancing regulations to ensure conditions and measures for personal data protection.

Key features of the draft PDPL

  1. Expanded scope:The PDPL draft applies to all Vietnamese agencies, organizations, and individuals operating domestically and abroad, as well as foreign entities involved in data processing within Vietnam. This wide-ranging scope ensures the law will cover data processing activities within the country and for Vietnamese data subjects overseas.
  2. Strict consent requirements:Consent remains the primary legal basis for processing personal data, with new stipulations for cross-border data transfers. Controllers and processors are required to gain affirmative, informed consent from data subjects, particularly for sensitive personal data like health records, political views, and biometric data. The PDPL draft specifies that silence or non-response cannot be deemed consent, which reinforces Vietnam’s stance on stringent data privacy.
  3. Definitions of personal data:The draft PDPL introduces a clearer distinction between ‘basic personal data’ and ‘sensitive personal data.’ Sensitive data categories have expanded to include land-use information, location data, and credit records. Additionally, new definitions like “personal data protection expert,” “personal data protection credit rating,” and “use of personal data for marketing” have been introduced, further refining data protection responsibilities.
  4. Data Protection Impact Assessments (DPIA) and Transfer Impact Assessments (TIA):The draft PDPL mandates both DPIAs and TIAs for organizations, which must be updated every six months or upon any material change. This ensures that personal data processing is continuously monitored and compliant with the evolving regulatory landscape.
  5. Obligations for enterprises: The draft PDPL imposes strict obligations on companies regarding data protection compliance. For instance, enterprises must appoint a data protection department for both basic and sensitive data processing. This department can be outsourced to external service providers, enabling more flexibility for businesses. The draft law also promulgates that companies must have at least one personal data protection expert in these departments while providing detailed requirements for eligible recruitment of these personnel.
  6. Exemption for MSMEs: Micro-enterprises, SMEs, and startups are only exempted from the requirement of a data protection department for their first two years, and all other obligations must be adhered to within the same timeline as larger organizations. However, micro-enterprises, SMEs, and startups directly engaged in personal data processing activities are not subject to the exemption.
  7. Data breach notifications:Enterprises will have a 72-hour window to notify authorities of any data breach incidents, a rule carried over from the PDPD. This rapid response requirement reflects international best practices, ensuring timely action in case of data security violations.
  8. New certification mechanisms:The draft introduces personal data protection certification, effectively creating a credit rating system for businesses based on their compliance. Companies can earn ratings like “high credibility” or “trust” based on their personal data protection practices, which could enhance consumer trust and market reputation.

Prohibition of personal data sales in any form

The draft PDPL clearly states eight principles of personal data protection, one of which is that personal data cannot be bought or sold in any form.

According to the draft law, personal data is information in symbols, letters, numbers, images, sounds, or similar forms in the electronic environment that are associated with a specific person or help identify that person. These data are divided into two types:

  • Basic personal data, which includes full name, date/month/year of birth, gender, place of birth, nationality, personal image, phone number, identification number, marital status, etc.; and
  • Sensitive personal data, which is information that, when violated, will directly affect the legitimate rights and interests of organizations and individuals, and is closely related to the privacy of individuals.

Stop marketing activities when requested by the data subject

The draft law sets aside a separate article to regulate personal data protection in marketing services.

Accordingly, organizations and individuals providing marketing services are only allowed to use customers’ personal data collected through their business activities for marketing services. The collection and use of personal data must ensure the data subject’s rights.

The processing of customers’ personal data for marketing services must receive the customer’s consent, on the basis that the customer clearly knows the content, method, form, and frequency of product introduction.

Personal data protection regulations in financial, banking, credit, and credit information activities

The draft PDPL stipulates that financial, banking, and credit companies must:

  • Not buy, sell, or illegally transfer credit information between financial, credit, and credit information institutions.
  • Not transmit or share unencrypted financial and credit data of data subjects between such institutions.
  • Fully comply with regulations on protecting sensitive personal data, as well as payment and credit security standards prescribed by law.
  • Obtain explicit consent from data subjects before using their credit information to score credit or assess their creditworthiness.
  • Ensure that credit assessments of data subjects result only in binary outputs, such as “Pass or Fail,” “Yes or No,” or scales based on data collected directly from customers.
  • Clearly identify and declare stages that require the application of personal data de-identification measures.
  • Notify data subjects promptly in the event of financial account information breaches or data loss.

Organizations providing credit information services, as well as those in banking, insurance, and finance, and payment intermediaries, are prohibited from unlawfully sharing or transferring personal data to one another or to third-party businesses, except in cases permitted by law.

Credit information and related products of a data subject may only be provided to financial, banking, and credit institutions as explicitly prescribed by law.

The agency responsible for personal data protection serves as the primary authority for requesting credit information in order to investigate and address legal violations in accordance with applicable regulations.

Challenges and compliance considerations

FIND BUSINESS SUPPORT
Grow Your Presence in Asia with Complete Market Entry and Cross-Regional Support

Despite the new provisions, certain challenges remain unresolved. For example, how the PDPL will interact with the existing PDPD is still unclear. Will the PDPL replace the PDPD or coexist alongside it? Moreover, while the law reinforces consent-based data processing, it does not recognize “legitimate interest” as a legal basis, which contrasts with global standards like the GDPR.

For businesses operating in Vietnam, this draft law will require significant adjustments. Companies must prepare to enhance their data processing operations, particularly around DPIAs, cross-border transfers, and the stringent consent regime. Additionally, sectors like marketing, behavioral advertising, healthcare, and AI will need to adapt their practices to remain compliant with the heightened requirements around sensitive personal data processing.

Conclusion

The draft Personal Data Protection Law signifies Vietnam’s ambition to establish a comprehensive personal data protection framework that aligns with global standards. While businesses will need to navigate new compliance challenges, they also have the opportunity to provide input during the consultation period. With the PDPL slated for potential enactment in May 2025 and enforcement starting January 1, 2026, companies must act swiftly to assess their readiness and align with Vietnam’s new data protection paradigm.

(With inputs from Vu Nguyen Hanh.)

About Us

Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Asia, including ASEAN, China, and India. For editorial matters, contact us here and for a complimentary subscription to our products, please click here. For assistance with investments into Vietnam, please contact us at vietnam@dezshira.com or visit us at www.dezshira.com.

Dezan Shira & Associates assists foreign investors throughout Asia from offices across the world, including in Hanoi, Ho Chi Minh City, and Da Nang. We also maintain offices or have alliance partners assisting foreign investors in China, Hong Kong SAR, Dubai (UAE), Indonesia, Singapore, Philippines, Malaysia, Thailand, Bangladesh, Italy, Germany, the United States, and Australia.